What is actually happening?
Malicious actors are gaining unauthorised access to an organisation's email accounts with the aim of:
- Defrauding that company or its customers by impersonating real users and tricking individuals into making payments to a foreign bank account (typically by forging invoices).
- Exfiltrating data (stealing email content or other material, typically by means of email forwarding rules).
- Sending phishing or malware-ridden emails to the contacts of your users.
How do they gain access to an organisation's email?
- By using a database of stolen usernames and passwords obtained from the dark web.
- By “phishing” – tricking a user into handing over their username and password on a fake website that captures the details.
- By executing a piece of malicious software (malware) and infecting a user’s PC.
This is happening right now: in just the last 2 months we have assisted several companies that have lost significant amounts of money, data, or both.
Where an organisation handles personal data there is also the prospect of ICO (Information Commissioner's Office) sanctions, which can lead to large fines if the ICO concludes that reasonable steps were not taken to prevent a leak of personal information as GDPR requires. In some cases, legal action from aggrieved parties may be unavoidable if their personal information is leaked.
What steps can you take to ensure your organisation is reasonably protected?
The steps below are presented roughly in order of priority, although the more of them you undertake, the lower the chance of a successful breach. Polymorph would be delighted to assist in the configuration of any of these strategies if assistance is required – please get in touch with Mark Worthington at Polymorph's Cyber Security Unit (firstname.lastname@example.org) or via the contact form on this page, to discuss specific requirements.
Two-factor authentication provides a way of double checking that you really are the person you are claiming to be when you're using online services such as Office 365.
When setting up 2FA, Office 365 will ask you to provide a 'second factor', which is something that you (and only you) can access.
This could be a code that's sent to you by text message, or that's created by an app – but is only available on a phone you physically possess.
Even if a malicious actor has stolen your password, this second check blocks them from accessing your account.
The most important aspect of password security is ensuring your users create a unique, strong password for their corporate email.
Credential “stuffing” is a process whereby malicious actors take credentials stolen from other services (and traded on the dark web) and try them against further services. If your users have the same password on LinkedIn, eBay or Gmail and those details are stolen, chances are that hackers will try to log in to Office 365 with the same details.
It is also no longer best practice to enforce frequent password changes. The National Cyber Security Centre has some great advice on password policies:
Microsoft Advanced Threat Protection (ATP)
The best place to prevent account breaches, spam, malware infections and phishing/spoof attacks is at the door, before the payloads ever reach your environment. Email is the channel attackers most often use to deliver malicious payloads and to trick users into sharing sensitive information.
This is where Microsoft ATP comes in. By using technologies such as safe link rewriting with destination scanning, advanced anti-phishing capabilities, advanced malware scanning, detonation sandboxing and advanced spoof intelligence, you can layer the security of your email environment and better protect against “zero-day threats”.
For more information, please review our latest article on Advanced Threat Protection.
Office 365 Security Configuration
There is a considerable amount of fine tuning and configuration required to ensure a default Office 365 installation is configured to good practice. Polymorph offer a service to assist in the setup of both the Office 365 and Azure AD security settings including but not limited to:
- Implement Password policies
- Implement Audit Reporting and Alerting
- Discuss “Data Loss Prevention” service, features and options
- Implement Journaling
- Implement Microsoft ATP
- Implement DKIM & Anti-spoofing settings
- Implement detailed email audit logs to track deletions etc.
Advanced 365 Alert Rules
O365 alerting can be configured for many different scenarios out of the box. For example, it can alert when a user creates an anonymous link that anyone can open without authentication (OneDrive/SharePoint), shares a file externally (OneDrive/SharePoint), or configures a mail rule that sends emails to an address on an external domain.
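The last of those scenarios, a mail rule forwarding to an external domain, is the exfiltration route mentioned at the top of this page. The example below is added here and is not Polymorph's or Microsoft's code: it shows the check such an alert performs, run over a small set of constructed inbox-rule records whose keys are named after the corresponding Get-InboxRule properties (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MailboxOwnerId). The organisation's domain, example.com, and the plain-address format of the recipients are assumptions.

```python
# Constructed sample, not real tenant data. Keys mirror Get-InboxRule
# property names; recipients are shown as plain SMTP addresses.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Team updates", "Enabled": True,
     "ForwardTo": ["team@example.com"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["invoices.archive@freemail.example"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": True},
    {"MailboxOwnerId": "carol@example.com", "Name": "Old forward", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["carol.home@freemail.example"], "DeleteMessage": False},
    {"MailboxOwnerId": "dave@example.com", "Name": "Partner copy", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": ["partner@supplier.example"],
     "RedirectTo": [], "DeleteMessage": False},
]

# Assumption: the domains the organisation owns; anything else is external.
INTERNAL_DOMAINS = {"example.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def external_recipients(addresses):
    """Keep only recipients whose domain is not one the organisation owns."""
    return [a for a in addresses if domain_of(a) not in INTERNAL_DOMAINS]


def suspicious_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that forward or redirect mail outside the organisation.

    A rule that also deletes the original is rated higher, because the
    mailbox owner then never sees the forwarded messages. Disabled rules are
    ignored, since they do not move mail (though they may still merit review).
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue
        targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
                   + rule.get("RedirectTo", []))
        external = [a for a in targets if domain_of(a) not in internal_domains]
        if not external:
            continue
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "rule": rule["Name"],
            "external_targets": external,
            "severity": "high" if rule.get("DeleteMessage") else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_forwarding_rules(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['mailbox']:20} rule={f['rule']!r} -> {f['external_targets']}")
```

Two things the sample is built to show: a rule named with a single dot or other throwaway name is typical of a rule created in a hurry by someone who is not the mailbox owner, and the combination of external forwarding with "delete message" deserves the highest priority because the victim will see nothing in their inbox. Mailbox-level forwarding (set on the mailbox itself rather than as an inbox rule) is a separate setting and needs its own check.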
End User Training
Ensuring your users are well educated at spotting phishing emails is a critical step. The majority of credential hijacks occur because an individual accidentally signs in to a ‘fake’ website, or begins an email communication with someone pretending to be someone else.
Training can take the form of classroom-based or online material, and Polymorph can assist in delivering this on-site for your organisation or host larger numbers at our lecture theatre.
Journaling is the ability to record all communications, including email communications. Exchange Online doesn't support delivering journal reports to an Exchange Online mailbox so typically an external service will be required.
Office 365 calculates a “Secure Score” for each tenant; the score is based on the number of best practices the organisation has implemented.
Responsive review of Office 365 “Urgent” security alerts.
Polymorph would be configured to receive these alerts via email or text and would respond appropriately.
Periodic review of Office 365 security alerts and Advanced Security alerts if configured.
This includes monitoring:
· Alerts configured
· Spoof intelligence reports
· Anti-phishing reports
· Active malware campaigns
· Suspicious email flow
Advanced security alerts include issues such as impossible travel activity, ‘suspicious’ IPs for login, etc.
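“Impossible travel” means two sign-ins by the same account from locations too far apart for the user to have travelled between them in the time available. The following added example, which is not Polymorph's or Microsoft's code, shows the check in its simplest form over a few constructed sign-in events that already carry geo-IP coordinates: it computes the great-circle distance between consecutive sign-ins per user and flags any pair that would require a speed above a plausible maximum. The 900 km/h ceiling, the 50 km minimum distance (to ignore geo-IP jitter within one city) and the sample coordinates are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore moves within one metro area

# Constructed sample sign-in events (not real log data). In practice these
# would come from the tenant's sign-in logs with coordinates from geo-IP.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-03-01T09:00:00+00:00",
     "ip": "203.0.113.10", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice@example.com", "time": "2024-03-01T09:40:00+00:00",
     "ip": "198.51.100.7", "city": "Lagos", "lat": 6.5244, "lon": 3.3792},
    {"user": "bob@example.com", "time": "2024-03-01T09:00:00+00:00",
     "ip": "203.0.113.11", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob@example.com", "time": "2024-03-01T12:00:00+00:00",
     "ip": "203.0.113.55", "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
    {"user": "bob@example.com", "time": "2024-03-01T12:05:00+00:00",
     "ip": "203.0.113.56", "city": "Manchester", "lat": 53.4800, "lon": -2.2400},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per consecutive sign-in pair that implies an impossible speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_km:
                continue  # same area; geo-IP is not precise enough to judge
            elapsed_h = (datetime.fromisoformat(cur["time"])
                         - datetime.fromisoformat(prev["time"])).total_seconds() / 3600.0
            speed = dist / elapsed_h if elapsed_h > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": f'{prev["city"]} ({prev["ip"]})',
                    "to": f'{cur["city"]} ({cur["ip"]})',
                    "distance_km": round(dist, 1),
                    "speed_kmh": round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} "
              f"{f['distance_km']} km in effect {f['speed_kmh']} km/h")
```

Bob's London-to-Manchester move in three hours is ordinary travel and is not reported; Alice's London-to-Lagos move in forty minutes is. Real deployments add allow-lists for known VPN and proxy egress ranges, since those are the most common cause of false positives for this rule.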
Monitor and improve “Microsoft Secure Score” by implementing any new recommendations that occur.
Secure Score works out which Office 365 services you are using, then looks at your configuration and behaviours and compares them to a baseline defined by Microsoft.
Annual “Attack Simulator” phishing exercise against all users.
This exercise is a “mock” phishing attack launched against the entire user base. The results are collated and indicate how well user training has equipped staff to spot phishing-type emails.
- If your users have not changed passwords in the past two years and you do not implement two-factor authentication, then you are at significant risk of a data breach.
- Reduce the chance of your user accounts being compromised by implementing some, if not all, of the steps above.
- Routinely monitor alerts and implement automated alerting for suspicious activity.
- Ensure you have the auditability and logging in place to report on any issues that do occur.