7 Steps To Secure Your Microsoft 365 Environment

Microsoft 365 is trusted by organisations large and small for their day to day operations. Email, data storage, document exchange, customer and company critical information are all entrusted to 365 for safe keeping. And yet out-of-the-box, or out-of-the-cloud as is more common, Microsoft 365 security features are configured for usability, rather than maximum security.

Cyber attackers have taken notice and are shifting their focus towards this attractive target.

This guide outlines 7 simple configuration changes that significantly increase the security of your Microsoft 365 environment. Make sure you are not their next target.

‍

1. Enable Multi-Factor Authentication (MFA)

Enabling Multi-Factor authentication is still the single most effective change you can make to protect your organisation from account take-over. Microsoft themselves state that enabling MFA on your Microsoft 365 account can prevent 99.9% of account attacks. [1] Despite this, many users don’t enable MFA and organisations don’t enforce the policy.

FACT: 37% of all security breaches last year involved the use of stolen credentials. [2]

‍

2. Disable Legacy Authentication

Familiar email protocols such as IMAP4 and POP have no way to support MFA and yet are enabled by default in Microsoft 365. As MFA policy cannot be enforced across these legacy methods of authentication, it is no surprise to find that they are a favourite of attackers looking to access 365 accounts. Enabling Modern Authentication for your client apps disables these Legacy Authentication protocols and ensures that remote users follow your MFA policies.

FACT: Up to 60% of Microsoft 365 customers have been targeted by this type of attack. [3]

‍

3. Use Dedicated Administrator Accounts

Using administrative accounts for day-to-day activities is an unacceptable and unnecessary risk. Daily use increases the likelihood of these highly privileged accounts being taken over as even the most experienced users can fall victim to phishing attacks or compromised passwords.

Even authorised administrators can do most of their day-to-day activity using a separate standard account. Keeping administrative accounts only for those operations that absolutely require additional authorisations also allows more stringent security controls to be applied to these critical accounts.

FACT: Gaining access to an administrator account is the holy grail of account based attacks.

‍

4. Block Malicious Attachments

Over 22% of successful breaches in the past year involved phishing [2] using malicious attachments delivered via email. They are a favourite for attackers trying to gain a foothold in a target network, especially since so many businesses use email to share office documents and users are used to receiving them.

While many documents are safe, it is critical that ‘executable’ file types are prevented from entering a users’ inbox. Common malicious attachment types include:

EXE, DLL, HTA, DOC/DOCM, XLS/XLK/XLL, PDF, PPT, and ZIP/RAR archives

There are, of course, business cases where some of these file types are required so it is impossible to simply block all delivery. This highlights the need for strong controls and "defence in depth", supplemented with regular user awareness training.

FACT: Statistics show that over 48% of malicious attachments are Office files [4].

‍

5. Disable Third-Party Applications

Third-party applications are an increasingly popular avenue of attack for adversaries looking to compromise your Microsoft 365 environment. While users see them as increasing productivity and providing new features, these applications often use very powerful Microsoft 365 REST APIs. Users may grant applications access to their Microsoft 365 data, such as emails, calendars, contacts, users, groups, files, and folders, inadvertently giving full control of their Microsoft 365 account to an attacker.

We advise that the ability to load new applications is limited only to authorised and protected staff, with each application undergoing a rigorous review process before being released to general users.

‍

6. Disable Email Auto-Forwarding

Email auto-forwarding is a common technique used by attackers looking to stealthily exfiltrate data from a users’ inbox. By configuring malicious forwarding rules on compromised 365 accounts an attacker can choose to relay all emails to another third-party inbox that they control. In a more targeted approach, an adversary can choose to only forward emails containing specific keywords depending on their objectives, for example: "Password", “Invoice”, “VPN”, “Account Number” etc.

Ideally, email auto-forwarding to external domains should be disabled. However, legitimate business cases do exist for auto-forwarding email. A review should be conducted and the functionality restricted to the absolute minimum required to operate. Auto Forwarding should be closely monitored.

‍

7. Test & Assure

Changes to your Microsoft 365 configuration are an unavoidable component of normal day-to-day operations. Over time they can easily result in ‘config drift’ and introduce previously unseen vulnerabilities and weaknesses. Maintaining a strong and secure environment requires regular reviews against a secure target baseline.

Our Microsoft 365 Configuration Assessment reviews your tenancy against 50+ individual best practice configuration settings across eight core categories, ranging from Authentication & Auditing to Data Storage & Email Security.

Precursor Security are a UK based Cyber Security Consultancy specialising in Cloud Security for Microsoft 365, Microsoft Azure and AWS Cloud Computing environments. We use a mixture of Continuous Security Testing and Offensive Security and Penetration Testing techniques to ensure that your business stays safe in the cloud.

If you need to distribute this information internally you can download this entire post as a PDF guide here

‍

References

[1] https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/

[2] https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

[3] https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

[4] https://docs.broadcom.com/doc/istr-24-2019-en

‍