It’s common in the cybersecurity world to note that anything that creates better convenience will also expose users and administrators to more risks. The easier it is to access things, in other words, the less secure those things are. If your organization uses all of the convenience and integration of Microsoft 365, then, what kind of security tradeoffs are you making? Today, we’ll take a look at some of the biggest threats facing 365 tenants.
Leadership by (being forced to set an) example
Earlier this year, an interesting story developed around a breach at Microsoft itself. A threat group that Microsoft attributes to the Russian state was able to read Microsoft's own internal emails about that very group. Presumably, the group learned quite a bit about refining its strategies and tactics from what one of the largest security vendors in the world knows about it. The incident also gave Microsoft the occasion to lay out how to stop or mitigate similar breaches in Exchange, 365, and its other cloud-hosted offerings.
The focus of those recommendations was 1) identity management, 2) XDR, and 3) SIEM. If you don't recall what these products are, don't worry, we'll cover them next week. Each recommendation was framed around the group responsible for this particular breach, but implementing them would plainly help against many other threats out in the cyber-world. While Microsoft does sell products in each of these categories, it is far from the only player in the space, so the guidance isn't simply promotional material for Microsoft's own security offerings.
Other large companies that rely on Microsoft are high-value targets as well. For example, Hewlett Packard Enterprise disclosed in the same week that the same group had gotten into its Office 365 mail, which is hosted by Microsoft. Not every size of company will garner the same attention from state-backed attackers, but the underlying security concerns are there for every organization.
Top 5 Security Risks in 365
1) Email compromise
The issues with email compromise are usually about identity management. Many phishing attacks are after access to your email, and more valuable targets see more sophisticated and elaborate attacks. For the most part, though, an attack only has to be as sophisticated as the controls protecting the identity it targets. A typical phishing attack seeks user credentials (username and password) so the attacker can log in, steal data from the inbox, and then use that mailbox to launch impersonation attacks or further phishing campaigns.
A compromised account is used to launch new targeted attacks, for example asking coworkers to transfer funds or divulge proprietary information. Mailboxes under an attacker's control can also send mass emails that pass through spam filtering, because the mail comes from a reputable, trusted domain rather than from an unknown or rogue mail server. Most compromised email accounts are ones without MFA (multifactor authentication) enabled, because MFA stops an attacker who holds only a leaked or stolen username and password from logging in. (MFA is a large improvement rather than a guarantee: phishing kits that proxy the real login page can capture the session after the second factor is entered, so the sign-in logs still deserve attention.)
2) Permissions in OneDrive and SharePoint
Similarly, if an email account is compromised in this way, the attacker can reach any data stored in that user's OneDrive. Depending on your company's data use policies, and on how your organization actually uses files and holds employees accountable for following those policies, you may have quite a bit of proprietary information sitting in OneDrive. It is worse still if sensitive business or client information is stored there.
Compromising an account also gives an attacker access to every Teams and SharePoint resource that user can reach. In many small and medium businesses, if the permission model isn't well designed, that can amount to carte blanche access to all of the data shares. Keep in mind, too, that a classic cause of account compromise is old accounts that stick around, still enabled and still holding their permissions, after an employee has moved on. For this reason, every user's permissions need consistent, regular review, so that a disused account cannot be quietly used to reach company data.
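The review described above is usually done with a script rather than by hand. The following is an added example, not code from the original post or from Microsoft: it flags enabled accounts that have not signed in for more than 90 days and lists the groups they still belong to, which is the short list an administrator should go through. The records are constructed to resemble a flattened Microsoft Graph user export (the `signInActivity` object is real Graph output; the `memberOf` list is assumed to have been joined in from a separate group-membership query, and all names and dates are made up).

```python
"""Flag dormant Microsoft 365 accounts that still hold group access.

Added example (not from the original post). SAMPLE_USERS is a constructed
stand-in for a Microsoft Graph export of users with their signInActivity
(assumption: a real export is pulled with User.Read.All and AuditLog.Read.All
and the group memberships are joined in from /users/{id}/memberOf).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data; the shape mirrors Graph user objects, the content is made up.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:14:00Z"},
     "memberOf": ["Finance", "SP-Contracts-Owners"]},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T00:00:00Z"},
     "memberOf": ["Sales", "SP-Clients-Members"]},
    {"userPrincipalName": "carol@example.com", "accountEnabled": True,
     "signInActivity": None,  # Graph returns no activity for an account that never signed in
     "memberOf": ["SP-HR-Owners"]},
    {"userPrincipalName": "dave@example.com", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2022-01-10T09:00:00Z"},
     "memberOf": []},
]

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph timestamps are ISO-8601 with a trailing 'Z' that fromisoformat() (3.10-) rejects."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_accounts(users, now=NOW, max_idle_days=90):
    """Return enabled accounts idle longer than max_idle_days, with their group memberships.

    An account with no recorded sign-in at all is reported as stale too: nobody can
    vouch for it, and it still carries whatever access it was given.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in users:
        if not user.get("accountEnabled", False):
            continue  # already disabled; revoking its groups is a separate cleanup
        activity = user.get("signInActivity") or {}
        last = activity.get("lastSignInDateTime")
        last_dt = parse_graph_time(last) if last else None
        if last_dt is None or last_dt < cutoff:
            findings.append({
                "user": user["userPrincipalName"],
                "last_sign_in": last,
                "idle_days": (now - last_dt).days if last_dt else None,
                "groups": list(user.get("memberOf", [])),
            })
    return findings


if __name__ == "__main__":
    for f in stale_accounts(SAMPLE_USERS):
        print(f"{f['user']}: last sign-in {f['last_sign_in']} "
              f"({f['idle_days']} days idle), groups: {', '.join(f['groups']) or 'none'}")
```

The output is the review queue: for each account, decide whether to disable it, and strip the group memberships either way, since a SharePoint owner group is exactly the kind of access a forgotten account should not keep.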
3) Data loss
If you use SharePoint to store your business's data, you need to know that being "in the cloud" does not by itself protect against data loss of various kinds. According to Proofpoint's 2024 Data Loss Landscape report, the leading cause of significant data loss is "careless users." A great deal of data is lost every year to accidental deletion, or leaked accidentally, for example in an erroneously sent email with sensitive data attached or included.
The report claims that just 1% of users are responsible for "90% of [data loss prevention alerts]," meaning some users simply don't know how to securely store, transfer, and delete information according to their own company's data use policies and compliance requirements. Measured by the volume of alerts and incidents, then, the biggest threat to your data is internal to your organization. Of course, the outcome of a data loss event caused by an external party is very different, because it isn't so much a leak or a deletion as the theft of your data.
4) Data exfiltration
If a threat actor gains access to the data shared in your SharePoint or SharePoint Online instance, they may be looking to steal it. Data exfiltration is the unauthorized copying of your data, and in 365 it can be done from any user account that has access to that data. Typically, an attacker simply downloads the files the account can reach, but in some cases they use the tenant's own automation tooling to build a flow or app inside the compromised environment that clandestinely sends the information to a server they control.
As with data loss, exfiltration can come from internal users too. If one of your users would like, for whatever nefarious reason, to keep personal copies of proprietary data, then that data should be monitored to make sure it isn't being offloaded to a personal account or copied en masse.
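Both of the scenarios above, an attacker bulk-downloading from a compromised account and an insider copying files en masse, look the same in the Microsoft 365 unified audit log: a burst of download operations from one account. The following added detection is not code from the original post or from Microsoft; it runs a sliding window over audit records and reports any user whose download count inside the window exceeds a threshold. `FileDownloaded` and `FileSyncDownloadedFull` are real operation names in SharePoint/OneDrive audit records; the users, site paths, IP address and timestamps in the sample are constructed.

```python
"""Flag bulk SharePoint/OneDrive downloads in a unified audit log export.

Added example, not part of the original post. SAMPLE_EVENTS is constructed to
resemble the AuditData fields of Microsoft 365 unified audit log records
(CreationTime, UserId, Operation, Workload, ObjectId, ClientIP); the content
is made up. A real run would feed in the output of Search-UnifiedAuditLog or
the Office 365 Management Activity API.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that move file content off the tenant (web download and full sync download).
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def _event(user, op, when, path, ip="198.51.100.7"):
    """Build one constructed audit record in the shape of an AuditData object."""
    return {"CreationTime": when, "UserId": user, "Operation": op,
            "Workload": "SharePoint", "ObjectId": path, "ClientIP": ip}


SITE = "https://contoso.sharepoint.com/sites"  # constructed tenant
SAMPLE_EVENTS = [
    _event("alice@example.com", "FileDownloaded", "2024-05-21T09:02:10", f"{SITE}/Finance/Shared Documents/Q1.xlsx"),
    _event("alice@example.com", "FileDownloaded", "2024-05-21T10:15:44", f"{SITE}/Finance/Shared Documents/Q2.xlsx"),
    _event("bob@example.com", "FileAccessed", "2024-05-21T09:30:00", f"{SITE}/Sales/Shared Documents/pricing.docx"),
] + [
    # nine downloads from one account inside nine minutes, late in the evening
    _event("Mallory@example.com", "FileDownloaded", f"2024-05-21T22:0{i}:00",
           f"{SITE}/Clients/Shared Documents/contract-{i:02d}.pdf")
    for i in range(8)
] + [
    _event("mallory@example.com", "FileSyncDownloadedFull", "2024-05-21T22:08:30",
           f"{SITE}/Clients/Shared Documents/client-list.xlsx"),
]


def bulk_downloaders(events, threshold=50, window=timedelta(minutes=10)):
    """Return {user: (count, window_start, window_end, [paths])} for every user with
    more than `threshold` download operations inside any sliding `window`.

    The densest window per user is reported. UserId is lower-cased because the
    audit log is not consistent about case across workloads.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("Operation") not in DOWNLOAD_OPS:
            continue
        per_user[ev["UserId"].lower()].append(
            (datetime.fromisoformat(ev["CreationTime"]), ev.get("ObjectId", "")))

    findings = {}
    for user, items in per_user.items():
        items.sort()  # by timestamp, so a two-pointer window works
        start, best = 0, None
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best[0]):
                best = (count, items[start][0], items[end][0],
                        [path for _, path in items[start:end + 1]])
        if best is not None:
            findings[user] = best
    return findings


if __name__ == "__main__":
    # The default threshold of 50 suits a real log; the sample is small, so lower it here.
    for user, (count, first, last, paths) in bulk_downloaders(SAMPLE_EVENTS, threshold=5).items():
        print(f"{user}: {count} downloads between {first:%H:%M:%S} and {last:%H:%M:%S}")
        for p in paths:
            print("   ", p)
```

Tune the threshold and window to the tenant's normal behaviour (a sync client re-downloading a library after a reset will trip a naive count), and treat a hit as the start of an investigation: check the `ClientIP` against the user's usual locations and whether the account also created new inbox rules or app registrations around the same time.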
5) Malware
While malware attacks usually arrive through phishing and compromised email accounts, they deserve their own section because they can spread through attachments shared inside the 365 and Office apps. Ideally, all of these attacks would be stopped by not opening attachments that are unexpected or unsolicited, and 365 has built-in defenses to stop malicious code from running just because an email landed in your inbox.
The problem is that no defense against malicious files is ever total. 365 can block malicious emails with its spam and phishing policies (on by default), scan attachments for malicious code and block them from running, and, with the Safe Attachments feature of Defender for Office 365 (not included in every plan), detonate attachments in a sandbox before delivery... but there are still attacks that get around these layers and exploit flaws in the defenses.
When we continue…
If this all sounds a bit fear-inducing, don't worry too much, as long as it doesn't dull your vigilance. Next week, we'll explore the remedies and best practices that will do the most to prevent loss, intrusion, and attacks in your 365 environment.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team