Sep 07, 2022

The Microsoft 365 Security Series – Multi-Factor Authentication

Microsoft 365, formerly known as Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.

One of its components, Office 365, is prevalent in the market. According to statista.com, as of February 2022, Microsoft's Office 365 had around 48 percent of the market share for major office suite technologies worldwide. As such, it’s one of the most sought-after targets by attackers.

Office 365 is a SaaS solution that combines the usual desktop Office applications with some new productivity services, all of which are available from Microsoft’s Azure cloud platform. This means organizations can provide email access to their employees as long as those employees have access to the internet.

Unfortunately, this comes with a host of cyber risks. Implementing best security practices is vital to keeping the associated risk low. Roberto Bamberger, Senior Principal Consultant at Microsoft, spoke at SANS 2022 Cloud Security Exchange this past week. He said, “Attackers are like water. They will look for any crack to infiltrate.”

Organizations want to be secure. Microsoft provides some controls out of the box and others that administrators need to implement themselves. However, one of the major pitfalls is implementing weakened controls. Most organizations resort to less effective controls, which give them a false sense of security because threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks.

Let’s start today with…

Multi-Factor Authentication


Multifactor authentication (MFA) means you and your employees must provide more than one way to sign in to Microsoft 365. It is one of the easiest ways to secure your business, because it limits the impact that a compromised password has on enterprise cyber risk.


As it turns out, MFA is largely abused.

Researchers with Microsoft have uncovered a large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 using adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA).


While AiTM phishing attempts to circumvent MFA, MFA implementation continues to be an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.

As per Microsoft, organizations can thus make their MFA implementation “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such types of attacks:

  • Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.

  • Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.

  • Continuously monitor for suspicious or anomalous activities:

    • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).

    • Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.
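The two hunts listed above can be prototyped over exported audit records before being turned into production detections. The following is an added example, not code from Microsoft or Gradient Cyber: the record layout, event names, trusted range and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values: replace with your own egress ranges and tuned thresholds.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]  # documentation range standing in for office egress
RULE_WINDOW = timedelta(minutes=30)             # Inbox rule this soon after an untrusted sign-in
MAIL_ACCESS_LIMIT = 3                           # mail item reads per (user, untrusted IP)

# Constructed audit records (time, user, ip, event); event names are hypothetical.
EVENTS = [
    ("2022-09-01T08:02:00", "alice@example.com", "198.51.100.7", "signin"),
    ("2022-09-01T08:30:00", "alice@example.com", "198.51.100.7", "inbox_rule_created"),
    ("2022-09-01T09:15:00", "bob@example.com", "203.0.113.50", "signin"),
    ("2022-09-01T09:21:00", "bob@example.com", "203.0.113.50", "inbox_rule_created"),
    ("2022-09-01T09:22:00", "bob@example.com", "203.0.113.50", "mail_item_accessed"),
    ("2022-09-01T09:23:00", "bob@example.com", "203.0.113.50", "mail_item_accessed"),
    ("2022-09-01T09:24:00", "bob@example.com", "203.0.113.50", "mail_item_accessed"),
    ("2022-09-01T11:00:00", "carol@example.com", "192.0.2.9", "inbox_rule_created"),
]

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def hunt(events):
    """Return (finding, user, ip) tuples for activity from untrusted addresses."""
    findings, last_signin, reads = [], {}, defaultdict(int)
    for time, user, ip, event in sorted(events):   # ISO timestamps sort chronologically
        if is_trusted(ip):
            continue
        when = datetime.fromisoformat(time)
        if event == "signin":
            last_signin[user] = when
            findings.append(("untrusted_signin", user, ip))
        elif event == "inbox_rule_created":
            prev = last_signin.get(user)
            recent = prev is not None and when - prev <= RULE_WINDOW
            kind = "rule_after_untrusted_signin" if recent else "rule_from_untrusted_ip"
            findings.append((kind, user, ip))
        elif event == "mail_item_accessed":
            reads[(user, ip)] += 1
            if reads[(user, ip)] == MAIL_ACCESS_LIMIT:  # report once, when the limit is reached
                findings.append(("bulk_mail_access", user, ip))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

An Inbox rule created shortly after a sign-in from an untrusted address is ranked separately from a rule created from an untrusted address alone, since the former matches the session-hijack sequence described in the campaign.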

Gradient Cyber, as your trusted cybersecurity partner, will be happy to consult with you about the best ways to keep your organization watertight from attackers.