The Microsoft Office 365 productivity suite counts around 200 million active users per month, making it an incredibly attractive target for cybercriminals. In fact, 85% of security incidents investigated by the Kudelski Security Incident Response team in 2019 can be attributed to an Office 365 email compromise.
Of course, email isn’t the only asset at risk. The Office 365 suite hosts critical documents and information for the entire organization in tools like SharePoint, Teams, and OneDrive. In many cases, it’s a single source of truth, especially with Office 365’s reliance on Azure Active Directory and the integrated SSO capabilities for 2,800+ SaaS applications.
This interconnectivity creates a high-risk environment where a compromise of a user’s “email account” can result in widespread access to sensitive data and systems. Increasing the cost (financial or in terms of effort) required to attack Office 365 tenants is critical. We’ve compiled five actionable steps that security teams can take to prevent Office 365 attacks across the (abridged) kill chain—reconnaissance, compromise, persistence, and action on objectives.
Note: Conducting reconnaissance against an Office 365 tenant is fairly easy. Through DNS and TLS certificate transparency logs, you should assume that an attacker will be able to find out whether or not your organization uses Office 365. Additionally, there are several tools that enable attackers to enumerate valid user accounts without ever successfully authenticating (via timing attacks). Therefore, instead of looking for signs of potential recon, we recommend organizations focus on identifying signs of compromise and/or post-exploitation activity.
Turn on audit logging for your Office 365 tenant as soon as possible.
This may come as a surprise, but detailed audit logging is not turned on by default in Office 365 tenants. It’s an incredibly valuable source of information that can help you identify Office 365 attacks. If possible, send the logs to a SIEM, so you can start to build detection capabilities around it.
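As an added example (not code from the original post), the following script checks whether unified audit logging is on, enables it if not, and pulls a day of events as JSON Lines for a SIEM; the admin account and output path are placeholders, and it assumes the ExchangeOnlineManagement module:

```powershell
# Added example (not the post's own code): enable unified audit logging, then
# pull the last 24 hours of events as JSON Lines for a SIEM. Requires the
# ExchangeOnlineManagement module; admin@contoso.example and the output path
# are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Check the current state and switch ingestion on if it is off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Ingestion enabled; it can take a few hours before events appear."
}

# 2. Export events page by page. One call returns at most 5000 records, so a
#    session with ReturnLargeSet is reused until a call comes back empty.
$end       = Get-Date
$start     = $end.AddHours(-24)
$sessionId = "siem-export-" + $end.ToString("yyyyMMddHHmmss")
$outFile   = "C:\siem\o365-audit-$($end.ToString('yyyyMMdd')).jsonl"

do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($rec in $page) {
        # AuditData is already a JSON document; one record per line suits most SIEMs.
        Add-Content -Path $outFile -Value $rec.AuditData
    }
} while ($page)
```

This is enough to get a first set of events into a SIEM; for continuous production ingestion, Microsoft's supported path is the Office 365 Management Activity API rather than repeated cmdlet searches.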
Turn off / restrict access to legacy protocols.
Legacy protocols (POP3, SMTP, etc.) allow attackers to perform brute-force attacks without being prompted for multi-factor authentication. This is by design. Legacy protocols exist for devices like office printers, legacy chat applications like Lync and Skype for Business, or older versions of Outlook that do not support the latest communication protocols that can prompt users for MFA.
There are a couple of options to disable legacy protocols for your Office 365 tenant. Using Azure Active Directory, you can set up conditional access rules that limit which IP addresses or accounts are allowed to authenticate with legacy protocols, reserving them for devices that don’t support more modern protocols. We recommend that organizations create a set of service accounts that are used exclusively to send email from devices that don’t support modern email protocols, and closely monitor those accounts.
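The same split, as an added example that is not from the original post: it uses Exchange Online authentication policies (an alternative to the Conditional Access route mentioned above) to block Basic authentication for everyone, carve out one monitored SMTP-only service account, and review that account's sign-ins; account names are placeholders and the ExchangeOnlineManagement module is assumed.

```powershell
# Added example (not the post's own code). Block Basic auth tenant-wide, allow
# SMTP AUTH only for a printer/scanner service account, and watch that account.
# svc-printer@contoso.example and admin@contoso.example are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. A new authentication policy blocks every Basic-auth protocol unless an
#    Allow* switch is given. Make it the tenant default (applies within ~24h).
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 2. Exception policy: only SMTP AUTH, assigned to the one account that needs it.
New-AuthenticationPolicy -Name "Allow Basic SMTP only" -AllowBasicAuthSmtp
Set-User -Identity svc-printer@contoso.example -AuthenticationPolicy "Allow Basic SMTP only"

# 3. Belt and braces on the protocol side: turn POP/IMAP off where they are on,
#    disable SMTP AUTH tenant-wide, and re-enable it only on the service mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity svc-printer@contoso.example -SmtpClientAuthenticationDisabled $false

# 4. Monitor the exception: the account should only ever sign in from the
#    printer's address, so anything else is worth a look.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds svc-printer@contoso.example -Operations UserLoggedIn -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, ClientIP, ApplicationId, ResultStatus |
    Sort-Object CreationTime | Format-Table -AutoSize
```

Since October 2022 Microsoft has disabled Basic authentication for POP, IMAP and Exchange ActiveSync in Exchange Online, so for newer tenants only the SMTP AUTH exception in steps 2 and 3 still needs managing.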
Pre-approve applications that can request OAuth grants.
OAuth is the protocol that powers the “sign in with Facebook/Google” capabilities as well as other SSO and Active Directory integrations. These requests specify the type of access an application wants—e.g. your email address and account name. However, attackers have started creating fake applications that request email read and write access. The user never provides a password, and the grant lets the attacker retain access even if the account credentials are changed. This is especially problematic if a global admin is the target of an attack. Without knowing it, the admin could grant access to the entire Office 365 tenant (including all files, applications, etc).
Microsoft Office 365 has built-in tools that enable organizations to look for the fake applications used to generate illicit OAuth grants. Additionally, as an admin, you can create a pre-approved list of applications that are able to request OAuth access, to avoid illicit grants.
Clear Outlook mail rules immediately if an attack is suspected or identified.
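As an added example (not from the original post), this script inventories every delegated OAuth grant in the tenant, flags mailbox-level scopes granted to applications outside a pre-approved list, and lists the matching consent events from the audit log; the approved app IDs, the scope pattern and the admin account are placeholders, and it assumes the Microsoft.Graph and ExchangeOnlineManagement modules.

```powershell
# Added example (not the post's own code): find delegated OAuth grants from
# applications that are not on the organisation's approved list. App IDs and
# admin@contoso.example are placeholders.
Connect-MgGraph -Scopes "Directory.Read.All","DelegatedPermissionGrant.ReadWrite.All"

# Applications already reviewed and pre-approved (placeholder IDs).
$approvedAppIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)
# Scopes that give an app the kind of access described above (adjust to taste).
$sensitive = 'Mail\.(Read|ReadWrite|Send)|MailboxSettings|Files\.ReadWrite\.All|Directory\.ReadWrite'

# One grant object per (app, user) or (app, whole tenant); Scope is space-separated.
$grants = Get-MgOauth2PermissionGrant -All
$spById = @{}
$findings = foreach ($g in $grants) {
    if (-not $spById.ContainsKey($g.ClientId)) {
        $spById[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    }
    $sp = $spById[$g.ClientId]
    if ($sp.AppId -notin $approvedAppIds -and $g.Scope -match $sensitive) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            ConsentType = $g.ConsentType   # 'AllPrincipals' = admin consented for everyone
            Principal   = $g.PrincipalId   # consenting user; empty for tenant-wide grants
            Scope       = $g.Scope
            GrantId     = $g.Id            # feed to Remove-MgOauth2PermissionGrant to revoke
        }
    }
}
$findings | Format-Table -AutoSize

# Consent events are also in the unified audit log once auditing is on.
# Note the operation name really does end with a period.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "Consent to application." -ResultSize 1000 |
    Select-Object CreationDate, UserIds,
        @{n='Target'; e={ (($_.AuditData | ConvertFrom-Json).Target.ID) -join ';' }}
```

Revoking a flagged grant is `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $finding.GrantId`; turning user consent off entirely (so only admins can approve apps) is a tenant-wide setting under Enterprise applications > Consent and permissions.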
Attackers use email forwarding (and other) rules to persist in an environment even after an attack has been detected and “mitigated”. An attacker can create rules that could automatically forward emails to a third party or auto-delete “red flag” emails or replies. For example, if a user notices a suspicious email and emails the owner of the account, the rule could automatically delete that email, leaving the account owner none the wiser.
Complicating matters, there are tools that can abuse Exchange messaging APIs to hide email rules from admins and users. This is why, in addition to changing email passwords, it’s important to also clear all email rules after an account has been compromised.
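The clean-up described above, as an added example that is not from the original post: it records every inbox rule on the compromised mailbox (including ones hidden from the Outlook interface), highlights the usual forwarding/deletion patterns, removes all rules and mailbox-level forwarding, and pulls the audit trail of who created them; the mailbox, admin account and evidence path are placeholders, and the ExchangeOnlineManagement module is assumed.

```powershell
# Added example (not the post's own code): post-compromise inbox rule clean-up.
# victim@contoso.example, admin@contoso.example and C:\ir are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$Mailbox  = "victim@contoso.example"
$evidence = "C:\ir\inboxrules-$($Mailbox.Split('@')[0]).json"

# 1. Capture everything first, including rules hidden from Outlook, so the
#    incident record shows exactly what was configured before deletion.
$rules = @(Get-InboxRule -Mailbox $Mailbox -IncludeHidden)
$rules | Select-Object Name, Enabled, Priority, Description, ForwardTo, ForwardAsAttachmentTo,
    RedirectTo, DeleteMessage, MoveToFolder, SubjectOrBodyContainsWords |
    ConvertTo-Json -Depth 4 | Set-Content -Path $evidence

# 2. Show the classic persistence patterns: forwarding out, deleting or burying
#    "red flag" replies, and keyword-triggered rules.
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                        $_.DeleteMessage -or $_.MoveToFolder -or $_.SubjectOrBodyContainsWords } |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

# 3. Remove every rule, not only the suspicious ones; the user can recreate
#    legitimate rules afterwards.
$rules | ForEach-Object { Remove-InboxRule -Mailbox $Mailbox -Identity $_.Identity -Confirm:$false }

# 4. Rules are not the only forwarding path: clear mailbox-level forwarding too.
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 5. Establish when and from where the rules were created.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds $Mailbox `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox -ResultSize 1000 |
    Select-Object CreationDate, Operations,
        @{n='ClientIP'; e={ ($_.AuditData | ConvertFrom-Json).ClientIP }}
```

Rules whose underlying rule message was tampered with at the MAPI level may not appear even with -IncludeHidden, which is one more reason to treat "remove everything" rather than "remove what looks suspicious" as the standard.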
Closely monitor access to eDiscovery and set up alerts that trigger every time the tool is used.
eDiscovery allows users to search for data across all applications in the Office 365 tenant using keywords or a specific set of criteria. This access, coupled with a tool like Microsoft Flow, which enables the automatic download and upload of eDiscovery results, can allow attackers to automate the discovery and exfiltration of sensitive data.
By default, global admins do not have access to the eDiscovery tool. You must request to be added to the user group that has access. Once that group exists, monitor every addition to it. A new addition to the user groups used to grant access to eDiscovery should be investigated, as it’s possible an attacker is attempting to abuse the tool to find sensitive data. The easiest way to do this is to set up alerts that trigger every time eDiscovery is used. Over time, you can tune the alerts to specific scenarios.
Last, but not least, it’s safe to assume that attackers know more about Office 365 than you. They know about all the capabilities, the legacy protocols, eDiscovery, and other above-board and below-board services that can be leveraged to enumerate users and automate data exfiltration.
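As an added example (not from the original post), a scheduled check that flags new members of the eDiscovery role groups against the previous run and lists the day's eDiscovery activity and membership changes from the audit log; the admin account and baseline path are placeholders, and it assumes the ExchangeOnlineManagement module (Connect-IPPSSession for the compliance role groups).

```powershell
# Added example (not the post's own code): daily eDiscovery access check.
# admin@contoso.example and C:\monitoring are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # for Search-UnifiedAuditLog
Connect-IPPSSession   -UserPrincipalName admin@contoso.example   # for compliance role groups

$baselinePath = "C:\monitoring\ediscovery-members.json"
$roleGroups   = @("eDiscovery Manager", "Compliance Administrator")

# 1. Who can run eDiscovery today? Case admins are a separate list inside the
#    eDiscovery Manager role group, so collect them as well.
$current = @(
    foreach ($rg in $roleGroups) {
        Get-RoleGroupMember -Identity $rg |
            ForEach-Object { [pscustomobject]@{ Group = $rg; Member = $_.Name } }
    }
    Get-eDiscoveryCaseAdmin |
        ForEach-Object { [pscustomobject]@{ Group = "eDiscovery Administrator"; Member = $_.Name } }
)

# 2. Diff against the previous run; any new member is an investigation trigger.
if (Test-Path $baselinePath) {
    $baseline     = @(Get-Content $baselinePath -Raw | ConvertFrom-Json)
    $baselineKeys = @($baseline | ForEach-Object { "$($_.Group)/$($_.Member)" })
    $added = $current | ForEach-Object { "$($_.Group)/$($_.Member)" } |
             Where-Object { $_ -notin $baselineKeys }
    if ($added) { Write-Warning "New eDiscovery-capable members: $($added -join ', ')" }
}
$current | ConvertTo-Json | Set-Content -Path $baselinePath

# 3. The day's eDiscovery activity (content searches, exports, case changes).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType Discovery -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId |
    Sort-Object CreationTime | Format-Table -AutoSize

# 4. Membership changes are audited too, so alert on those operations directly.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations Add-RoleGroupMember,Add-eDiscoveryCaseAdmin,New-RoleGroup -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations
```

Run it from a scheduled task and route the warning and the two tables to your SIEM or ticketing system; once the legitimate eDiscovery users are known, step 3 can be narrowed to everyone else.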