Office 365 Security Guidance
Microsoft Office 365 has seen explosive growth in recent times, being adopted by organisations of all sizes and business sectors. This rapid growth, combined with the importance of the data stored and the level of access it grants within an organisation, has made Office 365 an alluring target for hackers. Once a foothold is obtained the results can be devastating, giving the attacker access to sensitive internal data and documents, email accounts, corporate address books and invoicing, to name just a few.
The number of attacks, and subsequent compromises, has been on the rise [1], forcing governmental agencies such as GCHQ and CISA (Dept. of Homeland Security) to publish guidance on how organisations can protect themselves. Samurai has also been made aware of this rise, with some of the most successful attacks requiring very little skill on the part of the attacker. As frequent readers of our blog will know, at Samurai, we enjoy sharing “war stories” as we believe these offer some of the best opportunities to learn and provide a bit of fun reading at the same time.
Typically, Office 365 accounts are compromised through phishing; however, it is what happens post-compromise that allows cybercriminals to monetise their work. In this example, a user’s Office 365 account was compromised, giving access to their email. From there the attacker set up automatic forwarding rules to forward certain emails to the attacker’s account, acting as a man in the middle between the client and the victim. Intercepting only certain emails allowed the attacker to monitor business deals between the victim and client until it came to the details of payment. As the attacker had full control of the conversation, false payment details were added to the invoice, allowing the hacker to con the client into sending payment to the attacker’s account. Only when it was too late did the parties realise that they had been subject to an attack, with no feasible way of recovering the money. A publicly documented example of this sort of email hijacking can be found here, where a family lost £340K to scammers who intercepted the payment from the sale of their family home.
The simplicity of this attack and low skill level required is what makes it so elegant and potent. As with the majority of cyber attacks, there are a number of controls and protections that could have been implemented that would have reduced the likelihood of the attack being successful. Multi-Factor Authentication (MFA) should be implemented for ALL accounts and enforced so it is required to gain access. Some examples of MFA techniques recommended by the NCSC are:
- Authentication apps (Google Authenticator, Microsoft Authenticator, Authy)
- SMS or phone call to a pre-registered number
- Accessing the service from a known work device
- Accessing the service from a trusted network or VPN
Problems can arise when organisations use legacy protocols such as IMAP, SMTP and POP that don’t fully support modern authentication options such as MFA. For a robust implementation, MFA must be enforced on every method of accessing the service; failing to do so offers attackers an easy way in and undermines all other controls. A recent study by Proofpoint found that supporting legacy protocols allowed attackers to launch brute force attacks against cloud application tenants using applications such as Office 365 and G Suite, with a success rate of roughly 25%. By design these attack methods avoid other protections such as account lock-out and isolated failed logins, allowing them to go unnoticed.
Implementing effective logging and auditing is also recommended and would likely have minimised the impact of this attack. Unlike Gmail, which displays a banner in the email client for 7 days stating that automatic forwarding has been enabled, Outlook fails to notify users of any changes. With properly implemented logging and alerting, such changes are flagged to administrators, especially when messages are being automatically forwarded to an external domain (which should be disabled anyway). Office 365 has some auditing enabled by default, but the NCSC further recommends that both audit log data recording and mailbox auditing are set up. In a post-breach situation, having a wealth of information to search through can be invaluable, allowing full investigations to take place and lessons to be learnt.
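As an added example (not code from the original post), the following Python sketch shows the kind of alerting described above: it scans audit records for Exchange operations that set a forwarding target and rates targets outside the organisation’s own domains as high severity. The record layout (Operation, UserId and a Parameters list of Name/Value pairs, in the shape of the Unified Audit Log’s AuditData JSON), the cmdlet and parameter names, the tenant domain and the sample events are all assumptions constructed for this example.

```python
import json
# Exchange Online operations whose parameters can divert mail, and the
# parameter names to inspect (assumption: names as the audit log records them).
FORWARD_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

def recipient_domain(value):
    """Domain of 'smtp:user@host', 'Name <smtp:user@host>' or a bare address."""
    addr = value.strip()
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    addr = addr.split(":", 1)[-1]            # drop an 'smtp:' style prefix
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def forwarding_targets(event):
    """Return (parameter, address, is_external) for every forwarding target in one event."""
    if event.get("Operation") not in FORWARD_OPERATIONS:
        return []
    found = []
    for param in event.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS and param.get("Value"):
            for addr in str(param["Value"]).split(";"):   # multi-valued parameters
                addr = addr.strip()
                if addr:
                    found.append((param["Name"], addr,
                                  recipient_domain(addr) not in INTERNAL_DOMAINS))
    return found

def scan(lines):
    """Return one alert string per target; external forwarding is HIGH, internal is INFO."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        for name, addr, external in forwarding_targets(ev):
            level = "HIGH" if external else "INFO"
            alerts.append(f"{level} {ev['CreationTime']} {ev['UserId']} "
                          f"{ev['Operation']} {name}={addr}")
    return alerts

# Constructed sample events in the shape of AuditData JSON, one record per line.
SAMPLE_LOG = [
    '{"CreationTime":"2019-05-02T08:14:03","UserId":"alice@example.com","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"},'
    '{"Name":"ForwardTo","Value":"smtp:mail.drop@attacker.example"}]}',
    '{"CreationTime":"2019-05-02T09:00:11","UserId":"admin@example.com","Operation":"Set-Mailbox",'
    '"Parameters":[{"Name":"Identity","Value":"bob"},{"Name":"ForwardingAddress","Value":"carol@example.com"}]}',
    '{"CreationTime":"2019-05-02T09:05:40","UserId":"bob@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"MoveToFolder","Value":"Archive"}]}',
]
```

Running `scan(SAMPLE_LOG)` yields one HIGH alert for the rule forwarding invoices to an external address and one INFO entry for the internal mailbox forward; the rule that only moves newsletters produces nothing.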
Staff training as a defence method is one which should not be ignored. The email hijacking war story told earlier may have been prevented if the employee had been more aware of what constitutes a phishing email. In-class learning followed by phishing simulation campaigns allows organisations to effectively measure their employees’ phishing awareness, build knowledge and reinforce it with realistic simulations.
Which, as you might have guessed, Samurai do provide:
https://samuraisecurity.co.uk/services/training/cyber-security-awareness/
https://samuraisecurity.co.uk/services/security-assessments/social-engineering/
For those administering or implementing Office 365 environments, Microsoft has a 30-day, 90-day and beyond security checklist which offers excellent configuration guidelines and other best practice. Further reading and more specific Office 365 security and configuration options can be found in the links below.
Thank you for reading and we hope to see you in the next one.
Further reading
https://www.us-cert.gov/ncas/analysis-reports/AR19-133A
https://www.ncsc.gov.uk/news/rise-microsoft-office-365-compromise
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2MHP5
References:
[1] GCHQ report
Risky Biz #504, 29:00 – MITM email account via email automatic forwarding rules