Office 365 is the most popular line of digital services for businesses for a reason, but when it comes to cyberattacks, its ubiquity is creating challenges.

If it seems like every week there’s a new headline about a large-scale hacking incident, it’s not a case of rampant fake news. According to the 2018 Symantec Internet Security Threat Report[SN1], 7,710 organizations are hit by a business email compromise scam every month, and 71.4% of targeted attacks involve the use of spear-phishing emails.

Phishing attacks are among the most common methods that malicious actors use to infiltrate systems and pilfer usernames, passwords, and personal information from unwitting victims. These attacks can take the form of email spoofing, texts, or even phone calls in which the attacker is disguised as a trustworthy person.

Office 365 (O365) has reached the status of ubiquity—in April 2019, it counted 180 million monthly active users. The subscription model puts all of Microsoft Office’s programs online and accessible through a cloud, dramatically increasing its convenience for users.

Due in part to O365’s massive popularity, the subscription service has become a target for phishing attacks. Often pursuing users who deal with a company’s finances through O365, these fraudulent actors gain access to systems, set up rules to forward emails to external addresses, comb through interactions to glean information, and phish coworkers with a goal of obtaining financial data, such as bank routing information.

Phishing attacks can also try to trick the user into providing their credentials through a fake website that the attacker sets up by mirroring a valid site with which the user is familiar. Phishing can also be used to install malware on the system.

But what makes O365 such a plump sitting duck?

Convenience at a Cost

Some of the perks that make O365 such a convenience for users are the same features that are a boon for hackers or malicious actors.

Because O365 is accessible through a browser and does not require a download of specific software, accounts are accessible anywhere with an Internet connection. Of course, that also means that a hacker could have that same access to Outlook, Word, Excel, and PowerPoint from anywhere as well.

If an organization’s accounts are misconfigured or passwords are easy to guess, normal users could end up with administrative rights. If such an account is compromised, the hacker would have access to each and every associated account. The hacker could then set forwarding rules to send all emails to themselves, as well as send and receive emails from anyone.

Security at an Additional Cost

Microsoft does offer enhanced security features, but they cost extra and most organizations do not know how to implement or use them. For example, Advanced Threat Protection (ATP) with anti-phishing technology is available, but it can cost up to $5 per month, per user. There are also Active Directory Identity Services, which has the ability to detect and lock down when fraud occurs, but as of last check, Microsoft is charging $8 per month for the extra security. 

Tips to Keep O365 Safer

1. Use multi-factor authentication (MFA). By default, passwords in O365 are set to never expire. Brute-forcing attacks often take time, but even if passwords are updated regularly, i.e., every 30 days, the efforts of attackers can still potentially overcome it.
2. Enable Audit Logging and perform periodic analysis of O365 audit logs. Until recently, Microsoft had not enabled audit logs by default, so if you began using O365 before the beginning of the year, you should recheck this setting. It often takes months for attackers to infiltrate a network, and users can filter and search through audit logs for possible indicators of compromise (IoCs), noting when usage patterns become abnormal. This can also be automated. Logs should be retained for at least six (6) months.
3. Employ a third-party security operations center (SOC) to monitor systems and O365 on your behalf.
4. Enable mailbox auditing. By default, the ability to search individual mailbox events is disabled, which minimizes the user activities visible in the audit log search. By enabling mailbox auditing, the size of the audit log will increase with more robust information.
5. Institute a virtual private network (VPN) with MFA to allow the company to lock its O365 to a single IP address. This allows users to work from the unsecured Wi-Fi at Starbucks with reduced risk.
6. Microsoft has introduced the Security and Compliance center to all O365 tenants. Review the automated threat detection and ATP to help prevent phishing attacks.

Other items to consider:

• Compromised accounts are being used to put malware on legitimate company SharePoint sites and then sending that link to other clients as a normal business document. These scams have gone as far as adjusting the names and contents of the files to look legitimate. For example, we have seen cases where a malware-laden Excel document was posted on an employee’s legitimate OneDrive for Business shared folder, and that link was sent to all business contacts that had been active in the past six (6) months.
• OneDrive for Business is a double-edged sword. In the example above, it is clear that it can be used for fraud; however, it can be used to protect a person’s data files by keeping copies in the cloud. Windows will now prompt users to “Set up OneDrive for file recovery options in case of a ransomware attack.”

Light in the Tunnel

But it’s not all doom and gloom. O365 is guaranteed to be online, since Microsoft has the resources to keep multiple redundancies and failover procedures in place (something we should all have, but alas). Further, O365 is less expensive (and less of a headache) for users than hosting each Office product individually, making the switch from piecemeal software to cloud services is the best option for talent-strapped organizations. So, while the O365 may be a wise option from a business perspective, it is important to factor in all of the costs, along with consideration of the risks, remediation, and response necessary to protect your organization.