
Cybersecurity Insights

Office 365 Shell WCSS Attack

Posted in Blog, MS 365

We just worked with a client whose tenant had been compromised via the Office 365 Shell WCSS attack. I feel it is important for organizations to stay up to date on emerging attack techniques, so in this blog post I want to explain my perspective on the Office 365 Shell WCSS attack: how it works, how it shows up, and a few steps organizations can take to protect themselves.

What is the Office 365 Shell WCSS Attack?

The name comes from "Office 365 Shell WCSS-Client", the Microsoft first-party application under which a user's browser session to the Office 365 portal (office.com) is recorded in the Microsoft Entra ID (Azure AD) sign-in logs. That is usually where the attack is first noticed: sign-ins under this application from an unfamiliar IP address or country for a user who has MFA enabled. The attackers are not exploiting a flaw in that application or in the Exchange Online PowerShell interface. They have obtained a valid session for the user, commonly by phishing the password together with the session cookie, and then act inside the tenant with the user's own permissions. A replayed session already carries the MFA claim, which is why MFA alone does not stop it, and why the defenses below concentrate on the lifetime of sessions and tokens, on least privilege, and on monitoring what the account does afterwards.

How Does the Attack Work?

The Office 365 Shell WCSS attack typically begins with the attacker obtaining a working session for a legitimate user account: through phishing (including proxy-style phishing pages that capture the session cookie after the user completes MFA), credential theft, malware on the user's device, or other means. Once inside, the attacker uses the same interfaces the user would, the Office web shell, Outlook on the web and, where the account is permitted to connect, Exchange Online PowerShell, to read and search mail, change mailbox settings, and extract data from mailboxes, contacts, and files in SharePoint and OneDrive.

One key tactic after initial access is tampering with Exchange Online mailbox and tenant settings to keep access and collect mail quietly: inbox rules that forward or delete messages matching keywords such as "invoice" or "password", mailbox-level forwarding to an external address, FullAccess delegation on the victim's mailbox, mail flow (transport) rules, and in some cases registering an additional MFA method on the account. None of this requires a vulnerability; each step is an ordinary administrative action performed with the compromised user's permissions, which is exactly why audit logging of those actions matters so much for detecting the attack.
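As an added example (not code from the original post), the following Python script shows the sign-in-log check described above: it reads Entra ID sign-in records, keeps the successful ones recorded under "Office 365 Shell WCSS-Client", and flags users who sign in from a country outside an approved list or who appear in two countries within a short window, which is what a replayed session cookie typically looks like next to the victim's own activity. The field names (createdDateTime, userPrincipalName, appDisplayName, ipAddress, location.countryOrRegion, status.errorCode) match the Microsoft Graph signIn resource; the sample records, the user names and the assumption that the tenant only operates from the US are constructed for the example.

```python
"""Flag suspicious sign-ins recorded under the 'Office 365 Shell WCSS-Client' app.

Added example that runs offline over constructed sign-in records shaped like an
Entra ID sign-in log export (one JSON object per line).
"""
import json
from datetime import datetime, timedelta

WCSS_APP = "Office 365 Shell WCSS-Client"
APPROVED_COUNTRIES = {"US"}          # assumption: the tenant only operates from the US
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is not plausible travel

# Constructed sample records, not real log data. alice is the compromised user:
# a normal US sign-in is followed 38 minutes later by one from another country.
# carol's foreign sign-in failed (errorCode 50126 = bad password) and is ignored.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-03-04T13:02:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Shell WCSS-Client","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T13:40:57Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Shell WCSS-Client","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T14:05:00Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Shell WCSS-Client","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T14:10:00Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Office 365 Shell WCSS-Client","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-03-04T14:12:00Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.30","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records into flat dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        r = json.loads(line)
        records.append({
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "country": r["location"]["countryOrRegion"],
            "success": r["status"]["errorCode"] == 0,
        })
    return records


def find_suspicious(records, approved=APPROVED_COUNTRIES, window=TRAVEL_WINDOW, app=WCSS_APP):
    """Return {user: [reasons]} for successful sign-ins under `app` that either
    originate outside the approved countries or follow a sign-in from a
    different country within `window`. Failed sign-ins and other apps are skipped."""
    by_user = {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["app"] != app or not r["success"]:
            continue
        by_user.setdefault(r["user"], []).append(r)

    findings = {}
    for user, events in by_user.items():
        reasons = []
        for i, ev in enumerate(events):
            if ev["country"] not in approved:
                reasons.append(f"{ev['time']:%H:%M} sign-in from unapproved country "
                               f"{ev['country']} ({ev['ip']})")
            # Compare with every earlier successful sign-in of the same user.
            for prev in events[:i]:
                if prev["country"] != ev["country"] and ev["time"] - prev["time"] <= window:
                    reasons.append(f"{ev['time']:%H:%M} {prev['country']} -> {ev['country']} "
                                   f"within {window}")
                    break
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(parse_signins(SAMPLE_SIGNINS)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On a real tenant the input would come from the sign-in log export in the Entra admin center or from the Graph `auditLogs/signIns` endpoint; the approved-country set and the window are the two knobs to tune, and a user with a legitimate VPN exit in another country is the usual false positive.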

Protecting Against the Office 365 Shell WCSS Attack

To mitigate the risk of falling victim to the Office 365 Shell WCSS attack, organizations should implement a multi-layered approach to cybersecurity that includes some of the following measures:

  1. Train users to NEVER click on a link or open a document unless they were expecting it from a trusted party.
  2. Configure Microsoft 365 to expire user session tokens frequently by setting a low idle session timeout.
  3. Turn off the optional "keep me signed in" prompt for Microsoft 365 users (this is done in the tenant's company branding configuration).
  4. Set sign-in frequency controls using Conditional Access (if the tenant is licensed for it).
  5. Ensure that admin accounts are never left logged in unattended.
  6. Audit guest accounts regularly and remove old and unused accounts.
  7. Keep web browsers (Chrome, Edge, Firefox, etc.) up to date.
  8. Ensure that locally installed Office 365 applications are updated regularly.

To help mitigate the consequences of a successful WCSS shell attack:

  1. Limit user permissions to the lowest roles required.
  2. Monitor and restrict access to sensitive data and resources to only those accounts that require it as part of their job function.
  3. Review and update security policies, including email filtering and data retention policies.
  4. Monitor user account activity for new email forwarding and inbox rules, excessive document downloads or deletions, and excessive file sharing.
  5. Using SaaS Alerts Respond, establish rules that expire tokens and block sign-in when suspicious account behavior is detected, especially activity from outside approved geolocations.
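As an added example (not the original post's code and not the SaaS Alerts product), here is the monitoring-and-respond logic from items 4 and 5 in Python: it scans Exchange records from the Microsoft 365 unified audit log for the mailbox changes this attack relies on (inbox rules that forward or delete mail, mailbox-level forwarding, FullAccess delegation), scores them, and for any user with a high-severity finding builds the Microsoft Graph call that invalidates all of that user's refresh tokens and browser sessions (POST /users/{id}/revokeSignInSessions). The record fields (CreationTime, UserId, Operation, ClientIP, Parameters as a list of Name/Value pairs) follow the AuditData JSON that Search-UnifiedAuditLog returns for Exchange admin operations; the sample records, the user names and the tenant domain are constructed. The request is built but deliberately not sent, so the script runs offline.

```python
"""Detect mailbox persistence in unified audit log records and build the
session-revocation response. Added example; sample data is constructed."""
import json

TENANT_DOMAINS = {"contoso.example"}   # assumption: the tenant's accepted domains
GRAPH = "https://graph.microsoft.com/v1.0"
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed AuditData records (one per line). alice's mailbox was taken over:
# a rule named "." forwards and deletes finance mail, then mailbox forwarding is
# set. bob's rule is a normal newsletter filter. carol delegated her mailbox
# internally, which is worth a look but not an emergency.
SAMPLE_AUDIT = """\
{"CreationTime":"2024-03-04T13:45:02","UserId":"alice@contoso.example","Operation":"New-InboxRule","Workload":"Exchange","ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@mail.example"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"}]}
{"CreationTime":"2024-03-04T13:47:30","UserId":"alice@contoso.example","Operation":"Set-Mailbox","Workload":"Exchange","ClientIP":"198.51.100.77","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:attacker@mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-04T14:01:10","UserId":"bob@contoso.example","Operation":"New-InboxRule","Workload":"Exchange","ClientIP":"203.0.113.22","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"}]}
{"CreationTime":"2024-03-04T14:09:44","UserId":"carol@contoso.example","Operation":"Add-MailboxPermission","Workload":"Exchange","ClientIP":"203.0.113.30","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"User","Value":"dave@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}
"""


def params(record):
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):          # Set-Mailbox logs the value as smtp:user@domain
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS


def classify(record):
    """Return a list of (severity, reason) for one audit record."""
    op = record.get("Operation")
    p = params(record)
    hits = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        rule = p.get("Name", "?")
        for name in FORWARD_PARAMS:
            if name in p:
                ext = is_external(p[name])
                hits.append(("high" if ext else "medium",
                             f"inbox rule '{rule}' forwards to "
                             f"{'external' if ext else 'internal'} address {p[name]}"))
        if p.get("DeleteMessage", "False") == "True":
            hits.append(("high", f"inbox rule '{rule}' deletes matching messages"))
    elif op == "Set-Mailbox" and "ForwardingSmtpAddress" in p:
        ext = is_external(p["ForwardingSmtpAddress"])
        hits.append(("high" if ext else "medium",
                     f"mailbox forwarding set to {p['ForwardingSmtpAddress']}"))
    elif op == "Add-MailboxPermission" and "FullAccess" in str(p.get("AccessRights", "")):
        # AccessRights may be logged as a string or a list; str() covers both.
        hits.append(("medium", f"FullAccess granted to {p.get('User', '?')}"))
    return hits


def scan(text):
    """Return {user: [(severity, time, client_ip, reason), ...]} over JSON-lines input."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for sev, reason in classify(rec):
            findings.setdefault(rec["UserId"], []).append(
                (sev, rec["CreationTime"], rec.get("ClientIP"), reason))
    return findings


def response_actions(findings):
    """Build (without sending) the Graph request that revokes every refresh token
    and browser session of each user with a high-severity finding. Sending it
    needs a token with User.ReadWrite.All or Directory.ReadWrite.All."""
    return [{"method": "POST", "url": f"{GRAPH}/users/{user}/revokeSignInSessions"}
            for user, items in findings.items()
            if any(sev == "high" for sev, *_ in items)]


if __name__ == "__main__":
    results = scan(SAMPLE_AUDIT)
    for user, items in results.items():
        for sev, when, ip, reason in items:
            print(f"[{sev:6}] {when} {user} from {ip}: {reason}")
    for action in response_actions(results):
        print("would send:", action["method"], action["url"])
```

Revoking sessions is the first response step, not the last: the forwarding rule and the mailbox forwarding address shown in the findings also have to be removed (Remove-InboxRule, Set-Mailbox -ForwardingSmtpAddress $null), the password reset, and any MFA method the attacker registered removed, otherwise the next sign-in simply re-establishes the same access.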

Organizations can strengthen their defenses and protect their sensitive data from this kind of attack by implementing proactive security measures, watching the sign-in and audit logs where it shows up, and staying informed about emerging threats. Stay vigilant, stay informed, and stay secure.
