Written by Jed Kafetz, Redscan Senior Security Consultant
In the space of just a few weeks, the coronavirus pandemic has forced many businesses to completely reassess their approach to remote working and, in many cases, the technology and solutions they use to support it.
One key impact has been a huge spike in the use of SaaS tools to help manage business operations and enable employees to continue to work collaboratively. However, in a rush to deploy new SaaS solutions, many organisations have failed to adequately consider the security risks.
Perhaps unsurprisingly, ease and speed of deployment have been more immediate concerns. While it is Zoom, the videoconferencing platform, that has attracted a multitude of headlines for its security record in recent weeks, there is a danger that this has shifted focus away from other SaaS platforms that organisations have become equally, if not more, reliant on.
One such platform is Microsoft 365, known until recently as Office 365. Consider the functionality of both Zoom and Microsoft 365 and the volume of data stored in each. In a business setting, Zoom is a single application used intermittently for the purpose of communicating with customers and colleagues.
On the other hand, Microsoft 365 encompasses a vast array of products that are used continuously every day. The attack surface of the latter is much greater, and so are the potential returns for cybercriminals.
365 ways to suffer a data breach
Given its huge userbase of over 180 million active commercial users globally, Microsoft 365 is an attractive target – arguably more so now than ever. As organisations flock to migrate to the platform, many are doing so without an awareness of how to properly secure it, and in many cases are opting to use aversion software (such as a trial) which lacks security features.
During the COVID-19 pandemic, cybercriminals have wasted no time in ramping up attacks that target Microsoft 365, particularly those without controls to secure it.
There are currently thousands of sophisticated, ready-to-use phishing kits available to buy on the dark web which enable individuals, even those with limited technical skills, to craft convincing emails designed to trick users into disclosing passwords and installing malware.
Many of the latest phishing scams disseminate COVID-19 related health advice and bogus information about government financial aid packages. A high proportion also use Office 365 as a hook, aiming to trick users with false security alerts, meeting invitations and files shares.
Remote workers are increasingly vulnerable to receiving and falling victim to these scams since many security controls that organisations rely upon to defend against them are less effective outside of the office environment. There has been a large increase in workers using their own devices to access corporate networks.
How to enhance Microsoft 365 Security
Organisations that have recently migrated to Microsoft 365, as well as those that have been using it for a while, are advised to review their use of the platform and the way it configured. Key ways to quickly harden Microsoft 365 security include:
-Measure its Secure Score
A good starting point to understand the robustness of a Microsoft 365 environment is to run Secure Score from within the platform’s security centre. Secure Score is an automated analytics tool that can be used to report on the current state of an organisation’s secure posture, identify areas for improvement, and benchmark results. The maximum Secure Score is 707. However, in 2019 the average was just 37 – demonstrating just how bad the situation is for many organisations.
-Turn on MFA
Multi-Factor Authentication (MFA) is a key control that all organisations should enforce across all Microsoft 365 accounts. MFA provides an additional layer of protection by requiring users to enter a one-time verification code, sent via text message or generated by Microsoft’s Authenticator application.
The system means that even if an attacker is able to steal an employee’s password, access to the employee’s account will be prohibited unless a verification code is entered. MFA is a key control to enhance the security of Microsoft 365 but according to the company just 11% of enterprise accounts have this enabled.
-Review email rules
Business Email Compromise (BEC) attacks are sophisticated phishing scams that aim to trick employees into wiring payments for goods or services into bank accounts affiliated with fraudsters. To better target their victims, once they have access to a user’s Microsoft 365 account, attackers will often create email rules to forward incoming and outgoing email messages to a third-party email address.
This is in order to conduct reconnaissance and obtain information to send fraudulent requests to the victims’ colleagues, such as an urgent request to pay a current, legitimate invoice to an alternative back account.
Since there is likely to be an increase in the number of email communications sent during this period of mass remote working, employees should be particularly vigilant of all requests received via email.
In May, it was announced that Microsoft is to disable email forwarding to external recipients by default. However, this feature is not expected to be rolled out until the end of the year, and it is recommended that Office 365 administrators enforce this manually via the Exchange Admin Centre.
-Disable third party plug-ins
To mitigate the risk of attackers obtaining access to data stored in Microsoft 365, organisations are also advised to disable the use of third-party plug-ins. These can introduce vulnerabilities and provide an opportunity for attackers to access to an employee’s account. Any applications included as part of Microsoft 365 that are not in use should also be disabled.
Human error continues to be one of the most common causes of data breaches and it’s for this reason that employee cyber awareness training should be a key part of every organisation’s efforts to minimise cyber security risk. Training is particularly important at this time, as employees may be less aware of the increased security risks associated with remote working.
A good cyber security awareness program should be refreshed regularly and cover areas such as data protection, device and password management and social engineering tactics. Employees should also be encouraged to formally report scams and suspicious activity.
-Enhancing threat visibility
With increased remote working likely to become a longer-term trend in the future, securing Microsoft 365 against emerging threats should also be a serious consideration. Hackers will only continue to develop new techniques to circumvent Microsoft’s in-built controls, meaning a prevention only strategy is unlikely to be effective.
Microsoft 365 monitoring is recommended to help identify threats that are able to slip through net. As a minimum, organisations should activate full audit logging within Microsoft 365 to help identify unusual activity, such as employees attempting to log in from unknown locations or at unusual times.
Microsoft stores log data for 30 days but, ideally, security logs should be captured, analysed and retained over a longer period. Cybercriminals are now more patient and clandestine than ever, often initiating attacks over many months as not to arouse suspicion. This means it’s important to identify events and analyse trends over an extended duration.
To help enhance and automate threat detection, specialist SIEM and EDR tools should be a consideration. A Managed Detection and Response service that supplies not only these technologies but also the security professionals to deploy, optimise and monitor them 24/7 could also be a good option for organisations that have a small security teams and need to quickly level-up capabilities.
Regular vulnerability assessments to help stay on top of insecure configurations and access controls are also recommended, supplemented by penetration testing to help identify exposures that automated tools are unable to identify. Penetration testing can also be used to validate detection and response processes, including blind spots in threat coverage and visibility.
Given the need to support remote working, it’s unsurprising that more organisations than ever are turning to Microsoft 365 to support business operations at this critical time. However, to avoid becoming a soft target, it’s important that they don’t forget about the security impact of doing so. When headlines are focused elsewhere, it can be easy to lose sight of other priorities.
The last thing organisations need in the current climate is to suffer a damaging data breach that could be difficult and expensive to recover from. It is therefore imperative that use of Microsoft 365 is regularly assessed in line with business transformation and changes to the wider threat landscape. This will remain important even as workers return to the office post covid-19 lockdown, when dormant attackers may seize their moment to strike.