Have you secured access to your company’s O365 accounts? Are you aware of the main vulnerabilities and what the options are for locking them down? Microsoft 365 (M365) includes several best-in-class protections at no extra cost. Simply enabling and configuring them gives you confidence that your company data is secure, and further protections can be licensed at additional cost.
Want to know more about how best to secure your O365 accounts? Contact one of our certified M365 technical consultants to discuss how we can help keep your company and data protected.
Why is securing your M365 account important?
If you’re using M365, it’s likely that you’re using it as your email service as well as to store company documents in SharePoint, OneDrive or Teams. If one of your accounts is compromised, an intruder can gain access to all the data that the compromised account has access to. It can also impersonate the compromised user for attempted commercial gain.
Here’s a scenario that we’ve seen several times. The account of someone in a Finance Team is compromised, the intruder sets up Outlook mail rules to prevent the user in Finance from being alerted and sets up email forwarding. They then email the company’s customers saying that they’ve changed their bank account details and request that invoices are paid into this new account.
The intruder will also have access to all the same services associated with that account. In addition to emails, this includes documents and data stored in SharePoint, OneDrive, Teams, CRM and any third-party systems where they have been set up to use Azure AD as their authentication mechanism (Single Sign On).
Further, if the compromised account has global admin rights, this gives the intruder full access to everything, including the mail and file data of ALL users. They could also remove the global admin role from other accounts, lock those administrators out and completely prevent them from administering M365 while the intruder goes about doing whatever they want.
The authentication service for M365 is Azure Active Directory (Azure AD), so when the user signs in using their username and password, it’s Azure AD that checks and authenticates these. This is the authentication service for all Microsoft cloud services (M365, Dynamics and Azure) so the points in this blog apply to all these environments.
How can intruders hack your account?
Intruders need the same credentials as you do to sign in, so they need to obtain or bypass them:
Your username: typically, this is your email address, so an intruder can obtain it from emails you’ve sent, find it on your website or LinkedIn page, or work it out from your company’s format for email addresses.
There are several different ways that an intruder might use to obtain your password:
- When phishing emails are sent to your company, a user may click on a link and then give away their password.
- If you use the same password for lots of different accounts, for example your gym membership, online shopping sites etc., and one of these becomes compromised, the intruder will check whether you use the same password on other sites and systems. If you do, they gain your O365 password this way – a good reason to have a unique password for O365.
- Brute force attacks use automation to guess your password until they get it right – a good reason to have a long and complex password.
If you have Multi-factor Authentication (MFA) set up, intruders also need this additional factor to hack your account (for example, a code texted to your mobile phone or a response in the authenticator app). This makes it significantly harder, but not impossible, for hackers to succeed.
NB: One commonly exploited back door allows hackers to bypass MFA. They do this by trying to sign into your account using legacy authentication protocols, which don’t support MFA. Therefore, if you have MFA enabled but legacy authentication is still allowed, your account remains vulnerable.
As highlighted in this useful article on blocking legacy authentication in the Microsoft Tech Community, it is vital to block legacy authentication for MFA to be effective. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them common entry points for hackers. From an analysis of Azure Active Directory (Azure AD), the statistics on legacy authentication traffic are stark proof of this:
- More than 99% of password spray attacks use legacy authentication protocols.
- More than 97% of credential stuffing attacks use legacy authentication.
- There are 67% fewer compromises for organizations that have disabled legacy authentication in their Azure AD accounts, than those that have enabled legacy authentication.
What protection comes out of the box with M365?
If you’re signing into your M365 account with a username and password, you’re using two factors. Using Multi-factor Authentication (MFA), adds a third factor. The MFA mechanisms supported by M365 for user accounts are:
- A text message sent to a phone that requires the user to type a verification code.
- A phone call.
- The Microsoft Authenticator smartphone app – this is the most secure option.
The additional verification method is not employed until after the user’s password has been verified.
You can enable MFA in three different ways:
- On a per user basis – this is not recommended unless you can’t use one of the next two options.
- With Security Defaults – see below.
- With Conditional Access – see below.
Microsoft’s article Multifactor authentication for Microsoft 365 explains how to enable MFA on a per-user basis.
New M365 tenants have security defaults enabled. These give all organizations a good level of default security for user sign-in by requiring all users to use MFA with the Microsoft Authenticator app and by blocking legacy authentication.
Users have 14 days to register for MFA with the Microsoft Authenticator app on their smartphones. After this, they’re unable to sign in until MFA registration is completed.
The Microsoft article, What are security defaults? provides a useful overview of security defaults and shows you how to check whether or not this is enabled for your tenant.
What effect does blocking Legacy Authentication have on your users?
Most compromising sign-in attempts use legacy authentication, which is why the Microsoft Tech Community blog post Introducing security defaults underlines the importance of blocking it.
Legacy authentication refers to an authentication request made by:
- clients that don’t use modern authentication, for example, an Office 2010 client.
- any client that uses older mail protocols such as IMAP, SMTP, or POP3.
Since allowing legacy authentication represents such a threat, you will want to block it, but before you do, you need to be aware of the impact on your legitimate users and applications. The article Identify legacy authentication use explains how, using the Azure AD sign-in logs, you can see where legacy authentication is being used.
Once you’ve done this investigation, if you find that none of your users or applications are using legacy authentication, you can go ahead and block it across the board using security defaults or Conditional Access. However, if you find that some users or applications still need it, you can implement Conditional Access policies that allow it only for those accounts and block it for everyone else.
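The investigation described above can be scripted rather than done by hand in the portal. The following is an added example (not code from the original post or from Microsoft) that reads the Azure AD sign-in logs through the Microsoft Graph PowerShell SDK and summarises, per user and protocol, who is still signing in with legacy authentication. It assumes the Microsoft.Graph module is installed, that the signed-in admin has the AuditLog.Read.All and Directory.Read.All permissions, and that the list of client app names matches the “Legacy Authentication Clients” grouping in the Azure AD portal’s Client app filter.

```powershell
# Added example: census of legacy authentication sign-ins over the last 7 days.
# Sign-in log retention is 7 days without Azure AD Premium, 30 days with it.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client app names that the sign-in log only reports for legacy (basic) auth.
# Modern auth shows as "Browser" or "Mobile Apps and Desktop clients" and is excluded.
$legacyClientApps = @(
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "POP3", "Reporting Web Services", "Other clients"
)

# OData filter on the creation time; Graph expects an unquoted ISO-8601 UTC timestamp.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only legacy-protocol sign-ins, then group by user and protocol.
$legacy = $signIns | Where-Object { $legacyClientApps -contains $_.ClientAppUsed }

$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $group = $_.Group
        [pscustomobject]@{
            User       = $group[0].UserPrincipalName
            ClientApp  = $group[0].ClientAppUsed
            SignIns    = $_.Count
            # Status.ErrorCode 0 means the sign-in succeeded; anything else failed.
            Successful = @($group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen   = ($group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            SourceIPs  = ($group.IpAddress | Sort-Object -Unique) -join ", "
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize

# Users with successful legacy sign-ins are the ones a blanket block would break;
# those with only failures are typically password-spray attempts you want blocked.
$report | Where-Object { $_.Successful -gt 0 } |
    Export-Csv -Path ".\legacy-auth-users.csv" -NoTypeInformation
```

Get-MgAuditLogSignIn returns interactive user sign-ins only; service principals and non-interactive sign-ins (background token refreshes from mail clients, for example) appear in separate log categories that you should check before concluding that nobody uses legacy authentication. Each row with successful sign-ins is a candidate for a Conditional Access exclusion or, better, for migrating that client to modern authentication.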
What additional protective measures are available in O365?
Conditional Access Policies
Conditional Access enables you to specify the conditions under which sign-ins are allowed. It also lets you require MFA based on group membership, so users are covered automatically as they are added to or removed from those groups, rather than configuring MFA on individual user accounts.
You can also use Conditional Access policies for more advanced capabilities, such as requiring MFA for specific apps or for sign-in via a specific compliant device, such as your laptop running Windows 10.
To use Conditional Access, you need to be licensed for Azure AD Premium 1 or have a license that includes this such as Microsoft 365 Business Premium or Microsoft 365 E3 for example.
This Microsoft tutorial for Azure AD Multi-Factor Authentication explains how to create a Conditional Access policy for MFA. The Microsoft Docs article Conditional Access – Block legacy authentication explains how to create a Conditional Access policy to block legacy authentication – so you would set up both policies.
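The two policies described above can be created with the Microsoft Graph PowerShell SDK. The following is an added example (not from the original post or from Microsoft’s tutorials) that creates both in report-only mode, so you can review which sign-ins would be affected before enforcing them. It assumes the Microsoft.Graph module is installed, an Azure AD Premium P1 licence, a signed-in admin with the Policy.ReadWrite.ConditionalAccess permission, and a placeholder object ID for an emergency-access (break-glass) account that you substitute with your own.

```powershell
# Added example: create "require MFA" and "block legacy auth" Conditional Access
# policies in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Conditional Access and security defaults are mutually exclusive: security defaults
# must be turned off before Conditional Access policies can be enabled.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security defaults are enabled. Disable them before enabling Conditional Access policies."
}

# Placeholder: object ID of your break-glass account, excluded from both policies so
# a misconfigured policy cannot lock every administrator out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cover POP, IMAP, SMTP AUTH, MAPI and older Office clients.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode for a week or two and review the report-only results in the sign-in logs. When only expected accounts would be blocked, switch a policy on with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State "enabled". Any service account that genuinely still needs legacy authentication goes into the excludeUsers list of CA02 rather than into a second, more permissive policy, so the exception is visible in one place.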
Microsoft Defender for O365
Microsoft Defender for O365 offers Safe Links to help protect against phishing. It works by checking every link sent to you in email in an isolated environment, at the time you click it, to decide whether the website in question is malicious. If it is, it won’t let you proceed to the site, preventing you from giving away your O365 password.
It also offers a Safe Attachments feature, where an email attachment is opened and tested in a virtual environment before the user receives it. If the attachment is malicious, it will be automatically removed. If the attachment is safe, it will open as expected when the user clicks on it.
The blog, Microsoft Defender for Office 365 security overview gives an overview of the service.
Microsoft Defender for O365 can be licensed standalone (as Microsoft Defender for O365 Plan 1 or Plan 2) or is included in certain other plans:
- Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.
- Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.
If you think your account has been compromised, what should you do?
There are several tell-tale signs indicating that an account has been compromised:
- Emails being sent from the account – either as spam or trying to obtain payments.
- Email forwarding set up from the account.
- Automatic replies set up on the account.
Take the following immediate actions for the affected O365 account in the O365 Admin Centre:
- Change the user’s password and make it a strong password that hasn’t been used before by that account.
- Sign out of all O365 sessions.
- Remove any mail forwarding if set up by the intruder.
- Remove any inbox rules if set up by the intruder.
- Remove any mail auto-replies if set up by the intruder.
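The five containment steps above can be run as one script so nothing is missed under pressure. The following is an added example (not from the original post or from Microsoft) that performs them against a single mailbox using the Microsoft.Graph and ExchangeOnlineManagement modules. It assumes both modules are installed, that the signed-in admin holds roles allowing password resets and Exchange administration (for example User Administrator and Exchange Administrator), and that the user principal name is a placeholder you replace.

```powershell
# Added example: contain a compromised M365 account.
$compromisedUser = "finance.user@contoso.example"   # placeholder: the affected account's UPN

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"
Connect-ExchangeOnline

# 1. Set a new random password that the account has never used and force a change
#    at next sign-in. The character set avoids look-alike characters (0/O, 1/l/I).
$chars       = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*"
$newPassword = -join (1..20 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $compromisedUser -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Sign out of all sessions: revoking refresh tokens invalidates every existing
#    Outlook, Teams, browser and mobile session, not just the one that changed the password.
Revoke-MgUserSignInSession -UserId $compromisedUser | Out-Null

# 3. Remove mailbox-level forwarding in both forms (directory contact and SMTP address).
Set-Mailbox -Identity $compromisedUser `
    -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 4. Record every inbox rule for the investigation, then remove the ones that forward,
#    redirect or delete mail, which are the classic intruder rules. Remaining rules are
#    listed for the user to confirm.
$rules = Get-InboxRule -Mailbox $compromisedUser
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\inboxrules-$($compromisedUser -replace '[@.]', '_').csv" -NoTypeInformation

$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
$suspicious | Remove-InboxRule -Confirm:$false
$rules | Where-Object { $suspicious -notcontains $_ } |
    Select-Object Name, MoveToFolder | Format-Table -AutoSize

# 5. Turn off any automatic reply the intruder may have set.
Set-MailboxAutoReplyConfiguration -Identity $compromisedUser -AutoReplyState Disabled

# Hand the new password to the user out of band (phone or in person), never by email
# to the affected mailbox.
```

Keep the exported CSV with the incident record: the rule names and target folders are useful evidence and let you recreate any legitimate rules the user loses. Rules that move mail to folders such as RSS Feeds or Archive are also worth reviewing with the user, since they hide replies just as effectively as deleting them.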
The Microsoft article, Responding to a Compromised Email Account gives additional guidance.
You can then investigate to see if the account really has been compromised and what damage has been done. There are three key places to look in M365, for which you need admin rights:
- You can run a message trace in the Exchange Admin Centre to investigate emails sent and received by the affected user, as explained in Microsoft’s article on message trace.
- You can look at the sign-in logs in Azure AD so that you can investigate the sign-ins for the affected account, as described in Microsoft’s article, Sign-in logs in Azure Active Directory. For example, if you’re seeing successful sign-ins from an IP address or country that doesn’t match the user, this is a strong indication.
- To see what that account has done since the intruder gained access, use the Audit Log search in the M365 Compliance Centre. Here you can see a significant amount of detail regarding what the account has done across all your different O365 services (email, SharePoint, OneDrive, Teams etc). The Microsoft article, Search the audit log explains this process.
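The three evidence sources above can be pulled for one account in a single script. The following is an added example (not from the original post or from Microsoft) that runs a message trace, summarises successful sign-ins by source IP and country, and lists the mailbox configuration changes recorded in the unified audit log. It assumes the same modules and admin roles as the containment step, plus the AuditLog.Read.All permission, a seven-day look-back, and a placeholder user principal name.

```powershell
# Added example: gather investigation evidence for a compromised M365 account.
$compromisedUser = "finance.user@contoso.example"   # placeholder UPN
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# 1. Message trace: who the account emailed and how often. Get-MessageTrace covers the
#    last 10 days only; use Start-HistoricalSearch for anything older.
"=== Top recipients of mail sent by $compromisedUser ==="
Get-MessageTrace -SenderAddress $compromisedUser -StartDate $start -EndDate $end -PageSize 5000 |
    Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object @{ n = "Recipient"; e = { $_.Name } }, Count -First 20 | Format-Table -AutoSize

# 2. Sign-in logs: successful sign-ins grouped by IP, country and client. A country the
#    user has never worked from, or legacy protocols appearing, is the strong indication
#    mentioned in the text.
"=== Successful sign-ins by source ==="
$sinceIso = $start.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$compromisedUser' and createdDateTime ge $sinceIso" -All |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object IpAddress, { $_.Location.CountryOrRegion }, ClientAppUsed |
    ForEach-Object {
        $group = $_.Group
        [pscustomobject]@{
            IpAddress = $group[0].IpAddress
            Country   = $group[0].Location.CountryOrRegion
            ClientApp = $group[0].ClientAppUsed
            SignIns   = $_.Count
            FirstSeen = ($group | Sort-Object CreatedDateTime)[0].CreatedDateTime
            LastSeen  = ($group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize

# 3. Unified audit log: the operations an intruder uses to divert mail and hide replies.
#    AuditData is a JSON document; ClientIP and the cmdlet parameters are the key fields.
"=== Mailbox configuration changes made by or to $compromisedUser ==="
$ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
       "Set-MailboxAutoReplyConfiguration", "Add-MailboxPermission", "Remove-MailboxPermission"
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $compromisedUser `
    -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            Operation  = $_.Operations
            ClientIP   = $data.ClientIP
            Parameters = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    } | Sort-Object When | Format-Table -AutoSize -Wrap
```

Match the ClientIP values from the audit log against the sign-in log table: the first sign-in from the same IP that later created a forwarding rule is usually the moment of compromise, and its timestamp and client app tell you whether the entry point was a phished password, a reused one, or legacy authentication bypassing MFA.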
Once you’ve carried out the investigation and identified how the intruder gained access, you’ll need to close that hole using the protective measures discussed in this blog, for example by blocking Legacy Authentication and setting up MFA.
Finally, O365 is a powerful, cloud-based enterprise product. Not only is it capable of significantly increasing productivity and operational efficiency, it has also been designed from the ground up with business security in mind – but you do need to take advantage of and configure these services as discussed in this blog.
If you’d like to discuss how to secure your O365 accounts, then please contact us for a free discussion with one of our certified M365 technical consultants.
Want to keep in touch?
If you’ve enjoyed reading this blog, then sign up to receive our monthly newsletter where we share new blogs, technical updates, product news, case studies, company updates, Microsoft and Cloud news.
We promise that we won’t share your email address with other businesses or parties, and will keep your details safe. You can choose to unsubscribe at any time.