
Hardening Microsoft 365
Introduction

Microsoft 365 (M365) is the backbone of many organizations, with over one million companies in the United States [1] alone relying on it for collaboration, communication, and productivity. Globally, M365 accounts for approximately 46% of the market, and earlier this year, Microsoft announced it had reached over 400 million seats. While this widespread adoption is impressive, it also makes M365 a prime target for cyberattacks.

This post explores the critical steps for hardening M365 to protect your organization from common security threats. We’ll explore the importance of implementing multi-factor authentication (MFA), balancing security with usability, and following recommended hardening guidelines.

Background

Microsoft 365 (M365) is a crucial tool for organizations, offering core productivity apps like Word, Excel, and Outlook that streamline daily operations—from document creation and data analysis to internal and external communication. SharePoint is often utilized for document management and collaboration, enabling teams to store, share, and co-author files in real-time. Outlook and Exchange power communication, while Teams brings together meetings, chats, and collaborative workspaces, ensuring everyone stays connected. The seamless integration of these tools into one platform helps organizations boost productivity, improve communication, and manage workflows more efficiently, all within a secure and scalable environment.

By default, an M365 account is designed to be functional and user-friendly, not necessarily secure out of the box. While M365 provides a wide array of features and capabilities, the initial setup is configured with minimal restrictions to ensure ease of access and usability. This default configuration can leave organizations vulnerable to security risks if not properly hardened. Essential protections like multi-factor authentication (MFA) are not enabled by default, and admin accounts might have overly broad permissions. While M365 will operate with limited modification, these default settings do not provide the level of security needed to protect against today’s sophisticated cyber threats. It’s crucial for organizations to take proactive steps to configure and secure their M365 environment, tailoring settings to meet specific security needs and compliance requirements.

Securing M365

Securing M365 involves not only mitigating a wide range of potential threats but also navigating the complexities posed by different licensing levels. M365 offers various plans—ranging from Basic to Premium—each with varying degrees of security features and controls. This diversity can create significant challenges, as not all security controls are available across all licensing levels, making it crucial for organizations to understand what protections they have in place and where gaps may exist.

Below is a high-level list of the most significant threats, along with corresponding mitigation strategies (this list is not all-inclusive and may vary depending on your specific organizational risks):

  • Unauthorized Access to Administrative Accounts
      • Threat: Administrative accounts are often targeted by attackers due to their elevated privileges.
      • Mitigation: Ensure administrative accounts are separate from regular user accounts and use cloud-only accounts without unnecessary application licenses.
  • Lack of Multi-Factor Authentication (MFA)
      • Threat: Without MFA, user accounts are highly vulnerable to phishing attacks, brute force attempts, and unauthorized access. MFA adds an essential layer of security by requiring a second form of verification beyond just a password.
      • Mitigation: Implement MFA across all user and administrative accounts to significantly reduce the risk of unauthorized access.
  • Lack of Anti-Phishing Policies
      • Threat: Phishing attacks can lead to data breaches and unauthorized access.
      • Mitigation: Create and enforce anti-phishing policies within Exchange Online, and regularly update SPF, DKIM, and DMARC records.
  • Email Phishing and Malware
      • Threat: Email remains a common vector for phishing and malware.
      • Mitigation: Implement Safe Links and Safe Attachments policies in Office 365, and enable advanced threat protection measures like anti-phishing and anti-malware filters.
  • Insufficient Data Loss Prevention (DLP)
      • Threat: Sensitive data can be inadvertently or maliciously shared without proper controls.
      • Mitigation: Enable and configure DLP policies across all M365 services, including Teams and SharePoint.
  • Mismanaged External File Sharing
      • Threat: Unauthorized external sharing can expose sensitive files to public access.
      • Mitigation: Restrict external file sharing to approved domains and enforce domain whitelisting/blacklisting in SharePoint and OneDrive.
  • Inadequate Emergency Access Accounts
      • Threat: Loss of access to administrative accounts during emergencies can cripple an organization.
      • Mitigation: Define at least two emergency access accounts with strong passwords or FIDO2 security keys, and exclude these accounts from conditional access policies.
  • Overprovisioning of Global Administrators
      • Threat: Having too many global administrators increases the risk of account compromise.
      • Mitigation: Limit the number of global administrators to between two and four and ensure each is closely monitored.
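The identity items in the list above (separate cloud-only admin accounts, MFA on every admin, two emergency access accounts excluded from Conditional Access, and two to four Global Administrators) can be checked in one pass with the Microsoft Graph PowerShell SDK. The script below is an added example written for this post, not code from the original article or from Microsoft; the thresholds and the two emergency-account names are assumptions to replace with your tenant's own values.

```powershell
# Added example (not from the original post): audit the admin-account controls
# described above. Assumes the Microsoft.Graph PowerShell modules are installed and
# the signed-in account can read directory, user, auth-method and policy data.
Connect-MgGraph -Scopes 'Directory.Read.All', 'User.Read.All', 'Policy.Read.All',
    'UserAuthenticationMethod.Read.All' -NoWelcome

$MinGlobalAdmins = 2      # the post's recommended range
$MaxGlobalAdmins = 4
# Assumed placeholder names for the break-glass accounts; use the tenant's real ones.
$EmergencyAccounts = @('breakglass1@contoso.example', 'breakglass2@contoso.example')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Count the users holding Global Administrator.
$gaRole = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
$gaUpns = @($gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
if ($gaUpns.Count -lt $MinGlobalAdmins -or $gaUpns.Count -gt $MaxGlobalAdmins) {
    $findings.Add("Global Administrator count is $($gaUpns.Count); expected $MinGlobalAdmins to $MaxGlobalAdmins.")
}

# 2. Each admin account should be cloud-only, carry no application licenses,
#    and have at least one authentication method stronger than a password.
foreach ($upn in $gaUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AssignedLicenses
    if ($user.OnPremisesSyncEnabled) {
        $findings.Add("$upn is synced from on-premises AD; admin accounts should be cloud-only.")
    }
    if ($user.AssignedLicenses.Count -gt 0) {
        $findings.Add("$upn holds $($user.AssignedLicenses.Count) license(s); admin accounts should carry no application licenses.")
    }
    $methodTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = $methodTypes | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
    if (-not $strong) {
        $findings.Add("$upn has only a password registered; no MFA method exists for this account.")
    }
}

# 3. Emergency access accounts must exist and be excluded from every Conditional Access policy
#    (this check looks at direct user exclusions only, not exclusions granted through a group).
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($upn in $EmergencyAccounts) {
    $acct = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName
    if (-not $acct) {
        $findings.Add("Emergency access account $upn does not exist.")
        continue
    }
    $notExcluded = $policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $acct.Id }
    foreach ($p in $notExcluded) {
        $findings.Add("Emergency account $upn is not excluded from Conditional Access policy '$($p.DisplayName)'.")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from a workstation used for administration and keep the output with your change records; a finding in section 3 is the one to fix first, since a break-glass account that is caught by a Conditional Access policy cannot do its job when that policy is the thing that has locked everyone else out.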
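The two email items above (keeping SPF, DKIM and DMARC current, and deploying Safe Links and Safe Attachments) can also be checked and applied from PowerShell. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, the Windows DnsClient cmdlet Resolve-DnsName, and Defender for Office 365 licensing for the Safe Links and Safe Attachments cmdlets. The domain, policy names and DKIM selector names (selector1 and selector2 are the M365 defaults) are assumptions.

```powershell
# Added example (not from the original post): verify a domain's mail-authentication DNS
# records, turn on DKIM signing in Exchange Online if it is off, and create Safe Links
# and Safe Attachments policies scoped to that domain.
param([string]$Domain = 'contoso.example')   # assumed placeholder domain

function Test-MailAuthRecords {
    param([string]$Domain)
    $result = [ordered]@{}

    # SPF lives in a TXT record at the domain apex.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = $txt | Where-Object { ($_.Strings -join '') -like 'v=spf1*' } | Select-Object -First 1
    $result.SPF = if ($spf) { $spf.Strings -join '' } else { 'MISSING' }
    # A record ending in +all or ?all authorizes almost any sender; -all or ~all is expected.
    $result.SPFWeak = ($result.SPF -eq 'MISSING') -or ($result.SPF -match '[+?]all\s*$')

    # M365 DKIM uses two CNAME selectors that point at the tenant's signing keys.
    foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        $result["DKIM_$selector"] = if ($cname) { $cname.NameHost } else { 'MISSING' }
    }

    # DMARC lives at _dmarc.<domain>; p=none only reports, quarantine/reject actually acts.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    $result.DMARC = if ($dmarc) { $dmarc.Strings -join '' } else { 'MISSING' }
    $result.DMARCPolicy = if ($result.DMARC -match 'p=(\w+)') { $Matches[1] } else { 'none' }

    return [pscustomobject]$result
}

Test-MailAuthRecords -Domain $Domain | Format-List

Connect-ExchangeOnline -ShowBanner:$false

# DKIM must be enabled in Exchange Online as well as published in DNS.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if ($dkim -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}

# Safe Links: rewrite and scan URLs in mail, Teams and Office clients; no user click-through.
if (-not (Get-SafeLinksPolicy -Identity 'Hardened-SafeLinks' -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name 'Hardened-SafeLinks' -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true
    New-SafeLinksRule -Name 'Hardened-SafeLinks' -SafeLinksPolicy 'Hardened-SafeLinks' -RecipientDomainIs $Domain
}

# Safe Attachments: detonate attachments and block the message when malware is found.
if (-not (Get-SafeAttachmentPolicy -Identity 'Hardened-SafeAttachments' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'Hardened-SafeAttachments' -Enable $true -Action Block -Redirect $false
    New-SafeAttachmentRule -Name 'Hardened-SafeAttachments' -SafeAttachmentPolicy 'Hardened-SafeAttachments' -RecipientDomainIs $Domain
}
```

The DNS check runs without any tenant credentials, so it is worth scheduling on its own: a DMARC policy that has quietly stayed at p=none, or an SPF record that someone relaxed to ?all to fix a delivery problem, is exactly the kind of drift the "regularly update" mitigation above is about.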

While it’s essential to secure your Microsoft 365 environment, it’s also important to strike the right balance between security and usability. Overly aggressive hardening can inadvertently hinder productivity, limit functionality, and frustrate users, leading them to find workarounds that could undermine your security efforts. The goal should be to implement robust protections that safeguard your organization without compromising the efficiency and user experience that M365 is designed to deliver. A thoughtful approach to hardening ensures that security measures are effective yet unobtrusive, allowing your teams to work securely and efficiently.

Several comprehensive hardening guidelines are available to help organizations enhance their M365 security posture:

  • The Cybersecurity and Infrastructure Security Agency (CISA) Advisory AA20-120A [2]:
      • Provides detailed recommendations for securing M365 environments.
      • Focuses on mitigating common threats, such as unauthorized access and data breaches, through practical configuration steps.
      • Emphasizes the importance of implementing MFA, securing administrative accounts, and monitoring user activity.
  • CIS Microsoft 365 Foundations Benchmark [3]:
      • Offers best practices for securing M365 across various licensing levels.
      • Covers key areas like identity and access management, threat protection, and data governance.
      • Designed to help organizations configure M365 to meet security standards while maintaining operational efficiency.
  • Microsoft Defender for Office 365 Tenant-Wide Setup [4]:
      • Provides specific configurations to enhance the security of Office 365 tenants.
      • Focuses on tenant-wide settings that can increase security, such as email protection, anti-phishing measures, and data loss prevention (DLP).
      • Tailored for organizations using Microsoft Defender to protect their M365 environment.
  • NIST Security Configuration Checklist [5]:
      • Aligns with federal standards to provide a robust approach to M365 security.
      • Includes guidelines for secure configurations based on NIST’s widely recognized cybersecurity framework.
      • Helps organizations implement security controls that meet federal and industry standards.

When securing your Microsoft 365 environment, it’s important to review all available hardening guidelines carefully and choose the ones that best fit your organization’s specific needs. Not all controls are available or appropriate for every environment, depending on your licensing level and operational requirements. Implementing unnecessary or incompatible controls can lead to reduced functionality and user frustration. Therefore, it’s crucial to tailor your security measures to your unique circumstances, ensuring that your chosen configurations effectively protect your organization without compromising productivity.

Industry Insights

Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials (Source: Microsoft) [6].

Business email compromise (BEC) is one of the most financially damaging online crimes, exploiting the fact that most of us rely on email to conduct both personal and professional business (Source: Federal Bureau of Investigation) [7].

EvilProxy Phishing

In a 2023 EvilProxy phishing campaign, attackers targeted M365 accounts, particularly those of C-suite executives, by sending over 120,000 phishing emails to more than 100 organizations worldwide. Despite many organizations having MFA enabled, the attackers used a reverse proxy technique to relay the victim's real login session, bypassing MFA and gaining unauthorized access to executive accounts. Once inside, the attackers quickly added their own MFA credentials to maintain access and proceeded to launch further attacks within the organizations, leading to significant breaches.

Key Lessons:

  • Email Security: The phishing emails successfully evaded existing security measures, underscoring the need for advanced email threat protection.
  • MFA Bypass: While MFA provides significant protection against most attacks, sophisticated tools can exploit gaps, highlighting the importance of complementary security measures.
  • Proactive Monitoring: Enhanced monitoring and threat detection could have identified unusual activity sooner, mitigating the impact of the breach.

To effectively defend against sophisticated threats like EvilProxy, organizations need a layered security approach that combines multiple complementary controls. Here are some critical controls that, when used together, could have prevented the attack:

  • Advanced Email Threat Protection: Implementing tools like Microsoft Defender for Office 365 could have blocked or flagged the phishing emails before they reached the targeted executives.
  • Conditional Access Policies: Restricting access based on conditions such as device compliance, location, and risk level would have made it more difficult for attackers to access accounts, even with valid credentials.
  • Zero Trust Architecture: Adopting a Zero Trust model ensures continuous verification of identity and access, reducing the likelihood of unauthorized access through compromised credentials.
  • Continuous Monitoring and Threat Detection: Deploying advanced monitoring solutions to detect and respond to unusual activity in real-time could have caught the attackers in the act, limiting their ability to cause harm.
  • Multi-Layered MFA: Implementing additional layers of MFA, such as hardware tokens or biometric verification, could provide extra protection against sophisticated attacks that bypass standard MFA.
  • User Training and Awareness: Regular training on phishing recognition and secure behavior can empower users to identify and report suspicious activities, adding another layer of defense.
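Two of the controls above map directly onto tenant configuration: a Conditional Access policy that demands phishing-resistant MFA for privileged roles (which a reverse proxy cannot relay, because FIDO2 and certificate-based sign-in are bound to the genuine origin), and monitoring for new MFA method registrations, which is the step the EvilProxy intruders took right after their first sign-in. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK; the policy name and the 24-hour lookback are assumptions, while the two GUIDs are Microsoft's fixed built-in identifiers for the "Phishing-resistant MFA" authentication strength and the Global Administrator role template.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy requiring phishing-resistant MFA for Global Administrators, and list recent
# security-info (MFA method) registrations from the Entra audit log.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Built-in authentication strength "Phishing-resistant MFA" and the Global Administrator
# role template ID; both are Microsoft's documented, tenant-independent values.
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'
$GlobalAdminTemplateId       = '62e90394-69f5-4237-9190-012177145e10'
$PolicyName = 'Require phishing-resistant MFA for admins'   # assumed name

$policy = @{
    displayName = $PolicyName
    # Start in report-only mode: sign-in logs show who would have been blocked,
    # nobody is locked out until the policy is switched to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($GlobalAdminTemplateId)
            # Put the emergency access accounts' object IDs here before enabling.
            excludeUsers = @()
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}

if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'")) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
}

# Detection: which accounts registered new security info recently, and who did it?
# A registration performed by someone other than the account owner, or from an
# account that just had a risky sign-in, is the pattern to alert on.
function Get-RecentSecurityInfoRegistrations {
    param([int]$Hours = 24)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
        Where-Object { $_.ActivityDisplayName -like 'User registered*security info*' } |
        ForEach-Object {
            [pscustomobject]@{
                When     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Actor    = $_.InitiatedBy.User.UserPrincipalName
                Target   = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
                Result   = $_.Result
            }
        }
}

Get-RecentSecurityInfoRegistrations -Hours 24 | Format-Table -AutoSize
```

Leave the policy in report-only mode long enough to confirm every administrator has actually registered a FIDO2 key or certificate, then flip the state to enabled; the emergency access accounts must be in excludeUsers before that switch, which is the same exclusion the threat list earlier in this post calls for.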

Future Outlook

As technology continues to evolve, so do the threats to Microsoft 365 environments. Looking ahead, we anticipate several key developments that organizations should prepare for:

  • AI-Powered Attacks: Cybercriminals are likely to leverage artificial intelligence to create more sophisticated phishing and social engineering tactics. These highly personalized and convincing attacks will require organizations to enhance their AI-driven threat detection capabilities and continuously train employees to recognize and report suspicious activities.
  • Zero-Trust Architecture: The integration of zero-trust principles into M365 is expected to become the norm. Organizations should begin adopting these principles now, focusing on continuous authentication, least-privilege access, and strict verification processes to protect against unauthorized access.
  • Enhanced Automation: Future M365 security features will likely include more advanced automated threat detection and response capabilities. Organizations should explore how automation can reduce response times and improve overall security posture by addressing threats more efficiently.
  • Quantum Computing Threats: As quantum computing advances, it poses potential risks to current encryption methods. Organizations should stay informed about developments in quantum-resistant encryption and be prepared to update their security practices as necessary to protect M365 data.
  • Increased Integration of Security Services: We expect tighter integration between M365 and other security services, leading to a more cohesive and comprehensive security ecosystem. Organizations should consider how they can leverage these integrations to create a more unified and resilient security strategy.

Staying informed about these emerging trends and continuously adapting your M365 hardening strategies will be crucial for maintaining robust security in the face of evolving threats.

Conclusion

Securing Microsoft 365 is not a one-time task but an ongoing commitment to protecting your organization’s most valuable assets. As the digital landscape evolves, so too must your approach to safeguarding your M365 environment. By implementing multi-factor authentication, following comprehensive hardening guidelines, and embracing a layered security strategy, you can significantly reduce the risk of cyber threats.

However, the work doesn’t stop there. Staying ahead of emerging threats requires vigilance, adaptability, and a proactive mindset. Regularly reviewing and updating your security measures is essential to keep pace with the rapidly changing threat landscape. This means not only addressing current vulnerabilities but also anticipating future challenges, such as AI-driven attacks and quantum computing risks.

Your organization’s security is only as strong as its weakest link, which is why ongoing training, awareness, and engagement across all levels of your team are crucial. By fostering a culture of security, you empower your employees to become an active part of your defense strategy, helping to identify and mitigate risks before they can cause harm.

In the end, hardening your M365 environment is about more than just protecting data—it’s about ensuring the resilience, continuity, and future success of your organization. By taking a proactive, layered approach to security, you’re not only defending against today’s threats but also preparing for the challenges of tomorrow.

Next Steps

Don’t wait for a security breach to expose vulnerabilities in your M365 setup. Strengthen your defenses today by taking these essential steps:

  • Stay Informed: Subscribe to our blog for the latest insights on security best practices and emerging threats.
  • Consult with Experts: Schedule a consultation with our M365 security specialists to develop a tailored hardening strategy that fits your organization’s unique needs.
  • Engage with the Community: Join the conversation on our social platforms to share your experiences and learn from others about enhancing M365 security.
  • Share the Knowledge: If you found this article helpful, share it with your network to help others improve their M365 security posture.

Timothy J. Marley, CPA, CISSP, CISA, CISM, CIA, CDPSE

Founder and Principal Consultant, Prism One

Timothy J. Marley, founder and principal consultant of Prism One, is a seasoned cybersecurity executive with over two decades of experience in information technology, risk management, and compliance. Tim’s extensive expertise helps organizations navigate the complex landscape of cybersecurity and risk management.

Tim’s mission is to empower organizations to build resilient security postures in an ever-evolving threat environment. At Prism One, he continues to provide tailored, high-quality cybersecurity solutions to meet the unique needs of each client.
