Finnish Govt. Releases Guide on Securing Microsoft Office 365


The National Cyber Security Centre Finland (NCSC-FI) which acts as Finland’s National Communications Security Authority published today a detailed guide on how to secure Microsoft Office 365 against data breaches and credential phishing.

NCSC-FI’s guide is focused on mitigating Microsoft Office 365 phishing which can lead to stolen credentials and to financial losses in the event of a successful Business Email Compromise (BEC) scam fraud that would use the stolen information.

To put the seriousness of BEC attacks into perspective, FBI’s Internet Crime Complaint Center (IC3) received victim complaints regarding 166,349 domestic and international incidents between June 2016 and July 2019, with a total exposed dollar loss of more than $26 billion according to a PSA issued on September 10.

The same day, the U.S. Department of Justice (DoJ) said in a press release that 281 individuals were arrested over a four-month period in the U.S. and around the world as part of Operation reWired, a worldwide coordinated effort to disrupt BEC schemes.

[Image: BEC scheme diagram. Caption: BEC fraud following a phishing attack]

Microsoft Office 365 protection measures

The first step to secure Office 365 against phishing and security breaches is to secure identities: customizing login pages to match the organization’s look, using hard-to-crack passwords, securing the on-premises Active Directory, enabling modern authentication, blocking legacy email protocols that lack two-factor authentication (2FA) support, enabling 2FA, using conditional access, and carefully managing administrator roles.

Next in line is securing Office 365 email accounts by hardening email routing: rejecting emails that aren’t sent over TLS and emails from parties that have not authenticated using certificates.

Also, users should be secured against junk, malware, phishing emails, and zero-day attacks with the help of Office 365 Advanced Threat Protection (Office 365 ATP) via the ATP Safe Attachments, ATP Safe Links, and ATP Antiphishing features.

Monitoring and analyzing user event logs, and enabling automatic responses to them, using solutions such as Azure Monitor integrated with a security information and event management (SIEM) system makes it possible to collect data on logins, creation of new users, and other actions taken by users and administrators, so that phishing attempts can be identified as they occur.

[Image: Azure AD version and retention period (days)]

Monitoring reports using the Microsoft 365 admin center, controlling and securing end-user devices, and providing users and administrators with proper training are also recommended as measures needed to improve Office 365 information security.

NCSC-FI also advises following instructions provided by Microsoft in its Email Phishing Protection and the Microsoft 365 identity infrastructure deployment stages guides.

Last but not least, password-less sign-in is also an important mitigation against phishing, since it removes the goal of this type of attack: users no longer need usernames and passwords (the targets of phishers) to authenticate.

Office 365 migration security best practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a set of best practices designed to help organizations mitigate the vulnerabilities and risks associated with migrating email services to Microsoft Office 365.

CISA advises all organizations to make sure that their Office 365 infrastructure assets are protected against attackers who might take advantage of misconfigured installations during service migrations or afterward.

Also, CISA listed the following mitigations and best practices that should be implemented by all Office 365 admins:

• Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
• Enable unified audit logging in the Security and Compliance Center.
• Enable mailbox auditing for each user.
• Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
• Disable legacy email protocols, if not required, or limit their use to specific users.
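The monitoring advice above (collecting sign-in data to spot phishing as it happens) and CISA’s points on multi-factor authentication and legacy protocols come together in a simple detection pass over Azure AD sign-in records. The following is an added example, not code from NCSC-FI, CISA or Microsoft; it assumes sign-ins are exported one JSON record per line using the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, authenticationRequirement, ipAddress, status.errorCode), and the log lines themselves are constructed.

```python
import json
from collections import Counter

# Client names that Azure AD sign-in logs report for legacy (basic-auth) protocols.
# These clients cannot complete an MFA challenge, so a successful sign-in through
# one of them means 2FA was never applied. Assumption: the tenant export uses the
# Microsoft Graph signIn 'clientAppUsed' vocabulary.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "SMTP",
                  "Exchange ActiveSync", "Other clients",
                  "Outlook Anywhere (RPC over HTTP)"}

# Constructed sample export (not real tenant data): one sign-in record per line,
# a subset of the Graph signIn resource fields. errorCode 0 means success.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}}
"""

def parse_signins(text):
    """Parse one JSON sign-in record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_signins(records):
    """Flag what the guidance cares about: successful legacy-protocol sign-ins
    (MFA bypassed), successful sign-ins that satisfied only a single factor,
    and failed legacy attempts counted per source IP (repeated basic-auth
    failures from one address are worth an alert)."""
    findings = {"legacy_success": [], "no_mfa_success": [],
                "legacy_failures_by_ip": Counter()}
    for r in records:
        user, ip = r["userPrincipalName"], r.get("ipAddress", "?")
        client = r.get("clientAppUsed", "")
        ok = r.get("status", {}).get("errorCode", 0) == 0
        legacy = client in LEGACY_CLIENTS
        if legacy and ok:
            findings["legacy_success"].append((user, client, ip))
        elif legacy:
            findings["legacy_failures_by_ip"][ip] += 1
        elif ok and r.get("authenticationRequirement") != "multiFactorAuthentication":
            findings["no_mfa_success"].append((user, client, ip))
    return findings

def users_needing_legacy_block(findings):
    """Users seen authenticating over legacy protocols: candidates for having
    POP/IMAP/SMTP AUTH disabled on their mailbox and MFA enforced."""
    return sorted({user for user, _, _ in findings["legacy_success"]})
```

Run against a real export, the same pass tells you which mailboxes still accept legacy protocols and which interactive sign-ins never hit an MFA challenge, which is exactly where conditional access policies should be tightened.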