Casserly Consulting Blog

Casserly Consulting blog with tech tips, actionable advice and more related to cyber security and IT.

As more businesses are migrating to Microsoft Office 365, it’s made more obvious the vulnerabilities of its configuration. Also, the fact that smaller organizations do not have dedicated IT teams, makes it easier for hackers to exploit the gaps and compromise their security. 

In this blog, we explain the most important vulnerabilities you should keep an eye on, and how to mitigate the risks for your business.

When we talk about vulnerabilities we aren’t just talking about bugs in the software. Microsoft has a massive team of developers working around the globe to continuously fix and improve the software that runs Office 365. Sure, there are bugs in all software, but in a service provider model, there is less lag time between a bug being discovered and a bug being fixed, especially when it comes to security.

Instead, the most obvious (and immediately addressable) vulnerabilities are around configuration, and making the right choices to ensure a secure configuration. Default settings in Office 365 are designed for compatibility and addressing the needs of the masses. These are not necessarily the most secure settings.

Without being a security expert, tweaking these settings are not the most straightforward. One way to identify settings that introduce risk is through a cyber security assessment. Microsoft has one they offer to all Office 365 customers that provides a score to use as a benchmark. Independent firms can provide a more user-friendly view with specific guidance on what to change.

The good news is there are a few things that can be done now to mitigate common Office 365 vulnerabilities.

 

Multi-factor Authentication Not Enabled for Administrator Accounts

Account hijacking is big business, especially when it comes to email. Landing an email administrator account gives a hacker the keys to the kingdom. With an email administrator account, a hacker can create countless email accounts for use in spam and phishing. It can also be used to change passwords and access private customer information, or add rogue email addresses to email distribution lists to gain inside information. Regardless of the nefarious purpose, administrator accounts must be protected. Once a hacker gains access to an account, the hacker can change the password and the recovery email, which makes it incredibly difficult for the real owner to recover the account.

By enabling multi-factor authentication, Office 365 will use a secondary method to verify that you are actually you. The top methods used are verification via email and text message, with text message being the preferred method. This means the hacker would need to be in physical possession of your phone to receive the message, and do so within the time limit for verification (usually just a few minutes). This feature is a no-brainer and should be implemented on every account where it’s offered. This is a place where a vulnerability assessment can identify this and other security features are disabled.

 

cyber security webinar

 

Mailbox Auditing Disabled by Default

In Office 365, mailboxes can be delegated by owners to non-owners to act on their behalf. One example is when an executive has delegated her mailbox to her assistant, to help filter through emails and respond to meeting requests. This eliminates the need for the executive to give her credentials to the assistant, but still access email and calendar. Activity by a non-owner using a mailbox is audited by default.

What is disabled by default is auditing of activity by an owner using their own mailbox. This auditing provides critical information for an IT administrator to identify when a mailbox has been breached. Details on to/from of emails sent and received and from which IP addresses or locations, are all clues for chasing down a compromised account. Sudden usage from outside the country while the owner is not traveling would be one example of where this auditing would be useful.

 

Replication May Cause Data Loss

Companies migrating to Office 365 from legacy IT environments are especially vulnerable because outdated or mismatched security settings will not carry forward into Office 365. One of the trickiest pieces of this is mapping of your company’s Active Directory security server up to the Microsoft cloud’s security server. Eliminating outdated or disabled accounts, or deleting old email accounts no longer required under audit protocols, all need to be taken care of prior to migration.

The way customers migrate from traditional email systems running in their own office to Office 365 is through replication of email and other data. User accounts are mapped to cloud-based user accounts, and the data replicated from the customer’s servers to Microsoft’s cloud servers are associated with user accounts in the cloud. If there is a mismatch or a misconfiguration at the destination, there is a risk that data loss could occur during that replication.

 

Phishing Emails Bypass Office 365

Nobody’s perfect and phishing emails count on this fact. Office 365 provides some level of filtering but there is no way for it to catch everything coming in. A common attack method targeting Office 365 customers is for the hacker to pose as Microsoft, sending an email about something wrong with the customer’s service and then prompting the target to log into a fake Microsoft site.

When the tries to log in, the fake site captures the user’s username and password, then gives an error and redirects the user to the actual Microsoft site to log in, leaving them none the wiser. The hacker then logs in as that user, and now has a legitimate user account to send phishing emails to the coworkers of the real account owner, and there is no filter that will capture legitimate emails from a coworker.

One way to mitigate against this is a combination of auditing and multi-factor authentication. If multi-factor authentication was enabled, the owner of the account would have been notified the first time the hacker tried to log in with the stolen credentials. Auditing would give administrators the ability to see where the hacker was trying to log in from. Even if multi-factor authentication was not enabled, auditing would still allow the administrator to see what emails were sent using the stolen account.

 

What can I do About These Vulnerabilities?

Find the holes in your Office 365 configuration. A cyber security assessment will identify opportunities to secure an Office 365 environment through configuration changes. A business may not be able to implement 100% of the recommendations, but every improvement helps.
Enable multi-factor authentication. Multi-factor authentication should be applied everywhere it’s available, not just Office 365. This added protection makes it incredibly difficult for hackers to be successful with just a username and password.

Auditing everywhere. Enabling auditing for owner account access in addition to non-owner account access can be the key to catching a compromised account. Plus, it gives an administrator the clues to track down the perpetrator in the case of a legitimate compromise.

Look before you leap to Office 365. Misconfiguration and legacy settings left unresolved prior to a migration to Office 365 can leave a business exposed. Perform an assessment to ensure accurate settings that will pull through to Office 365 correctly. If you’re not comfortable doing this yourself, consider hiring a professional to handle the transition.

Office 365 brings a multitude of features and flexibility, but it also introduces new risks. Get ahead of it through vulnerability assessments and careful configuration to maximize the value of Office 365 to your business without the unneeded risk.

cyber security webinar