Top 7 Office 365 Security Best Practices (includes Actionable Tips)


Follow our best-practice recommendations for Office 365 security. They help you avoid common configuration errors and improve your security posture against attacks on Office 365. Exchange Online, the cloud-hosted version of Microsoft Exchange that provides mailboxes and mail flow for the tenant, is one of many products in the O365 offering, and it is where most of the settings discussed below live.

Top Myths around Office 365 & Cloud Usage

Let’s get the most common myths out of the way:

Myth: No one should have access to our data.

No one has access to your data unless a misconfiguration, vulnerability or security lapse allows unauthorised access. Isolation between tenants is Microsoft’s responsibility; the configuration of your own tenant is yours.

Myth: Microsoft would own your systems including data.

No. Like any other cloud provider, Microsoft sells services (platform, infrastructure or software) that you choose to buy. Your data, and control over it, remains in your hands.

Myth: Any disgruntled employees from Microsoft may cause mayhem to your business as well. 

No, it does not work like that. Microsoft has robust measures in place (we are not endorsing them as such; anyone can be compromised) that limit staff access to tenant infrastructure, and on E5 plans Customer Lockbox lets you approve or deny any Microsoft engineer’s request to access your content.

Is Office 365 Secure?

Cloud shouldn’t create any fears in your mind.

Concerns about Office 365 security are sometimes the biggest barrier holding organisations back from cloud adoption. Microsoft has shown sustained commitment to security, from OS components to email protection, and in our review (we have no commercial relationship with Microsoft) following Office 365 security best practices is a clear win. The subscriptions used by medium and large businesses include many security features that allow granular control. The platform keeps improving; O365 still has pain points, but they weigh less than the security features already available for use.

These concerns are sometimes wrapped under the commercial tag ‘Office 365 pentest’. Most of what is sold under that name is a configuration review, not an in-depth technical risk assessment from an unauthenticated position. Pentesting Office 365 in the real sense means ethical-hacking scenarios such as being given low-privilege accounts to measure how far exploitation can go within the organisation: internal enumeration, data exfiltration tricks, testing anti-spam, anti-phishing and attachment controls, horizontal and vertical privilege escalation attempts, and the usual penetration testing techniques.

SMEs relying on Microsoft’s business plans face the same cybercriminals as everyone else, from malware installation to breaches of sensitive information. Fortunately, there are basic practices that let Microsoft Office 365 users run the service as safely as possible.

Microsoft Advanced Threat Protection (ATP) 

Microsoft Office 365 ATP is a cloud-based email security service that helps organisations defend against unknown malware and email-borne threats. It also gives administrators insight into attacks through reporting, URL trace and related features. Microsoft has since renamed the product Microsoft Defender for Office 365, and its features keep changing, so always check the documentation for your purchased subscription; the portal paths and names used below are those in use at the time of writing.

You can use Office 365 ATP in the following implementations:

  • ATP can protect mailboxes on an on-premises Exchange server when mail is filtered through Exchange Online Protection (standalone ATP)
  • ATP can be enabled to protect Exchange Online (cloud-based) mailboxes
  • ATP can be used in a hybrid deployment, where on-premises and cloud mailboxes coexist and Exchange Online Protection handles inbound email filtering

Office 365 ATP availability differs by subscription; check which ATP plan (Plan 1 or Plan 2) your organisation has. Microsoft constantly revises its product range, especially the security features of its cloud products, so verify features against your subscription and the latest documentation.

Our intention is to recommend the Office 365 security practices with the greatest impact on security. They add protection without additional investment in consultants, security products or similar expense.

Office 365 Security Risks

The following list contains examples of Office 365 configuration vulnerabilities:

  • Multi-factor authentication (MFA) for administrator accounts is not enforced by default on older tenants. Azure AD (AAD) global administrators are the highest-privilege accounts at tenant level, comparable to domain administrators in an on-premises AD network, which makes this one of the top security concerns in Office 365 deployments. Tenants created since October 2019 get Azure AD security defaults, which require MFA for administrator roles, but security defaults do not apply retroactively to older tenants and must be switched off once Conditional Access policies are used, so check rather than assume.
  • Privileged accounts synchronised from on-premises AD. Azure AD Connect is Microsoft’s tool for hybrid identity; its most common mode, password hash synchronisation, copies a hash of each on-premises user’s password hash to Azure AD so the same credentials work in the cloud. Synchronisation itself is not the problem (Microsoft recommends it over federation), but an attacker who has compromised on-premises AD can reset any synchronised account’s password, or reuse captured credentials, and move laterally into the cloud tenant as that account. Azure AD Connect now refuses to match a synchronised object to a cloud account that holds an administrative role, but tenants that matched administrator accounts before that restriction may still have synchronised global administrators. Office 365 security practice is therefore to keep administrator accounts cloud-only, never synchronised, and to treat the Azure AD Connect server as a tier-0 asset.
  • Mailbox auditing disabled. Before January 2019 Office 365 tenants did not have mailbox auditing enabled by default, so older tenants needed an explicit configuration change to record mailbox actions; without it there is no trail of who read, moved or forwarded mail.
  • Legacy authentication protocols. POP3, IMAP, SMTP AUTH and older Outlook clients use basic authentication, which sends only a username and password and cannot satisfy MFA, so an attacker with a leaked or sprayed password bypasses MFA entirely through these protocols. Block basic authentication with an Exchange Online authentication policy and an Azure AD Conditional Access policy, and migrate any client or application that still needs it. Microsoft disabled basic authentication tenant-wide in Exchange Online from October 2022 for every protocol except SMTP AUTH, so SMTP AUTH is the one that still needs watching.
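The following is an added example, not code from the original article, showing how the legacy-protocol risk above is closed on the Exchange Online side with an authentication policy, and how to find users still without one. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange administrator role; the policy names and the scanner mailbox address are placeholders chosen for this example.

```powershell
# Added example (not from the original article): block basic authentication in
# Exchange Online with an authentication policy, then verify coverage.
# Assumes: ExchangeOnlineManagement module, Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# A new authentication policy blocks Basic auth for every protocol unless a
# protocol is explicitly allowed, so no -AllowBasicAuth* switches are needed.
$policyName = "Block-Basic-Auth"   # name chosen for this example
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default so new and unassigned users are covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Assign it explicitly to every mailbox user as well; the default applies only
# where no per-user policy is set, and an explicit assignment is easier to audit.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $policyName }

# Exceptions (scanners, line-of-business apps that only speak SMTP AUTH) get a
# narrower policy allowing just that protocol, rather than no policy at all.
$smtpOnly = "Allow-SMTP-Auth-Only"   # name chosen for this example
if (-not (Get-AuthenticationPolicy -Identity $smtpOnly -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $smtpOnly -AllowBasicAuthSmtp | Out-Null
}
# Set-User -Identity "scanner@contoso.com" -AuthenticationPolicy $smtpOnly   # placeholder mailbox

# Policies are applied within 24 hours; resetting the token validity time forces
# clients to re-authenticate immediately against the new policy.
# Set-User -Identity "scanner@contoso.com" -STSRefreshTokensValidFrom ([DateTime]::UtcNow)

# Verify: the default must be the block policy and no mailbox user should be left
# without a policy.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName
```

Because Microsoft already disabled basic authentication for all protocols except SMTP AUTH in October 2022, the practical value of this policy today is to make the remaining SMTP AUTH exceptions explicit and to stop a future re-enablement from silently reopening the other protocols.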

Office 365 Security Best Practices Checklist

Without further ado, here is our list of top security practices.

Go for Unified Audit Logging

Organisations that share information across departments improve their security by enabling Microsoft’s unified audit log. It records user and administrator activity across Exchange, SharePoint, OneDrive, Teams and Azure AD in one searchable place, so configuration changes and access by any user or account can be tracked, monitored and searched. That reduces the risk of losing track of critical data as a document moves between groups, applications or domains.

Decide with your IT and security teams what to log and what not to log; there is a fine balance between sheer volume and useful data. Remember that retention in the portal is limited (months, not years, on standard licences), so forward the log to a SIEM if you need longer history.
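As an added example (not code from the original article), the following script checks the two audit settings discussed above and in the risks list, unified audit log ingestion and default mailbox auditing, and then runs one useful search: inbox rules created or changed in the last week, which is where attackers hide forwarding and deletion after a mailbox compromise. It assumes the ExchangeOnlineManagement module and an account with Exchange or compliance administrator rights.

```powershell
# Added example (not from the original article): confirm audit logging is on and
# hunt for inbox-rule changes in the unified audit log.
# Assumes: ExchangeOnlineManagement module, Exchange/compliance admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Unified audit log ingestion; Search-UnifiedAuditLog returns nothing without it.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing on by default (tenants created before Jan 2019 may have it off).
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Mailboxes with the bypass flag are excluded from auditing; list them so every
#    exception is deliberate rather than a leftover.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name

# 4. Hunt: inbox rules created or modified in the last 7 days, by whom and from where.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule `
    -ResultSize 1000 |
  ForEach-Object {
      # AuditData is a JSON blob; Parameters holds the rule's ForwardTo /
      # DeleteMessage / MoveToFolder settings, ClientIP the source address.
      $d = $_.AuditData | ConvertFrom-Json
      [pscustomobject]@{
          When      = $_.CreationDate
          User      = $_.UserIds
          Operation = $_.Operations
          ClientIP  = $d.ClientIP
          Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
      }
  } | Format-Table -AutoSize
```

Run step 4 on a schedule and alert on any rule whose parameters contain ForwardTo, ForwardAsAttachmentTo or RedirectTo pointing outside your domains, or DeleteMessage on mail from the finance or IT teams; those are the classic business email compromise patterns.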

Enable Multi-Factor Authentication

One of the easiest yet most effective ways to improve your organisation’s security is to require multi-factor authentication for all Microsoft accounts. Users are prompted for a second factor (for example, a push notification to the Authenticator app) on each new sign-in, so an attacker who has obtained the password still cannot get in, and an unexpected prompt tells the user that their password is known to someone else.

Consider deploying conditional access policies to enforce MFA. They can require that users authenticate only from trusted locations or compliant devices. Defining the countries from which sign-ins are expected and blocking high-risk countries (where staff are unlikely to be and attack attempts are likely) also cuts unwanted noise for security teams. Conditional Access requires an Azure AD Premium (P1) licence, so it may not be available on every subscription.

Moving to cloud-native authentication brings many advantages through newer features. In hybrid environments, Microsoft’s own guidance is to authenticate natively against Azure AD (password hash synchronisation with seamless single sign-on) rather than through ADFS, which adds internet-facing infrastructure you must defend.
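The two policies most practitioners create first, MFA for administrators and a block on legacy authentication, are shown below as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original article. It assumes Azure AD Premium P1, the Policy.ReadWrite.ConditionalAccess permission, and that you replace the placeholder break-glass account object ID with your emergency-access account so that a misfiring policy cannot lock every administrator out. The Global Administrator role template ID is the well-known fixed value.

```powershell
# Added example (not from the original article): two Conditional Access policies
# via the Microsoft Graph PowerShell SDK, created in report-only mode first.
# Assumes: Azure AD Premium P1, Microsoft.Graph modules, CA write permission.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: object ID of your emergency-access account
$globalAdminRoleTemplate = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

# Policy 1: anyone holding Global Administrator must satisfy MFA on every app.
$requireMfaAdmins = @{
    displayName = "CA01 - Require MFA for Global Administrators"
    state       = "enabledForReportingButNotEnforced"   # report-only; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRoleTemplate); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaAdmins

# Policy 2: block legacy authentication. Exchange ActiveSync and "other" clients
# (POP/IMAP/SMTP AUTH, old Office) cannot complete MFA, so the only safe grant is block.
$blockLegacy = @{
    displayName = "CA02 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Review what now exists. Report-only outcomes appear in the Azure AD sign-in logs
# under the "Report-only" tab, which is where you confirm nothing legitimate breaks.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave both policies in report-only mode for at least a week of normal business, then flip state to enabled. Security defaults must be turned off before Conditional Access policies take effect, so do not disable them until these policies are ready to enforce.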

Use Dedicated Admin Accounts

Administrative accounts carry the most privilege, which is exactly why they are the prime target for cybercriminals. Grant them only to the people who actually administer the tenant.

Admins should also have a separate, non-administrative account for everyday work (email, browsing, documents) so that a phishing email or malicious download lands on the low-privilege account. This is as much an Office 365 administration best practice as a security one: it reduces the impact of an account compromise.

Of course, all admin accounts must have multi-factor authentication, and administrators should sign out of the browser session when the task is finished, ideally using a separate browser profile or private window for admin work so that the session token is never shared with everyday browsing.
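To turn the advice above, and the password-synchronisation risk from the risks list, into a check, the following added example (not code from the original article) lists every Global Administrator and flags accounts that are synchronised from on-premises AD or have no MFA method registered. It uses the Microsoft Graph PowerShell SDK and assumes the Directory.Read.All, AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes are granted.

```powershell
# Added example (not from the original article): audit Global Administrators for
# on-premises synchronisation and missing MFA registration.
# Assumes: Microsoft.Graph modules and the scopes requested below.
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Directory roles are listed only once activated; Global Administrator always is.
$role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq "Global Administrator" }

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Members can be users, groups or service principals; only users are checked here.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u   = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $u.Id

    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        SyncedFromAD  = [bool]$u.OnPremisesSyncEnabled   # $true: an on-prem compromise reaches this admin
        MfaRegistered = $reg.IsMfaRegistered
        Risk          = @(
            if ($u.OnPremisesSyncEnabled) { 'synced-admin' }
            if (-not $reg.IsMfaRegistered) { 'no-mfa' }
        ) -join ','
    }
}

$findings | Sort-Object Risk -Descending | Format-Table -AutoSize

# Expected outcome: a handful of cloud-only, MFA-registered accounts (including the
# break-glass account). Any synced admin should be replaced by a dedicated cloud-only
# account and have the role removed; any 'no-mfa' admin is a Conditional Access gap.
```

The same enumeration applies to the other privileged roles (Exchange Administrator, Security Administrator, Privileged Role Administrator); change the DisplayName filter to audit them one by one.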

The following image shows Office 365 security best practices in graphical form; security teams can use it as a basic checklist.

Office 365 Tenancy Security

Protect Against Malware in EMails

Microsoft 365 includes anti-malware protection out of the box, but the default settings can be tightened so that suspicious attachments and links are blocked rather than merely detected. Follow these steps to limit the damage from malware-laden emails and malicious links shared across Office desktop apps:

  1. Email rules for ransomware

    Add mail flow rules for attachments whose extensions are known carriers of ransomware. Macro-enabled Office formats are the usual suspects: dotm, docm, xlsm, xltm, xla, xlam, xll, pptm, ppam and sldm. To create such a rule, go to Exchange – mail flow – Rules – Create a new rule and add conditions, exceptions and actions, for example notifying the recipient with a message reminding them that the mail carries macros. You may want several rules in this category to help Office 365 protect your business against ransomware.

  2. Stop auto forwarding

    If a threat actor gains access to a mailbox, they can set up forwarding and quietly exfiltrate sensitive information. Create a mail flow rule that stops automatic forwarding to external recipients, and review existing mailbox forwarding and inbox rules for anything you did not create.


  3. Anti-phishing

    Increase protection against phishing by refining the Office 365 threat management settings. In the Office 365 admin portal, select Security – Threat management – Policy – ATP anti-phishing – Default policy, then click Impersonation – Edit to open the editing window.

      • You can then define impersonation conditions that alert you, move the message to the junk folder or redirect it to another mailbox. Start with the domains to protect: your own accepted domains, plus partner, vendor and third-party domains under the custom domains list.
      • Don’t forget to ‘turn on impersonation safety tips’ under the Actions tab.
      • Mailbox intelligence: Microsoft uses machine learning on each user’s email patterns and frequent contacts to distinguish legitimate mail from spoofed mail imitating those contacts. This is available for Exchange Online mailboxes. Turn on ‘Mailbox intelligence based impersonation protection’ for a better handle on false positives and user impersonation, and set the action taken (redirect to another address, move to junk, and so on).
      • Enter senders and domains you trust into ‘Add trusted senders and domains’, sparingly: anything listed there is exempt from the impersonation checks.
  4. ATP Safe Attachments

    Availability of this feature depends on your Office 365 subscription. ATP Safe Attachments protects the organisation from malicious content in email attachments and in files stored in OneDrive, Teams and SharePoint by detonating them in a sandbox before delivery. You define the policies here; for instance, a ‘Block’ policy stops malicious files shared through the Office products mentioned above. Administrators can visit the reports page for further information.

  5. ATP Safe Links 

    This feature stops users opening and sharing malicious links in email messages and Office desktop applications. URLs are rewritten and checked at click time against a list of known malicious links, and you can select the action taken against unknown or potentially malicious links shared in Teams. Trusted URLs and domains can be exempted under ‘Do not rewrite the following URLs’.
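The five measures above are clickable in the portal, but they are easier to review, repeat across tenants and keep in version control as Exchange Online PowerShell. The block below is an added example, not code from the original article; the domain, recipient addresses, protected names and policy names (contoso.com, partner.example, secops and so on) are placeholders, and the Safe Links parameter names are those of the current ExchangeOnlineManagement module (older module versions used IsEnabled and DoNotAllowClickThrough instead).

```powershell
# Added example (not from the original article): the five email protections as
# Exchange Online PowerShell. Assumes: ExchangeOnlineManagement module, an ATP /
# Defender for Office 365 licence for steps 4-5, and placeholder names below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "contoso.com"   # placeholder accepted domain

# 1. Flag macro-enabled attachments for the recipient (tag and header; do not silently drop).
New-TransportRule -Name "Warn: macro-enabled attachment" `
    -AttachmentExtensionMatchesWords docm, dotm, xlsm, xltm, xlam, xla, xll, pptm, ppam, sldm `
    -PrependSubject "[MACRO ATTACHMENT] " `
    -SetHeaderName "X-Macro-Warning" -SetHeaderValue "true" `
    -Comments "Macro-capable Office formats; recipient should verify the sender before opening"

# 2. Stop automatic forwarding to external recipients at both layers: the tenant-wide
#    outbound spam policy and an explicit mail flow rule with a clear NDR.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

#    Find forwarding an attacker may already have configured: mailbox-level and inbox rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo
}

# 3. Anti-phishing: domain and user impersonation, mailbox intelligence and safety tips
#    on the default policy. TargetedUsersToProtect uses "Display Name;address".
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect "partner.example" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect "Jane Doe;ceo@$domain" `
    -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarDomainsSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2

# 4. Safe Attachments: block, and extend detonation to SharePoint, OneDrive and Teams files.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
New-SafeAttachmentPolicy -Name "Block malicious attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Block malicious attachments" `
    -SafeAttachmentPolicy "Block malicious attachments" -RecipientDomainIs $domain

# 5. Safe Links: rewrite and scan URLs in mail, Teams and Office apps; no click-through
#    past a warning; one internal URL pattern exempted from rewriting.
New-SafeLinksPolicy -Name "Scan links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false `
    -DoNotRewriteUrls "https://intranet.$domain/*"
New-SafeLinksRule -Name "Scan links" -SafeLinksPolicy "Scan links" -RecipientDomainIs $domain
```

Two caveats: the macro rule tags rather than blocks because many organisations still exchange legitimate macro-enabled workbooks, so tune it towards blocking once you know your traffic; and the Safe Attachments and Safe Links cmdlets fail on tenants without an ATP licence, which is itself a quick way to confirm what your subscription includes.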

Do not forget the other practices that are part of email server hardening: logging and monitoring, and publishing SPF, DKIM and DMARC records so that receiving servers can validate mail claiming to come from your domains, along with the other hardening items.
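The following added example (not code from the original article) enables DKIM signing for the tenant domain and checks the SPF, DKIM and DMARC records the way a receiving server sees them. DKIM is included although the text names only SPF and DMARC, because DMARC passes only when SPF or DKIM aligns with the From domain, and DKIM is what survives forwarding. The domain is a placeholder, and Resolve-DnsName needs the Windows DnsClient module.

```powershell
# Added example (not from the original article): enable DKIM and check SPF/DKIM/DMARC.
# Assumes: ExchangeOnlineManagement module, Windows DnsClient module, placeholder domain.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "contoso.com"   # placeholder accepted domain

# 1. DKIM: create the signing configuration, publish the two selector CNAMEs it
#    reports, then enable signing once the DNS records resolve.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
$dkim | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
# After selector1._domainkey.$domain and selector2._domainkey.$domain CNAMEs are in DNS:
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# 2. External view of the three records.
function Get-MailAuthRecords {
    param([string]$Domain)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SPF   = ($txt.Strings | Where-Object { $_ -like 'v=spf1*' }) -join ''
        DMARC = ((Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings) -join ''
        DKIM1 = (Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
        DKIM2 = (Resolve-DnsName -Name "selector2._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    }
}
$r = Get-MailAuthRecords -Domain $domain
$r

# What to look for:
#   SPF   should include spf.protection.outlook.com and end in "-all" (hard fail);
#         "+all" or "?all" lets anyone send as the domain.
#   DMARC should be p=quarantine or p=reject; p=none only monitors. rua= gives reports.
#   DKIM1/DKIM2 should point at the *.onmicrosoft.com hosts reported by Get-DkimSigningConfig.
if (-not $r.SPF)                                 { Write-Warning "No SPF record for $domain" }
if ($r.SPF -match '\+all|\?all')                 { Write-Warning "SPF allows anyone to send as $domain" }
if ($r.DMARC -notmatch 'p=(quarantine|reject)')  { Write-Warning "DMARC is not enforcing for $domain" }
if (-not $r.DKIM1 -or -not $r.DKIM2)             { Write-Warning "DKIM selector CNAMEs missing for $domain" }
```

Move DMARC from p=none to p=quarantine only after the aggregate reports show that every legitimate sender (marketing platforms, ticketing systems, printers) is covered by SPF or DKIM; otherwise your own mail is what gets quarantined.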

Implementing these suggestions sets your business up for good feedback (if the Office 365 pen test report covers good practice) when you commission an Office 365 security review.

Office 365 Compliance

For compliance teams, Microsoft now offers a dedicated Office 365 compliance portal, and Compliance Manager is the heart of it. Compliance Manager simplifies compliance management by providing an overview, improvement actions, solutions and assessments. Using the same language as the standards and frameworks, controls and actions are the ground-level attributes used for assessment and implementation. Your current compliance posture is shown as a score based on real-time data, which helps you concentrate on the areas needing improvement, along with impact, test status and action type. These improvement actions are quantifiable and help you maintain email security compliance.

As a quick note, the following areas should be reviewed for secure configuration to achieve Office 365 compliance:
  • Data Loss Prevention – DLP controls to assist security teams with sensitive data transfer violations.
  • Data Governance – defining content classification, retention rules and data policies.
  • Classifications – information labels that enforce policies such as restrictions on sensitive information.
  • Data Privacy – data privacy regulations such as GDPR requirements and access to personal data.
  • Threat Management – the threat management portal, which shows how the business is protected, with tracking and other supporting parameters.

Take advantage of Office 365 DLP

Businesses must protect sensitive information from disclosure by adhering to Office 365 DLP best practices. Sensitive information may include, but is not limited to:

  • Credit card numbers
  • Personally Identifiable Information (PII)
  • National Insurance or Social security numbers
  • Health records

With DLP available under the Security & Compliance Center, it is easier to tune DLP policies to:

  • Prevent accidental sharing of information outside the organisation.
  • Protect information across Microsoft Office products such as Excel, Word and PowerPoint.
  • Show, through the DLP alerts portal, how the business is complying with DLP policies. Policies are defined as conditions and actions, and also state whether users may override a policy and report a false positive.

Test the waters before the whole organisation is put through new DLP checks: run the policy in test mode first, and use the sensitive information types and classifications under the compliance center to test detection against sample data before enforcing.
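The following added example (not code from the original article) creates a DLP policy for the sensitive types listed above in test mode, so users see policy tips and administrators receive incident reports while nothing is yet blocked, and shows the single change that enforces it. It uses Security & Compliance PowerShell (Connect-IPPSSession) and assumes a compliance administrator role; the policy name and the secops mailbox are placeholders, and the three sensitive information type names are Microsoft’s built-in ones.

```powershell
# Added example (not from the original article): a DLP policy piloted in test mode,
# covering card numbers, UK NI numbers and US SSNs shared outside the organisation.
# Assumes: ExchangeOnlineManagement module, compliance admin role, placeholder names.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policy = "DLP - Financial and personal data (pilot)"   # placeholder name

# Scope: Exchange, SharePoint and OneDrive.
# Mode TestWithNotifications = log matches and show policy tips, but do not block.
New-DlpCompliancePolicy -Name $policy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "Pilot: switch to -Mode Enable after reviewing incident reports"

# Rule: content leaving the organisation that carries any of the three sensitive types.
New-DlpComplianceRule -Name "External share of financial or personal data" -Policy $policy `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                    minCount = "1" },
        @{ Name = "U.K. National Insurance Number (NINO)"; minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)";     minCount = "1" }
    ) `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This content appears to contain card or personal data and cannot be shared externally." `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Title, Sender, Recipients, Severity, RulesMatched `
    -ReportSeverityLevel High

# Confirm what was created before the pilot starts.
Get-DlpCompliancePolicy -Identity $policy | Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policy | Select-Object Name, BlockAccess, NotifyAllowOverride, ReportSeverityLevel

# After the false positives reported through the override option have been tuned
# (for example by raising minCount or adding exceptions), enforce with one change:
# Set-DlpCompliancePolicy -Identity $policy -Mode Enable
```

Keep the override with justification enabled even after enforcement: the justifications are recorded in the DLP reports and tell you which business processes genuinely need to send this data, which is the information you need to build exceptions instead of weakening the rule.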


The Bottom Line: Exploring the Best Ways on how to Secure Microsoft 365 

The tips above for Exchange Online security are a great start without additional investment. The list is by no means comprehensive, and nothing offers 100% security (for those who believe in a 100% security score!). Microsoft’s Secure Score measures an organisation’s security posture from the improvement actions it has taken; you can view your organisation’s score in the Microsoft 365 security portal or through the Secure Score widget on the Security and Compliance Center page.

Cyber threats have always been present, but the abruptness of COVID-19 and the sudden shift to working from home were accompanied by reports of a 300 percent rise in cybercrime since the start of the outbreak. SMEs and Fortune companies alike went remote to curb the spread of the virus, but the sudden uptick in cloud-based solutions brought another kind of pandemic to worry about.

How Can We Help Protect Your Office 365?

Cybersecurity incidents can have costly consequences for your business, especially when your network and software face a myriad of cybercrimes in a digitally driven workforce. Our Office 365 tenancy security review offers good value: we review your setup and ensure it covers device management, account policies, application permissions, and security controls around authentication, Exchange, auditing and storage. An Office 365 pen test is a different approach, as described earlier in this article. Our cybersecurity company can help protect UK businesses from different threats with our penetration testing, managed security, threat intelligence and data privacy services. Get in touch with us at 0333 050 9002 and let us find your company’s blind spots.
