1. Disable email forwarding to third-party domains
The most common form of attack seen by BSI’s Incident Management team results in email traffic being forwarded to another address. This is always a third-party domain, usually a free service such as Gmail, Hotmail or Yahoo, but sometimes another organization that has also been compromised. When an attacker puts an auto-forward in place, it can often go unseen for days, if not weeks or months, as users rarely examine these settings or notice their impact. During this time, the attacker receives and stores a copy of everything sent to or from the mailbox – naturally a privacy and security disaster!
O365 provides a simple way to prevent this from happening. A system administrator can disable the ability of any user to forward all emails to a third-party domain. Such a bulk forward rule is then blocked by the Exchange server and no emails leave your organization.
The simplest way to do this is to create a remote domain rule: create a new rule covering the remote domain “*” and disable the “Allow automatic forwarding” option. For more information on setting up remote domain rules, click here.
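The same “*” remote domain change, made from Exchange Online PowerShell and followed by a check for forwards that an attacker may already have created, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and the caller is an Exchange administrator; the admin account name is a placeholder.

```powershell
# Added example (not from the original article): disable automatic forwarding
# to every external domain, verify it, then report forwarding already in place.
# Assumes the ExchangeOnlineManagement module; the UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# The built-in remote domain named "Default" has DomainName "*": it applies to
# any external domain that has no more specific remote domain entry of its own.
$default = Get-RemoteDomain -Identity Default
"Before: DomainName={0} AutoForwardEnabled={1}" -f $default.DomainName, $default.AutoForwardEnabled

# Turn off automatic forwarding (inbox rules and mailbox forwarding) for "*".
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Verify the change before relying on it.
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    throw "AutoForwardEnabled is still true on the Default remote domain"
}

# Remote domains created separately (e.g. for a partner) are not covered by "*"
# and keep their own setting; list them so none is overlooked.
Get-RemoteDomain | Where-Object { $_.Identity -ne 'Default' } |
    Select-Object Identity, DomainName, AutoForwardEnabled

# Blocking future forwards does not remove ones that already exist. Report
# mailbox-level forwarding and any inbox rule that forwards or redirects mail.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Type     = "InboxRule: $($_.Name) (Enabled=$($_.Enabled))"
                Target   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
                KeepCopy = $null
            }
        }
}
$report | Format-Table -AutoSize
```

The audit loop is the part most worth running on a schedule: a forward that was created before the remote domain setting changed is still the silent copy described above, and a report that shows new entries between runs is what turns “weeks or months” into hours. In newer tenants, Microsoft also exposes an outbound spam filter setting (`Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off`) that controls the same behaviour; it postdates this article and is worth setting alongside the remote domain rule.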
2. Enable multi-factor authentication
The single best control for protecting against phishing attacks is to enable multi-factor authentication. With proper multi-factor controls in place, a phishing attack resulting in breached passwords will still mean that the attacker has no access to your email systems.
There are many options for the second factor, ranging from text messages and smartphone apps to RSA token fobs and security keys. Weigh the value of the account you are protecting against the strength of the factor you choose. Security keys in particular are so effective that Google has confirmed that not one of its 85,000+ employees has been compromised since it began requiring security keys as a second factor for login in 2017*.
Attackers typically target senior board members and executives, members of the finance team, and members of the IT team. These users should therefore have the tightest controls on their login methods. Ideally, multi-factor authentication should be enabled for all users, but where other considerations limit its rollout, make sure you secure the most likely targets in your organization first.
For more information on multi-factor options for O365 please click here.
3. Conditional access for Office 365
Azure Active Directory, the mechanism that usually manages logins for O365, has many options for restricting and further securing login attempts. Conditions are defined, and when a rule is triggered multi-factor authentication is required or the request is blocked outright. For example, rules could allow direct login for requests from within your organization’s IP range, require multi-factor authentication for logins from within your home country but outside your network, and block all logins from other countries. Different rules can be applied to different applications such as Exchange and SharePoint, and can also take into account the type and status of the connecting device.
Combining conditional access rules together with a multi-factor authentication regime can significantly improve your Office 365 security. For full details click here.
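The three example rules from this section, together with the staged MFA rollout suggested under tip 2, expressed as named locations and Conditional Access policies through Microsoft Graph PowerShell. This is an added example and not code from the original article. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the caller holds the Policy.ReadWrite.ConditionalAccess scope; the IP range, country code and break-glass account id are placeholders to replace.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph
# PowerShell; the CIDR, country code and break-glass object id are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location for the organisation's own egress IP range (placeholder CIDR).
$officeNet = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# 2. Named location for the home country (ISO 3166-1 alpha-2 code; placeholder).
$homeCountry = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home country'
    countriesAndRegions               = @('GB')
    includeUnknownCountriesAndRegions = $false
}

# Policy A: require MFA everywhere except on the corporate network, so a login
# from the office IP range goes straight through while any other login needs a
# second factor. For a staged rollout replace includeUsers = 'All' with
# includeGroups = @('<executive/finance/IT group object id>') and widen later.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA outside corporate network'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions  = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($officeNet.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy B: block sign-ins from every country except the home country. A
# break-glass account is excluded so an over-broad rule cannot lock out the
# whole tenant (placeholder object id).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block sign-in from outside home country'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @('<break-glass-account-object-id>') }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($homeCountry.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Both policies are created in report-only state so that the sign-in logs show what each rule would have done before anything is enforced; a country block in particular should be checked against travelling staff and cloud-hosted services that sign in on the organisation’s behalf before it is switched on.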
4. End-user security awareness training
Most attacks originate at the end-user level. In fact, 90% of data breaches or hacks originate from phishing*. However, organizations are still hesitant to invest much in training employees to work securely online*. To the system administrators out there: it’s vital you push for a dynamic, engaging and measurable training programme for your staff. Attacks will always evolve, and keeping ahead of them with security technology solutions alone can be a challenge. A well-versed workforce that knows the do’s and don’ts of web security can be the last line of defence for your organization.
BSI works with some very innovative software platforms that provide engaging, interactive training material. This is combined with the ability to test your users by creating mock phishing attacks and measuring their success. When these tests are paired with further training, clients always see a measurable decrease in users succumbing to the next test – which in turn protects your organization against the real thing.
Following our four tips above will help you keep your Office 365 secure from breaches, but in the event that the worst happens, our team are here to help you!