Follow our best-practice recommendations for Office 365 security. These recommendations help you avoid common configuration errors and improve your security posture to protect Office 365 against cyber attacks. Microsoft Exchange Online is one of the many products in the O365 offering: a cloud-based messaging solution built on Exchange Server. Should you feel your assets are ready for an independent security audit, see our Office 365 security review.
Top Myths around Office 365 & Cloud Usage
Let’s get the ridiculous myths out of the way:
Myth: No one should have access to our data.
NO ONE has access, unless unauthorised access arises from misconfigurations, vulnerabilities or security lapses.
Myth: Microsoft would own your systems, including data.
No. Like any other cloud provider, Microsoft offers services (platform, infrastructure or software) against what you choose to buy. Data and its control remain in your hands.
Myth: Any disgruntled employees from Microsoft may cause mayhem to your business as well.
No, it doesn’t work like that. Microsoft has robust measures (not an endorsement as such; anyone can get compromised) to limit access to tenant infrastructure. Read further on this here.
If you prefer, you can also watch a condensed version of this article here:
Is Office 365 Secure?
Cloud shouldn’t create any fears in your mind.
Office 365 security concerns are sometimes the greatest barrier holding organisations back from cloud adoption. Since Microsoft has demonstrated a strong commitment to cyber security, from OS components to email security, following Office 365 security best practices is, in our review (we have no commercial relationship with Microsoft), a no-brainer. Many features are part of the Office 365 subscriptions used by medium and large businesses, allowing granular control to a large extent. The platform is constantly improving; there certainly are pain points in O365, but they weigh less than the security features currently available for use.
These concerns are sometimes wrapped under the commercial tag ‘Office 365 pentest’. In practice this is closer to a configuration review than an in-depth technical risk assessment (pentest) from an unauthenticated scenario. Pentesting Office 365 in the true sense would include ethical hacking scenarios such as providing low-privileged accounts to measure the extent of exploitation within an organisation: internal enumeration, data exfiltration tricks, checking anti-spam, anti-phishing and attachment controls, horizontal and vertical privilege escalation attempts, and the usual penetration testing techniques.
For example, SME organisations relying on Microsoft’s business plans can run into a myriad of cybercriminals and hackers that put the company at risk, from malware installations to breaches of sensitive information and more. Fortunately, there are basic practices that let Microsoft Office 365 users operate as safely as possible.
Microsoft Advanced Threat Protection (ATP)
Microsoft Office 365 ATP is a cloud-based email security service that helps organisations defend against unknown malware and email-based threats. Additionally, it provides insight into attacks through reporting, URL trace capabilities and administrator-facing features. As we have observed, Microsoft’s products show constant improvement in the security area; these features may be superseded by newer ones, so always check the documentation for your purchased subscription.
You can use Office 365 ATP in the following implementations:
- ATP provides email protection for an on-premises Exchange server
- ATP can be enabled to protect Exchange Online (cloud-based) mailboxes
- In a hybrid deployment, where on-premises and cloud-based mailboxes coexist, with Exchange Online Protection providing inbound email filtering
Office 365 ATP availability differs based on your subscription; please check your subscription for further information on ATP plans available to your organisation. Microsoft is constantly revising its product range, especially with security features on all their cloud products. Be sure to check with your subscription, features and latest documentation here.
We intend to recommend Office 365 security practices in line with the features that have the maximum impact on security improvement. These tips offer added protection without additional investment in highly paid consultants, security products or similar expense.
Office 365 Security Risks
The following list contains examples of Office 365 configuration vulnerabilities:
- Multi-factor authentication (MFA) for administrator accounts is not enabled by default. AAD (Azure Active Directory) global admins are the highest-privilege accounts at the tenant level, similar to a traditional domain administrator in an on-premises AD network. This is one of the top security concerns in Office 365 installations due to the highest level of privilege attached to global administrators.
- Password sync enabled. Azure AD Connect is a Microsoft tool designed to achieve hybrid identity goals. Its main purpose is password hash synchronisation: syncing the password hashes of all on-premises AD users with Azure AD. Office 365 security practices do not encourage this setting. If an attacker has compromised on-premises AD and password sync is enabled, it allows the attacker to move laterally into cloud environments. Microsoft later disabled this function; however, some businesses may have performed administrator account matching before disabling this feature.
- Mailbox auditing is disabled. Before January 2019, Office 365 installations did not have mailbox auditing enabled by default. This means explicit configuration changes are needed, which adds to Office 365 security risks.
- Legacy protocols without modern authentication. Protocols such as POP3, IMAP and SMTP are used with older email clients and do not support modern authentication such as Exchange Online authentication with MFA. Use Azure AD conditional access policies in this case.
Office 365 Security Best Practices Checklist
Without further ado, here is our list of top security practices.
Go for Unified Audit Logging
Companies that share information across different departments can improve their security level by enabling Microsoft’s unified audit logging. It is a powerful feature that can safely track, monitor and search for configuration changes for every user and account. This minimises the risk of losing critical data as a document is shared across different groups, applications or domains.
Give good thought, with your IT and security teams, to what to log and what not to log, as there is a fine balance between sheer volume of data and useful data to be logged.
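The following script is an added example, not code from the original article: it switches on unified audit log ingestion and mailbox auditing with Exchange Online PowerShell (the ExchangeOnlineManagement module), verifies the settings, and then pulls the first events an incident responder would look for. It covers both this section and the mailbox-auditing risk listed earlier. The administrator UPN and the 180-day retention value are placeholders.

```powershell
# Added example (not from the original article): enable unified audit logging and
# mailbox auditing, then confirm both work. Assumes the ExchangeOnlineManagement
# module is installed and the account holds the Audit Logs role in Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Unified audit log: check first, enable ingestion only if it is off.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing, organisation-wide default. Microsoft turned this on by
# default in January 2019, but verify rather than assume.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# ... and per mailbox, for tenants created before the default changed or where
# auditing was switched off explicitly. 180 days of retention is a placeholder.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00"
    }

# 3. Prove the log is populated: inbox-rule changes over the last day are a
# classic post-compromise indicator (rules that hide or forward mail).
$end   = Get-Date
$start = $end.AddDays(-1)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules" `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Run the search once a few hours after enabling ingestion; newly enabled tenants take time before events appear, so an empty result immediately after enabling is not a failure.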
Enable Multi-Factor Authentication
One of the easiest yet most effective ways to increase your organisation’s security is to set up multi-factor authentication for all Microsoft accounts. Users receive mobile notifications when their account is accessed, keeping attackers at bay even if they obtain your password.
Consider deploying conditional access policies to enforce the use of MFA. These policies can be configured to ensure that users authenticate from trusted locations or compliant devices only. By defining a list of countries for MFA and blocking high-risk countries (where there is the least likelihood of staff and a higher chance of attack attempts), conditional access policies help security teams with less unwanted noise. However, this feature may be available to Azure AD Premium subscribers only.
Moving to cloud-native authentication has plenty of advantages thanks to new features. In hybrid environments, it is recommended to authenticate natively against Azure AD rather than through ADFS.
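As an added example (not part of the original article), the script below creates the three conditional access controls this section and the earlier legacy-protocol risk describe, using the Microsoft Graph PowerShell SDK: a named location for the countries where staff work, an MFA-for-everyone policy, a block on sign-ins from outside those countries, and a block on legacy authentication clients that cannot satisfy MFA. It assumes Azure AD Premium P1, the Microsoft.Graph module and the Conditional Access Administrator role; the country list and the break-glass group id are placeholders.

```powershell
# Added example (not from the original article): Conditional Access via Microsoft
# Graph PowerShell. All policies start in report-only mode so sign-in logs can be
# reviewed before anything is enforced. Country codes and group id are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassGroup = "00000000-0000-0000-0000-000000000000"   # placeholder: group holding emergency-access accounts
$reportOnly      = "enabledForReportingButNotEnforced"        # switch to "enabled" after review

# 1. Named location listing the countries where staff actually sign in from.
$staffCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Staff countries"
    countriesAndRegions               = @("GB", "IE")   # placeholder list
    includeUnknownCountriesAndRegions = $false
}

# Common user scope: everyone except the break-glass group, so a mis-scoped
# policy cannot lock every administrator out of the tenant.
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }

# 2. Require MFA for all users on all cloud apps from modern clients.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Block sign-ins from anywhere outside the staff countries. This cuts the
# noise from credential-stuffing attempts that originate where no staff are.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Block sign-in outside staff countries"
    state         = $reportOnly
    conditions    = @{
        users        = $allUsersExceptBreakGlass
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($staffCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 4. Block legacy authentication (POP3, IMAP, SMTP AUTH, basic-auth ActiveSync).
# These clients cannot prompt for MFA, so leaving them open bypasses policy CA01.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA03 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Leave the policies in report-only mode for at least a week and review the Conditional Access insights in the Azure AD sign-in logs; the legacy-auth block in particular tends to reveal printers, scanners and line-of-business scripts still sending with basic authentication that need migrating before enforcement.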
Use Dedicated Admin Accounts
Administrative accounts carry elevated privileges, and the drawback is that they are a prime target for cybercriminals. Limit admin accounts to administrators only, as they carry the highest exposure.
Admins should also have a separate, non-administrative account for tasks outside their administrative duties, to restrict access and minimise the damage if an attacker breaches the account. Beyond security, this is also an important part of Office 365 administration best practices, as it reduces the likely impact of an account compromise.
Of course, all admin accounts should also have multi-factor authentication, and admins must log out of the browser session once the task is complete.
The following image shows Office 365 security best practices in a graphical format that security teams can use as a basic checklist.
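The script below is an added check, not code from the original article, that audits the two points above and the first item in the risks list: it enumerates Global Administrator members via the Microsoft Graph PowerShell SDK, flags any without a registered non-password authentication method, and flags any whose name does not follow a dedicated-admin naming convention. It assumes the Microsoft.Graph module and directory-read permissions; the "adm-" prefix is a placeholder convention, not a Microsoft requirement.

```powershell
# Added example (not from the original article): find Global Administrators that
# lack MFA methods or are not dedicated admin accounts. Assumes the Microsoft.Graph
# SDK and read access to roles and authentication methods. "adm-" is a placeholder
# naming convention for dedicated admin accounts.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","UserAuthenticationMethod.Read.All","User.Read.All"

$adminPrefix = "adm-"

# The role object only exists once it has been assigned at least once.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not activated in this tenant." }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # groups and service principals have no UPN

    # Each registered method carries its type in @odata.type, for example
    # #microsoft.graph.microsoftAuthenticatorAuthenticationMethod
    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
    $strong = @($methods | Where-Object { $_ -ne 'passwordAuthenticationMethod' })
    $isDedicated = $upn.StartsWith($adminPrefix, [System.StringComparison]::OrdinalIgnoreCase)

    if ($strong.Count -eq 0)  { $finding = 'NO MFA METHOD REGISTERED' }
    elseif (-not $isDedicated) { $finding = 'Daily-use account holds Global Admin' }
    else                       { $finding = 'OK' }

    [pscustomobject]@{
        UserPrincipalName = $upn
        DedicatedAccount  = $isDedicated
        StrongMethods     = ($strong -join ', ')
        Finding           = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize

# Secure Score recommends fewer than five Global Administrators per tenant.
"Global Administrators: $(@($report).Count)"
```

Everything flagged other than OK is a candidate for either registering an authenticator method or moving the person to a dedicated admin account and removing the role from their daily-use identity.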
Protect Against Malware in Emails
Microsoft 365 has anti-malware protection in place, but you can strengthen it by configuring it to block suspicious content. Follow these steps to ensure maximum efficiency and minimum damage from malware-laden emails or the sharing of potentially malicious links across Office desktop apps:
Email rules for ransomware
Add conditional rules for attachments with extensions known for ransomware spread. For instance, macro-enabled attachments carry file extensions such as dotm, docm, xlsm, xla, xlam, xltm, xll, pptm, ppam and sldm. To create such conditional rules, go to Exchange – mail flow – Rules – Create a new rule and add conditions, exceptions or an action to notify the recipient with a message. This could be a reminder that they have been sent a mail containing macros. You may want to add multiple rules under this category so that Microsoft Office 365 helps your business protect against ransomware.
If a threat actor gains access to an email inbox, they can easily set up forwarding to leak sensitive information outside the organisation. Create a mail flow rule to stop auto-forwarding.
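The same two mail flow rules, created with Exchange Online PowerShell instead of the admin centre, as an added example that is not code from the original article. It also closes the remote-domain auto-forward setting and hunts for forwarding that is already configured on mailboxes or inbox rules, which is the check to run before assuming the new rule has solved the problem. The UPN and disclaimer text are placeholders; the extension list is the one given above.

```powershell
# Added example (not from the original article): macro-attachment warning rule,
# external auto-forward block, and a sweep for existing forwarding.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Macro-enabled Office extensions from the section above.
$macroExtensions = @("dotm","docm","xlsm","xla","xlam","xltm","xll","pptm","ppam","sldm")

# 1. Warn recipients when an external sender attaches a macro-enabled file.
$warnRule = @{
    Name                              = "Warn on macro-enabled attachments from outside"
    FromScope                         = "NotInOrganization"
    AttachmentExtensionMatchesWords   = $macroExtensions
    PrependSubject                    = "[MACRO ATTACHMENT] "
    ApplyHtmlDisclaimerLocation       = "Prepend"
    ApplyHtmlDisclaimerText           = "<p>This message contains a macro-enabled attachment from an external sender. Do not enable content unless you were expecting it.</p>"
    ApplyHtmlDisclaimerFallbackAction = "Wrap"
}
New-TransportRule @warnRule

# 2. Reject automatic forwards from internal mailboxes to external recipients.
$forwardRule = @{
    Name                            = "Block auto-forward to external recipients"
    FromScope                       = "InOrganization"
    SentToScope                     = "NotInOrganization"
    MessageTypeMatches              = "AutoForward"
    RejectMessageReasonText         = "Automatic forwarding to external addresses is not permitted."
    RejectMessageEnhancedStatusCode = "5.7.1"
}
New-TransportRule @forwardRule

# 3. Belt and braces: disable auto-forwarding for the default remote domain too.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Find forwarding that is already in place. Mailbox-level forwarding first ...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# ... then inbox rules that forward or redirect, which attackers typically create.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
```

Treat any external forwarding address in the sweep output as a finding to confirm with the mailbox owner; legitimate cases (a departing employee, a shared mailbox feed) should be documented as exceptions to the transport rule rather than left in place silently.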
Increase protection against phishing attacks by refining the Office 365 threat management settings. Go to the Office 365 admin portal and select Security – Threat management – Policy – ATP anti-phishing – Default policy. Click on Impersonation – Edit, which takes you to the editing window.
- You can then define anti-phishing impersonation conditions that alert you, move the message to the junk folder or redirect messages to another email address. For instance, the following screenshot shows an example of the domain to protect. Partners, vendors and third-party domains can be added under the custom domains list.
- Don’t forget to ‘turn on impersonation safety tips’ under the Actions tab (shown in the screenshot below).
- Mailbox intelligence – Microsoft uses AI to learn each user’s email patterns from their frequent contacts and to tell legitimate email from spoofed email claiming to be from those contacts. This is available for Exchange Online mailboxes. Turn on ‘Mailbox intelligence-based impersonation protection’, which gives a better handle on false positives and user impersonation detection. You can define further action settings, such as redirecting messages to another email address or moving them to the junk folder.
- Enter your trusted domain names under the ‘Add trusted senders and domains’ tab.
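The anti-phishing configuration walked through above, expressed as an Exchange Online PowerShell policy so it can be version-controlled and reapplied, as an added example that is not code from the original article. Every domain, user and policy name in it is a placeholder; the settings map one-to-one onto the portal options in the list (domain and user impersonation, mailbox intelligence, safety tips, trusted senders).

```powershell
# Added example (not from the original article): anti-phishing policy plus the
# rule that scopes it to a recipient domain. Assumes the ExchangeOnlineManagement
# module and Defender for Office 365 (ATP) licensing. All names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$ownDomain     = "contoso.example"                          # placeholder
$partnerDomain = "partner.example"                          # placeholder
$execToProtect = "Jane Doe;jane.doe@contoso.example"        # placeholder, format "DisplayName;Email"
$trustedVendor = "trustedvendor.example"                    # placeholder

$antiPhish = @{
    Name                                 = "Standard anti-phishing"
    Enabled                              = $true
    # Domain impersonation: our own domains plus partners we exchange mail with.
    EnableOrganizationDomainsProtection  = $true
    EnableTargetedDomainsProtection      = $true
    TargetedDomainsToProtect             = @($ownDomain, $partnerDomain)
    TargetedDomainProtectionAction       = "Quarantine"
    # User impersonation: the people most often spoofed in payment-fraud mail.
    EnableTargetedUserProtection         = $true
    TargetedUsersToProtect               = @($execToProtect)
    TargetedUserProtectionAction         = "MoveToJmf"
    # Mailbox intelligence learns each user's contact graph to spot lookalikes.
    EnableMailboxIntelligence            = $true
    EnableMailboxIntelligenceProtection  = $true
    MailboxIntelligenceProtectionAction  = "MoveToJmf"
    # Safety tips shown to the user when a message looks like impersonation.
    EnableSimilarUsersSafetyTips         = $true
    EnableSimilarDomainsSafetyTips       = $true
    EnableUnusualCharactersSafetyTips    = $true
    # Trusted senders and domains exempt from impersonation checks.
    ExcludedDomains                      = @($trustedVendor)
    # Spoof intelligence and a stricter-than-default phishing threshold.
    EnableSpoofIntelligence              = $true
    AuthenticationFailAction             = "MoveToJmf"
    PhishThresholdLevel                  = 2
}
New-AntiPhishPolicy @antiPhish

# A policy does nothing until a rule binds it to recipients.
New-AntiPhishRule -Name "Standard anti-phishing" -AntiPhishPolicy "Standard anti-phishing" -RecipientDomainIs $ownDomain

# Read back the settings that matter most for a quick sanity check.
Get-AntiPhishPolicy -Identity "Standard anti-phishing" |
    Select-Object Name, EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction, PhishThresholdLevel
```

Keep the excluded-domains list short and reviewed: every entry is a sender that impersonation checks will skip, so a partner domain placed there by mistake becomes a blind spot rather than a protected domain.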
ATP Safe Attachments
This feature is available depending on your Office 365 subscription. ATP Safe Attachments ensures your organisation is protected from malicious content in email attachments and in files in OneDrive, Teams, Office apps and SharePoint. You can define the policies here; for instance, the following screenshot shows a ‘block’ policy against malicious files shared via the Office products mentioned earlier. Administrators can visit the reports page for further information.
ATP Safe Links
This feature helps stop users from opening and sharing malicious links in email messages and Office desktop applications. You can have URLs rewritten and checked against a list of known malicious links, and select the action taken against unknown or potentially malicious links shared in Teams. You can define trusted URLs/domains under the ‘Do not rewrite the following URLs’ setting.
Do not forget the other security practices that are part of email server hardening processes. These include logging and monitoring, configuring DMARC and SPF records for email validation, and other hardening items.
By implementing these suggestions, you set your business up for good feedback (if Office 365 pen test reports cover good practices) when you commission an Office 365 security review.
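Two added examples for the last three sections, neither taken from the original article. The first script creates the Safe Attachments ‘block’ policy and the Safe Links policy described above with Exchange Online PowerShell and extends both to SharePoint, OneDrive, Teams and Office; the domain and intranet URL are placeholders. The second is a stand-alone function for the DMARC and SPF point: it resolves both records for a domain with the Windows DnsClient module and reports the weak configurations an email-hardening review would flag.

```powershell
# Added example (not from the original article): Safe Attachments + Safe Links,
# then a DNS check for SPF and DMARC. Assumes the ExchangeOnlineManagement module,
# Defender for Office 365 licensing, and Resolve-DnsName (Windows DnsClient).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN
$domain = "contoso.example"                                       # placeholder

# --- Safe Attachments: detonate attachments and block the message on a verdict.
New-SafeAttachmentPolicy -Name "Block malicious attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Block malicious attachments" -SafeAttachmentPolicy "Block malicious attachments" -RecipientDomainIs $domain
# Extend scanning to files in SharePoint, OneDrive and Teams, and to Safe Documents in Office.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# --- Safe Links: rewrite and check URLs in mail, Teams and Office; allow no click-through.
$safeLinks = @{
    Name                    = "Standard Safe Links"
    EnableSafeLinksForEmail = $true
    EnableSafeLinksForTeams = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                = $true
    DeliverMessageAfterScan = $true
    TrackClicks             = $true
    AllowClickThrough       = $false
    DoNotRewriteUrls        = @("https://intranet.$domain/*")   # placeholder trusted URL
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name "Standard Safe Links" -SafeLinksPolicy "Standard Safe Links" -RecipientDomainIs $domain

# --- SPF and DMARC check for a sending domain (works offline from the tenant).
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF is a TXT record at the apex starting with v=spf1; exactly one is allowed.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0)                { $findings.Add('SPF: no record') }
    elseif ($spf.Count -gt 1)            { $findings.Add('SPF: multiple records; receivers treat this as a permanent error') }
    elseif ($spf[0] -match '[+?]all')    { $findings.Add("SPF: permissive all-qualifier lets any host pass: $($spf[0])") }
    elseif ($spf[0] -match '~all')       { $findings.Add("SPF: softfail only; move to -all once DMARC reports confirm all senders") }

    # DMARC is a TXT record at _dmarc.<domain>; parse the tag=value pairs.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $dmarc = $dmarcTxt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add('DMARC: no record') }
    else {
        $tags = @{}
        foreach ($pair in ($dmarc -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        if ($tags['p'] -eq 'none') { $findings.Add('DMARC: p=none only monitors; move to quarantine or reject after reviewing reports') }
        if (-not $tags['rua'])     { $findings.Add('DMARC: no rua= address, so aggregate reports of spoofing are never received') }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail") }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = ($spf -join ''); DMARC = $dmarc; Findings = $findings.ToArray() }
}

Test-MailAuthRecords -Domain $domain | Format-List
```

The DNS function deliberately does not count SPF lookups; if a record chains several include: mechanisms (Exchange Online, a marketing platform, a ticketing system), check it against the ten-lookup limit separately, because exceeding it makes SPF evaluate as a permanent error on every message.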
Office 365 Compliance
- Data Loss Prevention – DLP controls to assist security teams with sensitive data transfer violations.
- Data Governance – This phase relates to defining content classification, retention rules and data policies.
- Classifications – Information labels can be added to enforce policies such as sensitive information restrictions.
- Data Privacy – This relates to data privacy regulations such as complying with GDPR requirements and personal data access.
- Threat Management – Threat management portal highlights how a business is protected with tracking and other supporting parameters.
Take advantage of Office 365 DLP.
Businesses must protect sensitive information from disclosure by adhering to Office 365 DLP best practices. Sensitive information may include, but is not limited to:
- Credit card numbers
- Personally Identifiable Information (PII)
- National Insurance or Social security numbers
- Health records
With DLP available under the Security & Compliance Center, it is easier to tune DLP policies to help with the following:
- Prevent accidental information sharing outside the organisation.
- Protect information across Microsoft Office products such as Excel, Word, PowerPoint.
- The DLP alerts management portal shows how your business is complying with DLP policies. Policies can be defined with conditions and actions, and show whether users can override a policy and report a false positive.
It is recommended to test the waters first before the entire organisation is put through new DLP checks. You will need to add classifications and sensitive information types under the compliance center, which helps you generate and test with sample data.
Check out more details here on how to use endpoint DLP.
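The pilot-first DLP rollout recommended above, as an added example that is not code from the original article: a policy covering Exchange, SharePoint, OneDrive and Teams that starts in test mode with policy tips, a rule matching card numbers and National Insurance numbers only when content is shared externally, and the one-line switch to enforcement once the pilot has been reviewed. It uses Security & Compliance PowerShell from the ExchangeOnlineManagement module; the UPN, policy names and tip text are placeholders, and the NI number type is looked up by name rather than assumed.

```powershell
# Added example (not from the original article): DLP policy in test mode first,
# enforced later. Assumes Connect-IPPSSession (ExchangeOnlineManagement module)
# and a compliance administrator account. Names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# Resolve the built-in sensitive information types by name rather than by GUID.
$cardType = Get-DlpSensitiveInformationType -Identity "Credit Card Number"
$ninoType = Get-DlpSensitiveInformationType | Where-Object Name -like "*National Insurance*" | Select-Object -First 1
if (-not $ninoType) { throw "No National Insurance sensitive information type found in this tenant." }

$policy = @{
    Name               = "Financial data - pilot"
    Comment            = "Card and NI numbers; runs in test mode until reviewed"
    ExchangeLocation   = "All"
    SharePointLocation = "All"
    OneDriveLocation   = "All"
    TeamsLocation      = "All"
    Mode               = "TestWithNotifications"   # users see policy tips, nothing is blocked yet
}
New-DlpCompliancePolicy @policy

$rule = @{
    Name                                = "Block external sharing of financial data"
    Policy                              = $policy.Name
    ContentContainsSensitiveInformation = @(
        @{ Name = $cardType.Name; minCount = "1" },
        @{ Name = $ninoType.Name; minCount = "1" }
    )
    AccessScope               = "NotInOrganization"     # fire only on external sharing
    BlockAccess               = $true                   # honoured once Mode is Enable
    BlockAccessScope          = "All"
    NotifyUser                = @("Owner", "LastModifier")
    NotifyPolicyTipCustomText = "This item contains financial data and cannot be shared outside the organisation."
    NotifyAllowOverride       = "WithJustification"     # overrides are allowed but recorded
    GenerateIncidentReport    = "SiteAdmin"
    IncidentReportContent     = @("Detections", "Title", "DocumentAuthor")
    ReportSeverityLevel       = "High"
}
New-DlpComplianceRule @rule

# After the pilot: review matches and overrides in the compliance portal, then enforce.
# Set-DlpCompliancePolicy -Identity $policy.Name -Mode Enable
```

The minCount of 1 will be noisy for card numbers in a finance team; during the pilot, the false-positive reports users raise through the policy tip are the data you need to raise the count or add exceptions before switching the mode to Enable.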
The above tips for Exchange Online security best practices are a great start without additional investment. They are by no means a comprehensive list of security features, nor do they offer 100% security (for those who believe in a 100% security score!). Microsoft has introduced a concept known as Microsoft Secure Score to measure an organisation’s security posture based on improvement actions. You can assess your organisation’s security score by visiting https://security.microsoft.com/securescore or via the Secure Score widget on the Security and Compliance Center page.
Cyber threats have always been present throughout the years, but the abruptness of COVID-19 and the sudden shift toward a work-from-home set-up bumped up the cybercrime rate by a whopping 300 per cent since the beginning of the outbreak. SME businesses and Fortune companies alike are going remote to curb the spread of the virus. Still, the sudden uptick in cloud-based solutions comes with another virtual pandemic to worry about.
How Can We Help Protect Your Office 365?
Dealing with cybersecurity issues can lead to costly consequences for your business, especially when your network and software run into a myriad of cybercrimes in this digitally driven workforce. Our Office 365 tenancy security review offers good value for your investment. We review and ensure that your setup covers device management, account policies, application permissions, and security controls around authentication, Exchange, auditing and storage. An Office 365 pen test is a different approach, as described earlier in this article. Our cybersecurity company can help protect UK businesses from different threats with penetration testing, managed security, threat intelligence and data privacy services. Get in touch with us at 0333 050 9002 and let us find your company’s blind spots.