Microsoft Office 365 customers on guard after spike in Cyber Crime

Written by Greg Sikorski on 05 November 2018
We have recently seen a significant increase in the number of customers reporting unauthorised access to their email tenants by malicious actors. The same trend is visible across the industry, and the general consensus is that a large campaign is under way which, among other targets, is aimed at Office 365 customers. It is costing organisations tens of thousands of pounds in fraud and legal costs.

What is actually happening?

Malicious actors are gaining unauthorised access to an organisation's email accounts with the aim of:

  • Defrauding that company or its customers by impersonating real users and tricking individuals into making payments to a foreign bank account (typically by forging invoices or altering the bank details on genuine ones).
  • Exfiltrating data (stealing email content or other material, typically by creating email forwarding rules that silently copy mail out of the tenant).
  • Sending phishing or malware-ridden emails to the contacts of your users, from a genuine account that those contacts trust.

How do they gain access to an organisation's email?

  • By using databases of stolen usernames and passwords bought or traded on the dark web, and trying them against Office 365.
  • By "phishing": tricking a user into handing over their username and password on a faked sign-in page that captures the details.
  • By getting a user to run a piece of malicious software (malware) that infects the user's PC and captures or steals credentials from it.

This is happening right now. In the last two months alone we have assisted several companies that have lost significant amounts of money, data, or both.

Where an organisation handles personal data there is also the possibility of sanctions from the ICO (Information Commissioner's Office), which can include large fines if it concludes that reasonable steps were not taken to prevent a leak of personal information, as required by the GDPR. In some cases, legal action from aggrieved parties may be unavoidable if their personal information is leaked.

What steps can you take to ensure your organisation is reasonably protected?

The following is a broad selection of activities that can be undertaken to reduce an organisation's exposure to these types of incident.

They are presented roughly in order of priority, although the more of them you undertake, the lower the chance of a successful breach. Polymorph would be delighted to assist with the configuration of any of these measures. Please get in touch with Mark Worthington at Polymorph's Cyber Security Unit (csu@polymorph.co.uk) or via the contact form on this page to discuss specific requirements.

Two-Factor Authentication


Two-factor authentication (2FA) provides a way of double-checking that you really are the person you claim to be when you sign in to an online service such as Office 365.

When setting up 2FA, Office 365 will ask you to register a "second factor": something that you (and only you) can access.

This could be a code sent to you by text message, or one generated by an authenticator app; either way it is only available on a phone you physically possess. An authenticator app is the stronger of the two, as text messages can be intercepted or redirected.

Even if a malicious actor has stolen your password, they cannot complete the sign-in without that second factor. One caveat: legacy protocols such as POP, IMAP and SMTP with basic authentication do not prompt for a second factor at all, so they should be disabled or blocked (for example with a Conditional Access policy) or an attacker can simply use the stolen password over one of those protocols and bypass 2FA entirely.

Password Policy


The most important aspect of password security is ensuring your users create a unique, strong password for their corporate email, one they do not use anywhere else.

Credential "stuffing" is the process whereby malicious actors take credentials stolen from one service and replay them against others. If your users have the same password on LinkedIn, eBay or Gmail and those details are stolen, the chances are that attackers will try to log in to Office 365 with the same details. Screening new passwords against a list of passwords known to have appeared in breaches closes off the most common cases.

It is also no longer considered best practice to enforce frequent password changes; forced rotation tends to produce weaker, predictable passwords. The National Cyber Security Centre has published good advice on password policies.
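The check described above, screening a candidate password against a breach list without ever sending the password itself, can be done with the k-anonymity "range" protocol used by the Pwned Passwords service: the client hashes the password with SHA-1 locally, sends only the first five hex characters, and receives every known-breached hash suffix in that bucket. The following is an added example, not code from the original article or from Polymorph; the breach corpus and its counts are constructed for the example and both "sides" run in one process so it works offline. Everything else (the 12-character minimum, the function names) is an assumption made here.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: a stand-in for a real set of leaked passwords.
# The counts are made up for this example, not real breach statistics.
BREACH_CORPUS = {
    "Password123": 123456,
    "qwerty": 3912816,
    "letmein": 204000,
    "Summer2018!": 1500,
}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Server" side: index the corpus by the first 5 hex characters of the SHA-1,
# which is how a k-anonymity range endpoint serves it.
_RANGE_INDEX = defaultdict(list)
for _pw, _count in BREACH_CORPUS.items():
    _digest = sha1_hex(_pw)
    _RANGE_INDEX[_digest[:5]].append((_digest[5:], _count))


def range_lookup(prefix):
    """Return every 'SUFFIX:COUNT' line whose SHA-1 starts with prefix.

    Only the 5-character prefix ever crosses the wire, so the endpoint learns
    which bucket a hash falls in, never the password or its full hash.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    rows = _RANGE_INDEX.get(prefix.upper(), [])
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def breach_count(password, lookup=range_lookup):
    """Client side: how many times the password appears in the corpus (0 if never).

    The client hashes locally, sends the prefix, and matches the remaining
    35 characters against the returned bucket itself.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password(password, min_length=12):
    """Policy check in the spirit of the NCSC guidance: favour length, reject
    anything already in a breach list, and do not demand complexity theatre.
    Returns a list of failures; an empty list means the password is acceptable.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = breach_count(password)
    if hits:
        problems.append(f"found in breach corpus ({hits} occurrences)")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Summer2018!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Against a real service, `range_lookup` would be an HTTPS GET of the prefix; the rest of the logic is unchanged. Azure AD's own Password Protection feature applies a comparable banned-password check at password-change time, but it does nothing for a password that was already weak when the feature was switched on, which is why a one-off screen of existing accounts is still worth doing.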


Microsoft Advanced Threat Protection (ATP)


The best way to prevent account breaches, spam, malware infections and phishing/spoofing attacks is to stop them at the door, before the payloads ever reach your environment. Email is the channel attackers most often use to deliver malicious payloads and to trick users into sharing sensitive information.
This is where Microsoft ATP comes in. By using technologies such as Safe Links (URL rewriting with scanning of the destination at click time), advanced anti-phishing, advanced malware scanning, attachment detonation in a sandbox and spoof intelligence, you can layer the security of your email environment and better protect against "zero-day" threats.
For more information, please review our latest article on Advanced Threat Protection.

Office 365 Security Configuration 


A considerable amount of fine tuning is required to bring a default Office 365 installation up to good practice. Polymorph offer a service to assist with the setup of both the Office 365 and Azure AD security settings, including but not limited to:

  • Implement password policies
  • Implement audit reporting and alerting
  • Discuss the "Data Loss Prevention" service, its features and options
  • Implement journaling
  • Implement Microsoft ATP
  • Implement DKIM, SPF/DMARC and anti-spoofing settings
  • Enable mailbox audit logging so that deletions and other mailbox actions can be traced

Advanced 365 Alert Rules 


Office 365 alerting can be configured for many different scenarios out of the box. For example, it can raise an alert when a user creates an anonymous link that anyone can open without authentication (OneDrive/SharePoint), shares a file externally (OneDrive/SharePoint), or configures a mail rule that sends email to an address on an external domain. The last of these is the one to prioritise, since an external forwarding rule is the attacker's standard way of exfiltrating mail from a compromised account.

The audit reporting and alerting capabilities are amplified if you have E5 licences, Threat Intelligence or Advanced Compliance subscriptions. You can then alert on things such as malicious emails sent to or from your organisation, multiple files deleted or downloaded at once (OneDrive/SharePoint), or DLP rule matches.
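The built-in alert does the forwarding-rule check for you, but it helps to see the logic such a rule implements, and the same logic can be run over an exported audit log when investigating an account after the fact. Below is an added example, not code from the original article or from Polymorph: it reads Exchange admin records in the shape they appear in the Office 365 unified audit log (an Operation plus Parameters name/value pairs) and flags any inbox rule or mailbox-level forwarding whose target lies outside the tenant's domains. The four records, the tenant domain contoso.example and the function names are constructed for the example; the exact field names of a real export should be confirmed against your own tenant.

```python
import json
import re

# Hypothetical tenant: the domains that count as "internal". Anything else is external.
INTERNAL_DOMAINS = {"contoso.example"}

# Exchange cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox rules
    "ForwardingSmtpAddress", "ForwardingAddress",          # mailbox-level forwarding
}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed audit records, modelled on the Exchange admin entries in the
# unified audit log. They were written for this example and are not real data.
# Record 1 is the classic compromise pattern: a rule named "." that forwards
# everything out and deletes the original so the victim never sees it.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime":"2018-11-01T08:12:43","Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\"Mule\" <mule@example.net>"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2018-11-01T09:30:02","Operation":"New-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"MoveToFolder","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"}]}
{"CreationTime":"2018-11-01T10:05:19","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"carol@contoso.example","Parameters":[{"Name":"Identity","Value":"carol@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.backup@webmail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2018-11-01T11:47:55","Operation":"Set-InboxRule","UserId":"dave@contoso.example","Parameters":[{"Name":"Identity","Value":"Finance copy"},{"Name":"ForwardTo","Value":"finance-team@contoso.example"}]}
"""


def parse_audit_log(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def addresses_in(value):
    """Pull SMTP addresses out of a parameter value such as
    '"Mule" <mule@example.net>' or 'smtp:carol.backup@webmail.example'."""
    return [m.lower() for m in EMAIL_RE.findall(value)]


def external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per external address introduced by a forwarding change.

    Known gap: a mailbox-level ForwardingAddress that names an internal contact
    object rather than an SMTP address carries no '@' and will not be matched;
    resolve the contact's external address separately if you see one.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            for addr in addresses_in(str(param.get("Value", ""))):
                domain = addr.rsplit("@", 1)[1]
                if domain in internal_domains:
                    continue
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    # Set-Mailbox names the target mailbox in ObjectId; for an
                    # inbox rule the actor's own mailbox is the one affected.
                    "mailbox": rec.get("ObjectId", rec.get("UserId")),
                    "operation": rec["Operation"],
                    "parameter": param["Name"],
                    "target": addr,
                })
    return findings


if __name__ == "__main__":
    for f in external_forwarding(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['time']} {f['operation']} on {f['mailbox']} by {f['actor']}: "
              f"{f['parameter']} -> {f['target']}")
```

Two of the four records are flagged: Alice's forward-and-delete rule to mule@example.net, and the mailbox-level forward set on Carol's mailbox by an administrator account, which is worth a look in its own right because an attacker who has obtained admin credentials can set forwarding on mailboxes they never sign in to. Dave's rule forwards within the tenant and is left alone, as is Bob's ordinary filing rule. An admin-set forwarding target whose domain is later added to INTERNAL_DOMAINS would stop being reported, so keep that set to domains the tenant actually owns.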

End User Training


Ensuring your users are well educated in spotting phishing emails is a critical step. The majority of credential hijacks occur because an individual signs in to a fake website without noticing, or is drawn into an email conversation with someone pretending to be a colleague, supplier or customer.

Training can take the form of classroom based or online training material and Polymorph can assist in delivering this on-site for your organisation or host larger numbers at our lecture theatre.

Journaling 


Journaling is the ability to record all communications, including email, as they pass through the system. Exchange Online does not support delivering journal reports to an Exchange Online mailbox, so an external journaling or archive service is typically required.
This is essential if you have a regulatory or legal obligation to record all communication in and out of your organisation. It also means that if a compromised mailbox is deleted, or an attacker purges its contents, you still have an independent copy of the email sent to and from it.
Once the journaling/archive destination is configured, journaling rules are flexible and can record all communications or only specific scopes, at no additional Office 365 licence cost.

Health Checks 


Office 365 calculates a "Secure Score" for each tenant, based on how many of Microsoft's recommended security practices the organisation has implemented.
We advise regularly reviewing the Secure Score, alerts and security notifications to confirm that no unauthorised activity is taking place and that the evolving best practices are being followed.
The following is a sample of the type of Office 365 checks Polymorph can carry out on your behalf, with the frequency of each:

Check: Responsive review of Office 365 "Urgent" security alerts.
Frequency: Ad-hoc
Detail: Polymorph would be configured to receive these alerts via email or text and would respond appropriately.

Check: Periodic review of Office 365 security alerts and Advanced Security alerts (if configured).
Frequency: Weekly
Detail: This includes monitoring:
  • Alerts configured
  • Spoof intelligence reports
  • Anti-phishing reports
  • Active malware campaigns
  • Suspicious email flow
Advanced security alerts include issues such as impossible travel activity and sign-ins from suspicious IP addresses.

Check: Monitor and improve "Microsoft Secure Score" by implementing any new recommendations that appear.
Frequency: Monthly
Detail: Secure Score identifies which Office 365 services you are using, then compares your configuration and behaviours against a baseline defined by Microsoft.

Check: "Attack Simulator" phishing exercise against all users.
Frequency: Annual
Detail: A mock phishing attack launched against the entire user base. The results are collated and indicate how well the training in place has equipped users to spot phishing-type emails.

In summary

  • If your users have not changed their passwords in the past two years and you have not implemented two-factor authentication, you are at significant risk of a data breach.
  • Reduce the chance of your user accounts being compromised by implementing some, if not all, of the steps above.
  • Routinely monitor alerts, and implement automated alerting for suspicious activity such as new external forwarding rules and sign-ins from unexpected locations.
  • Ensure you have the auditability and logging in place to investigate and report on any incident that does occur.

About the author
Greg Sikorski
Greg, Polymorph's Technical Director, has over 20 years’ experience delivering software and infrastructure projects for the likes of Manchester Airport, Center Parcs, Manchester City Council and the Ministry of Defence.