Microsoft is warning that hackers possibly linked to Iran have been trying to break into numerous Office 365 accounts through password-guessing attacks.
The hackers have been targeting US, EU, and Israeli defense companies that produce “military-grade radars, drone technology, satellite systems and emergency response communication systems,” the company wrote in a blog post on Monday.
According to Microsoft, the hacking group has been using these “password-spraying” attacks on 250 Office 365 “tenants.” These tenants encompass an entire organization’s resources, including employee user accounts, under a Microsoft cloud service.
“Less than 20 of the targeted tenants were successfully compromised,” Microsoft added.
The company has dubbed the hacking group DEV-0343. Other targets have included Persian Gulf ports of entry and global maritime transportation companies in the Middle East.
“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans,” the company said. “Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”
As a result, the company is urging its customers to be on guard. The password-spraying attacks work by learning a user’s email address and then trying numerous passwords over several hours or days to try to break in.
In the case of DEV-0343, the group has been emulating a Firefox browser while connecting from IP addresses hosted on the Tor network, which is designed to help anonymize the attacker’s origins.
“They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times,” Microsoft says. “On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.”
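As an added illustration of the sign-in pattern Microsoft describes (one emulated browser, many accounts, many Tor proxy IPs), the following Python snippet is not from the Microsoft post: it flags any user agent whose failed sign-ins touch many distinct accounts from many distinct source IPs within an hour. The log records, field names and thresholds are constructed assumptions.

```python
# Added example (not from the Microsoft post): spot a password-spray
# pattern in sign-in logs. Records, field names and thresholds below are
# constructed for illustration; tune them to your own environment.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 40 failed sign-ins, one "browser" fingerprint across
# 40 accounts and 40 source IPs, plus ordinary noise from a single user.
SAMPLE_LOGS = [
    {"ts": f"2021-10-11T09:{i:02d}:00", "user": f"user{i:02d}@example.com",
     "ip": f"203.0.113.{i}", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0", "ok": False}
    for i in range(1, 41)
] + [
    {"ts": "2021-10-11T09:05:00", "user": "alice@example.com",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/94.0", "ok": False},
    {"ts": "2021-10-11T09:06:00", "user": "alice@example.com",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/94.0", "ok": True},
]

def detect_spray(logs, window=timedelta(hours=1), min_accounts=20, min_ips=20):
    """Return {user_agent: {"accounts": n, "ips": m}} for every user agent
    whose failed sign-ins, in some sliding `window`, hit at least
    `min_accounts` distinct accounts from at least `min_ips` source IPs.
    One client fingerprint + many accounts + many IPs is the spray
    signature described in the article (the thresholds are assumptions)."""
    failures = sorted(((datetime.fromisoformat(r["ts"]), r) for r in logs if not r["ok"]),
                      key=lambda e: e[0])
    by_ua = defaultdict(list)
    for ts, r in failures:
        by_ua[r["ua"]].append((ts, r["user"].lower(), r["ip"]))
    flagged = {}
    for ua, events in by_ua.items():
        start, best = 0, None
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u, _ in events[start:end + 1]}
            ips = {ip for _, _, ip in events[start:end + 1]}
            if len(users) >= min_accounts and len(ips) >= min_ips:
                if best is None or len(users) > best["accounts"]:
                    best = {"accounts": len(users), "ips": len(ips)}
        if best:
            flagged[ua] = best
    return flagged
```

Successful sign-ins are ignored on purpose: a spray that lands a valid password still shows up in the preceding failures, and the matching success from the same user agent is the event to investigate next.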
To stop the attacks, Microsoft is encouraging its clients to enable multi-factor authentication on their accounts. This requires anyone logging on to both type in the correct password and provide another mode of authentication, usually a one-time passcode generated on the account owner’s smartphone.