As businesses shifted to accommodate the needs of their newly remote workforces following the COVID-19 pandemic, scammers took note. In order to exploit the uncertainty surrounding the rapid deployment of new software and security solutions, they engaged in deceptive phishing attacks.
Targeting Office 365 credentials
TechRadar reported on one such attack that encouraged recipients to enter their Office 365 credentials in order to update their virtual private network (VPN) for better protection while working from home. Not only was the attack opportunistic, but scam emails were also delivered with a spoofed sender address that matched the recipient’s domain, and users were directed to a convincing login page that boasted a secure padlock, making it look legitimate.
The danger of malicious third-party Office 365 apps
According to ZDnet, another attack resulted in Microsoft being granted permission to seize several domains that were used in phishing campaigns targeting the company’s Office 365 users. Using an Office document as bait, users attempting to access the file were directed to download a third-party Office 365 client, granting the scammers access to the account as part of a larger business email compromise (BEC) effort.
Actionable administrative techniques for using Office 365 securely
It’s clear that, as a highly popular and trusted workplace collaboration suite, Office 365 serves as both an attack surface and a target for cybercriminals. In April 2020, the federal Cybersecurity and Infrastructure Security Agency (CISA) warned that, without careful planning, a hasty move to remote work entailing a sudden influx of Office 365 usage could put companies at risk.
CISA recommended several precautions and best practices for Office 365 security, including:
Enabling multifactor authentication for all users, but especially for administrators
If lower-level users have their accounts compromised, bad actors can gain access to sensitive information, or they can target administrators for phishing attacks. Also, multifactor authentication may not be automatically enabled, even for some administrators. Don’t forget to turn on this feature. To ensure that multifactor authentication is deployed broadly, you’ll also need to disable legacy email protocols that don’t support it.
Limiting the use of Global Administrator accounts in favor of more restrictive permissions
Ensure that administrators only have access to the lowest level of privilege necessary for completing their tasks. This will help ensure that if an administrator account is compromised, the damage can be better contained.
Making use of the Unified Audit Log (UAL), establishing alerts and integrating
In the Security and Compliance Center, an administrator with sufficient privileges will have to enable the Unified Audit Log. Once this is done, they can then run queries that help them identify malicious or unauthorized activity. Administrators can also establish or allow alerts. The simplest alerts recommended by the agency are for unusual login locations and overactive email sends. You should also be sure to integrate with your existing security information and event management (SIEM) software.
Office 365 user tips for greater security
It’s essential that your enterprise Office 365 deployment is securely implemented, but user education is also important for secure operation.
In a March 2020 blog post, Microsoft outlined additional steps it was taking in the face of coronavirus-related attacks while encouraging users to:
- Identify phishing red flags: Looking for improper spelling and grammar, and be wary of unexpected attachments or files from unknown senders. Instead of clicking them, hover over links to see if they match the URL or other anchor text.
- Report suspicious messages: Reporting capabilities are built into Outlook.com and into other Outlook clients.
- Submit potentially phony files: Instead of attempting to download anything that seems odd, if you can’t verify it in person or over the phone with the supposed sender, submit the file for analysis. Microsoft can receive submissions here.
For more information about cybersecurity best practices, contact Total Defense today.
