German police warn of cyberattacks via Office 365

A new wave of cyberattacks is threatening companies in Germany. The State Criminal Police Office of North Rhine-Westphalia has warned that cybercriminals are exploiting Microsoft 365, especially email and document management, as an initial attack vector.

According to the statement, the perpetrators are taking over email accounts and using them to send malicious emails with dangerous attachments and links. The attacks therefore pose a risk to all connected companies, customers, and communication partners.

“The emails appear legitimate, as they contain no language errors, but often include real past conversations. As soon as a recipient clicks on the links, the IT system can be immediately attacked, leading to data loss or theft of data, as well as further attacks such as phishing attacks,” the police said.

The cybercriminals were observed specifically searching the taken-over email accounts for information from the early days of the COVID crisis, particularly for VPN access data for non-public IT networks. This information allows the perpetrators to gain direct access to the companies' IT infrastructure. They can also access documents in the emails.

“Several companies have already been protected from further attacks such as encryption by ransomware and the associated extortion. Otherwise, such cyberattacks regularly cause damages in the millions,” the police said in the press release.

“If your company's IT is affected by such Office 365 attacks, or if employees have clicked on suspicious links or entered their login data, there is a high risk to your IT systems. This also applies if files have been downloaded from well-known platforms or large cloud services providers.”

The police also warn that cybercriminals constantly update their dangerous attachments, so existing virus scanners may not always be able to detect them.

The press release does not include any particular techniques or procedures that the hackers use or any detailed mitigations.

Microsoft recently updated a guide on how to respond to compromised email accounts.

“Even after the user regains access to their account, the attacker may have left backdoor entries that allow the attacker to continue control of the account,” Microsoft warns. It recommends resetting the user’s password and enabling multi-factor authentication, among other measures.

Microsoft rebranded its Office suite to Microsoft 365 in late 2022.