The adoption of Microsoft’s Office 365 collaboration and email platform became much more widespread this year. In part, the switch is due to the phenomenon of Work from Home (WFH) – a practice that was becoming more common even prior to the COVID-19 outbreak but is becoming the norm in many industries.
Ubiquitous WFH practices mean it is no longer convenient for employees to be limited to on-premise infrastructure or dedicated endpoints. They expect increased mobility and need quick time to delivery, and Office 365 meets these demands.
But many CISOs have concerns about the rate of cyber attacks compromising Office 365 credentials – in particular, how attackers are bypassing phishing protections and leveraging legitimate services and configuration settings to evade detection. This type of adversary behavior can be seen with recent attacks such as the ‘Compact’ phishing campaign which has been ongoing since December 2020 and is reported to still be active today.
Implementing a SaaS solution, stakeholders feel, means relinquishing to Microsoft a certain degree of control over their own organization’s security posture. This is exactly why – until recently – most public sector organizations (including governments and the military) avoided using Office 365. However, the advantages of Office 365 are significant enough that today, these types of policies have started to change.
Let’s have a look at some of the security measures that need to be put in place to keep the security bar high and reduce risk.
1. Leverage Microsoft’s Security Features
Organizations tend to assume they can install Office 365 first, and only afterwards worry about implementing security controls. The key to reducing risk and maintaining your security posture is to flip that process. Design and implement your security architecture before Office 365 is installed.
From a risk perspective, the first thing that an organization should do is adopt the security features that are included as part of Office 365 such as multi-factor authentication, message encryption, security policies for anti-malware and anti-phishing. Make sure to leverage those features! Don’t reinvent the wheel by trying to develop something yourself.
2. Engage Your Security Team Early
Some of the security controls provided by Microsoft need to be integrated with your Security Operations. So, make sure to engage your SOC team in integrating these controls. Some controls can be integrated quite easily while others require customization or correlation both with Office 365 and with other log collection sources. Talk to your SOC analysts and make sure they can add the native Microsoft controls to existing SOC security controls.
Implementing the right security controls is more straightforward if you opt to use Office 365 together with Microsoft’s Azure Sentinel Security Information Event Management (SIEM). While there are a range of products available to gather the logs from Office 365, in our experience you are likely to have an easier integration process with Azure Sentinel due to the native collectors, low latency, and current free-of-charge data ingestion.
We also recommend that you use:
- Microsoft Defender for Office 365 – for email policies and advanced detection rules
- Microsoft Cloud App Security – for Identity Management and SaaS cloud access security broker functionality
- Microsoft’s free Compliance Manager – to create and publish risk assessment workflows against frameworks like ISO 27001
3. Implement Out-of-the-Box Detection Use Cases
Every CISO is plagued constantly by FOMO, the Fear of Missing Out – a nagging worry that you are going to miss an alert and leave your organization exposed. Implementing the right security controls in your SOC helps address that concern. Enable by default the Sentinel detection use cases that Microsoft provides out of the box – here is a selection:
- Mail Redirect detection rule: Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts
- Malicious Inbox Rule: Often, after the initial compromise, attackers create inbox rules to delete emails that contain certain keywords. This is done to limit the ability to warn compromised users that they have been compromised.
- Suspicious Mail Forwarding: Identifies when multiple (more than one) users’ mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail.
- Suspicious Uploaded Executables detection rule: Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. List currently includes 'exe', 'inf', 'gzip', 'cmd', and 'bat' file extensions. Additionally, identifies when a given user is uploading these files to another user’s workspace. This may be an indication of a staging location.
- Rare Office Operations detection rule: Identifies Office operations that are typically rare.
4. Implement Additional Detection Rules
In addition to the out-of-the-box detection rules that are provided, we recommend implementing additional detection rules such as the following selection developed by CyberProof. Here is a selection of rules that will further reduce risk of compromise:
- Mail Redirect via ExO Transport Rule for Threat Hunting: Identifies when Exchange Online transport rule is configured to forward emails. This could be an adversary mailbox configured to collect mail.
- New Windows Reserved File Names on Office File Services detection rule: Identifies when new Windows Reserved File names show up on Office services such as SharePoint and OneDrive.
- Office Mail Forwarding for Threat Hunting: Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information, and further gain intelligence about the victim or victim's organization.
- Teams Files Uploaded detection rule: Provides a summary of files uploaded to Teams chats and extracts the users’ and IP addresses that have accessed them.
- Double File Extension Executables detection rule: Provides a summary of executable files with double file extensions in SharePoint and the users and IP addresses that have accessed them.
5. Follow Microsoft’s Best Practices
Microsoft provides instructions on the best configuration to implement to optimize detection and response. Some of these basic measures - outlined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) here - include:
- Enabling multi-factor authentication for administrator accounts
- Assigning Administrator roles using Role-based Access Control (RBAC)
- Enabling Office 365’s Unified Audit Log (UAL)
- Enabling multi-factor authentication for all users
- Disabling legacy protocol authentication when appropriate
- Enabling alerts for suspicious activity
- Incorporating Microsoft Secure Score, a built-in tool that measures your organization’s security posture with respect to Office 365 services
- Integrating Office 365 logs with your existing SIEM tool
6. Identify Your Office 365 and SaaS Applications in the Cloud
It is likely there are many SaaS apps that are being used in your organization that you don’t even know about. It’s important to identify any previously unsolicited applications that are being used in your environment.
This will help you map out the log data from these applications to help build detection rules, and correlate against sources of enrichment such as threat intelligence and vulnerability data. Some of the ways of doing this include using Cloud Security Access Broker or even interrogating a firewall or intrusion detection system product that will be able to generate the report. Implementing a robust Data Loss Prevention (DLP) strategy would then benefit your data governance.
Leverage Native Controls and Augment with Adaptable Threat Detection
Integrating native security tools from Microsoft as well as augmenting these with use cases will provide your organization with better protection against attacks and mitigate the risks that may be associated with ongoing Office 365 services. You could utilize, for example, the 400+ rules that were customized to meet client needs, which have been implemented by CyberProof in our Use Case Factory.
We recommend implementing an agile development process and continuously improving use cases, security policies and configurations – testing them in a red lab environment, running attack simulations, and maintaining an ongoing process of targeted threat intelligence collection.
Interested in learning more about how CyberProof can help you minimize the risk of using Office 365? Get in touch with our expert cyber security team today!