May 16, 2024

7 Steps To Secure Your Microsoft 365 Environment

Microsoft 365 is trusted by organisations large and small for their day-to-day operations. Email, data storage, document exchange, and customer and company-critical information are all entrusted to 365 for safekeeping. And yet out-of-the-box, or out-of-the-cloud as is more common, Microsoft 365 security features are configured for usability rather than maximum security.

Cyber attackers have taken notice and are shifting their focus towards this attractive target.

This guide outlines 7 simple configuration changes that significantly increase the security of your Microsoft 365 environment. Make sure you are not their next target.

1. Enable Multi-Factor Authentication (MFA)

Enabling Multi-Factor Authentication is still the single most effective change you can make to protect your organisation from account takeover. Microsoft themselves state that enabling MFA on your Microsoft 365 account can prevent 99.9% of account attacks. [1] Despite this, many users don’t enable MFA and many organisations don’t enforce it.

FACT: 37% of all security breaches last year involved the use of stolen credentials. [2]

2. Disable Legacy Authentication

Familiar email protocols such as IMAP4 and POP have no way to support MFA, and yet they are enabled by default in Microsoft 365. Because MFA policy cannot be enforced across these legacy methods of authentication, it is no surprise that they are a favourite of attackers looking to access 365 accounts. Enabling Modern Authentication for your client apps disables these Legacy Authentication protocols and ensures that remote users follow your MFA policies.

FACT: Up to 60% of Microsoft 365 customers have been targeted by this type of attack. [3]
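The authentication-policy way of applying this step, as an added example and not code from the original post. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the policy name is constructed. Note that switching on Modern Authentication does not by itself refuse Basic Authentication: the authentication policy does that, and SMTP AUTH is controlled separately again.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement is installed and the
# account running it holds the Exchange Administrator role. $policyName is a constructed name.
Connect-ExchangeOnline

# Turn on Modern Authentication (OAuth) for Outlook and other rich clients at the tenant level.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Create an authentication policy that refuses Basic Authentication for every legacy protocol.
# A new policy already blocks everything; the switches are spelled out so the intent is reviewable.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthImap:$false -AllowBasicAuthPop:$false -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false `
        -AllowBasicAuthRpc:$false -AllowBasicAuthWebServices:$false
}

# Make it the tenant default so every mailbox without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# SMTP AUTH is governed by the transport config, not the authentication policy; turn it off
# tenant-wide. A mailbox that genuinely needs it (a scanner, a line-of-business app) can be
# re-enabled individually with Set-CASMailbox -SmtpClientAuthenticationDisabled $false.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Verify: mailboxes that still have IMAP or POP enabled are candidates for follow-up. Disabling the
# protocol on the mailbox closes it regardless of which authentication method a client offers.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
```

A new default authentication policy can take some time to apply to existing sessions, so re-run the verification step rather than assuming immediate effect.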

3. Use Dedicated Administrator Accounts

Using administrative accounts for day-to-day activities is an unacceptable and unnecessary risk. Daily use increases the likelihood of these highly privileged accounts being taken over as even the most experienced users can fall victim to phishing attacks or compromised passwords.

Even authorised administrators can do most of their day-to-day work from a separate standard account. Reserving administrative accounts for the operations that genuinely require elevated privileges also allows more stringent security controls to be applied to these critical accounts.

FACT: Gaining access to an administrator account is the holy grail of account based attacks.
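A quick audit for this step, added here as an example and not part of the original post. It assumes the Microsoft Graph PowerShell SDK and an account able to read directory roles and user licences; the role list is an assumption to tailor. A privileged account that carries a licence (mailbox, Office apps) is the usual tell that it is also being used for everyday work.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK is installed and the
# signed-in account can read directory roles and licence details. $privilegedRoles is an assumption.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Roles worth checking first; extend to match the roles actually in use in your tenant.
$privilegedRoles = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator",
                     "Security Administrator", "User Administrator")

$findings = foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; only user accounts are of interest here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $licences = (Get-MgUserLicenseDetail -UserId $member.Id).SkuPartNumber
        [pscustomobject]@{
            Role     = $roleName
            User     = $member.AdditionalProperties['userPrincipalName']
            Licensed = [bool]$licences
            Skus     = $licences -join ","
        }
    }
}

# Licensed privileged accounts are the ones to split into a standard account plus a separate admin account.
$findings | Sort-Object Licensed -Descending | Format-Table -AutoSize
```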

4. Block Malicious Attachments

Over 22% of successful breaches in the past year involved phishing [2] using malicious attachments delivered via email. They are a favourite for attackers trying to gain a foothold in a target network, especially since so many businesses use email to share office documents and users are used to receiving them.

While many documents are safe, it is critical that ‘executable’ file types are prevented from reaching a user’s inbox. Common malicious attachment types include:

EXE, DLL, HTA, DOC/DOCM, XLS/XLK/XLL, PDF, PPT, and ZIP/RAR archives

There are, of course, business cases where some of these file types are required so it is impossible to simply block all delivery. This highlights the need for strong controls and "defence in depth", supplemented with regular user awareness training.

FACT: Statistics show that over 48% of malicious attachments are Office files [4].
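One way to apply this step with the common attachments filter in Exchange Online Protection, added as an example rather than taken from the original post. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the policy name, notification address and recipient domain are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement and the Exchange
# Administrator role. Policy name, notification address and recipient domain are constructed values.
Connect-ExchangeOnline

# Hard-block the executable types the post lists. DOC/XLS/PPT/PDF and ZIP/RAR are left out of the
# filter because the post notes that some types have legitimate business use; those stay with the
# malware engine and user awareness rather than an outright block.
$blockedTypes = @("exe", "dll", "hta", "docm", "xlk", "xll")

$policyName = "Block Executable Attachments"
$existing   = Get-MalwareFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MalwareFilterPolicy -Name $policyName `
        -EnableFileFilter $true `
        -FileTypes $blockedTypes `
        -EnableInternalSenderAdminNotifications $true `
        -InternalSenderAdminAddress "secops@example.com"
} else {
    # -FileTypes replaces the whole list rather than appending, so always pass the complete set.
    Set-MalwareFilterPolicy -Identity $policyName -EnableFileFilter $true -FileTypes $blockedTypes
}

# A custom policy does nothing until a rule scopes it to recipients; here the whole accepted domain.
if (-not (Get-MalwareFilterRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterRule -Name $policyName -MalwareFilterPolicy $policyName -RecipientDomainIs "example.com"
}

# Verify every policy in the tenant, including the built-in Default, so nothing weaker shadows the new one.
Get-MalwareFilterPolicy |
    Select-Object Name, EnableFileFilter, @{ Name = "FileTypes"; Expression = { $_.FileTypes -join "," } }
```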

5. Disable Third-Party Applications

Third-party applications are an increasingly popular avenue of attack for adversaries looking to compromise your Microsoft 365 environment. While users see them as increasing productivity and providing new features, these applications often use very powerful Microsoft 365 REST APIs. Users may grant applications access to their Microsoft 365 data, such as emails, calendars, contacts, users, groups, files, and folders, inadvertently giving full control of their Microsoft 365 account to an attacker.

We advise that the ability to add new applications is restricted to authorised staff whose own accounts are protected, with each application undergoing a rigorous review before being released to general users.
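The two halves of this step in practice, added as an example and not code from the original post: stop ordinary users consenting to new applications, then review the access already granted. It assumes the Microsoft Graph PowerShell SDK and an account allowed to update the authorization policy and read applications; the list of sensitive scopes is an assumption to adjust.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK is installed and the
# signed-in account may update the authorization policy and read service principals and grants.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

# An empty permission-grant policy list means users cannot consent to any app themselves;
# new applications then have to come through an administrator review.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Review what has already been consented to. $sensitiveScopes is an assumed list of delegated
# permissions that hand an app broad reach into mail, files or the directory.
$sensitiveScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
                     "Contacts.ReadWrite", "User.ReadWrite.All", "Directory.ReadWrite.All")
$spNames = @{}   # cache of service principal id -> display name to avoid repeated lookups

$review = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant = $_
    if (-not $spNames.ContainsKey($grant.ClientId)) {
        $spNames[$grant.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId).DisplayName
    }
    # Scope is a space-separated string of delegated permissions.
    $granted = $grant.Scope -split " " | Where-Object { $_ }
    $hits    = $granted | Where-Object { $sensitiveScopes -contains $_ }
    if ($hits) {
        [pscustomobject]@{
            App         = $spNames[$grant.ClientId]
            ConsentType = $grant.ConsentType     # AllPrincipals = tenant-wide, Principal = a single user
            PrincipalId = $grant.PrincipalId
            Sensitive   = $hits -join ","
        }
    }
}
$review | Sort-Object App | Format-Table -AutoSize

# After review, a grant that should not exist is removed by id; the app then needs admin re-approval:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id from Get-MgOauth2PermissionGrant>
```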

6. Disable Email Auto-Forwarding

Email auto-forwarding is a common technique used by attackers looking to stealthily exfiltrate data from a user’s inbox. By configuring malicious forwarding rules on a compromised 365 account, an attacker can relay all of its email to a third-party inbox that they control. In a more targeted approach, an adversary can choose to forward only emails containing specific keywords, depending on their objectives, for example: "Password", “Invoice”, “VPN”, “Account Number” etc.

Ideally, email auto-forwarding to external domains should be disabled. However, legitimate business cases do exist for auto-forwarding email. A review should be conducted and the functionality restricted to the absolute minimum required to operate. Auto-forwarding should be closely monitored.
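Blocking external auto-forwarding and then hunting for the forwarding that is already in place, as an added example and not part of the original post. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; on a large tenant, narrow the mailbox scope rather than using -ResultSize Unlimited.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module and the
# Exchange Administrator role. Narrow the mailbox scope on large tenants; Get-InboxRule is slow per mailbox.
Connect-ExchangeOnline

# 1. Block automatic forwarding to external recipients in both places it can be permitted:
#    the outbound spam policy (covers inbox rules, mailbox forwarding and flows) and the
#    default remote domain, which applies to every external domain without its own entry.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Forwarding configured on the mailbox itself (set by an admin or through Outlook on the web).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect, including keyword-triggered rules like those the post describes.
#    A forwarding rule that also deletes the message is a classic indicator of a compromised account.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }
$rules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = "$($_.PrimarySmtpAddress)"
    Get-InboxRule -Mailbox $mbx -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            # Targets render as '"Name" [SMTP:user@domain]'; anything not matching an accepted domain is external.
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $external = $targets | Where-Object { $t = "$_"; -not ($internal | Where-Object { $t -like "*@$_*" }) }
            $words    = @($_.SubjectContainsWords) + @($_.BodyContainsWords) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Keywords = $words -join ";"
                External = $external -join ";"
                Deletes  = $_.DeleteMessage
            }
        }
}

# Rules with an external target are the ones to investigate first; keep the full list for the review.
$rules | Where-Object { $_.External } | Format-Table -AutoSize
```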

7. Test & Assure

Changes to your Microsoft 365 configuration are an unavoidable component of normal day-to-day operations. Over time they can easily result in ‘config drift’ and introduce previously unseen vulnerabilities and weaknesses. Maintaining a strong and secure environment requires regular reviews against a secure target baseline.
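A small drift check of the kind this step calls for, added as an example and not code from the original post or from Precursor Security's assessment. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the baseline table mirrors the controls in steps 2, 4 and 6 and is meant to be extended with your own target settings.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement and the Exchange
# Administrator role. The baseline values are an assumed target drawn from steps 2, 4 and 6.
Connect-ExchangeOnline

$org   = Get-OrganizationConfig
$xport = Get-TransportConfig
$rd    = Get-RemoteDomain -Identity Default
$spam  = Get-HostedOutboundSpamFilterPolicy -Identity Default
$mal   = Get-MalwareFilterPolicy -Identity Default

# Each entry: the control, the value the tenant currently holds, and the value the baseline expects.
$baseline = @(
    @{ Control = "Modern auth enabled";            Actual = $org.OAuth2ClientProfileEnabled;          Expected = $true  }
    @{ Control = "Default auth policy assigned";   Actual = [bool]$org.DefaultAuthenticationPolicy;   Expected = $true  }
    @{ Control = "Mailbox auditing on";            Actual = -not $org.AuditDisabled;                  Expected = $true  }
    @{ Control = "SMTP AUTH disabled";             Actual = $xport.SmtpClientAuthenticationDisabled;  Expected = $true  }
    @{ Control = "Remote domain auto-forward off"; Actual = $rd.AutoForwardEnabled;                   Expected = $false }
    @{ Control = "Outbound auto-forward mode";     Actual = "$($spam.AutoForwardingMode)";            Expected = "Off"  }
    @{ Control = "Common attachment filter on";    Actual = $mal.EnableFileFilter;                    Expected = $true  }
)

$drift = foreach ($item in $baseline) {
    $status = if ($item.Actual -eq $item.Expected) { "OK" } else { "DRIFT" }
    [pscustomobject]@{
        Control  = $item.Control
        Expected = $item.Expected
        Actual   = $item.Actual
        Status   = $status
    }
}
$drift | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or pipeline flag drift instead of relying on someone reading the table.
if ($drift | Where-Object { $_.Status -eq "DRIFT" }) { exit 1 }
```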

Our Microsoft 365 Configuration Assessment reviews your tenancy against 50+ individual best practice configuration settings across eight core categories, ranging from Authentication & Auditing to Data Storage & Email Security.

Precursor Security are a UK based Cyber Security Consultancy specialising in Cloud Security for Microsoft 365, Microsoft Azure and AWS Cloud Computing environments. We use a mixture of Continuous Security Testing and Offensive Security and Penetration Testing techniques to ensure that your business stays safe in the cloud.

References

[1] https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/

[2] https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

[3] https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

[4] https://docs.broadcom.com/doc/istr-24-2019-en


Written by

Precursor Security