On October 11, 2021, Microsoft reported that a new group of hackers has been identified targeting Office 365 tenants and customers. Over 250 tenants and about 20 user accounts have been compromised as of now.
The attacks appear to be continuing, with more accounts compromised each day. The targets are mainly US-based entities and Israeli defense companies, among other companies in the Middle East.
The group has been using password spraying, a technique in which attackers try the same password over and over again, changing only the username each time. The investigation of this attack has been named DEV-0343.
The attacks have usually come from Tor IP addresses and imitate Firefox browser user agents. Before the attacks hit, however, the group first enumerates the active employee accounts of an organization and then starts spraying passwords. Enumeration of accounts is done through Autodiscover and Autosync, which are servers offered by Exchange.
Thousands of Tor IP addresses can be used in just one attack. While Microsoft is still investigating the group, the attacks are still taking place and have not slowed down yet. Such frequent attacks might slow down Microsoft’s promise to go passwordless in the future.
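The pattern described above (one failed attempt per account, a new source IP for each attempt, a Firefox user agent) defeats per-IP lockout thresholds, so detection has to count distinct accounts instead. The following is an added example, not code from Microsoft or from the original article; the record layout, thresholds, user-agent strings and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed user-agent strings for the sample data (assumptions).
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/94.0.4606.81 Safari/537.36"

def sample_events():
    """Constructed sign-in records: (time, user, source_ip, user_agent, success)."""
    t0 = datetime(2021, 10, 11, 9, 0, tzinfo=timezone.utc)
    # Spray: 12 accounts, one failed attempt each, a new source IP every time.
    events = [(t0 + timedelta(seconds=20 * i), f"user{i}@example.com",
               f"198.51.100.{i + 1}", FIREFOX_UA, False) for i in range(12)]
    # Background noise: one user mistypes a password three times, then signs in.
    events += [(t0 + timedelta(seconds=30 * i), "alice@example.com",
                "203.0.113.7", CHROME_UA, i == 3) for i in range(4)]
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=10, max_per_account=2):
    """Flag windows where many accounts each fail only a few times.

    Failures are grouped by time window and browser family, not by source IP,
    because the source address changes on every attempt.
    """
    buckets = defaultdict(list)
    for ts, user, ip, ua, ok in events:
        if ok:
            continue
        family = "firefox" if "Firefox/" in ua else "other"
        slot = int(ts.timestamp() // window.total_seconds())  # fixed windows for brevity
        buckets[(slot, family)].append((user, ip))
    findings = []
    for (slot, family), rows in sorted(buckets.items()):
        per_user = Counter(user for user, _ in rows)
        per_ip = Counter(ip for _, ip in rows)
        # Many accounts, few tries per account: a spray, not a single-account brute force.
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings.append({
                "window_start": datetime.fromtimestamp(slot * window.total_seconds(), timezone.utc),
                "ua_family": family,
                "accounts": len(per_user),
                "distinct_ips": len(per_ip),
                "max_failures_from_one_ip": max(per_ip.values()),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_spray(sample_events()):
        print(finding)
```

In the sample data no single IP produces more than one failure, so a per-IP threshold never fires, while the distinct-account count flags the window.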