As many organizations continue to adjust to an extended and potentially permanent remote workforce, dependency on cloud services has increased rapidly – as Microsoft CEO Satya Nadella stated in a recent earnings release – “We’ve seen two years’ worth of digital transformation in two months.” The following post is intended to help organizations that may have recently begun using or have increased their usage of Office 365.
Please note Microsoft continues to evolve their platform and these recommendations are current as of this posting.
This blog post presents 12 foundational security controls that should be implemented for every Office 365 environment to deter business email compromise (BEC), account takeover (ATO) attacks, and unauthorized data access. The diagram below illustrates how the security configuration controls can disrupt the sequence of steps used by cyber-criminals to compromise office 365 environments. The numbers in this cyber-attack lifecycle illustration correspond to the 12 foundational security controls and indicate the primary stage of a cyber attack in which the security control disrupts the cyber-criminal objectives.
Cyber Kill Chain® developed by Lockheed Martin
While every Office 365 environment has unique attributes, and organizations utilize Office 365 capabilities in different ways, these foundational security controls are essential for security in any organization. Higher-level licensing in Office 365 (for example E3, E5 Security or additional add-ons) provides even more security functionality to protect Office environments, however none of the controls listed here require any such advanced licensing.
Surprisingly, in delivering SecureSky’s cloud security posture management and incident response services, we find few organizations that have even these 12 basic controls fully implemented.
If you are familiar with Office 365 security, a number of these foundational controls will not be unexpected – many of the most critical steps to take for Office 365 security are well-known and documented by Microsoft and other organizations, like the Center for Internet Security.
SecureSky’s 12 foundational security controls for Office 365 environments are:
1. Implement Multi-Factor Authentication (MFA) for Privileged Roles – the best way to protect against account compromise is to enforce multi-factor authentication for all users in your environment. MFA requires multiple types of authentication (e.g., something you know plus something you have) to establish user identity. The most common Office 365 MFA combination is (1) a user password and (2) confirmation of access to a specific mobile device. If you cannot enable MFA for all users, at a minimum it should be enabled for all Azure Active Directory privileged roles. A breach of a privileged role account could lead to a complete compromise of the Office 365 environment.
2. Limit Number of Global Administrator Accounts – The number of global administrators should be kept to a minimum so there are a limited number of accounts with superuser privileges. SecureSky recommends reviewing accounts with global administrator privileges and identifying those that can be given less privileged permissions while retaining operability. Microsoft and other guidance recommend 3 to 5 global administrators per environment.
3. Limit Guest User Privileges – By default, all users can invite guests, guests can invite guests, and guest invites can be sent to any domain. Unmanaged guest creation multiplies the chances an attacker can remain a persistent threat in your environment. SecureSky recommends configuring the policy so that “Members” and “Guests” cannot invite guests, only Admins and Users in the “Guest Inviter” role can, guest user permissions are limited, and enabling “Collaboration Restrictions” so that only those from specific domains can be invited.
4. Restrict 3rd Party Application Integrations - By default, all users can register applications that can access organizational data. Attackers can create malicious applications and trick users into registering them. SecureSky recommends administrators control which applications are registered.
5. Add-in Permissions (Outlook) – Outlook add-ins are programs that run within Outlook and perform actions that Outlook does not provide. By default, users can install add-ins in their Outlook client, accessing emails and the data contained within them. SecureSky recommends controlling which add-ins are permitted and removing a user’s ability to install them by modifying the “Default Role Assignment Policy.” Administrators can select and deploy add-ins as required.
6. Outlook Add-in Permissions (Word, Excel, PowerPoint) - Office add-ins are programs that run within Microsoft applications (Word, Excel and PowerPoint) and perform actions that these applications do not provide. By default, users can install add-ins in their Word, Excel and and PowerPoint applications, accessing the data contained within them. SecureSky recommends controlling which add-ins are permitted and removing a user’s ability to install them by removing their ability to access the Office Store and preventing them from installing trial applications and services in the Microsoft Admin Portal.
7. SharePoint Legacy Authentication - Legacy authentication in SharePoint uses only user name and password for client access, effectively bypassing modern authentication mechanisms such as MFA. SecureSky recommends disabling legacy authentication in SharePoint to require modern authentication for client access requests.
“What about Basic & Modern Authentication for Exchange Online?” Last year, Microsoft announced they would decommission Basic Authentication on October 13th, 2020. However, in their April 2020 update, Microsoft announced they are deferring this effort in response to COVID-19. Microsoft will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. As disabling Basic Authentication can affect multiple points of authentication, SecureSky recommends investigating if/where Basic Authentication is being used and establish a plan for disabling and transitioning to close this attack vector.8. Disallow Forwards Outside of Organization - It is common for attackers to set up mail forwarding rules to auto-forward messages to an external mailbox, as presented in the following screenshot:
Forwarding enabled in user account in Office 365
The intent of this forwarding is to ensure that the attacker can see and archive inbound emails to compromised accounts, including any potential responses to phishing emails the attacker sends.
Because of this risk, users should not be permitted to create auto-forwarding rules to inboxes that are not located within the organization. To learn about the best way to limit email forwarding in your environment, please refer to the SecureSky blog here.9. Email Flow Phishing Customizations – Mail flow policies should be enforced to protect end-users from suspicious emails indicating possible phishing attempts and can be customized for different environments. The following rules should be considered for implementation in Office 365 environments:
- Implement a mail flow rule that provides a notification to users when messages are received from outside the company, enhancing user awareness for messages that are internal vs. external.
- Where feasible, implement a rule that notifies the email recipient of the use of key words associated with phishing and Business E-mail Compromise attacks. For instance, user warnings can be prepended to emails with attachments with filenames that include keywords “remittance,” “invoice,” “bill,” or “payroll” to ensure that the recipient is aware that these messages could potentially be phishing attacks.
- Where feasible, implement a rule that notifies the email recipient of the use of URL shorteners, which are used frequently in phishing attacks. For instance, user warnings can be prepended to emails that include URL shorteners, including “bit.ly,” “goo.gl,” and “tinyurl.com” to ensure that the recipient is aware that these messages could potentially be phishing attacks.
11. Mailbox Auditing - Mailbox auditing will track users accessing and performing actions within their own mailbox. Other mailbox statistics and telemetry data are also collected. When mailbox auditing is turned on, actions performed by administrators, delegates, and mailbox owners are logged by default. SecureSky recommends reviewing the actions that can be audited to potentially identify common indicators or compromise; listed at the following URL: https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing.
12. Office 365 Security Monitoring - Office 365 Security Monitoring enables response to security alerts that are generated. Default alert policies allow events to go unnoticed. SecureSky recommends creating custom alert policies that trigger on suspicious behavior and responding to alerts in a timely manner.
Configuring these security controls builds a foundation for your organization’s Office 365 security configuration standard. While numerous security controls can be configured (SecureSky Office 365 Security Configuration Assessment checks for over 100 individual configuration settings), we believe these 12 controls, available at all license levels, are essential to implement in any Office 365 environment.
SecureSky works closely with law enforcement, proprietary BEC threat sharing consortiums, leading security and compliance standards organizations, and has extensive experience helping clients secure and monitor Office 365 environments. To learn more about some of the work we have done for clients, and recommendations for improving Office 365 security, please see our website and blog series on Office 365 Business Email Compromise here.
Look to our next blogs in this series for guidance on how to enable and configure these 12 security controls to defend against growing and evolving cyber-attacks.