NCSC Incident trends report for 2018/19.

This summary is a 10 minute read to highlight the five main trends NCSC state are affecting UK organisations.  

1. Office365

2. Ransomware

3. Phishing

4. Vulnerability scanning

5. Supply chain attacks


Office 365 

The use of tools and scripts to try and guess users’ passwords has almost become the daily norm for Office 365 deployments. The most common attacks are Password Spraying and Credential Stuffing. 


The most common attack affecting Office 365 is password spraying, which attempts a small number of commonly used passwords against multiple accounts over a long period of time.  This method can target a large number of accounts in one organisation without raising any security suspicion.


On a smaller scale, credential stuffing takes pairs of usernames and passwords from leaked data sets and tries them against other services, such as Office 365.  This is difficult to detect in logs as an attacker gaining success from a single attempt to log, this can look like normal behaviour.


The attacker’s goals are commonly:

  • accessing data and inboxes for the purposes of intellectual property theft or espionage. 
  • using one inbox to add credibility to onward attacks
  • traditional network access by re-using the Office 365 credentials against other services.

Any attack will have a significantly higher impact if the compromised account holds administrator status.


How to keep my online accounts secure and create strong passwords



Since the WannaCry and NotPetya attacks of 2017, ransomware attacks against enterprise networks have continued to rise in number and sophistication. All sectors of industry, academia and government are regular targets.  The increase in sophistication can sometimes include an apparently lower impact pathfinder attack; this is a sort of recce to determine how to deliver the most impact.  Cybercrime botnets such as Emotet, Dridex and Trickbot are commonly used as an initial infection vector, prior to retrieving and installing the ransomware.  

Ransomware such as Ryuk, LockerGoga, Bitpaymer and Dharma have been prevalent in recent months.  Cases observed by the NCSC often tend to have resulted from a trojanised document, sent via email. The malware will exploit publicly known vulnerabilities and macros in Microsoft Office documents.


Our first line of defence is you.  Take heed of security measures on your accounts and the phishing risk outlined below.  If you suspect that any compromise has happened, report to OxCERT.



Phishing has been the most prevalent attack delivery method seen over the last few years, and particularly in recent months.  

  • Legitimate-looking login pages, which prompt for sign on credentials are common attacks.  These can be dynamically generated, and personalised, pulling the real imagery and artwork from the victim’s Office 365 portal.
  • Emails from real, but compromised, accounts - can exploit an existing email thread or relationship to add a layer of authenticity to a spear phish.


Again, the best line of defence is you, the user.  Please report any suspicions you have a phishing effort.


Vulnerability scanning 

Vulnerability scanning is a common reconnaissance method used to search for open network ports, identify unpatched, legacy or otherwise vulnerable software and to identify misconfigurations, all of which could have an effect on security.  Once an attacker has a foothold on the edge of your infrastructure, they will then attempt to run more network scans and re-use stolen credentials to pivot through to the core network. 


Port scans and vulnerability scans are normal for any system connected to the Internet. You should ensure that all internet-facing servers that an attacker might be able to find are hardened, and the software running on them is fully patched. 


Supply chain or trusted relationships

Threats introduced to enterprise networks via other service providers continue to be a major problem.  In recent months there have been several examples of attackers exploiting the connections of service providers to gain access to enterprise networks.


Ensure that INFOSEC are involved at the earliest stages of a project that involves a third party service provider.  The Project Security Assessment can be augmented by Third Party Security Assessments as required.  In this way, we can build in the principle of secure by design.