Easy Target

Office 365 is the most popular line of digital services for businesses for a reason, but when it comes to cyber attacks, its prevalence could be its greatest weakness.

If it seems like every week there’s a new headline about a large-scale hacking incident, it’s not a case of rampant fake news. According to the 2018 Symantec Internet Security Threat Report, 7,710 organizations are hit by a business email compromise scam every month, and 71.4% of targeted attacks involve the use of spear-phishing emails.

Phishing attacks are among the most common methods that malicious actors use to infiltrate systems and pilfer usernames, passwords, and personal information from unwitting victims. These attacks can take the form of email spoofing, texts, or even phone calls in which the attacker is disguised as a trustworthy person.

Office 365 (O365), a suite of subscription services by Microsoft Office, has reached the status of ubiquity—in April 2019, it counted 180 million monthly active users. The subscription model puts all of Microsoft Office’s programs online and accessible through a cloud, dramatically increasing its convenience for users.

Due in part to O365’s massive popularity, the subscription service has become a target for phishing attacks. Often targeting users who deal with a company’s finances through O365, these fraudulent actors gain access to systems, set up rules to forward emails to external addresses, comb through interactions to glean information, and phish coworkers with a goal of obtaining financial data, such as bank routing information.

Phishing attacks often try to trick the user into providing their credentials through a fake website that the attacker sets up by mirroring a valid site with which the user is familiar. Phishing can also be used to install malware on the system.

But what makes O365 such a plump sitting duck?

Convenience at a Cost

Some of the perks that make O365 such a convenience for users are the same features that are a boon for hackers or malicious actors.

Because O365 is accessible through a browser and does not require a download of specific software, accounts are accessible anywhere with an Internet connection. Of course, that also means that a hacker could have that same access to Outlook, Word, Excel, and PowerPoint from anywhere as well.

While the requirement to enter a password with each use might add a layer of peace of mind for the user, passwords are generally the weakest point in most organizations’ security posture. When conceiving of a password, which typically has to be changed with some frequency, a user is likely to pick something simple, short, and easy to remember, increasing the likelihood of a successful brute-force attack.

Further, if an organization’s accounts are misconfigured, normal users could end up with administrative rights, and if such an account is compromised, the hacker would have access to each and every associated account. The hacker could then set forwarding rules to send all emails to themselves, as well as send and receive emails from anyone.

Unless users conduct their own physical backups, they have no control over their data—Microsoft has it all. Logs are also stored in the cloud, so extra features such as network logging are not available.

Light in the Tunnel

But it’s not all doom and gloom. O365 is guaranteed to be online, since Microsoft has the resources to keep multiple redundancies and failover procedures in place (something we should all have, but alas). Further, O365 is less expensive (and less of a headache) for users than hosting each Office product individually—making the switch from piecemeal software to cloud services is a no-brainer for any money-conscious organization.

So while the cloud may be a wise option from a business perspective, the risks must still be considered and remediated to the greatest degree possible. As we see a new high-profile hack grabbing headlines each week, it’s becoming clear that attacks are an inevitability, and organizations should be prepared for if and when they become the unlucky target.

Tips to Keep O365 Safer

  1. Support strong passwords. By default, passwords in O365 are set to never expire. Brute-forcing attacks often take time, so if passwords are updated regularly, i.e., every 30 days, the efforts of attackers will be constantly thwarted. Passwords should never be reused and multi-factor authentication (MFA) should be implemented.
  2. Perform periodic analysis of O365 audit logs. It often takes months for attackers to infiltrate a network, and users can filter and search through audit logs for possible indicators of compromise (IoCs), noting when usage patterns become abnormal. This can also be automated. Logs should be retained for at least six (6) months.
  3. Employ a third-party security operations center (SOC) to monitor systems and O365 on your behalf.
  4. Enable mailbox auditing. By default, the ability to search individual mailbox events is disabled, which minimizes the user activities visible in the audit log search. By enabling mailbox auditing, the size of the audit log will increase with more robust information.
  5. Institute a virtual private network (VPN) with MFA to allow the company to lock its O365 to a single IP address. This allows users to work from the unsecured Wi-Fi at Starbucks with reduced risk.

Author: TrustedSec

TrustedSec is a highly specialized information security company made up of some of the industry’s most respected individuals. We work with our business partners to increase their security posture, helping to reduce risk and impact in an ever-changing cyber landscape.