Office 365 has soared in popularity since its release in 2011. Many organizations transitioned to Office 365 to save costs on infrastructure and maintenance due to the service being offered through a cloud platform. While the cloud has its benefits, it also has its risks. The on-premise security controls which limited access to your email and supporting resources (e.g. SharePoint) are no longer active and require Office 365 security implementations to protect them.

The need for Office 365 security assessments are becoming a common request among many organizations due to the applications inherit complexity and potential for unseen security misconfigurations. Organizations lacking skilled staff tend to only focus on configuring the minimum requirements to complete and implement the deployment of the service. In many cases, only after a successful phishing attack would an organization begin investigating their Office 365 suite for signs of compromise. Unfortunately, for organizations without the most basic security controls, visibility into the attack would be difficult.

Below is a list of improvements, in order of criticality, that was compiled based on results from our Office 365 assessments. The list, if implemented correctly, will lower the risk of account takeovers which have exploited numerous organizations and led to financial losses.

1. Office 365 Security: Authentication and Authorization

a. Multi-Factor authentication

Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • A randomly generated pass code
  • A phone call
  • A smart card (virtual or physical)
  • A biometric device

Requiring multi-factor authentication (MFA) for all user accounts helps protect devices and data that are accessible to these users. Adding more authentication methods, such as a phone token or a badge, increases the level of protection in the event that one factor is compromised.

b. Risky user analysis

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. You can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

c. Password policy

The primary goal of a more secure password system is password diversity. Here are a few recommendations for keeping your organization’s password requirements as strong as possible.

  • Maintain an 8-character minimum length requirement
  • Don’t require character composition requirements. For example, *&(^%$
  • Don’t require mandatory periodic password resets for user accounts
  • Ban common passwords, to keep the most vulnerable passwords out of your system
  • Educate your users to not re-use their organization passwords for non-work related purposes
  • Make sure to let your users know about the recommendations below and enforce the recommended password policies at the organizational level.
  • Don’t use a password that is the same or similar to one you use on any other websites
  • Don’t use a single word, for example, password, or a commonly-used phrase like Iloveyou
  • Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

d. Controlled use of administrative access

The security of most or all business assets in the modern organization depends on the integrity of the privileged accounts that administer and manage IT systems. Malicious actors including cyber-attackers often target admin accounts and other elements of privileged access often in an attempt to rapidly gain access to sensitive data and systems using credential theft attacks.

Traditional approaches that focus on securing the entrance and exit points of a network as the primary security perimeter are less effective due to the rise in the use of SaaS apps and personal devices on the Internet. The natural replacement for the network security perimeter in a complex modern enterprise is the authentication and authorization controls in an organization’s identity layer.

It is critical to protect privileged access, regardless of whether the environment is on-premises, cloud, or hybrid on-premises and cloud hosted services. Protecting administrative access against determined adversaries requires you to take a complete and thoughtful approach to isolating your organization’s systems from risks. Securing privileged access requires changes to:

  • Processes, administrative practices, and knowledge management
  • Technical components such as host defenses, account protections, and identity management

e. Information rights management

To help prevent information leakage, Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. IRM protection can be applied by users in Microsoft Outlook or Outlook on the web, and it can be applied by administrators using transport protection rules or Outlook protection rules. IRM helps you and your users control who can access, forward, print, or copy sensitive data within an email.

Activating IRM services lets your users implement encryption and data leakage policies on specific documents and emails. Applying these protections limits the ability to access and distribute files, making it more difficult for an attacker to steal valuable data.

Using IRM protections on email and document data prevents accidental or malicious exposure of data outside of your organization. Attackers targeting specific, high value data assets are blocked from opening them without user credentials.

2. Office 365 Security: Maintenance, Monitoring, and Analysis of Audit Logs

Turning on audit data recording for your Office 365 service ensures that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data makes it possible to investigate and scope a security breach, should it ever occur. All activity is recorded and retained for 90 days.

Turning on mailbox audit logging for all users with mailboxes allows you to discover unauthorized access of Exchange Online activity or if a user’s account has been breached.

Evaluate your audit data either through the audit log search or through the Activity API to a third-party security information system at least every week. This data allows for a wide range of illicit activity detection, security breach scoping, and investigation capabilities.

3. Office 365 Security: Data Loss Prevention

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII), credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.

With a DLP policy, you can:

  • Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.

Identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

  • Prevent the accidental sharing of sensitive information.

Identify any document or email containing a health record that’s shared with people outside your organization, and then automatically block access to that document or block the email from being sent.

  • Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word.

Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office programs.

  • Help users learn how to stay compliant without interrupting their workflow.

Educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook, Excel, PowerPoint, and Word.

  • View DLP reports showing content that matches your organization’s DLP policies.

Assess how your organization is complying with a DLP policy, you can evaluate the number of successful matches for each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

4. Office 365 Security: Mobile Device Policy

Mobile Devices are everywhere and can be a vulnerable area across many organizations. Access to business resources needs to be protected appropriately. Setup a mobile device policy which would include the following:

  • Mandate the use of a password to unlock mobile devices making it harder for attackers to obtain credentials and data, or install malware, if the device is stolen.
  • Block network access to mobile devices that violate your specific organizational policies, while generating reports of violations. Help prevent vulnerable devices from connecting to your data. Configure your mobile device management policies to prevent users from connecting with non-compliant devices.
  • Require the use of complex passwords to unlock mobile devices decreases the risk that they can become compromised. If a device with a simple password is stolen by an attacker, they can more easily access account credentials and data or install malware on the device.
  • Require your users to encrypt their mobile devices lessening the likelihood that a stolen device leads to a compromise.
  • Require your users’ mobile devices to be locked after a period of inactivity making it harder for attackers to gain full access to open phones. Attackers can steal unlocked devices and access data and account information.
  • Require the contents of mobile devices to wipe after 10 sign-in failures or less decreasing the risk that they can be compromised. If a device without this protection is stolen by an attacker, they can more easily access account credentials and data, or install malware on the device.

5. Office 365 Security: Access Review

a. Data forwarding rules

Prohibiting mail forwarding to domains outside your organization prevents attackers from creating rules to exfiltrate data. Setting your Exchange Online mail transport rules to not whitelist specific domains prevents any domains from bypassing regular malware and phish scanning. Whitelisting can enable an attacker to launch attacks against your users.

Setting up mail forwarding rules to external domains is a popular data exfiltration tactic used by attackers. Your users may not know the rule was set up unless they check.

If anonymous calendar sharing is allowed, your users could share the full details of their calendars with external, unauthenticated users. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack or traveling.

b. Non-owner mailbox access

Mailboxes often contain highly sensitive business data or personally identifiable information, it’s critical for you to stay on top of what is happening to your Office 365 mailboxes, including who is accessing them and what changes are being made to them. Mailbox auditing in Office 365 is critical to quickly detecting insider threats and outsider attacks that could otherwise result in a security breach.

If your users do not delegate mailboxes, it is harder for an attacker to move from one account to another and steal data. Mailbox delegation is the practice of allowing someone else to manage your mail and calendar, which can precipitate the spread of an attack.

c. Attestation of current privileged users

Global Administrator is the Office 365 admin role which has access to all administrative features in the Office 365 suite of services in your plan. By default, the person who signs up to buy Office 365 becomes a global admin.

Global admins are the only admins who can assign other admin roles, and only global admins can manage the accounts of other global admins. You can have more than one global admin in your organization. As a best practice, we recommend that only a few people in the company have this role. It reduces the risk to your business.

Having more than one global administrator helps if you are unable to fulfill the needs or obligations of your organization. It’s important to have a delegate or an emergency account with such access when necessary. It also allows admins the ability to monitor each other for signs of a breach.

Reducing the number of global admins limits the number of accounts with high privileges that need to be closely monitored. If any of those accounts are compromised, critical devices and data are open to attacks. Designating less than five global admins reduces the attack surface area.