In our previous blog, “Microsoft 365: Safeguard Your Data from Unwanted Access,” we highlighted essential best practices to safeguard your Microsoft 365 accounts from data breaches or unauthorized access. Defenses included multi-factor authentication, encryption, user rights management, data loss protection and conditional access. In this blog, we continue our series with additional safeguards that will improve your Microsoft 365 suite security.
Increase in Attacks on Microsoft 365
Attacks on Microsoft 365 accounts are on the rise. Two examples include:
- Spear Phishing Campaign – Using brand impersonation and phishing tactics, an attacker identified certain individuals within a financial services organization and carefully crafted custom content to send to them by email. As might be expected, one user did not notice that the sender address was wrong and clicked a link to view a document. The link led to a fake Office 365 landing page that asked for credentials to access the document. While nothing unusual happened that day, the attacker now had a set of credentials for an individual responsible for vendor billing. Using these credentials, they were able to remotely access the user’s mailbox and identify key contacts for a future attack.
Within the mailbox, the attacker set up a forwarding rule to an external address so they could monitor any reply activity, and a second rule so that those replies would not appear in the compromised user’s inbox. Hiding these replies and forwarding the user’s emails without their knowledge, the attacker instructed key vendors to send all new wire payments to a new remittance address: a fraudulent account operated by the attacker and presented on company letterhead. Since the email came from a trusted source, the vendors never verified that this change was approved. Over the next 30 days, as bills came due, the vendors wired money to the attacker’s account, and the attacker promptly withdrew the money so it could not be recovered by the bank. The breach was identified only once payments were marked as late.
- Password Spraying Attack – An attacker performed reconnaissance on a manufacturing company’s Microsoft 365 environment, using public sources such as the company website, LinkedIn and other methods to verify the email address format and build a list of addresses to target. They ran a password spraying attack against the harvested list of usernames to identify multiple accounts with weak passwords and accessed those mailboxes. Since they had already performed reconnaissance on the environment, they knew where those credentials could be leveraged to further the attack. They logged into several additional mailboxes from an international location and started extracting data. They were also able to log into the company’s on-premises virtual private network, since it had no form of multi-factor authentication. Ultimately, they gained access to the internal network and extended the attack to the server and workstation infrastructure, resulting in a ransomware event.
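The mailbox-rule pattern in the first case is cheap to audit from the defender's side. As an added example, not part of the original post, this PowerShell function flags inbox rules that forward or redirect mail outside the organization's accepted domains or silently delete messages; it assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and the sample rule and addresses are constructed.

```powershell
# Added example, not part of the original post: audit Exchange Online inbox rules for the
# pattern described above (mail forwarded or redirected outside the organization, replies
# silently deleted). Assumes the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session; sample addresses below are constructed.
function Test-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory)] $Rule,                      # object returned by Get-InboxRule
        [Parameter(Mandatory)] [string[]] $AcceptedDomains  # from Get-AcceptedDomain
    )
    # Get-InboxRule renders recipients as '"Name" [SMTP:user@domain]'; extract the address.
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ } |
        ForEach-Object { if ("$_" -match 'SMTP:([^\]]+)') { $Matches[1] } else { "$_" } }
    $external = $targets | Where-Object { $AcceptedDomains -notcontains ($_ -split '@')[-1] }

    $reasons = @()
    if ($external)           { $reasons += "forwards outside org: $($external -join ', ')" }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages (can hide vendor replies)' }
    if ($reasons.Count -eq 0) { return $null }          # benign rule
    [pscustomobject]@{
        Mailbox = $Rule.MailboxOwnerId
        Rule    = $Rule.Name
        Enabled = $Rule.Enabled
        Reasons = $reasons -join '; '
    }
}

# Constructed sample matching the case above, so the check runs without a tenant.
$sample = [pscustomobject]@{
    MailboxOwnerId = 'ap.clerk@contoso.example'; Name = 'Vendor replies'; Enabled = $true
    ForwardTo      = @('"Monitor" [SMTP:drop@attacker.example]')
    ForwardAsAttachmentTo = @(); RedirectTo = @(); DeleteMessage = $true
}
Test-SuspiciousInboxRule -Rule $sample -AcceptedDomains @('contoso.example')

# Live scan: every inbox rule in every mailbox, only the suspicious ones reported.
$domains = (Get-AcceptedDomain).DomainName
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName | ForEach-Object {
        Test-SuspiciousInboxRule -Rule $_ -AcceptedDomains $domains
    }
} | Where-Object { $_ } | Format-Table -AutoSize
```

Run the live scan on a schedule and alert on any new finding; a rule that both forwards externally and deletes is the exact combination used in the case above.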
Preventive Measures to Protect Your Microsoft 365 Environment
Data breaches and unauthorized access to Microsoft 365 environments can be prevented. Here are some additional best practices to safeguard your data and stay ahead on multiple fronts.
Strong Password Policies
Avoid simple, easily guessable passwords or phrases, and repeating patterns. Enforce a minimum password length of 8 characters (12 or more is preferred). Use passphrases (a collection of short words or phrases) instead of a single, complex password. Hard-to-crack, lengthy passphrases allow password expiration dates to be extended to 180 days.
Multi-factor authentication (MFA) is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA comes with certain Microsoft 365 subscription levels. This is one feature you do not want to overlook. MFA is a trusted countermeasure to safeguard your data from unauthorized intrusion. Your account is 99.9% less likely to be compromised if you use MFA!
Conditional Access ensures that Office 365 corporate email and documents can be accessed only on phones and tablets that are managed by your company and are compliant. For best results, apply the following practices:
- Geographic Blocking – This allows logins only from countries or regions in which you conduct business. For example, if your employees log in only from within the US, logins from outside the country can be blocked. Access for users who are travelling abroad can be evaluated and allowed by your security team on an as-needed basis.
- Legacy Protocol Blocking – Today, the majority of compromising sign-in attempts come from legacy authentication. Legacy authentication does not support multi-factor authentication (MFA). Even if you have an MFA policy enabled on your directory, a bad actor can authenticate using a legacy protocol and bypass MFA. The best way to protect your account from malicious authentication requests made by legacy protocols is to block these attempts altogether. We recommend blocking authentication requests that use these outdated protocols and requiring modern authentication, which supports multi-factor authentication, SAML-based third-party identity providers with Office client applications, and smart card and certificate-based authentication.
- Risk-based Conditional Access – This makes it easier for you to assign multiple conditions (at the location, application, device, and risk levels) to all users or to multiple security groups. You can also specifically exclude groups from being affected by conditional access policies. Two examples are sign-in risk-based and user risk-based conditional access. Sign-in risk-based policies detect abnormal user behavior. When behavior falls outside the norm, you can block access or require the user to perform multi-factor authentication to prove they are really who they say they are. User risk-based policies detect leaked username and password pairs. Like sign-in risk-based policies, they can be set to block access or require an MFA response.
- Mobile Device Management – Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications and require specific device settings or security policies. Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access in the M365 cloud. It also integrates with Azure Information Protection for data protection.
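The geographic and legacy-protocol controls above translate directly into Conditional Access policies. As an added example, not part of the original post, this PowerShell uses the Microsoft Graph PowerShell SDK to create both; it assumes the `Policy.ReadWrite.ConditionalAccess` scope is granted, and `$breakGlass` is a placeholder for your emergency-access account's object id.

```powershell
# Added example, not part of the original post: Conditional Access policies for the
# geographic and legacy-protocol controls above, via the Microsoft Graph PowerShell SDK.
# Assumes the scope below is granted; $breakGlass is a placeholder for the object id of
# your emergency-access account, which should be excluded from every blocking policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before use

# 1. Geographic blocking: a named location listing the countries you do business in.
#    Unknown regions are not added to the allowed set, so unresolvable IPs are blocked too.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed business countries'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}
$geoPolicy = @{
    displayName   = 'Block sign-ins outside business countries'
    state         = 'enabledForReportingButNotEnforced'   # review sign-in logs, then 'enabled'
    conditions    = @{
        applications = @{ includeApplications = @('All') }
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoPolicy

# 2. Legacy protocol blocking: these client types cannot satisfy MFA, so block them
#    outright. Modern authentication clients ('browser', 'mobileAppsAndDesktopClients')
#    are untouched and still go through your MFA policy.
$legacyPolicy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy
```

Both policies start in report-only mode so the sign-in logs show what would have been blocked; switch `state` to `enabled` once the travelling-user and legacy-client exceptions have been handled.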
Message encryption reduces the risk of unintended disclosure by encrypting email messages sent both inside and outside your organization. Only the intended recipients can access the encrypted data. Rights management software includes encryption, identity, and authorization policies to help secure your email. It automatically protects and encrypts emails through Microsoft Information Protection (MIP) and Data Loss Prevention (DLP).
Data Loss Prevention
To prevent accidental sharing of information, Data Loss Prevention (DLP) provides a set of tools and processes used to ensure that sensitive data is not lost, misused or accessed by unauthorized users. It allows you to identify sensitive information across Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. You can monitor, detect and block leaks of sensitive data while it is in use (endpoint actions), in motion (network traffic) and at rest (data storage).
Advanced Email Threat Protection
Advanced Email Threat Protection (ATP) helps protect your organization against unknown malware and viruses by providing robust zero-day attack protection. It includes features to safeguard your organization from harmful links in real time.
- Prevention – A robust filtering stack prevents a wide variety of volume-based and targeted attacks including business email compromise, credential phishing, ransomware and advanced malware.
- Detection – Industry-leading AI detects malicious and suspicious content and correlates attack patterns to identify campaigns designed to evade protection.
- Investigation and Hunting – Powerful experiences help identify, prioritize and investigate threats, with advanced hunting capabilities to track attacks across Office 365.