With over 250 million monthly users in 2020, Microsoft 365 (formerly Office 365) is one of the most widely used cloud productivity suites. But the popularity of Microsoft 365 — as well as the valuable data that is stored within those environments — makes it an appealing target for cybercrime. In fact, adversaries attack Microsoft 365 more than any other software environment (Statista).
In 2021, one in five organizations experienced at least one account compromise in Microsoft 365, according to a Barracuda Networks report.
As adversaries continue to target Microsoft 365 environments, it’s important to be aware of common security concerns and to understand what you can do to protect your organization.
Learn about five common Office 365 security issues.
1. Privilege Escalation
Privilege escalation is a common attack technique in which a threat actor elevates the permissions of an account they already control, ideally to Domain Administrator on-premises or Global Administrator in Microsoft 365, so they can launch further attacks. To do this, adversaries often use legitimate tools already present in the environment, a technique called living off the land, which lets them evade most antivirus and endpoint detection and response (EDR) software. For example, a threat actor can abuse scheduled tasks, a built-in Windows feature, to run code with a higher level of privilege.
Elevation of privilege was the most common category of Microsoft vulnerability in 2021, according to a BeyondTrust report, with nearly three times as many as the previous year. In January 2021, CISA reported that the Russia-based advanced persistent threat (APT) actor behind the SolarWinds compromise had abused privileged access in victims’ Microsoft 365 environments.
It’s important to be able to detect suspicious activity associated with privilege escalation and the account takeover that usually precedes it, such as a new member added to an administrator role, or the creation of inbox rules and external email forwarding rules.
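The detection described above, as an added example for this article (it is not Blumira’s or Microsoft’s code): it triages unified audit log records for inbox rules that forward mail outside the tenant or silently delete it, mailbox-level forwarding to an external address, and additions to a privileged directory role. The sample records are constructed to mirror the shape of Search-UnifiedAuditLog output; the field names, the role event name and the INTERNAL_DOMAINS value are assumptions to adapt to your own tenant.

```python
"""Triage Microsoft 365 unified audit log records for signs of privilege
escalation or mailbox takeover.

Added example for this article; not Blumira's or Microsoft's code. Sample
records are constructed to mirror Search-UnifiedAuditLog output (Operation,
UserId, Parameters as Name/Value pairs, ModifiedProperties for directory
changes). Field names, the role event name and INTERNAL_DOMAINS are
assumptions to adapt to your tenant.
"""

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's own domains

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}   # Exchange inbox-rule cmdlets
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def params(record):
    """Flatten the Name/Value parameter list of a record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(addresses):
    """True if any ';'-separated address lies outside INTERNAL_DOMAINS."""
    for addr in str(addresses).replace("smtp:", "").split(";"):
        addr = addr.strip().strip('"')
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            return True
    return False


def triage(record):
    """Return the reasons a record is suspicious; an empty list means benign."""
    op = record.get("Operation", "")
    p = params(record)
    reasons = []
    if op in RULE_OPS:
        for name in sorted(FORWARD_PARAMS & set(p)):
            if is_external(p[name]):
                reasons.append(f"inbox rule forwards mail externally ({name})")
        if str(p.get("DeleteMessage", "")).lower() == "true":
            reasons.append("inbox rule silently deletes mail")
    elif op == "Set-Mailbox":
        target = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if target and is_external(target):
            reasons.append("mailbox-level forwarding to an external address")
    elif op == "Add member to role.":
        # Directory events carry the role in ModifiedProperties (assumed layout)
        for prop in record.get("ModifiedProperties", []):
            if prop.get("Name") == "Role.DisplayName" and prop.get("NewValue") in PRIVILEGED_ROLES:
                reasons.append(f"member added to {prop['NewValue']}")
    return reasons


def scan(records):
    """Return (UserId, Operation, reasons) for every suspicious record."""
    hits = []
    for r in records:
        reasons = triage(r)
        if reasons:
            hits.append((r.get("UserId"), r.get("Operation"), reasons))
    return hits


# Constructed sample records (not real tenant data)
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "bob-archive@contoso.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.x@outlook.com"}]},
    {"Operation": "Add member to role.", "UserId": "admin@contoso.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
]

if __name__ == "__main__":
    for user, op, reasons in scan(SAMPLE_RECORDS):
        print(f"{user:22} {op:22} {'; '.join(reasons)}")
```

Bob’s rule forwards to an internal mailbox and is left alone; the other three records are flagged. In production the same logic would run over the JSON in the AuditData column of Search-UnifiedAuditLog output rather than over the constructed list.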
2. Bypassing Multi-factor Authentication
Multi-factor authentication (MFA) is a built-in security feature of all Microsoft 365 editions, but threat actors commonly circumvent it. Legacy authentication protocols such as IMAP and POP3 with Basic Authentication cannot complete an MFA challenge, so an attacker who has obtained a valid password can sign in through them whenever the tenant has not blocked legacy authentication.
Another way is social engineering: an attacker convinces the help desk, or the mobile carrier, to change a victim’s registered phone number so that the attacker receives the authentication text message. Adversaries can also sidestep MFA through OAuth, the authorization protocol behind “sign in with Google or Facebook” style logins. In a consent phishing attack, a victim who has already completed MFA is tricked into granting a malicious third-party application permission to read their mailbox, and the application’s access token then works without any further MFA prompt.
No matter what method an attacker uses, it’s crucial to be able to detect when MFA is disabled on a Microsoft 365 account, when a user’s registered authentication methods change, and when a user consents to an unfamiliar application.
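As an added example for this article (not Blumira’s or Microsoft’s code), the following classifies sign-in records by whether they used a legacy protocol that cannot perform MFA, and flags audit events that weaken a user’s MFA coverage. The sign-in samples are constructed to mirror the Entra sign-in log’s clientAppUsed and status fields and the audit samples mirror unified audit log Operation and ModifiedProperties fields; the operation and property names are assumptions to verify against your own tenant’s logs.

```python
"""Spot MFA bypass and MFA weakening in Microsoft Entra (Azure AD) telemetry.

Added example for this article; not Blumira's or Microsoft's code. Sign-in
records are constructed to mirror the sign-in log's clientAppUsed/status
fields, and audit records mirror unified audit log Operation and
ModifiedProperties fields. The operation names and property names used here
are assumptions to verify against your own tenant's logs.
"""

# Client app values Microsoft lists as legacy authentication; none of them can
# complete an MFA challenge, so a valid password alone is enough to sign in.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
    "Reporting Web Services", "AutoDiscover", "Universal Outlook",
    "Exchange Online PowerShell",
}

# Audit operations that remove or change a user's MFA protection, or grant an
# OAuth application access that no longer needs an MFA prompt (assumed names).
MFA_WEAKENING_OPS = {
    "Disable Strong Authentication": "per-user MFA disabled",
    "Consent to application.": "user consented to an OAuth application",
    "User changed default security info.": "default MFA method changed",
}
PHONE_PROPERTY = "StrongAuthenticationUserDetails"  # assumed property name


def is_legacy_signin(signin):
    return signin.get("clientAppUsed") in LEGACY_CLIENT_APPS


def successful_legacy_signins(signins):
    """Successful sign-ins over legacy protocols: each one skipped MFA."""
    return [s for s in signins
            if is_legacy_signin(s) and s.get("status", {}).get("errorCode") == 0]


def mfa_weakening_events(audit_records):
    """Return (user, reason) pairs for events that reduce MFA coverage."""
    hits = []
    for r in audit_records:
        op = r.get("Operation", "")
        if op in MFA_WEAKENING_OPS:
            hits.append((r.get("ObjectId") or r.get("UserId"), MFA_WEAKENING_OPS[op]))
        elif op == "Update user.":
            # A plain profile edit is noise; a change to MFA details is not.
            for prop in r.get("ModifiedProperties", []):
                if prop.get("Name") == PHONE_PROPERTY:
                    hits.append((r.get("ObjectId"), "registered MFA phone changed"))
                    break
    return hits


# Constructed samples (not real tenant data)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@contoso.com", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}, "ipAddress": "203.0.113.10"},  # bad password
]
SAMPLE_AUDIT = [
    {"Operation": "Disable Strong Authentication", "ObjectId": "alice@contoso.com"},
    {"Operation": "Update user.", "ObjectId": "bob@contoso.com",
     "ModifiedProperties": [{"Name": PHONE_PROPERTY, "NewValue": "[+1 555 0100]"}]},
    {"Operation": "Update user.", "ObjectId": "dave@contoso.com",
     "ModifiedProperties": [{"Name": "JobTitle", "NewValue": "Analyst"}]},
    {"Operation": "Consent to application.", "ObjectId": "carol@contoso.com"},
]

if __name__ == "__main__":
    for s in successful_legacy_signins(SAMPLE_SIGNINS):
        print("legacy auth:", s["userPrincipalName"], s["clientAppUsed"], s["ipAddress"])
    for user, reason in mfa_weakening_events(SAMPLE_AUDIT):
        print("mfa weakened:", user, reason)
```

Failed legacy attempts (Carol’s POP3 record) are worth counting separately as password-spray evidence, but only the successful ones represent a completed MFA bypass, which is why the function filters on errorCode 0.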
3. Phishing
Phishing, in which a threat actor sends emails that impersonate legitimate companies to obtain credentials or other information, is the top attack vector for ransomware. And Microsoft is the most impersonated brand, according to Barracuda’s report.
Phishing is often one of the first actions an attacker takes to gain initial access to an environment. Phishing emails usually prompt the victim to click a malicious link or open an attachment that executes code, runs a command, or asks them to grant an attacker-controlled application consent to access their mailbox.
Microsoft 365 includes Exchange Online Protection, an email filtering layer that can detect and neutralize many phishing campaigns, but it only goes so far. It does not deeply inspect every message, and the Safe Attachments feature (part of the paid Defender for Office 365 add-on) relies on sandbox detonation rather than on additional detection methods, so malware that stays quiet inside a sandbox can slip through.
To prevent phishing, it’s important to add further layers of email security and to be able to detect suspicious email sending patterns, such as a single mailbox suddenly sending to an unusual number of recipients.
4. Malicious Macros
A macro is a small program, written in Visual Basic for Applications (VBA) in Microsoft Office, that automates repetitive tasks in applications such as Word and Excel. Threat actors embed malicious macros in those same document types so that opening the file runs their code. For example, a threat actor can pair a malicious macro with a phishing email that prompts the user to open an attached Word file, which then launches malware.
Fortunately, Microsoft has announced that Office will block Visual Basic for Applications (VBA) macros by default in files obtained from the internet, which Windows identifies by the Mark of the Web (a Zone.Identifier stream recording the zone a file was downloaded from). Rather than simply clicking one button to enable macros, users will need to tick the Unblock option in the file’s Properties dialog before macros in such a file can run.
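Two checks a practitioner wants around this, as an added example for this article (not Microsoft’s code): whether an Office Open XML attachment carries a VBA project at all, and whether a file’s Mark of the Web puts it in a zone for which Office blocks macros. The minimal documents are constructed in memory; the Zone.Identifier text is the format Windows writes to a downloaded file’s alternate data stream.

```python
"""Detect VBA projects inside Office Open XML files and read the Mark of the
Web that makes Office block their macros.

Added example for this article; not Microsoft's code. The documents are
constructed in memory; the Zone.Identifier text mirrors the alternate data
stream Windows attaches to downloaded files.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def ooxml_has_vba(data: bytes) -> bool:
    """True if a .docx/.docm/.xlsm-style zip carries a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # legacy binary .doc/.xls need an OLE parser instead
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types
    except zipfile.BadZipFile:
        return False
    return False


def zone_id(zone_identifier_text: str):
    """Parse the ZoneId from a Zone.Identifier stream; None if absent."""
    for line in zone_identifier_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def macros_blocked_by_default(zone_identifier_text: str) -> bool:
    """Office's default block applies to Internet (3) and Restricted (4) zone files."""
    z = zone_id(zone_identifier_text)
    return z is not None and z >= 3


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>',
                 f'<Override PartName="/word/document.xml" ContentType="{WORD_MAIN}"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes standing in for a real compound-file VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean .docx has VBA:", ooxml_has_vba(build_docx(False)))
    print("macro .docm has VBA:", ooxml_has_vba(build_docx(True)))
    print("downloaded file blocked:", macros_blocked_by_default("[ZoneTransfer]\r\nZoneId=3\r\n"))
```

The zone check is the reason the new default is not a complete answer: a file that arrives without a Mark of the Web (for example one extracted from a container format that does not propagate it, or copied from a local share) has no Zone.Identifier stream, zone_id returns None, and Office treats it as local content.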
5. Data Exfiltration
Data exfiltration is the stage of an attack in which an adversary moves an organization’s information out of its environment. Researchers at Varonis recently discovered that attackers can exploit Power Automate, a workflow automation application built into Microsoft 365, to exfiltrate emails and data. Because a flow runs with the permissions of the user who created it, an attacker who controls an account can create flows that automatically copy new email, or files from other Microsoft applications such as SharePoint and OneDrive, to an external destination.
Data exfiltration is one of the later (and more devastating) stages of an attack. If a threat actor successfully exfiltrates data, the financial impact on a company can be massive, along with the damage to its reputation and to customers’ trust.
To prevent data exfiltration, it’s important to be able to detect behaviors such as file sharing with personal email addresses, mass downloading of files, and mailboxes exceeding send limits.
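The three behaviors just listed, together with the suspicious sending pattern the phishing section asks you to detect, as one added example for this article (not Blumira’s or Microsoft’s code). The sharing and download records are constructed to mirror unified audit log SharePoint operations; the send records use a simplified message-trace shape. The thresholds, the CONSUMER_DOMAINS list and the example tenant are assumptions.

```python
"""Flag exfiltration behaviours over constructed Microsoft 365 records:
sharing to consumer mailboxes or anonymous links, mass file downloads in a
short window, and a sender exceeding a daily recipient budget.

Added example for this article; not Blumira's or Microsoft's code. Sharing
and download records mirror unified audit log SharePoint operations; send
records are a simplified message-trace shape. Thresholds and
CONSUMER_DOMAINS are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
SHARING_OPS = {"SharingInvitationCreated", "AddedToSecureLink", "SharingSet"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
DOWNLOAD_LIMIT = 50                     # files per user inside DOWNLOAD_WINDOW
DOWNLOAD_WINDOW = timedelta(minutes=10)
RECIPIENT_LIMIT = 500                   # recipients per sender per day


def ts(record):
    return datetime.strptime(record["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def external_shares(records):
    """Shares whose target is a personal mailbox, plus anyone-with-link shares."""
    hits = []
    for r in records:
        op = r.get("Operation")
        if op in SHARING_OPS:
            target = r.get("TargetUserOrGroupName", "")
            if "@" in target and target.rsplit("@", 1)[1].lower() in CONSUMER_DOMAINS:
                hits.append((r["UserId"], r.get("ObjectId"), target))
        elif op == "AnonymousLinkCreated":
            hits.append((r["UserId"], r.get("ObjectId"), "anyone-with-link"))
    return hits


def mass_downloads(records):
    """Users who downloaded >= DOWNLOAD_LIMIT files inside a sliding window."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") in DOWNLOAD_OPS:
            per_user[r["UserId"]].append(ts(r))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > DOWNLOAD_WINDOW:
                start += 1
            if end - start + 1 >= DOWNLOAD_LIMIT:
                flagged[user] = end - start + 1
                break
    return flagged


def senders_over_limit(sends):
    """(sender, day) pairs whose recipient count exceeds RECIPIENT_LIMIT."""
    per_day = defaultdict(int)
    for s in sends:
        per_day[(s["sender"], s["time"][:10])] += len(s["recipients"])
    return {k: v for k, v in per_day.items() if v > RECIPIENT_LIMIT}


# Constructed samples (not real tenant data)
SAMPLE_RECORDS = [
    {"Operation": "SharingInvitationCreated", "UserId": "alice@contoso.com",
     "CreationTime": "2024-03-01T09:00:00", "ObjectId": "https://contoso.sharepoint.com/sites/fin/Q1.xlsx",
     "TargetUserOrGroupName": "alice.home@gmail.com"},
    {"Operation": "SharingInvitationCreated", "UserId": "bob@contoso.com",
     "CreationTime": "2024-03-01T09:05:00", "ObjectId": "https://contoso.sharepoint.com/sites/hr/plan.docx",
     "TargetUserOrGroupName": "carol@contoso.com"},
    {"Operation": "AnonymousLinkCreated", "UserId": "dave@contoso.com",
     "CreationTime": "2024-03-01T09:06:00", "ObjectId": "https://contoso.sharepoint.com/sites/fin/board.pptx"},
]
# Eve pulls 60 files in one minute; Bob downloads 5 files spread over an hour
SAMPLE_RECORDS += [{"Operation": "FileDownloaded", "UserId": "eve@contoso.com",
                    "CreationTime": f"2024-03-01T10:00:{i:02d}"} for i in range(60)]
SAMPLE_RECORDS += [{"Operation": "FileDownloaded", "UserId": "bob@contoso.com",
                    "CreationTime": f"2024-03-01T10:{i * 12:02d}:00"} for i in range(5)]
SAMPLE_SENDS = [
    {"sender": "frank@contoso.com", "time": "2024-03-01T11:00:00",
     "recipients": [f"lead{i}@example.net" for i in range(300)]},
    {"sender": "frank@contoso.com", "time": "2024-03-01T11:20:00",
     "recipients": [f"lead{i}@example.org" for i in range(300)]},
    {"sender": "grace@contoso.com", "time": "2024-03-01T11:30:00",
     "recipients": ["team@contoso.com"]},
]

if __name__ == "__main__":
    print("external shares:", external_shares(SAMPLE_RECORDS))
    print("mass downloads:", mass_downloads(SAMPLE_RECORDS))
    print("senders over limit:", senders_over_limit(SAMPLE_SENDS))
```

The download check uses a sliding window rather than a per-hour bucket so a burst that straddles a boundary is not split in two; tune DOWNLOAD_LIMIT against a baseline of normal sync activity, since OneDrive client syncs can legitimately produce many FileSyncDownloadedFull events.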
Is Microsoft 365’s Built-In Security Enough?
Out of the box, every Microsoft 365 plan includes security settings that provide basic protection at no extra cost. Through security defaults, any Microsoft 365 admin can:
- Require all users to register for Azure AD (now Microsoft Entra) MFA
- Require administrators to perform MFA at every sign-in
- Block legacy authentication protocols such as IMAP, POP3 and SMTP AUTH
- Require all users to perform MFA when necessary, for example from a new device or location
- Protect privileged actions such as access to the Azure portal
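For tenants that use Conditional Access (which needs a Microsoft Entra ID P1 licence, whereas security defaults are free), the following added example (not Microsoft’s code) checks a policy set for two of the controls above: legacy authentication blocked for everyone, and MFA required for the Global Administrator role. The policy dicts follow the Microsoft Graph conditionalAccessPolicy shape returned by GET /identity/conditionalAccess/policies; the policy names and tenant details are constructed, and the weak set shows two common misconfigurations beside the corrected versions.

```python
"""Audit Conditional Access policies for two baseline controls: legacy
authentication blocked for all users, and MFA required for Global Admins.

Added example for this article; not Microsoft's code. Policy dicts follow
the Graph conditionalAccessPolicy shape (state, conditions, grantControls).
Policy names and tenant details are constructed.
"""

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # well-known role template id
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}        # Graph names for legacy clients


def enforced(policy):
    """Only 'enabled' counts; report-only mode logs but does not block."""
    return policy.get("state") == "enabled"


def controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def blocks_legacy_auth(policy):
    c = policy["conditions"]
    return (enforced(policy)
            and "block" in controls(policy)
            and "All" in c["users"].get("includeUsers", [])
            and not c["users"].get("excludeUsers")
            and "All" in c["applications"].get("includeApplications", [])
            and LEGACY_CLIENT_TYPES <= set(c.get("clientAppTypes", [])))


def requires_global_admin_mfa(policy):
    c = policy["conditions"]
    return (enforced(policy)
            and "mfa" in controls(policy)
            and "All" in c["applications"].get("includeApplications", [])
            and GLOBAL_ADMIN_ROLE in c["users"].get("includeRoles", []))


def audit(policies):
    """Return which baseline controls the policy set actually enforces."""
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "global_admin_mfa": any(requires_global_admin_mfa(p) for p in policies),
    }


def policy(name, state, users, apps, client_types, control):
    """Build a Graph-shaped policy dict (helper to keep the samples short)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "applications": apps, "clientAppTypes": client_types},
            "grantControls": {"operator": "OR", "builtInControls": [control]}}


WEAK = [
    # Left in report-only mode: it logs legacy sign-ins but lets them through
    policy("Block legacy auth", "enabledForReportingButNotEnforced",
           {"includeUsers": ["All"]}, {"includeApplications": ["All"]},
           ["exchangeActiveSync", "other"], "block"),
    # Scoped to one named admin instead of the role, so new admins are uncovered
    policy("Admin MFA", "enabled",
           {"includeUsers": ["admin@contoso.com"]}, {"includeApplications": ["All"]},
           ["all"], "mfa"),
]

HARDENED = [
    policy("Block legacy auth", "enabled",
           {"includeUsers": ["All"]}, {"includeApplications": ["All"]},
           ["exchangeActiveSync", "other"], "block"),
    policy("Admin MFA", "enabled",
           {"includeRoles": [GLOBAL_ADMIN_ROLE]}, {"includeApplications": ["All"]},
           ["all"], "mfa"),
]

if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Real tenants usually exclude a break-glass account from the admin MFA policy; the legacy-auth check above deliberately rejects any excludeUsers entry, because a single excluded account is enough to leave a password-only sign-in path open.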
Those protections improve with certain add-on features, such as the bundle Microsoft marketed as Advanced Threat Protection (now sold under the Microsoft Defender name), which includes malware protection via Microsoft Defender Antivirus, information rights management, remote wipe via Intune, and more.
Advanced Threat Protection also includes Microsoft Defender for Office 365, which is designed to protect against more sophisticated attacks such as zero-day threats, advanced malware, and ransomware. But even Microsoft Defender, a solid product that improves with every iteration, isn’t enough on its own to protect against Microsoft 365 cyberattacks. Its malware detection rates trail those of many third-party competitors, the user interface is clunky, and it often lags behind emerging threats such as newly disclosed zero-day vulnerabilities.
Many Office 365 attackers use living-off-the-land techniques. OAuth, Power Automate and eDiscovery were the most common legitimate tools used for malicious purposes, according to a Vectra AI report.
Using living-off-the-land techniques, an attacker can go undetected by endpoint detection and response (EDR) and by Microsoft’s built-in security features, because nothing the attacker uses is known to be malicious on its own. Even when EDR does alert on questionable behavior, it’s easy for an admin to miss or dismiss an alert that looks like normal activity without additional context.
How Blumira Protects Microsoft 365 Environments
Blumira offers the industry’s only free threat detection and response platform for Microsoft 365 environments — with no limits on users or data.
Using Cloud Connectors, you can set up Blumira in a matter of minutes, and pre-tuned detection rules are applied to your integration automatically; no additional infrastructure, agent or sensor is required. Each finding is accompanied by playbooks that guide you through response steps, making remediation easy for IT teams of all experience levels.
Get your free account with Blumira and get instant visibility into your Microsoft 365 environment.
Get more detail on common Office 365 security issues with Matthew Warner, CTO and Co-Founder of Blumira. In this webinar, you’ll learn easy ways to protect yourself against the rise in Microsoft 365 attacks.