Cyber Security Threats & Microsoft 365: A Review
Sharp-aX Computer Systems
Bespoke Business Management Software for Distribution & Wholesale
It’s hard to imagine that a single person reading this won’t have used Microsoft 365 (formerly Office 365) or its desktop predecessor Microsoft Office at some point in their working lives.
According to one estimate, the online suite now has around 320 million licensed users.
That makes Microsoft 365 the most ubiquitous software-as-a-service (SaaS) business application in the world, with the result that it has become a prime target for cybercriminals looking to find a way behind defences. To attackers, Microsoft 365 is like a menu of possibilities, encompassing Office, Excel, Outlook, Teams, SharePoint, and OneNote. That’s a lot to aim at, and aim they do in a way that doesn’t always get the attention it deserves.
Let’s consider the various motivations for targeting Microsoft 365 as well as a few of the techniques they use to do this.
Credential theft and account takeover
Microsoft 365 credentials are a powerful commodity because they allow attackers to do anything an employee has permission to do, which is often a lot. And remember, we’re not talking about lots of credentials – even a single account can be used to build a bridgehead inside a target. Once they’ve taken over a user’s privileges, attackers can send emails or malware to business contacts to carry out business email compromise (see below) or siphon off data.
Solution: Multi-factor authentication (MFA) across all accounts while also limiting privileges.
Email phishing
And how do attackers get hold of credentials? In most cases, using a targeted phishing attack. It sounds incredibly basic, but sending an employee a spoofed email, Teams meeting notification, SharePoint file sharing request, or OneNote request exploits the obvious fact that employees receive a stream of these communications all the time and are therefore more likely to be caught off guard.
Solution: Configure settings in Exchange Online Protection (EOP), for example turning on warnings about unauthenticated senders.
Azure Static Web Apps Phishing
In recent months attackers have started abusing the Azure Static Web Apps developer service in sophisticated phishing attacks. Normally, this service is an integration tool for developers deploying apps to Azure from GitHub or Azure DevOps, but criminals spotted that users would assume its domain, complete with a Microsoft-issued certificate, is trustworthy, which makes it ideal for hosting phishing pages.
Solution: so far, nothing specific beyond the usual warnings not to trust emails.
MFA bypass phishing
Using multifactor authentication (MFA) on user accounts greatly reduces the chance of being phished but it doesn’t remove it completely. An increasingly popular technique to attempt to bypass MFA is something called consent phishing, which exploits the ability of third-party apps to gain access to a user’s account using the OAuth protocol. The user is persuaded to install a malicious app that looks genuine, which then manipulates the user into granting it permissions.
Solution: Microsoft claims Azure’s security controls can be configured to restrict non-verified apps.
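As an added example (not code from the article or from Microsoft), the following Python reviews exported OAuth permission grants for the pattern described above: a user-consented grant of mailbox or file scopes to an app with no verified publisher. It assumes the grant and service-principal objects are in the shape Microsoft Graph returns for /oauth2PermissionGrants and /servicePrincipals; the sample records are constructed.

```python
"""Flag consent-phishing-style OAuth grants in a Microsoft 365 tenant export.

Added example, not from the article. Input objects follow the shape that
Microsoft Graph returns for /oauth2PermissionGrants and /servicePrincipals
(an assumption: adapt the field names if your export differs).
"""

# Delegated scopes that give an app the reach the article warns about:
# read or send mail, reach files, and keep access after the user signs out.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "offline_access",
}

def is_verified(sp):
    """True when the service principal carries a Microsoft-verified publisher."""
    vp = sp.get("verifiedPublisher") or {}
    return bool(vp.get("verifiedPublisherId"))

def review_grants(grants, service_principals):
    """One finding per grant that a user consented to ("Principal" consent),
    that carries at least one high-risk scope, and whose app is unverified."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        risky = set(g.get("scope", "").split()) & HIGH_RISK_SCOPES
        if g.get("consentType") == "Principal" and risky and not is_verified(sp):
            findings.append({
                "app": sp.get("displayName", g["clientId"]),
                "user": g.get("principalId"),
                "scopes": sorted(risky),
            })
    return findings

# Constructed sample data (fictional tenant; publisher id is a placeholder).
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Contoso Expense Viewer",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-2", "displayName": "Microsoft Teams",
     "verifiedPublisher": {"displayName": "Microsoft Corporation",
                           "verifiedPublisherId": "PLACEHOLDER-PUBLISHER-ID"}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "graph", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, SAMPLE_SPS):
        print(f"{f['app']} granted by {f['user']}: {' '.join(f['scopes'])}")
```

Any finding it prints is a grant worth revoking and a user worth contacting; admin-consented grants to verified apps are deliberately left out of the report.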
Invoice fraud
Business email compromise (BEC) often plays second fiddle to ransomware in media reports these days but it’s still a major worry. According to MDR services provider Expel, attempted BEC represented 57% of all incidents investigated by its security teams during the first quarter of 2022. Although not all BEC attacks exploit stolen credentials, this type of internal access always increases the chance of an attack succeeding.
Solution: additional account and customer verification procedures.
Cloud ransomware attacks
Organizations store a lot of data on SharePoint and OneDrive, so it follows that attackers will go after these resources too. Thanks to versioning (saving possibly unlimited numbers of older versions of a given document) this isn’t as straightforward as it would be on a desktop computer because attackers must encrypt all versions to deny access to the data. However, according to security company Proofpoint, criminals are already looking for ways around this.
Solution: ensuring files are saved on endpoints or using a separate backup and recovery system.
Conclusion: Are Microsoft’s 365 controls enough?
The direction of travel here is clear – Microsoft 365, including the Business Basic version sold to SMEs, is now being actively researched for its attack potential. It’s not clear that the implications of this have sunk in yet, perhaps because defenders have become more preoccupied with specific attacks such as ransomware. Interestingly, Expel’s recent quarterly threat reports found barely any similar attacks on Google Workspace. Presumably, that will change in time as that platform expands, but it’s an interesting observation.
Microsoft offers a suite of native security layers, principally Microsoft 365 Defender, which a lot of SMEs find themselves relying on. Third-party vendors are always pushing the idea that these controls are lacking, but arguably a bigger issue is simply the learning curve and the complex pricing options that must be navigated to configure Microsoft 365 security.
For SMEs, the best option is to take careful advice from a third-party service provider with experience of configuring Microsoft 365 security and not rely on Microsoft’s promises alone.
For more information about how to protect your systems, or to discuss your options for antivirus/malware protection, contact Sharp-aX Computer Systems on 01442 505 950 or send an enquiry to [email protected]. We're here to help!