Microsoft Office 365 has become a popular target for hackers. Here are seven measures your company can take to keep them at bay if you are using this cloud service.
Microsoft Office 365 has grown in popularity, which has made it a prime target for hackers. Threats in Office 365 have grown by 63% in the last two years, according to McAfee’s 2019 Cloud Adoption and Risk Report.
Companies subscribing to Office 365 Business and Microsoft 365 Business plans can take measures to use the cloud service more securely. Here are seven measures you might consider taking if your company is using Office 365:
- Use Two-Step Verification
More than 7.8 billion online accounts have been compromised through data breaches. These compromised passwords pose a significant threat, especially given the common practice of reusing passwords. A Virginia Tech study of 28.8 million online account holders over an eight-year period found that more than half of those individuals reused passwords or used slightly modified versions of them. Cybercriminals are aware that people reuse passwords, so they often try compromised credentials on multiple accounts using automated attacks.
Therefore, requiring employees to use unique, strong passwords for their Office 365 accounts might not be enough to protect those accounts. Requiring employees to use two-step verification is a much better strategy. With two-step verification, employees need to provide two pieces of information — such as a password and a security code — to log in. That way, even if the password has been compromised, a cybercriminal won’t be able to use it to hack the account. The US Cybersecurity and Infrastructure Security Agency notes that this is the best mitigation technique to protect against credential theft for Office 365 users.
- Use Administrator Accounts Only for Their Intended Purpose
Office 365 administrator accounts should only be used for their intended purpose — managing Office 365, according to a Microsoft report. Employees with administrative access should use separate user accounts for their other job duties. Two-step verification should be set up for the administrator accounts.
Microsoft’s Security Team, which is responsible for securing the company’s internal infrastructure, has a few other recommendations for protecting administrator accounts, including:
- Using a separate device for administrative operations. Besides setting the device’s security controls at high levels, it is a good idea to not allow administrative tasks to be executed remotely.
- Creating administrator accounts in a separate namespace or forest that cannot access the Internet.
- Providing non-persistent access by giving no rights to administrator accounts. When privileges are needed, they should be given for only a specific amount of time.
- Change the Macro Settings
A macro is a series of commands grouped together. Some Office 365 apps (e.g., Word, Excel, PowerPoint) provide macro functionality so that people can use them to automate routine tasks. However, cybercriminals sometimes use macros to spread malware.
By default, macros are automatically disabled in Office 365 applications. However, users are notified when macros have been disabled and are given the option to enable them. To tighten security, businesses can change the setting so that macros are automatically disabled without any notification. When this setting is chosen, users will not get the security notification or the option to enable them. Alternatively, companies that use digitally signed macros can select the option that disables all macros except those that are digitally signed.
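The macro settings described above are exposed to administrators as the Trust Center "Macro Settings" policy, which Group Policy (or Intune) writes to the per-user Policies hive where users cannot override it. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes Office 2016/2019/Microsoft 365 Apps (registry version key "16.0") and that it runs in the user's context or is deployed through GPO/Intune. The policy value names and the meaning of each VBAWarnings value are real; the helper function names are this example's own.

```powershell
# Added example (not code from the article). Sets the Office macro policy in the
# per-user Policies hive, which is what a Group Policy Object writes and which
# users cannot override from the Trust Center. Assumptions: Office 2016/2019/
# Microsoft 365 Apps (registry version key "16.0"); run as the user or deploy
# the same values through GPO/Intune.
#
# VBAWarnings (Trust Center "Macro Settings" policy):
#   1 = Enable all macros             (never use)
#   2 = Disable all with notification (Office default, the one the article describes)
#   3 = Disable all except digitally signed macros
#   4 = Disable all without notification

$apps   = 'Word', 'Excel', 'PowerPoint'
$labels = @{ 1 = 'Enable all'; 2 = 'Disable with notification'
             3 = 'Disable except digitally signed'; 4 = 'Disable without notification' }

function Get-PolicyKey([string] $App) {
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet(2, 3, 4)] [int] $VbaWarnings,
        [string[]] $Applications = $apps
    )
    foreach ($app in $Applications) {
        $key = Get-PolicyKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null
        # Also block macros in files that carry the Mark of the Web (downloaded
        # or received as attachments), independent of the setting above.
        New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param([string[]] $Applications = $apps)
    foreach ($app in $Applications) {
        $key   = Get-PolicyKey $app
        $value = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $value) { $setting = 'Not set by policy (user may enable macros)' }
        else                  { $setting = $labels[[int]$value] }
        [pscustomobject]@{ Application = $app; VBAWarnings = $value; Setting = $setting }
    }
}

# Disable all macros without notification in Word, Excel and PowerPoint, then verify.
Set-OfficeMacroPolicy -VbaWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Use `-VbaWarnings 3` instead of `4` for the "disable all except digitally signed" option the article mentions; `Get-OfficeMacroPolicy` reporting "Not set by policy" for an application means that application is still at the Office default, where users can enable macros from the notification bar.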
- Make Sure Mailbox Auditing Is Enabled
Office 365 mailbox auditing tracks and records various actions performed by mailbox users, administrators, and delegates. For example, it documents when messages are deleted or moved to different folders. The information in the mailbox audit log is useful for investigating security issues and troubleshooting other types of problems.
Starting in January 2019, Microsoft enabled mailbox auditing by default. Prior to that date, companies had to manually enable it for user mailboxes. For this reason, it is a good idea for businesses to make sure it is currently enabled, especially if they have been using Office 365 since before January 2019. When doing so, they can also learn what actions are being audited and customize the audited actions if desired. Similarly, they can customize the length of time records are kept in the mailbox audit log. By default, records are deleted after 90 days.
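The check, the review of audited actions and the retention change described above can all be done from Exchange Online PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange admin role. The 180-day retention and the list of owner actions it adds are this example's choices, not Microsoft defaults.

```powershell
# Added example (not code from the article): check that mailbox auditing is on
# and adjust what is audited and for how long. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; Connect-ExchangeOnline uses modern
# authentication, so it works with two-step verification.
Connect-ExchangeOnline -ShowBanner:$false

$retentionDays = 180   # Microsoft default is 90 days; assumption: policy wants 180

# 1. Organization-level switch: auditing is on by default only if this is False.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled for the whole tenant; re-enabling.'
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Per-mailbox review: auditing turned off, or logs kept for fewer days than we want.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

$needFix = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or ([TimeSpan]"$($_.AuditLogAgeLimit)").Days -lt $retentionDays
}
$needFix | Format-Table UserPrincipalName, AuditEnabled, AuditLogAgeLimit -AutoSize

# 3. Enable auditing, extend retention and add owner actions that matter in an
#    incident: logins and inbox-rule changes alongside the deletions already audited.
foreach ($m in $needFix) {
    Set-Mailbox -Identity $m.UserPrincipalName -AuditEnabled $true `
        -AuditLogAgeLimit "$($retentionDays).00:00:00" `
        -AuditOwner @{ Add = 'MailboxLogin', 'UpdateInboxRules', 'SoftDelete', 'HardDelete', 'MoveToDeletedItems' }
}

# 4. Spot-check one mailbox after the change to see the full list of audited actions.
if ($needFix) {
    Get-Mailbox -Identity $needFix[0].UserPrincipalName |
        Format-List AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin
}
```

The `AuditOwner`, `AuditDelegate` and `AuditAdmin` properties printed in step 4 are the lists of actions the article refers to; `UpdateInboxRules` is worth auditing for owners because a forwarding rule added to a mailbox is one of the first things to look for when an account is suspected of being compromised.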
- Disable or Limit Support for Legacy Email Protocols
Businesses sometimes use legacy email protocols (e.g., IMAP, POP) to provide email services to users with older email clients that do not support modern methods of authentication (e.g., two-step verification). In some circumstances, cybercriminals are able to exploit support for legacy email protocols to bypass two-step verification and hack email accounts.
For example, during a six-month study of major cloud-service tenants, Proofpoint security researchers discovered that hackers were using IMAP to hack Office 365 and Google G Suite accounts. They analyzed more than 100,000 unauthorized logins across millions of cloud user accounts and found that about 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based attacks, with a quarter of the attacks resulting in successful account breaches. These attacks went unnoticed because they were designed to avoid account lockouts and look like isolated failed logins, according to the researchers.
Because such attacks are common and hard to spot, the Cybersecurity and Infrastructure Security Agency recommends that companies using Office 365 disable support for IMAP and other legacy email protocols. If certain employees have older email clients that need this support, businesses should limit the use of legacy email protocols to just those users.
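Disabling IMAP and POP for everyone except a documented set of users can be scripted against Exchange Online. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange admin role, and an allow-list address that is a constructed placeholder.

```powershell
# Added example (not code from the article): report which mailboxes still accept
# IMAP/POP and turn both off for everyone except a documented allow list.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role; the
# allow-list address is a constructed placeholder.
Connect-ExchangeOnline -ShowBanner:$false

# Assumption: the few users whose older clients genuinely need IMAP/POP.
$legacyAllowList = @('legacy-scanner@example.com')

# 1. Who still has a legacy protocol enabled?
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
$exposed | Format-Table -AutoSize

# 2. Disable IMAP and POP for every mailbox not on the allow list.
foreach ($mb in $exposed) {
    if ($legacyAllowList -contains "$($mb.PrimarySmtpAddress)") { continue }
    Set-CASMailbox -Identity "$($mb.PrimarySmtpAddress)" -PopEnabled $false -ImapEnabled $false
}

# 3. Make new mailboxes start with IMAP/POP off, so the report stays empty.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 4. Authenticated SMTP submission with basic authentication is the other common
#    legacy path; turn it off tenant-wide (individual mailboxes can be re-enabled).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 5. Re-run the report; only allow-listed mailboxes should remain.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
```

This handles the protocols the article names. Legacy (basic) authentication is also accepted by other protocols such as Exchange Web Services and ActiveSync, so the mailbox-level settings are best paired with an Azure AD Conditional Access policy that blocks legacy authentication tenant-wide, with the allow-listed users as the only exclusions.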
- Block Risky Email Attachments
Cybercriminals like to attach malicious files to emails. Opening the attachments starts a chain of events that can lead to the computer being infected with malware or compromised in some other way.
Word (.doc and .dot) and executable (.exe) files are most often used as malicious attachments, according to Symantec’s 2019 Internet Security Threat Report. Table 1 shows other file types that are commonly used.
Table 1. Types of Files Commonly Used as Malicious Email Attachments*
Office 365 provides companies with the ability to block email attachments of certain file types. For example, businesses might want to block emails that contain an attached executable file.
Although Word and Excel files are often used to spread malware, companies do not necessarily have to block emails with those types of attachments. The attack vector in Word and Excel files is often a malicious macro. Changing Word’s and Excel’s macro settings so that macros are automatically disabled without any notification can mitigate much of the risk.
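The attachment blocking described above can be configured in two complementary places in Exchange Online: the anti-malware policy's extension-based filter, and a mail flow rule that inspects attachment content. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange admin role, and that the tenant's anti-malware policy still carries its default name "Default". The extension list is constructed for this example (it is not Table 1) and deliberately leaves .doc and .xls alone, as the article suggests, relying on the macro setting instead.

```powershell
# Added example (not code from the article): block executable attachments in
# Exchange Online. Assumes the ExchangeOnlineManagement module, an Exchange admin
# role, and that the anti-malware policy is still named "Default". The extension
# list is constructed for this example, not taken from Table 1.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Common attachments filter: extension-based block in the anti-malware policy.
$blockedExtensions = @('exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse',
                       'wsf', 'wsh', 'hta', 'cpl', 'jar', 'msi', 'reg', 'lnk', 'iso')
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedExtensions

# 2. Mail flow rule: reject executables by content inspection, which catches an
#    .exe renamed to .txt that the extension list above would miss.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted. Please share the file another way.' `
    -Mode Enforce

# 3. Verify both controls.
Get-MalwareFilterPolicy -Identity Default | Format-List EnableFileFilter, FileTypes
Get-TransportRule -Identity 'Block executable attachments' |
    Format-List Name, State, Mode, AttachmentHasExecutableContent
```

Running the transport rule with `-Mode Test` for a week before switching to `Enforce` shows which legitimate senders would be affected; the rejection text is what those senders receive in the non-delivery report, so it should tell them the approved alternative.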
- Block the Automatic Forwarding of Emails to External Addresses
Cybercriminals who gain access to an employee’s mailbox can configure it to automatically forward the person’s email messages to an external email account. By design, the auto-forwarding process operates silently in the background, so the employee won’t know it is occurring.
Hackers typically auto-forward employees’ emails to steal sensitive data or get the information they need to launch other types of attacks (e.g., Business Email Compromise attacks). To prevent this data theft, companies can configure Office 365 to block any emails being automatically forwarded to external email addresses.
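Blocking external auto-forwarding is a tenant-level setting, but it does not tell you whether forwarding has already been set up in a mailbox, so the block is best paired with a search for existing forwarding. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange admin role, and that the default remote domain and outbound spam policy keep their name "Default".

```powershell
# Added example (not code from the article): block automatic forwarding to
# external addresses and look for forwarding that is already configured. Assumes
# the ExchangeOnlineManagement module and an Exchange admin role, and that the
# default remote domain and outbound spam policy are still named "Default".
Connect-ExchangeOnline -ShowBanner:$false

# 1. The remote domain "Default" (*) governs all external domains: stop auto-forwarding.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. The outbound spam filter policy carries the same control; "Off" blocks
#    forwarding whether it was configured by a user, an inbox rule or an admin.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Mailbox-level forwarding set through admin tools.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 4. Inbox rules that forward or redirect: the silent path the article describes.
#    Review the Targets column for addresses outside your accepted domains.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo; $_.ForwardAsAttachmentTo; $_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox = $upn
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = ($targets -join '; ')
            }
        }
} | Format-Table -AutoSize
```

Step 4 walks every mailbox and is slow in a large tenant; with mailbox auditing enabled (see the earlier measure), the `UpdateInboxRules` and `Set-InboxRule` events in the audit log give the same information continuously instead of on demand.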
Help Is Here
If you need help in implementing the seven security measures discussed, contact us. We can also provide additional recommendations on how to securely use Office 365 or any other type of cloud service.