Last fall, the US Department of Homeland Security undertook a multi-month assessment of Office 365 tenants managed by various businesses. As of this month CISA has published their findings. The study has illuminated common configuration errors that can put data at risk.
The success of phishing as a hacking strategy comes from its focus on individual users rather than infrastructure. Typically, such an attack will pose as the provider of your email service, for example, and ask users to log in on a dummy page that collects their passwords. Without MFA, an end user's login is a single point of failure that a convincing enough email can bypass.
By requiring MFA across your organization, authenticating to your network takes both credentials and possession of a device enrolled under your security policy, and thereby ensures that the only individuals accessing accounts are their owners.
When a breach occurs, the average time before it is discovered sits around 3 months. During this time, a hacker will learn about the organization and attempt to increase their access to data by manipulating settings and compromising additional user accounts.
The hacker will spend their time concealing their presence within the network while making efforts to spread the breach to more and more significant personnel. A compromised account may request information from another user that can help widen the breach or put sensitive data at risk.
While enabling auditing provides no solid defense against breaches, it is the best tool available for identifying whether a breach has occurred. Without auditing, there is close to no oversight of end-user activity, which makes it difficult for administrators to identify suspicious behaviors that may indicate a breach.
For example, auditing can help flag:
- Mail rule changes – used by hackers to cover their tracks and hide malicious emails (34% of all attacks – Barracuda study)
- Bulk downloads – data exfiltration
- Internal messages to accounts/HR – users in these departments are common phishing targets
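As an added example (not from the CISA report or this post), the following Python applies the first two checks to constructed audit records: inbox rules that forward or delete mail, and a user downloading an unusual volume of files within one hour. The record field names (Operation, UserId, CreationTime, Parameters) follow the unified audit log layout as I understand it and are an assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records shaped like Office 365 unified audit log entries;
# the field names (Operation, UserId, CreationTime, Parameters) are an assumption.
SAMPLE_LOG = [
    {"CreationTime": "2019-05-20T09:01:00", "UserId": "alice@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "ForwardTo", "Value": "outside@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-05-20T09:05:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
] + [  # 30 OneDrive downloads by one user inside a single hour
    {"CreationTime": f"2019-05-20T10:{m:02d}:00", "UserId": "alice@example.com",
     "Operation": "FileDownloaded", "ObjectId": f"https://contoso.example/doc{m}.docx"}
    for m in range(0, 60, 2)
]

# Rule parameters that forward mail off-tenant or silently delete it
SUSPICIOUS_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
DOWNLOAD_THRESHOLD = 25  # files per user per hour; tune to the tenant's normal baseline

def flag_mail_rules(records):
    """Return (user, rule name, matched params) for rules that forward or delete mail."""
    hits = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        matched = sorted(set(params) & SUSPICIOUS_RULE_PARAMS)
        if matched:
            hits.append((r["UserId"], params.get("Name", "?"), matched))
    return hits

def flag_bulk_downloads(records, threshold=DOWNLOAD_THRESHOLD):
    """Return {user: peak hourly count} for users whose downloads exceed the threshold."""
    per_hour = Counter()
    for r in records:
        if r.get("Operation") == "FileDownloaded":
            hour = datetime.fromisoformat(r["CreationTime"]).replace(minute=0, second=0)
            per_hour[(r["UserId"], hour)] += 1
    flagged = {}
    for (user, _), n in per_hour.items():
        if n >= threshold:
            flagged[user] = max(flagged.get(user, 0), n)
    return flagged
```

In a real tenant the records would come from the unified audit log export rather than the inline list, and the threshold should be set from the tenant's observed baseline.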
Legacy Email Systems
When email clients bypass Microsoft's authentication in favor of older protocols such as POP3, IMAP and SMTP, businesses are unable to enforce MFA on those connections. This leaves devices that commonly use alternative email clients, such as smartphones and tablets, more easily compromised.
The best way to prevent this is to configure an MDM policy that only allows users to access email from a whitelist of secure clients.
Enabling Password Sync
For Office 365 tenants configured to synchronize with an on-premises server, such data sharing can allow a breach to spread from one location to the other. While the main purpose of this feature is saving time for the user, administrators must weigh such usability features against security to determine what is most valuable to them.
Some things to note about password sync:
- Many hybrid setups exist for the purpose of migrating from on-premises to the cloud, so the risk is often temporary, but it still requires a watchful eye (enable auditing, etc.)
- If an on-premises server were compromised, a bad actor could create an identity matching that of a user in the cloud. This would allow the accounts to be synchronized and give the hacker access to the user's account in the cloud environment
- Thanks to a Microsoft security patch last year, it is not possible to duplicate accounts with Global Admin privileges. Therefore, this method can likely only be used to impersonate other users and attempt to phish users with more access
For businesses that maintain a hybrid connection between on-premises and cloud servers, utilizing Microsoft’s password sync services can be a source of threat. While password sync does not create a massive gap in your security, it can create a narrow pathway for exploiting your system under specific circumstances.
No Dedicated IT Teams
In most cases in the CISA study, the Office 365 tenants were configured as part of contracted work, after which the service provider was no longer involved in managing the environment. Today, this set-it-and-forget-it mentality is not enough to protect infrastructure; policies require continuous review to address new and evolving threats.
If you are unsure if your Office 365 environment is free of these misconfiguration follies, please reach out! We can provide you with a complimentary assessment of your infrastructure to determine what your overall security posture is.