Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
December 10, 2018

Mitigating the risk of Office 365 account hijacking

Office 365 – the online, subscription-based version of Microsoft’s Office application suite – is one of the most widely used enterprise cloud applications/services, which makes it a preferred target for attackers looking to gain access to sensitive business information.

Office 365 compromise prevention

“Once an actor has obtained credentials for an O365 account, not only can the account access be used to access documents across a user’s O365 surface (SharePoint, OneNote etc.) but it can also be used as a launchpad to carry out further compromises within an organisation,” UK’s National Cyber Security Centre warns.

“(We are) aware of several incidents involving the compromise of O365 accounts within the UK, including the use of such methods in targeted supply chain attacks. The ultimate objective of this type of targeting is not clear and the attacks appear not to be limited to any particular sector or attributed to any single threat actor.”

A way in for attackers

Attackers are constantly finding new ways to bypass Office 365’s built-in security. According to Vircom’s threat intelligence, the majority of Office 365 accounts that get compromised fall victim to attacks launched from previously compromised Office 365 accounts.

The attackers are after information and access that can be used to manipulate the movement of money, steal sensitive commercial information, distribute spear phishing emails, or gain access to users’ other online accounts.

According to the NCSC, they usually opt for one of two approaches to break into O365 accounts: brute forcing or spear phishing.

The former is usually limited to specific individuals in organisations to reduce the chances of attack detection by the cloud service provider. The latter usually leads targets to a spoofed O365 login page designed to harvest entered account credentials.

Risk mitigation

Using a password manager can help minimize the effectiveness of both these approaches: users can choose long, complex passwords that are difficult to brute force, and the application will not offer the saved credentials on a spoofed login page.

The NCSC advises organisations to implement another layer of security: multi-factor authentication (MFA).

“The O365 platform supports a number of different MFA mechanisms and depending on the subscription, organisations are able to use a mixture of different deployments,” they pointed out.

“To implement MFA effectively across an organisation’s O365 platform will require IT departments to understand the user group to which they are intending to roll it out. This is especially crucial when organisations are dealing with a diverse workforce. As an example, organisations that have employees deployed in locations with poor mobile phone coverage may have problems receiving SMS tokens, causing difficulties in access to the O365 platform. In this scenario, organisations should consider the different MFA mechanisms available to them to avoid reluctance in adoption across the wider organisation.”

The NCSC also advises enterprise admins to:

  • Implement Microsoft’s published security best practices for Office 365, consider security hardening measures and keep an eye on the organisation’s O365 configuration,
  • Enable a type of MFA for all accounts and enforce it by Conditional Access (they can check what their peers are saying about Office 365 MFA and the approaches they are taking to improve security),
  • Disable legacy authentication protocols that do not fully support MFA (as part of an organisation’s Conditional Access policy),
  • Make sure that they are collecting audit data to give insight into any attempted or successful breaches, and
  • Implement and keep on top of device hardening measures and efforts (ensure that devices are fully patched, are not using administrative privileges, have malware defences in place and are collecting security logs).
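As an added example (not from the article or the NCSC), the following Python sketch applies the “collect audit data” advice to the brute-force pattern described above: it walks constructed, simplified records modelled on the Office 365 unified audit log’s UserLoginFailed/UserLoggedIn operations, flags users with many failures inside a sliding window (catching low-and-slow guessing against a single individual), and flags a successful login from an IP that previously failed. The field names, thresholds and sample values are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, NOT real data: a simplified shape modelled on the
# Office 365 unified audit log (CreationTime, Operation, UserId, ClientIP).
# cfo@ sees six spaced-out failures from one IP, then a success from that IP;
# alice@ has one typo and then logs in normally from her usual address.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": f"2018-12-09T{h:02d}:15:00", "Operation": "UserLoginFailed",
     "UserId": "cfo@example.test", "ClientIP": "203.0.113.7"} for h in (1, 5, 9, 13, 17, 21)
] + [
    {"CreationTime": "2018-12-09T23:40:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.test", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2018-12-09T08:00:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.test", "ClientIP": "198.51.100.20"},
    {"CreationTime": "2018-12-09T08:01:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.test", "ClientIP": "198.51.100.20"},
])


def parse(log_text):
    """Parse JSON-lines audit records and return them in chronological order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, window_hours=24, threshold=5):
    """Return {user: [finding, ...]} for password guessing and success-after-failures."""
    window = timedelta(hours=window_hours)
    findings = defaultdict(list)
    failures = defaultdict(list)  # user -> [(timestamp, source IP)] inside the window
    for e in parse(log_text):
        user, ip, ts = e["UserId"], e["ClientIP"], e["ts"]
        # Drop failures that fell out of the sliding window before judging this event.
        failures[user] = [(t, i) for t, i in failures[user] if ts - t <= window]
        if e["Operation"] == "UserLoginFailed":
            failures[user].append((ts, ip))
            if len(failures[user]) == threshold:  # fire once when the threshold is crossed
                findings[user].append(f"{threshold} failed logins within {window_hours}h "
                                      "(possible password guessing)")
        elif e["Operation"] == "UserLoggedIn":
            prior_ips = [i for _, i in failures[user]]
            if len(prior_ips) >= threshold and ip in prior_ips:
                findings[user].append(f"successful login from {ip} after "
                                      f"{len(prior_ips)} failures (possible compromise)")
    return dict(findings)
```

On the constructed log only cfo@example.test is reported; a real deployment would feed records exported from the unified audit log and tune the window and threshold to the tenant’s normal failure rate.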