Microsoft 365 is trusted by organisations large and small for their day-to-day operations. Email, data storage, document exchange, and customer and company-critical information are all entrusted to 365 for safekeeping. And yet out-of-the-box, or out-of-the-cloud as is more common, Microsoft 365 security features are configured for usability rather than maximum security: the defaults are a starting point, not a hardened baseline.
Cyber attackers have taken notice and are shifting their focus towards this attractive target.
This guide outlines 7 simple configuration changes that significantly increase the security of your Microsoft 365 environment. Make sure you are not their next target.
1. Enable Multi-Factor Authentication (MFA)
Enabling multi-factor authentication (MFA) is still the single most effective change you can make to protect your organisation from account takeover. Microsoft themselves state that accounts with MFA enabled are 99.9% less likely to be compromised. [1] Despite this, many users never enable MFA, and many organisations leave it as an option for users rather than enforcing it for everyone, for example through Security Defaults or a Conditional Access policy.
FACT: 37% of all security breaches last year involved the use of stolen credentials. [2]
2. Disable Legacy Authentication
Familiar email protocols such as IMAP4, POP3 and SMTP AUTH, when used with Basic Authentication (a username and password sent with every connection), have no way to carry an MFA challenge, and yet they are enabled by default in Microsoft 365. As MFA policy cannot be enforced across these legacy methods of authentication, it is no surprise to find that they are a favourite of attackers looking to access 365 accounts, typically by password spraying or by replaying credentials from a breach dump. Enabling Modern Authentication (OAuth 2.0) for your client apps is necessary but not sufficient: on its own it does not switch Basic Authentication off. You also need to block Basic Authentication, with an Exchange Online authentication policy or a Conditional Access policy that blocks legacy clients, and disable POP, IMAP and SMTP AUTH on every mailbox with no business need for them. Only then are remote users forced through your MFA policies.
FACT: Up to 60% of Microsoft 365 customers have been targeted by this type of attack. [3]
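As an added example that is not part of the original guide, the following PowerShell covers both of the points above: it enforces MFA for all users (section 1) and blocks legacy authentication (section 2), using the Microsoft Graph PowerShell SDK for the Conditional Access policies and the Exchange Online Management module to switch the protocols off at the service. The emergency-access account name and the policy names are placeholders; both policies are created in report-only mode so the sign-in log shows their impact before you change the state to enabled.

```powershell
# Added example, not code from the original guide. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules; the signed-in account needs the Conditional Access
# Administrator and Exchange Administrator roles.
# Assumption: breakglass@contoso.onmicrosoft.com is a placeholder emergency-access account
# that is excluded from both policies (it should have a long random password, its own MFA
# and sign-in alerting).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'
$breakGlassId = (Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com').Id

# Section 1: require MFA for every user on every cloud app. Report-only mode records what
# the policy would have done in the sign-in log; set state to 'enabled' to enforce it.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Section 2: block legacy authentication. The client app types 'exchangeActiveSync' and
# 'other' are how Conditional Access identifies Basic Auth ActiveSync, IMAP, POP, SMTP AUTH
# and older Office clients; modern (OAuth) clients never match this policy.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Exchange Online: also switch the protocols off at the service, so a future Conditional
# Access exclusion cannot quietly reopen them. New mailboxes inherit from the mailbox plan;
# existing mailboxes have to be changed individually.
Connect-ExchangeOnline
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled   # must be True (modern auth on)
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true          # tenant-wide SMTP AUTH off

# Verify: the mailbox query should now return nothing, and both policies should be listed.
Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Select-Object Identity, ImapEnabled, PopEnabled
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for at least a week and review the "Report-only" tab of the sign-in log for any service account, scanner or multifunction printer that still relies on Basic Authentication; fix those first, then enable the policies. Disabling POP and IMAP on a mailbox that a line-of-business application uses will break it, so the per-mailbox change is best staged by department.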
3. Use Dedicated Administrator Accounts
Using administrative accounts for day-to-day activities is an unacceptable and unnecessary risk. Daily use, with a mailbox to read, links to click and documents to open, increases the likelihood of these highly privileged accounts being taken over, as even the most experienced users can fall victim to phishing attacks or compromised passwords.
Even authorised administrators can do most of their day-to-day work from a separate standard account. Keeping administrative accounts only for those operations that absolutely require elevated privileges also allows more stringent controls to be applied to these critical accounts: mandatory MFA, no mailbox or licence, and a small membership that is reviewed regularly.
FACT: Gaining access to an administrator account is the holy grail of account based attacks.
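The first step is knowing who actually holds the highest privilege today. As an added example that is not part of the original guide, this Microsoft Graph PowerShell script lists every Global Administrator and flags the signs that an account is used for daily work (it carries a licence, and therefore a mailbox) or is otherwise exposed (no MFA registered, or a guest). The "fewer than five" threshold in the comments is Microsoft's own published recommendation for Global Administrators.

```powershell
# Added example, not code from the original guide. Requires the Microsoft.Graph module;
# the signed-in account needs Directory.Read.All and AuditLog.Read.All (the latter is
# needed for the authentication methods registration report).
Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All'

# 62e90394-69f5-4237-9190-012177145e10 is the fixed role template id of Global Administrator,
# so matching on it is more robust than matching on a display name.
$gaRole   = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq '62e90394-69f5-4237-9190-012177145e10'
$members  = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# MFA registration status for the whole tenant, keyed by user principal name
$mfaRegistered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfaRegistered[$_.UserPrincipalName] = $_.IsMfaRegistered }

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users are reviewed here
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses, UserType
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        # A licence (mailbox, Teams, OneDrive) is a strong hint that the account is used for
        # daily work rather than being reserved for administration.
        Licensed          = ($u.AssignedLicenses.Count -gt 0)
        MfaRegistered     = [bool]$mfaRegistered[$u.UserPrincipalName]
        Guest             = ($u.UserType -eq 'Guest')
    }
}

$report | Sort-Object Licensed -Descending | Format-Table -AutoSize
"Global Administrators (users): $(@($report).Count)"

# Findings worth acting on:
#  - more than a handful of Global Administrators (Microsoft recommends fewer than five)
#  - any Licensed = True: move the person's daily work to a separate standard account
#  - any MfaRegistered = False or Guest = True: fix before anything else
```

Run the same script against the other privileged roles (Exchange Administrator, SharePoint Administrator, Privileged Role Administrator and so on) by swapping the template id; the structure does not change.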
4. Block Malicious Attachments
Phishing featured in over 22% of breaches in the past year [2], and malicious attachments delivered via email remain one of its main payloads. They are a favourite for attackers trying to gain a foothold in a target network, especially since so many businesses use email to share office documents and users are used to receiving them.
While many documents are safe, it is critical that executable file types are prevented from reaching a user's inbox. Common attachment types used to deliver malware include:
- executables, scripts and add-ins that run as native code when opened: EXE, DLL, HTA and XLL
- document formats that can carry macros, embedded objects or exploits: DOC/DOCM, XLS/XLK, PDF and PPT
- archives used to wrap any of the above and get past simple filters: ZIP and RAR
The first group can be blocked outright at the mail gateway. There are, of course, business cases where the document and archive types are required, so it is not possible to simply block all delivery; those need inspection (attachment detonation, macro controls) rather than a blanket ban. This highlights the need for strong controls and "defence in depth", supplemented with regular user awareness training.
FACT: Statistics show that over 48% of malicious attachments are Office files [4].
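As an added example that is not part of the original guide, the following Exchange Online PowerShell puts that split into practice: two mail flow rules quarantine executable attachments arriving from outside the organisation, one matching on extension and one on file content, while a Safe Attachments policy detonates the document types instead of blocking them. The extension list extends the guide's with other script and container types commonly abused; the domain and mailbox names are placeholders, and Safe Attachments needs a Defender for Office 365 licence.

```powershell
# Added example, not code from the original guide. Requires the ExchangeOnlineManagement
# module and an Exchange Administrator; Safe Attachments requires Defender for Office 365.
# Assumption: contoso.com is a placeholder for your accepted domain.
Connect-ExchangeOnline

# Extensions we are prepared to quarantine outright when they arrive from the internet.
# Starts from the guide's list (exe, dll, hta, xll) and adds script and container types
# that are executed by Windows shell handlers with no user-visible "this is a program" step.
$blockedExtensions = 'exe', 'dll', 'hta', 'xll', 'scr', 'js', 'jse', 'vbs', 'vbe', 'wsf',
                     'ps1', 'bat', 'cmd', 'msi', 'lnk', 'iso'

# Rule 1: match on extension. -Mode Audit logs hits without acting; switch it to Enforce once
# the message trace shows only the expected senders being caught.
New-TransportRule -Name 'Quarantine inbound executable attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Executable and script attachments from outside the organisation are held for admin review'

# Rule 2: match on content. AttachmentHasExecutableContent inspects file properties rather
# than the name, so an .exe renamed to .txt still matches.
New-TransportRule -Name 'Quarantine inbound executable content' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -Mode Audit

# Office and PDF files stay deliverable but are detonated first; Action Block withholds the
# whole message when the attachment turns out to be malicious.
New-SafeAttachmentPolicy -Name 'Detonate documents' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'Detonate documents - all users' `
    -SafeAttachmentPolicy 'Detonate documents' `
    -RecipientDomainIs 'contoso.com'

# Verify what is now in place
Get-TransportRule | Where-Object Name -like 'Quarantine inbound*' |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, AttachmentHasExecutableContent
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
```

Quarantine rather than reject for inbound mail: a rejection tells the sender (and the attacker) exactly which filter fired, whereas quarantine lets an administrator release the occasional legitimate installer a supplier sends. Macro blocking for the document types is an Office client setting (Group Policy or Intune), not an Exchange setting, and sits alongside these rules.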
5. Disable Third-Party Applications
Third-party applications are an increasingly popular avenue of attack for adversaries looking to compromise your Microsoft 365 environment. While users see them as increasing productivity and providing new features, these applications often use very powerful Microsoft 365 REST APIs. A user who accepts an OAuth consent prompt may grant an application access to their Microsoft 365 data, such as emails, calendars, contacts, users, groups, files and folders, inadvertently giving an attacker persistent access to their account: the grant survives a password reset and is only removed when the consent itself is revoked.
We advise that the ability to consent to new applications is limited to authorised and protected staff (an admin consent workflow lets users request an application without granting it themselves), with each application undergoing a rigorous review of the permissions it asks for before being released to general users. Grants that already exist should be reviewed too, since an attacker who has obtained consent keeps it until it is revoked.
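As an added example that is not part of the original guide, this Microsoft Graph PowerShell script does both halves of that advice: it turns off end-user consent at the tenant level, then walks the delegated permission grants already in the tenant and reports any that hand over a mailbox, all files or the directory. The list of scopes treated as high risk is my own starting point and should be extended for your tenant.

```powershell
# Added example, not code from the original guide. Requires the Microsoft.Graph module;
# changing the authorization policy needs a Global Administrator or Privileged Role
# Administrator, reading grants needs Directory.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.Read.All'

# 1. Disable user consent. An empty list of grant policies means only administrators can
#    consent. To allow low-risk permissions from verified publishers instead, assign
#    @('ManagePermissionGrantsForSelf.microsoft-user-default-low').
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 2. Review what has already been consented to. Delegated scopes below are treated as
#    high risk (assumption: tune this list for your tenant). offline_access is included
#    because it is what gives an application a long-lived refresh token.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Directory.AccessAsUser.All',
               'full_access_as_user', 'offline_access'

function Find-RiskyGrant {
    param([object[]]$Grants, [hashtable]$ServicePrincipalNames)
    foreach ($g in $Grants) {
        # Scope is a single space-separated string of granted permissions
        $granted = $g.Scope -split '\s+' | Where-Object { $_ }
        $hits    = $granted | Where-Object { $_ -in $riskyScopes }
        if (-not $hits) { continue }
        [pscustomobject]@{
            App         = $ServicePrincipalNames[$g.ClientId]
            ClientId    = $g.ClientId
            ConsentType = $g.ConsentType   # AllPrincipals = an admin consented for every user
            PrincipalId = $g.PrincipalId   # the consenting user when ConsentType is Principal
            RiskyScopes = ($hits -join ' ')
            GrantId     = $g.Id
        }
    }
}

$spNames = @{}
Get-MgServicePrincipal -All -Property Id, DisplayName |
    ForEach-Object { $spNames[$_.Id] = $_.DisplayName }
$grants = Get-MgOauth2PermissionGrant -All

Find-RiskyGrant -Grants $grants -ServicePrincipalNames $spNames |
    Sort-Object ConsentType, App | Format-Table -AutoSize

# A grant nobody recognises is removed with its GrantId from the report:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Look first at grants with ConsentType = Principal whose App is a name nobody in IT has heard of: that is the pattern of a user clicking through a consent-phishing prompt. Removing the grant cuts the application's access immediately; resetting the user's password on its own does not.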
6. Disable Email Auto-Forwarding
Email auto-forwarding is a common technique used by attackers looking to stealthily exfiltrate data from a user's inbox. By configuring malicious forwarding rules on compromised 365 accounts an attacker can relay all emails to a third-party inbox that they control. In a more targeted approach, an adversary can choose to forward only emails containing specific keywords depending on their objectives, for example "Password", "Invoice", "VPN" or "Account Number", and often deletes the forwarded copy so the owner never sees it.
Ideally, email auto-forwarding to external domains should be disabled. However, legitimate business cases do exist for auto-forwarding email. A review should be conducted and the functionality restricted to the absolute minimum required to operate. Auto-forwarding should be closely monitored: new or changed inbox rules and mailbox forwarding settings appear in the unified audit log as New-InboxRule, Set-InboxRule, UpdateInboxRules and Set-Mailbox operations, and a rule that both forwards externally and deletes is a strong indicator of compromise.
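As an added example that is not part of the original guide, the following Exchange Online PowerShell applies the tenant-wide control and then hunts for forwarding that is already in place: mailbox-level forwarding, inbox rules that forward or redirect to an external domain (including the keyword-filtered and forward-and-delete variants described above), and the recent audit log entries for rule changes. Accepted domains are read from the tenant, so no domain name is assumed.

```powershell
# Added example, not code from the original guide. Requires the ExchangeOnlineManagement
# module and an Exchange Administrator; the audit search also needs the unified audit log
# to be enabled.
Connect-ExchangeOnline
$internalDomains = (Get-AcceptedDomain).DomainName

# Tenant-wide controls. 'Off' in the outbound spam policy blocks both inbox-rule and
# mailbox-level forwarding to external recipients; the remote domain setting is the older
# control and is kept in step with it.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

function Test-ExternalTarget {
    param([string[]]$Targets)
    # Rule targets come back as '"Display Name" [SMTP:user@domain]' or as a bare address;
    # pull the address out of either form and compare the domain to our accepted domains.
    foreach ($t in $Targets) {
        if ($t -match '([\w.+-]+@[\w.-]+)') {
            $domain = $Matches[1].Split('@')[1]
            if ($domain -notin $internalDomains) { return $true }
        }
    }
    return $false
}

# 1. Mailbox-level forwarding, set with Set-Mailbox or by the user in Outlook settings
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null' |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect externally, with any keyword filter and delete flag
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $keywords = @($_.SubjectContainsWords) + @($_.BodyContainsWords) + @($_.SubjectOrBodyContainsWords)
        [pscustomobject]@{
            Mailbox     = $_.MailboxOwnerId
            Rule        = $_.Name
            Enabled     = $_.Enabled
            External    = Test-ExternalTarget -Targets $targets
            Keywords    = (($keywords | Where-Object { $_ }) -join ',')
            DeletesCopy = $_.DeleteMessage   # forward-and-delete hides the rule's effect from the owner
        }
    }
} | Where-Object External | Format-Table -AutoSize

# 3. Who created or changed inbox rules in the last 7 days (feeds a recurring detection)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, ClientIP
```

Step 2 is slow on a large tenant because it calls Get-InboxRule once per mailbox; schedule it rather than running it interactively, and keep the previous run's output so that a newly appeared external rule stands out. The audit search in step 3 is the cheap, frequent check to run between full sweeps.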
7. Test & Assure
Changes to your Microsoft 365 configuration are an unavoidable part of normal day-to-day operations. Over time they can easily result in 'config drift' and reintroduce weaknesses that were previously closed, for example an IMAP setting switched back on for one mailbox, or a Conditional Access exclusion added during an incident and never removed. Maintaining a strong and secure environment requires regular, ideally automated, reviews against a secure target baseline, so that a setting which has drifted is found by you before it is found by an attacker.
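As an added example that is not part of the original guide, this PowerShell is a minimal, schedulable baseline check for the settings the six preceding points recommend. Each baseline entry names the check, a script block that reads the live value, and the value expected; anything that differs is reported as drift and the script exits non-zero so a scheduler or pipeline can alert on it. The Conditional Access policy name is a placeholder and the table is meant to be extended with your own baseline.

```powershell
# Added example, not code from the original guide. Requires the ExchangeOnlineManagement
# and Microsoft.Graph modules with read access to Exchange, policies and the authorization
# policy. Assumption: 'CA001 - Require MFA for all users' is the name of your MFA policy.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.Read.All'

$baseline = @(
    @{ Check = 'Modern authentication enabled';    Expected = $true
       Actual = { (Get-OrganizationConfig).OAuth2ClientProfileEnabled } }
    @{ Check = 'SMTP AUTH disabled tenant-wide';   Expected = $true
       Actual = { (Get-TransportConfig).SmtpClientAuthenticationDisabled } }
    @{ Check = 'Unified audit log enabled';        Expected = $true
       Actual = { (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled } }
    @{ Check = 'External auto-forwarding off';     Expected = 'Off'
       Actual = { (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode } }
    @{ Check = 'Remote domain auto-forward off';   Expected = $false
       Actual = { (Get-RemoteDomain -Identity Default).AutoForwardEnabled } }
    @{ Check = 'Mailboxes with POP or IMAP on';    Expected = 0
       Actual = { @(Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true').Count } }
    @{ Check = 'User app consent disabled';        Expected = 0
       Actual = { @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned).Count } }
    @{ Check = 'MFA policy enforced';              Expected = 'enabled'
       Actual = { (Get-MgIdentityConditionalAccessPolicy |
                   Where-Object DisplayName -eq 'CA001 - Require MFA for all users').State } }
)

function Test-Baseline {
    param([object[]]$Baseline)
    foreach ($b in $Baseline) {
        # A cmdlet failure (missing module, no permission) is reported as drift, not hidden
        $actual = try { & $b.Actual } catch { "ERROR: $($_.Exception.Message)" }
        [pscustomobject]@{
            Check    = $b.Check
            Expected = $b.Expected
            Actual   = $actual
            # Compare as strings so enum values and booleans from different modules line up
            Drift    = ("$actual" -ne "$($b.Expected)")
        }
    }
}

$results = Test-Baseline -Baseline $baseline
$results | Format-Table -AutoSize

# Non-zero exit so whatever runs this on a schedule flags the run when anything has drifted
if ($results.Drift -contains $true) { exit 1 }
```

Keep the baseline file under version control next to the script: a change to the expected values is then itself a reviewed change, which is the difference between a baseline and a snapshot.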
Our Microsoft 365 Configuration Assessment reviews your tenancy against 50+ individual best practice configuration settings across eight core categories, ranging from Authentication & Auditing to Data Storage & Email Security.
Precursor Security are a UK based Cyber Security Consultancy specialising in Cloud Security for Microsoft 365, Microsoft Azure and AWS Cloud Computing environments. We use a mixture of Continuous Security Testing and Offensive Security and Penetration Testing techniques to ensure that your business stays safe in the cloud.
References
[1] https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
[2] https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
[3] https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
[4] https://docs.broadcom.com/doc/istr-24-2019-en
Choose Precursor Security for penetration testing excellence—where industry-leading expertise, CREST accreditation, and a client-focused approach converge to fortify your digital defences with precision and reliability.
We have a CREST accredited Security Operations Centre and all of our penetration testers are CREST certified.
We are accredited to the highest of standards including CREST, ISO27001, ISO9001 and Cyber Essentials Plus.
Our experts have a combined experience of over 30 years delivering security operations to sectors such as healthcare, financial services, aerospace and more.