Our partners, colleagues, and other small businesses need to toughen up. Like a boxer who doesn’t protect his face, you’re not protecting yourselves from an Office 365 security breach.
Most small businesses, particularly non-geeky ones like marketing companies, set up their Office 365 subscriptions and forget about them. The only time they sign into the admin center is maybe to change a forgotten password. When asked about their Secure Score, the answer is usually, “huh?” It’s like the bad guys are in a battle of wits with aggressively unarmed victims. They don’t know what they don’t know, and they’re satisfied with that.
Here’s an example, and the reason I’m writing this article: Attackers recently hit one of our partners with an attack that cost almost $50,000. That’s a tough pill to swallow for any business, but it’s big enough to destroy most small businesses. The regrettable part is that this Office 365 security breach was preventable. However, I’ll get to that point after describing how the whole thing unfolded.
The Office 365 security breach steps
In our partner’s example, the attackers clearly knew what they were doing. They were very familiar with Office 365 and how to cover their tracks. It went something like this:
The attackers sent a phishing email, and a person in our partner’s company took the bait. According to Debraj Ghosh in an article called “How Office 365 learned to reel in phish,” 20% of users click malicious links in phishing emails within five minutes of getting them. So, our target isn’t alone. She clicked the link, typed her Office 365 credentials, and clicked Sign in. Nothing happened, but she never gave it another thought. Of course, the attackers had stolen her password.
The attackers didn’t realize until they signed into her account that they hit pay dirt. She was a Global Admin. From there, they used her Global Admin credentials to gain control of other Global Admin accounts. Still, everyone was completely oblivious that there was an Office 365 security breach happening right under their noses.
Once they had control of these accounts, they enabled auto-forwarding to send a copy of users’ emails to various Gmail.com addresses. The aliases would’ve been funny (e.g., firstname.lastname@example.org), had the damage they caused not been so devastating.
The trap was set. All the attackers did now was sit back and wait for an opportunity to strike. That didn’t take long. One of our partner’s vendors sent a legitimate invoice, which the attackers intercepted. They quickly registered a look-a-like domain (e.g., honeycutt.co instead of honeycutt.com) and set up a mail server for it. Then they replied to the original invoice thread with a message that said they had changed banks and were attaching updated wire instructions. Everything looked very legitimate. The only clue would have been catching the letter M missing from the domain name.
Yes, sadly, our partner transferred the payment using the new bank information. They discovered the attack a few weeks later when the vendor still hadn’t received the payment they were promised. Recovery was impossible. The attackers had used the banking system to reroute the wire transfer to an offshore account.
Before I move on to preventing this Office 365 security breach, there’s one thing about it that bothers me. At Honeycutt Inc., our policy is to require an electronically signed document to change banking information for payments. We’ll never change banking information based on an email alone. This should be a basic policy in every organization. At a minimum, changing bank information should at least require a brief phone call. Enough said.
Changing your attitude about security
Prevention is a mindset. To prevent this type of Office 365 security breach, your attitude has to change. First, get cynical. Cynicism is a good thing. Realize there are thousands of people out there who want to harm you. It’s not paranoia if it’s true. Their job is to take what’s yours and make it theirs.
Second, you can’t just create an Office 365 subscription and forget about it. You must maintain it. Realize that it’s your responsibility to keep up with the product’s capabilities even if you’re not a technical person. You’ll have to get outside of your comfort zone to learn about things like Exchange Online policies, multi-factor authentication, and Secure Score. Yes, you might be the greatest marketing wonk in the world, but you also need to be an IT guy.
If you’re not willing to do these things, then you have no business managing your subscription on your own. It’s irresponsible in the same way that feeding pigeons at an outdoor restaurant is irresponsible. Instead, sign up with a partner who can take on that burden and help you prevent an Office 365 security breach.
Prevent an Office 365 security breach
Fortunately for you, but too late for our partner, three easy steps can prevent this type of breach. I’m going to point you to some instructions in just a bit, but these are the steps ordered by importance:
Enable multi-factor authentication (MFA)
MFA requires a second form of authentication before Office 365 signs you into your account. Your password is something you know, which is easy to compromise, and the second form is usually something you have, like your mobile phone. You sign into Office 365 using your password, and it sends a text message to your phone that contains a code you must provide in order to continue. Without possession of the phone, you aren’t getting into the account. This alone will prevent our partner’s Office 365 security breach and most others. It’s so ridiculously easy that I’m confused why it’s not the default. (There’s something comforting knowing that without physical access to my phone, nobody is getting into my account, not even me.)
Create dedicated Global Admin accounts
There’s no reason for people who are doing regular user things to be a Global Admin. No account used for daily work like email should be a Global Admin. Instead, create dedicated Global Admin accounts reserved just for managing the subscription. For that matter, don’t even assign your Global Admin accounts a license. They shouldn’t have email access.
Block auto-forwarded mail to external domains
You get two things out of enabling this Exchange Online policy. The first is awareness. Users get a non-delivery report (NDR) when there’s an attempt to auto-forward a message. Second, the bad guys can’t spy anymore. I’m also confused why this policy isn’t the default, considering there are few good reasons to forward email to external domains. Of course, this policy has no teeth if a Global Admin is compromised, explaining why it’s a lower importance.
These are the three big changes that would have prevented our partner’s Office 365 security breach. MFA is the most significant. Additionally, Microsoft has a very nice support article called “Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyber threats” that does exactly what the title says. Read it. Do it. The instructions are easy.
I also recommend that you get very familiar with Secure Score. It’s gauges the security of your Office 365 account, similar to a fuel gauge. Of course, it makes recommendations for improving your score. It’s the easiest way I’ve found to discover security features in Office 365 that I’m not taking advantage of.
Summary of steps you should take now
Here’s a quick summary of the action items I’m suggesting you take to prevent an Office 365 security breach:
- Enable MFA immediately. Teach your users the benefits, and they won’t complain.
- Use a limited number of dedicated Global Admin accounts to manage the subscription.
- Block all auto-forwarded messages to external domains to prevent nefarious spying.
- Follow the remaining guidance that Microsoft provides for small businesses.
You do these things, and I’d be very surprised if you were a victim of an Office 365 security breach. Also, if you’re interested to learn more about these types of phishing attacks and how Office 365 will help to prevent them going forward, take a look at the article “How Office 365 learned to reel in phish.”
Have you been attacked? Are you following these recommendations? If not, why not? Leave your comments below. We’d love to hear from you.