At this point, Microsoft's Office 365 has become one of the most common business email platforms. Consequently, as discussed at Blackhat last week, it is becoming a hot target for criminals as well.

The sheer size, complexity and amount of data O365 contains make it an appealing and easy target for criminal hacking groups.

Just think about everything hackers could get their sticky fingers on if your O365 account were compromised. Think beyond Exchange. What about Teams? SharePoint? OneDrive?

When we have scanned MSP networks, we've been finding all sorts of sensitive information in one or all of these platforms (think credit card, billing and client information, SSNs, among other data). The sheer amount of data O365 helps you store is enough on its own to get you into trouble if your account, or one account on your network, is compromised.

How are hackers becoming experts in O365?

At this point, there are numerous blogs, YouTube videos and talks online about O365, its properties and the problems with its security.

Researchers like those at Blackhat this year discussing vulnerabilities on the O365 platform (often referred to as Advanced Persistent Threats, or APTs) are highlighting problems that many have not fixed within their environments (that's where a continuous scanning tool that easily alerts you to problems comes in!).

These attackers are searching for vulnerabilities in your O365 environment through Azure and PowerShell.

They initially compromise an account through a variety of techniques we are all probably familiar with, including password spraying, phishing and on-premises compromises.

Once they establish a foothold on an account, they target your OAuth or conditional access policies to bypass O365's controls, and then escalate privileges on the account (think mailbox rules, OAuth consent, Golden SAML and rights delegation).

As they discover what they can do with the account and determine where and what data the initial compromise gives them access to, they can then move laterally across accounts in your O365 environment, establishing larger footholds and further persistence.

While we all see email as the primary initial target of compromise, researchers are finding Teams, SharePoint and OneDrive to be open targets that might be easier to compromise in certain instances. Especially with remote workers, collaboration tools are increasingly used (and have become easier to exploit because of it).

I'm sure many of you are saying, "But what about 2FA (or MFA)? We're safe from password-based attacks." Some issues persisting in environments relate back to legacy loopholes with MFA integration (meaning you might not be entirely out of the woods with MFA in place if it is not being regularly tested!).

You might also be saying that your O365 account has built-in security designed to detect data breaches and malicious activity. The problem is that some hackers have used those very tools to sneak onto accounts (logging mechanisms appear to be insufficient for detecting what specific data was compromised). These tools also have incredible access, meaning that if a hacker is able to exploit the O365 security tools, they would have access to and knowledge of every piece of sensitive data on your account without raising a single red flag.

So what can you do to improve your defenses?

Approach O365 as more than just email: one of the biggest points that arose from Blackhat is that O365 is being treated (from a security perspective) as an email platform. If you invest in your security posture (education, technical controls, and policies and procedures) around the platform more holistically, you will be much better placed to protect your accounts and the data within.

Understand where Microsoft assumes responsibility: instead of either taking complete ownership of O365 or entrusting its security to Microsoft, we need to step back and clearly define what is handled by Microsoft and where our teams need to take control. What are the gaps in your O365? What's in the gap? Where does Microsoft start and stop its control, and where does your

Check up on your MFA: I know that in the best of worlds, MFA or 2FA would be set-it-and-forget-it tools. Unfortunately, if you're not regularly checking that your authentication tools are working, you may be too late to avoid an avoidable data breach or account takeover. There are so many shapes and sizes of multifactor authentication enforcement in O365, so making sure you have consistency in how you monitor, enforce and test your methodology (and that of your clients) is critical.
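Two of the conditions described above, the mailbox-rule persistence an attacker sets up after a foothold and the legacy protocols that sidestep MFA, can be checked from PowerShell in one pass. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and that the caller holds an Exchange admin role, and it uses only the Get-AcceptedDomain, Get-Mailbox, Get-InboxRule and Get-CASMailbox cmdlets.

```powershell
# Added example (not from the original post): audit Exchange Online mailboxes for
# external forwarding, suspicious inbox rules and legacy protocols left enabled.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

$tenantDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Mailbox, [string]$Issue, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Issue = $Issue; Detail = $Detail })
}

# Accepts "Name [SMTP:user@domain]" or a bare address and reports whether the
# domain is outside this tenant (the shape an exfiltration rule usually has).
function Test-ExternalRecipient([string]$Recipient) {
    if (-not $Recipient) { return $false }
    $addr = if ($Recipient -match '(?i)smtp:([^\]\s]+)') { $Matches[1] } else { $Recipient }
    if ($addr -notmatch '@') { return $false }
    return $tenantDomains -notcontains $addr.Split('@')[-1].ToLower()
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding to an address outside the tenant
    if (Test-ExternalRecipient $mbx.ForwardingSmtpAddress) {
        Add-Finding $upn 'External mailbox forwarding' $mbx.ForwardingSmtpAddress
    }

    # 2. Enabled inbox rules that forward/redirect externally or silently delete mail
    foreach ($rule in (Get-InboxRule -Mailbox $upn | Where-Object Enabled)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { Test-ExternalRecipient "$_" }
        if ($external) { Add-Finding $upn "Inbox rule '$($rule.Name)' forwards externally" ($external -join ', ') }
        if ($rule.DeleteMessage) { Add-Finding $upn "Inbox rule '$($rule.Name)' deletes messages" $rule.Description }
    }

    # 3. Legacy protocols: POP/IMAP accept basic authentication, which bypasses MFA
    $cas = Get-CASMailbox -Identity $upn
    if ($cas.PopEnabled)  { Add-Finding $upn 'POP enabled'  'Legacy protocol can bypass MFA' }
    if ($cas.ImapEnabled) { Add-Finding $upn 'IMAP enabled' 'Legacy protocol can bypass MFA' }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and diff the output against the previous run; a new external forward or a new delete rule on a mailbox is exactly the kind of change the article says goes unnoticed when O365 is monitored as nothing more than an email platform.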