Implementing Foundational Security Controls for Every Office 365 Environment

In our previous post, we provided an overview of each of the 12 Foundational Security Controls that should be implemented for every Office 365 environment to deter business email compromise (BEC), account takeover (ATO) attacks, and unauthorized data access.

Foundational Security Controls for Every Office 365 Environment

As many organizations continue to adjust to an extended and potentially permanent remote workforce, dependency on cloud services has increased rapidly – as Microsoft CEO Satya Nadella stated in a recent earnings release – “We’ve seen two years’ worth of digital transformation in two months.” The following post is intended to help organizations that may have recently begun using or have increased their usage of Office 365. 

Please note Microsoft continues to evolve their platform and these recommendations are current as of this posting.

Attackers Exploit Gap in Office 365 Best Practice Guidelines

July 28, 2020 Update: Due to the complexities documented in this blog post, Microsoft is rolling out changes to e-mail forwarding configuration in Office 365. SecureSky is testing the changes that are documented at the following Microsoft URL, and will update this blog post after completion of testing to address these changes: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide.

With a six times increase in COVID-19 themed incidents, security professionals need to take advantage of every possible configuration and security control to protect against this growing amount of attacks.  Today we will discuss how attackers are leveraging a gap in Office 365 best practices that allows undetected eavesdropping on victim’s emails.

When attackers gain control of an account in Office 365, one of the first steps they often take is to configure email forwarding in the compromised environment. Attackers configure email forwarding in order to see new emails that arrive in the victim’s inbox – which can be responses to attacker phishing attempts sent to the victim contacts. In order to disguise their presence, the attacker does not want the victim to see those emails. 

Microsoft Security Defaults – A Step in the Right Direction, but Customers Should Do More

We understand that managing security for Office 365 can be difficult and complex. As we continue to see common identity-related attacks against authentication like password spray, replay, phishing and malware-based increasing into today’s uncertain world it's imperative that we understand Microsoft’s “Security Defaults”.