We have recently identified a significant increase in the number of customers reporting unauthorised access to their email tenants by malicious actors. This is reflected in the industry as a whole and it is the general consensus that there is a significant campaign being launched which is also targeting Office 365 customers. This is costing organisations tens of thousands of pounds in fraud and legal costs.
What is actually happening?
Malicious actors are gaining unauthorised access to an organisations email accounts with the aim of:
Defrauding that company or their customers by impersonating real users and tricking individuals into making payments to a foreign bank account (typically by forging Invoices).
Exfiltrating data (stealing email content or other material, typically using email forwarding rules).
Proliferating phishing or malware ridden emails to the contacts of your users.
How do they gain access to an organisations email?
- By using a database of stolen username & passwords from the dark web.
- By “phishing” – tricking a user to handing over their username & password by visiting a faked site which steals the information.
- By executing a piece of malicious software (malware) and infecting a user’s PC.
- This is all happening as we speak, just over the last 2 months we have assisted several companies who have lost significant amounts of money, data, or both.
In cases where an organisation handles personal data there is also the issue of possible ICO (Information Commissioner’s Office) sanctions which can lead to large fines if they conclude that reasonable steps were not taken to prevent a leak of personal information in accordance with GDPR regulations. In some cases, legal action from aggrieved parties may be unavoidable if their personal information is leaked.
What steps can you take to ensure your organisation is reasonably protected?
The following is a broad selection of activities that can be undertaken to help reduce an organisations exposure to these types of incidents.
They are presented roughly in order of priority, although the more that are undertaken the lower the chance of a successful breach. Polymorph would be delighted to assist in the configuration of any of these strategies if assistance is required – please get in touch with Mark Worthington at Polymorph’s Cyber Security Unit (firstname.lastname@example.org) or via the contact form on this page, to discuss specific requirements.
Two-factor authentication provides a way of double checking that you really are the person you are claiming to be when you’re using online services such as Office 365.
When setting up 2FA, Office 365 will ask you to provide a ‘second factor’, which is something that you (and only you) can access.
This could be a code that’s sent to you by text message, or that’s created by an app – but is only available on a phone you physically possess.
Even if a malicious actor has stolen your password, they will be blocked from accessing your account by this process.
The most important aspect of password security is ensuring your users create a unique and strong password for your corporate email.
Credential “stuffing” is a process whereby malicious actors use stolen credentials from the dark web to log in to other services. If your users have the same password on LinkedIn, eBay or Gmail and those details are stolen, chances are that hackers will try and log in to Office 365 with the same details.
It is also no longer best practice to enforce frequent password changes. The National Cyber Security Centre has some great advice on password policies:
Microsoft Advanced Threat Protection (ATP)
The best way to help prevent account breaches, spam emails, malicious infections, and phishing/spoof attacks is always at the door – before the payloads ever hit your environment. As always, email environments are often used by attackers to deliver malicious payloads and trick users into sharing sensitive information.
This is where Microsoft ATP comes in, by utilising technologies such as safe link rewriting with destination scanning, advanced anti-phishing capabilities, advanced malware scanning, detonation sandboxing and advanced spoof intelligence you can layer the security of your email environment and better protect against “zero day threats”.
For more information, please review our latest article on Advanced Threat Protection.
Office 365 Security Configuration
There is a considerable amount of fine tuning and configuration required to ensure a default Office 365 installation is configured to good practice. Polymorph offer a service to assist in the setup of both the Office 365 and Azure AD security settings including but not limited to:
Implement Password policies
Implement Audit Reporting and Alerting
Discuss “Data Loss Prevention” service, features and options
Implement Microsoft ATP
Implement DKIM & Anti-spoofing settings
Implement detailed email audit logs to track deletions etc.
Advanced 365 Alert Rules
O365 alerting can be configured for many different scenarios by default, this can be used to alert if users have created an anonymous link for anyone to access without authentication (OneDrive/SharePoint), shared a file externally (OneDrive/SharePoint) or configured a mail rule to send emails to an external domain address.
The capabilities of audit reporting and alerting are amplified if you have E5 licenses, threat intelligence or advanced compliance subscriptions. You can then alert on things such as malicious emails sent to and from your organisation, if multiple files have been deleted or downloaded at once (OneDrive/SharePoint) or if there are DLP rule matches etc.
End User Training
Ensuring your users are well educated at spotting phishing emails is a critical step. The majority of credential hijacks occur because an individual accidentally signs in to a ‘fake’ website, or begins an email communication with someone pretending to be someone else.
Training can take the form of classroom based or online training material and Polymorph can assist in delivering this on-site for your organisation or host larger numbers at our lecture theatre.
Journaling is the ability to record all communications, including email communications. Exchange Online doesn’t support delivering journal reports to an Exchange Online mailbox so typically an external service will be required.
This is essential if you have a regulatory or legal obligation to record all communication in and out of your organisation. If a hacked mailbox is deleted, you still have a means to recover email sent to/from it.
Once relevant journaling/archive destinations are configured, journaling rules are flexible, and can record all, or specific communications/scopes with no additional Office 365 licence cost.
Office 365 calculates a “Secure Score” for each tenant, this score is calculated based on the number of best practices implemented by an organisation.
We advise regularly reviewing the “Secure Score”, alerts and security notifications to ensure that no unauthorised activity is taking place and that the evolving best practices are adhered to.
The following table is a sample of the type of Office 365 checks Polymorph can carry out on your behalf:
- If your users have not changed passwords in the past two years and you don’t implement Two-Factor authentication, then you are at significant risk of a data breach.
- Reduce the chance of your user accounts being compromised by implemented some if not all of the steps above.
- Routinely monitor alerts and implement automated alerting for suspicious activity.
- Ensure you have the audit-ability and logging in place to report on any issues that do occur.