Value vs. Vulnerability in Microsoft Office 365
Today’s successful SMBs (small to medium-sized businesses) edge out competitors by employing both technology and people that work across departments, supporting lean and efficient operations, as well as scalability. Microsoft Office 365 is one of the more popular game-changing cloud platforms being used by efficient SMB teams to enable maximum operational value at minimal cost. This widespread adoption of Office 365, though, has not been accompanied in equal numbers by proper implementation of security-first configurations, leaving many organizations wide open to attacks such as the Business Email Compromise (BEC). How big is the threat? What are attackers after in your business email, anyway? How do you know if you are vulnerable? What steps can you take right now to protect yourself?
136% Increase in Business Email Compromise (BEC) Losses
According to the FBI Crime and Complaint Center (IC3), “The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 115 countries.”
A Typical Office 365 Compromise Scenario
In many of the Office 365 incidents we have worked, the attacker will gain access to an employee’s Office 365 account through a spear phishing attack. We are seeing more mid-level employees being targeted such as those working in billing or accounts payable. Attackers will often keep a low profile, adding a mail forwarding rule to the victim’s account so that email can be read without having to remain logged in to the victim’s Office 365 account. The attacker waits weeks or even months for the right opportunity. Often, this is a simple purchase order, payment, or wire transfer. The attacker then subtly changes a few numbers so that the money will be routed to the attacker’s account. Such changes are so subtle that most people won’t be suspicious of the fraudulent document. By the time the attack is uncovered, it is usually too late.
Holistic IT Security
According to TRUE Security Analyst Jenna Waters, “Most SMBs are working to maximize IT teams that are already stretched thin, so their environment may not have been configured to bridge both IT and security from the beginning.” This holistic way of approaching your business’s IT environment, whether local, cloud, or hybrid, follows an approach known as “Security by Design and by Default”, meaning IT design follows both operational logic and security expertise, concurrently (rather than implementing these in separate phases).
Maximize Security in Office 365
Waters and TRUE Security Consultant Michael Oglesby recently spoke at the 11th annual Information Warfare Summit, explaining how a BEC works, as well as best security practices within Microsoft Office 365 to help SMB IT teams try to maximize the tools they already have. The following are a few highlights from the detailed presentation.1.
Two-Factor Authentication (2FA) is Still Golden in Security
Implement 2FA. It’s simple, but it works, and you can add such features as the geolocation of a user or IP address, in conjunction with their credentials, to be sure that even if someone has obtained your password through nefarious means, they are screened out because they are trying to log in from the wrong place in the world. Keep the wrong people out as often as possible, and you’ll prevent this sort of attack from happening in the first place.
Monitor, Monitor, Analyze
Take advantage of your Office 365 logs–both global and account-based. These logs are now enabled by default, thanks to a recent Office 365 update, but you still need to ensure that it’s configured to log user mailbox activities. You can also configure logs in Azure Online Active Directory. Along with monitoring these logs, you can set and define specific policies to alert, based on user activity baseline thresholds. This is definitely a start in the right direction. It is highly recommended to integrate Office 365 logs into a monitored SIEM solution so that these logs can be correlated and analyzed centrally. It’s true that you can search logs in the Office 365 console using the “Content Search” feature or PowerShell, but you can only search 90 days of logs and export up to 50K records, which is very little for any moderate-sized organization. For robust incident response, you are going to need to offload Office 365 logs to a solution like SIEM.
Disable Automatic Email Forwarding
Disabling email forwarding is helpful not only to prevent business email compromise, but to stop users from forwarding sensitive company information to personal email accounts. If your organization cannot disable email forwarding for whatever reason, make sure you periodically review the email forwarding rules for all users so that you can quickly catch any malicious forwarding rules being added.
Check Your Office 365 Security Score ASAP
Have your Office 365 administrator routinely check and actively respond to your Office 365 Secure Score, available only through higher-access Security Admin accounts. The Secure Score gives you an overall ratio, pitting the number of platform security controls you are currently implementing against the total number of Office 365 security controls typically implemented as best security practice by organizations similar in size and account usage to your company’s. That enables you to get a true feel for where you stand, because you aren’t comparing yourself against an enterprise account as an SMB. The Secure Score provides an insightful, apples to apples comparison. Most importantly, though, below the total security score will be a list of remediation suggestions. Follow Microsoft’s advice and implement the recommendations that will have the greatest impact on your overall security posture first. In some cases, you may even want to enable a few new capabilities, but following best practices in your Office 365 settings and configurations. Based on our experience, using 2FA and blocking “mailbox forwarding rules” will go the farthest in protecting you from BEC attacks.
Read What’s Free and Out There
Familiarize yourself with Microsoft Published Documentation, Identity Protection and Conditional Access. Quality cloud service providers will publish documentation detailing the security configuration options available to organizations. Take advantage of any published documentation and decide what works best for your unique environment and risk tolerance.
In summary, cloud platforms and cloud service providers allow organizations to outsource critical business applications like email in a cost-effective manner, but care needs to be taken to implement best security practices and controls within the cloud-based platforms. It’s tempting to quickly adopt the latest and greatest new technology, but security should be evaluated and planned up-front. If this seems daunting to you, seek the insight of a security professional like those here at TRUE who can help you plan how to best integrate these tools within your environment.