Have you secured access to your company’s O365 accounts? Are you aware of the main vulnerabilities and what the options are for locking them down? Microsoft 365 (M365) offers several best-in-class solutions – at no cost. Simply enabling and configuring these will give you peace of mind that your company data is secure; extra protections can be licensed at additional cost.
If you’re using M365, it’s likely that you’re using it as your email service as well as to store company documents in SharePoint, OneDrive or Teams. If one of your accounts is compromised, an intruder can gain access to all the data that the compromised account has access to. They can also impersonate the compromised user for attempted commercial gain.
Here’s a scenario that we’ve seen several times. The account of someone in a finance team is compromised; the intruder sets up Outlook mail rules so that the user in finance is not alerted, and sets up email forwarding. They then email the company’s customers claiming that the company has changed its bank account details and requesting that invoices be paid into the new account.
The intruder will also have access to all the same services associated with that account. In addition to emails, this includes documents and data stored in SharePoint, OneDrive, Teams, CRM and any third-party systems where they have been set up to use Azure AD as their authentication mechanism (Single Sign On).
Further, if the compromised account has global admin rights, the intruder gains full access to everything, including the mail and file data of ALL users. They could also remove the global admin role from other accounts, lock those users out and completely prevent them from administering M365, while they go about doing what they want to do.
The authentication service for M365 is Azure Active Directory (Azure AD), so when the user signs in using their username and password, it’s Azure AD that checks and authenticates these. This is the authentication service for all Microsoft cloud services (M365, Dynamics and Azure) so the points in this blog apply to all these environments.
Intruders need the same credentials as you do to sign in, so they need to obtain or bypass them:
If you have Multi-factor Authentication (MFA) set up, intruders also need this additional factor to hack your account (for example, a code texted to your mobile phone or an approval in the authenticator app). This makes it significantly harder, but not impossible, for hackers to succeed.
NB: one commonly exploited back door allows hackers to bypass MFA. They do this by trying to sign into your account using legacy authentication protocols, which don’t support MFA. Therefore, if you have MFA enabled but legacy authentication is still allowed, your account remains vulnerable.
As highlighted in this useful article on blocking legacy authentication in the Microsoft Tech Community, it is vital to block legacy authentication for MFA to be effective. Legacy authentication protocols like POP, SMTP, IMAP and MAPI can’t enforce MFA, making them common entry points for hackers. From Microsoft’s analysis of Azure Active Directory (Azure AD) sign-in data, the statistics on legacy authentication traffic are stark proof of this:
If you’re signing into your M365 account with a username and password, you’re using two factors. Using Multi-factor Authentication (MFA) adds a third factor. The MFA mechanisms supported by M365 for user accounts are:
The additional verification method is not employed until after the user’s password has been verified.
You can enable MFA in three different ways:
Here is how to enable MFA on a per-user basis: Multifactor authentication for Microsoft 365.
New M365 tenants have security defaults enabled. These give all organizations a good level of default security for user sign-in by requiring all users to use MFA with the Microsoft Authenticator app and by blocking legacy authentication.
Users have 14 days to register for MFA with the Microsoft Authenticator app on their smartphones. After this, they’re unable to sign in until MFA registration is completed.
The Microsoft article, What are security defaults?, provides a useful overview of security defaults and shows you how to check whether they are enabled for your tenant.
Most account-compromising sign-in attempts come from legacy authentication; consequently, the Microsoft Tech Community blog post, Introducing security defaults, underlines the importance of blocking legacy authentication.
Legacy authentication refers to an authentication request made by:
As allowing legacy authentication represents such a threat, you will want to block it, but before you do, you need to understand the impact on your legitimate users and applications. The Microsoft article, Identify legacy authentication use, explains how to use the Azure AD sign-in logs to see where legacy authentication is being used.
Once you’ve done this investigation, if you find that none of your users or applications are using legacy authentication, you can go ahead and block it across the board using security defaults or Conditional Access. However, if you find that some users or applications still need it, you can implement Conditional Access policies that allow just those and block it for everyone else.
Conditional Access lets you specify the conditions under which sign-ins are allowed. For example, it lets you require MFA based on group membership, rather than configuring MFA on individual user accounts each time they are added to or removed from those groups.
You can also use Conditional Access policies for more advanced requirements, such as requiring MFA for specific apps, or requiring that sign-in comes from a specific compliant device, such as your laptop running Windows 10.
To use Conditional Access, you need to be licensed for Azure AD Premium P1 or have a license that includes it, such as Microsoft 365 Business Premium or Microsoft 365 E3.
This Microsoft tutorial for Azure AD Multi-Factor Authentication explains how to create a Conditional Access policy that requires MFA, and the Microsoft Docs article, Conditional Access – Block legacy authentication, explains how to create a Conditional Access policy that blocks legacy authentication – so you would set up both policies.
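The procedure above (measure legacy authentication use from the sign-in logs, then create the two Conditional Access policies) as an added PowerShell example; this is not code from the original post. It assumes the Microsoft Graph PowerShell SDK, an admin able to consent to the listed scopes, and that the exception group id placeholder is replaced with a real group in your tenant.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to grant the scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Step 1: measure legacy authentication use from the Azure AD sign-in logs (last 30 days).
# These are clientAppUsed values Azure AD records for legacy (basic auth) protocols.
$legacyClients = @('Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
                   'Exchange Web Services', 'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)')
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

# One row per user / protocol / app: this is the list to fix or exclude before you block.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Step 2: Conditional Access cannot be used while security defaults are on, so check first.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) { throw 'Disable security defaults before creating Conditional Access policies.' }

# Step 3: create both policies in report-only mode so the impact can be reviewed before enforcing.
$exceptionGroupId = '<EXCEPTION-GROUP-OBJECT-ID>'   # placeholder: break-glass / exception group

$blockLegacy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client categories
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($exceptionGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$requireMfa = @{
    displayName   = 'Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($exceptionGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Once the report-only results show no legitimate traffic being caught, change each policy’s state to enabled.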
Microsoft Defender for O365 offers Safe Links, to help protect against phishing. It checks every link in the email you receive in an isolated environment to decide whether the website in question is malicious. If it is, you are blocked from proceeding to the site, which prevents you from giving away your O365 password.
It also offers a Safe Attachments feature, where an email attachment is opened and tested in a virtual environment before the user receives it. If the attachment is malicious, it will be automatically removed. If the attachment is safe, it will open as expected when the user clicks on it.
The Microsoft blog post, Microsoft Defender for Office 365 security overview, gives an overview of the service.
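Turning on the two features just described, as an added Exchange Online PowerShell example that is not code from the original post. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence, and that the 'contoso.com' placeholder is replaced with your own accepted domain.

```powershell
# Added example, not from the original post. Assumes Exchange Online PowerShell
# (Install-Module ExchangeOnlineManagement) and a Defender for Office 365 licence.
Connect-ExchangeOnline
$domain = 'contoso.com'   # placeholder: your accepted email domain

# Safe Links: rewrite URLs and check them at click time for mail, Teams and Office files,
# with click-through disabled so users cannot override a block.
New-SafeLinksPolicy -Name 'Safe Links - all users' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Safe Links - all users' -SafeLinksPolicy 'Safe Links - all users' `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments before delivery and block the message if malicious.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' -RecipientDomainIs $domain

# Verify: the weak settings to look for are AllowClickThrough = True, ScanUrls = False,
# or a Safe Attachments Action other than Block.
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough, TrackClicks
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
```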
Microsoft Defender can be licensed standalone (as Microsoft Defender for O365 Plan 1 or Plan 2) or it is included in certain other plans:
There are several tell-tale signs indicating that an account has been compromised:
Take the following immediate actions for the affected O365 account in the O365 Admin Centre:
The Microsoft article, Responding to a Compromised Email Account gives additional guidance.
You can then investigate to see if the account really has been compromised and what damage has been done. There are three key places to look in M365, for which you need admin rights:
Once you’ve carried out the investigation and identified how the intruder gained access, you’ll need to close that hole using the protective measures discussed in this blog, for example by blocking Legacy Authentication and setting up MFA.
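Hunting for the artefacts of the finance-team scenario described earlier (mail rules that hide or forward mail, and mailbox forwarding) and containing an affected account, as an added PowerShell example that is not code from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, admin rights, and that 'contoso.com' is replaced with your own domain; the function names are this example’s own.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph PowerShell modules, and that 'contoso.com' is replaced with your own domain.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'
$internalDomain = 'contoso.com'   # placeholder for your accepted email domain

# Hunt for the finance-scenario artefacts in every mailbox: inbox rules that forward, redirect
# or silently delete mail, and mailbox-level forwarding to an address outside the organisation.
function Find-SuspiciousMailForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        if ($mbx.ForwardingSmtpAddress -and $mbx.ForwardingSmtpAddress -notmatch "@$internalDomain$") {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Finding = 'Mailbox forwarding'
                               Detail  = $mbx.ForwardingSmtpAddress }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            # Recipients appear as '"Name" [SMTP:addr]' strings; anything not on our domain is external
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            $external = @($targets | Where-Object { $_ -notmatch "@$internalDomain" })
            if ($external.Count -gt 0 -or $rule.DeleteMessage) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Finding = "Inbox rule '$($rule.Name)'"
                                   Detail  = $(if ($rule.DeleteMessage) { 'deletes messages' } else { $external -join ', ' }) }
            }
        }
    }
}

# Immediate containment for one account: block sign-in, revoke tokens, remove forwarding and
# disable (not delete) the rules so they remain as evidence for the investigation.
function Invoke-CompromisedMailboxResponse {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName) {
        Disable-InboxRule -Mailbox $UserPrincipalName -Identity $rule.Identity -Confirm:$false
    }
}

Find-SuspiciousMailForwarding | Format-Table -AutoSize
# Invoke-CompromisedMailboxResponse -UserPrincipalName 'finance.user@contoso.com'   # once a finding is confirmed
```

Reset the user’s password and review the sign-in logs for the account afterwards; the disabled rules can be removed once the investigation is complete.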
Finally, O365 is a powerful, cloud-based enterprise product. Not only can it significantly increase productivity and operational efficiency, it has also been designed from the ground up with business security in mind; you do, however, need to take advantage of these services and configure them as discussed in this blog.
If you’d like to discuss how to secure your O365 accounts, then please contact us for a free discussion with one of our certified M365 technical consultants.