How to Detect and Respond to Microsoft Office 365 Security Issues

Posted by Dan St. Hilaire  /  September 30, 2019  /  Microsoft 365, MSP, Security

Microsoft 365 is one of the most widely used business technology platforms in the world. Office 365 presents an opportunity for businesses to create a modern workplace for employees and offers advanced networking and communications tools that empower employees to carry out their job duties seamlessly as part of the natural rhythm of their work. However, no system is immune to malicious cyberattacks, and being the number one business platform creates a target for those looking to take advantage of unsuspecting businesses and their users.

In this post, we highlight some of the most common security breaches on Microsoft 365 and share some tips on how IT administrators and Managed Service Providers (MSPs) can best address these threats for their users and clients.

Email-Based and Other Phishing-Based Security Threats

Phishing links, spoofed sender addresses, and other email-based cybersecurity threats are among the most commonly cited security issues on Microsoft Office 365. Some of these threats may include malicious code that may be virtually impossible for an unwary employee to detect, but many attacks are avoidable with good email habits.

This past August, Microsoft discovered a phishing campaign that would trick users into logging in with custom 404 login pages. Microsoft explained that they discovered this recent hacking attempt while analyzing phishing emails. “Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers can use random URLs for their campaigns. We also found that the attackers randomize domains, exponentially increasing the number of phishing URLs,” said Microsoft. Alerting and teaching end-users to identify potential phishing URLs is an important piece of limiting risk.

Providing end-user awareness training around topics like not opening links in emails from unknown senders can help limit phishing scams that attempt to dupe email recipients into clicking on malicious links, which then proceed to install malicious code into the target system. IT administrators and MSPs should provide users and clients with regular notifications of the new methods that hackers take with phishing attempts. Enabling DMARC, SPF, and DKIM to identify and avoid various phishing attempts should also be considered. Additionally, Multi-factor Authentication (MFA), which requires users to verify their identity with a second device, is another means to protect users against spoofed pages. In April 2018 the CFO of Unatrac Holding Limited was phished for over 11 million dollars; features mentioned in this post may have helped to prevent that from happening.
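
One way to check whether a domain's SPF and DMARC records are enforcing rather than merely published, as an added example that is not part of the original post. The domains and TXT records are constructed samples, and the function names (audit_spf, audit_dmarc, audit_domain) are hypothetical.

```python
# Added example. All domains and TXT records are constructed samples.
SPF_ALL = {
    "+": ["SPF: '+all' authorizes every sender"],
    "?": ["SPF: '?all' is neutral, spoofed mail is not penalized"],
    "~": ["SPF: '~all' only softfails unlisted senders"],
    "-": [],  # hard fail for unlisted senders
}

def audit_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records."""
    spf = [r.lower().split() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one record, found %d" % len(spf)]
    final = [t for t in spf[0][1:] if t.lstrip("+-~?") == "all"]
    if not final:
        return ["SPF: no 'all' mechanism; check any redirect= target"]
    return SPF_ALL[final[0][0] if final[0][0] in "+-~?" else "+"]

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(recs)]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in recs[0].split(";"))}
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif tags["p"] == "none":
        findings.append("DMARC: p=none is monitor-only, no action on failures")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s enforces on part of failing mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings

SAMPLES = {  # domain -> (TXT at the domain, TXT at _dmarc.<domain>)
    "strict.example": (["v=spf1 include:spf.protection.outlook.com -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
    "weak.example": (["v=spf1 include:spf.protection.outlook.com ~all"],
                     ["v=DMARC1; p=none"]),
    "bare.example": (["constructed-verification=abc123"], []),
}

def audit_domain(name):
    return audit_spf(SAMPLES[name][0]) + audit_dmarc(SAMPLES[name][1])

for name in SAMPLES:
    print(name, audit_domain(name) or ["no findings"])
```

To audit a live domain, feed the functions the TXT answers for the domain and for its _dmarc subdomain from whatever DNS lookup tool is already in use.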

Data Loss

Physical data security is just as important as creating digital backups. Make sure you have a consistent and defined backup system in place and take steps to ensure physical device security, such as BitLocker encryption for company devices.

A backup plan is always a good idea. Administrators and MSPs should review data retention tolerance levels and help their organization and clients set retention policies that align with their defined governance. Policy should help determine if a third-party backup solution should be implemented. Additionally, companies using Microsoft 365 can look at device management via Microsoft Intune. Intune provides businesses with an integrated endpoint management platform to manage both company-issued devices and 'bring your own' devices (BYOD). It also provides a means to produce and safeguard data on non-governed devices.

Cloud Vendors

Cloud technology has changed the business-to-business environment, offering many companies an easy way to store data offsite in a secure digital cloud. However, be careful which cloud vendors you trust with your organization’s data, and find out whether you will have a dedicated and secure cloud server or if your data will intermingle with other organizations’ in a shared cloud server, which can be a major security liability for some companies.

In the world of Office 365, we're talking OneDrive for Business and SharePoint, but many organizations may have used other cloud vendors to host data. Businesses should assess possible shadow IT solutions currently in place and align policy to best manage data moving forward. Office 365 can secure data within Office 365, but other third-party services that may connect to tools like Microsoft Teams are not controlled through the Security and Compliance center. This may present non-compliance with existing governance policies. You should assess the third-party connectors and resources to understand how data accessed or stored in the third-party tool/service is governed.

SAML Single Sign-On

Configuring Security Assertion Markup Language (SAML) to enable single sign-on for some users may seem like a good way to streamline internal operations; however, it can also create a serious security issue for some organizations. If an unauthorized user gains SAML credentials from an approved user, the unauthorized user now has the login information for every application under the approved user’s permissions list.

While SAML and Single Sign-On (SSO) are excellent ease-of-use features, businesses should be aware of the potential security risk. Consider Multi-factor Authentication (MFA). Instead of relying on a single username and password for login credentials, multi-factor authentication, also referred to as two-step authentication, prevents unauthorized access in the event approved credentials are compromised and an unauthorized user attempts to log in from a new device, and it strengthens the use of SAML and SSO. MFA is a feature available in all Microsoft 365 license levels, and the MSP should discuss enabling MFA with each client and determine if additional security using Intune will be required.

Unauthorized Administrator Access

Windows 10 for Business allows domain administrators to create permission-based groups of users. Administrators can decide who has access and how far that access extends, but administrators must carefully safeguard their own credentials and only allow approved administrators to have administrator credentials. Separating administrator accounts from user accounts and configuring a permission-based hierarchy of access in the company’s digital environment effectively creates multiple levels of security.

MSPs need to work closely with clients to help prevent these security threats from devastating their clients’ digital environments and should never assign direct administrative rights to a user’s account in Office 365, but rather create separate admin-based accounts and assign users to those accounts.

KnowledgeWave offers online video training on end-user security basics. Many of our clients require that all new employees take this training to ensure the highest level of enterprise data security when using Microsoft Office 365. If you’re interested in learning how we can help train your team, or your clients’ team, to avoid, identify, and address these security threats safely, contact KnowledgeWave today for more information.
