Hardening Microsoft 365
Introduction
Microsoft 365 (M365) is the backbone of many organizations, with over one million companies in the United States [1] alone relying on it for collaboration, communication, and productivity. Globally, M365 accounts for approximately 46% of the market, and earlier this year, Microsoft announced it had reached over 400 million seats. While this widespread adoption is impressive, it also makes M365 a prime target for cyberattacks.
This post explores the critical steps for hardening M365 to protect your organization from common security threats. We’ll explore the importance of implementing multi-factor authentication (MFA), balancing security with usability, and following recommended hardening guidelines.
Background
Microsoft 365 (M365) is a crucial tool for organizations, offering core productivity apps like Word, Excel, and Outlook that streamline daily operations—from document creation and data analysis to internal and external communication. SharePoint is often used for document management and collaboration, enabling teams to store, share, and co-author files in real time. Outlook and Exchange power communication, while Teams brings together meetings, chats, and collaborative workspaces, ensuring everyone stays connected. The seamless integration of these tools into one platform helps organizations boost productivity, improve communication, and manage workflows more efficiently, all within a secure and scalable environment.
By default, an M365 account is designed to be functional and user-friendly, not necessarily secure out of the box. While M365 provides a wide array of features and capabilities, the initial setup is configured with minimal restrictions to ensure ease of access and usability. This default configuration can leave organizations vulnerable to security risks if not properly hardened. Essential protections like multi-factor authentication (MFA) are not enabled by default, and admin accounts might have overly broad permissions. While M365 will operate with limited modification, these default settings do not provide the level of security needed to protect against today’s sophisticated cyber threats. It’s crucial for organizations to take proactive steps to configure and secure their M365 environment, tailoring settings to meet specific security needs and compliance requirements.
Securing M365
Securing M365 involves not only mitigating a wide range of potential threats but also navigating the complexities posed by different licensing levels. M365 offers various plans—ranging from Basic to Premium—each with varying degrees of security features and controls. This diversity can create significant challenges, as not all security controls are available across all licensing levels, making it crucial for organizations to understand what protections they have in place and where gaps may exist.
Below is a high-level list of the most significant threats, along with corresponding mitigation strategies (this list is not all-inclusive and may vary depending on your specific organizational risks):
While it’s essential to secure your Microsoft 365 environment, it’s also important to strike the right balance between security and usability. Overly aggressive hardening can inadvertently hinder productivity, limit functionality, and frustrate users, leading them to find workarounds that could undermine your security efforts. The goal should be to implement robust protections that safeguard your organization without compromising the efficiency and user experience that M365 is designed to deliver. A thoughtful approach to hardening ensures that security measures are effective yet unobtrusive, allowing your teams to work securely and efficiently.
Several comprehensive hardening guidelines are available to help organizations enhance their M365 security posture:
When securing your Microsoft 365 environment, it’s important to review all available hardening guidelines carefully and choose the ones that best fit your organization’s specific needs. Not all controls are available or appropriate for every environment, depending on your licensing level and operational requirements. Implementing unnecessary or incompatible controls can lead to reduced functionality and user frustration. Therefore, it’s crucial to tailor your security measures to your unique circumstances, ensuring that your chosen configurations effectively protect your organization without compromising productivity.
Industry Insights
Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials (Source: Microsoft) [6].
Business email compromise (BEC) is one of the most financially damaging online crimes, exploiting the fact that most of us rely on email to conduct both personal and professional business (Source: Federal Bureau of Investigation) [7].
EvilProxy Phishing
In a 2023 EvilProxy phishing campaign, attackers targeted Microsoft 365 (M365) accounts, particularly those of C-suite executives, by sending over 120,000 phishing emails to more than 100 organizations worldwide. Despite many organizations having multi-factor authentication (MFA) enabled, the attackers used a sophisticated reverse proxy technique to bypass MFA and gain unauthorized access to executive accounts. Once inside, the attackers quickly added their own MFA credentials to maintain access and proceeded to launch further attacks within the organizations, leading to significant breaches.
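The persistence step described above (a new MFA method registered right after a proxied sign-in) is the part of this campaign a tenant can alert on. The following detection is an added illustration, not code from the original post; it runs over constructed sample events with simplified Entra ID sign-in and audit log fields, and the 30-minute window and per-user country baseline are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data), modelled loosely on Entra ID
# sign-in and audit logs. Field names are simplified for the example.
SAMPLE_LOG = """
{"type": "signIn", "user": "cfo@example.com", "time": "2023-08-01T09:02:00Z", "ip": "203.0.113.7", "country": "NL", "mfa": true}
{"type": "audit", "user": "cfo@example.com", "time": "2023-08-01T09:05:30Z", "activity": "User registered security info", "method": "Microsoft Authenticator"}
{"type": "signIn", "user": "ceo@example.com", "time": "2023-08-01T10:00:00Z", "ip": "198.51.100.20", "country": "US", "mfa": true}
{"type": "audit", "user": "ceo@example.com", "time": "2023-08-01T10:45:00Z", "activity": "User registered security info", "method": "Phone"}
{"type": "audit", "user": "cfo@example.com", "time": "2023-08-01T12:00:00Z", "activity": "User registered security info", "method": "FIDO2"}
"""

# Assumed per-user baseline: countries each account normally signs in from.
BASELINE = {"cfo@example.com": {"US"}, "ceo@example.com": {"US"}}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(text):
    """Parse one JSON event per line and return them ordered by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_registrations(events, baseline, window=WINDOW):
    """Alert when a user registers new security info shortly after a sign-in
    from a country outside that user's baseline. An AiTM reverse proxy relays
    the victim's real MFA, so the sign-in itself shows mfa=true; the follow-up
    registration of an attacker-controlled method is what this rule catches."""
    recent_unusual = {}  # user -> latest sign-in from an unusual country
    alerts = []
    for e in events:
        user = e["user"]
        if e["type"] == "signIn":
            if e["country"] not in baseline.get(user, set()):
                recent_unusual[user] = e
        elif e["type"] == "audit" and e["activity"] == "User registered security info":
            prior = recent_unusual.get(user)
            if prior and e["time"] - prior["time"] <= window:
                delta = int((e["time"] - prior["time"]).total_seconds() // 60)
                alerts.append({"user": user, "method": e["method"], "signin_ip": prior["ip"],
                               "country": prior["country"], "minutes_after_signin": delta})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(parse_events(SAMPLE_LOG), BASELINE):
        print(alert)
```

Only the CFO's Authenticator registration three minutes after the Netherlands sign-in is flagged; the CEO's registration follows a baseline-country sign-in and the later FIDO2 registration falls outside the window.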
Key Lessons:
To effectively defend against sophisticated threats like EvilProxy, organizations need a layered security approach that combines multiple complementary controls. Here are some critical controls that, when used together, could have prevented the attack:
Future Outlook
As technology continues to evolve, so do the threats to Microsoft 365 environments. Looking ahead, we anticipate several key developments that organizations should prepare for:
Staying informed about these emerging trends and continuously adapting your M365 hardening strategies will be crucial for maintaining robust security in the face of evolving threats.
Conclusion
Securing Microsoft 365 is not a one-time task but an ongoing commitment to protecting your organization’s most valuable assets. As the digital landscape evolves, so too must your approach to safeguarding your M365 environment. By implementing multi-factor authentication, following comprehensive hardening guidelines, and embracing a layered security strategy, you can significantly reduce the risk of cyber threats.
However, the work doesn’t stop there. Staying ahead of emerging threats requires vigilance, adaptability, and a proactive mindset. Regularly reviewing and updating your security measures is essential to keep pace with the rapidly changing threat landscape. This means not only addressing current vulnerabilities but also anticipating future challenges, such as AI-driven attacks and quantum computing risks.
Your organization’s security is only as strong as its weakest link, which is why ongoing training, awareness, and engagement across all levels of your team are crucial. By fostering a culture of security, you empower your employees to become an active part of your defense strategy, helping to identify and mitigate risks before they can cause harm.
In the end, hardening your M365 environment is about more than just protecting data—it’s about ensuring the resilience, continuity, and future success of your organization. By taking a proactive, layered approach to security, you’re not only defending against today’s threats but also preparing for the challenges of tomorrow.
Next Steps
Don’t wait for a security breach to expose vulnerabilities in your M365 setup. Strengthen your defenses today by taking these essential steps:
References
1. https://www.statista.com/statistics/983321/worldwide-office-365-user-numbers-by-country/
2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a
3. https://www.cisecurity.org/benchmark/microsoft_365
4. https://learn.microsoft.com/en-us/defender-office-365/tenant-wide-setup-for-increased-security
5. https://ncp.nist.gov/checklist/953
6. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW166lD?culture=en-us&country=us
7. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
Timothy J. Marley, CPA, CISSP, CISA, CISM, CIA, CDPSE
Founder and Principal Consultant, Prism One
Timothy J. Marley, founder and principal consultant of Prism One, is a seasoned cybersecurity executive with over two decades of experience in information technology, risk management, and compliance. Tim’s extensive expertise helps organizations navigate the complex landscape of cybersecurity and risk management.
Tim’s mission is to empower organizations to build resilient security postures in an ever-evolving threat environment. At Prism One, he continues to provide tailored, high-quality cybersecurity solutions to meet the unique needs of each client.