Office 365 now boasts over 155 million users and is growing at a rate of 3 million users a month. There is no doubt that a lot of IT executives and managers think Office 365 is a good product that adds greater value to their organization versus a traditional on-premise solution. Unfortunately, as Office 365 attracts more and more users, it progressively attracts the interest of hackers and scammer. Office 365 is the largest pool of email boxes in the world. For that reason, it is the largest target for cybercriminals as well. A recent study reported a 13% increase in the first quarter of 2018 of email attempts to infiltrate Office 365 hosted customers.
Unfortunately, a small number of those 155 email boxes are owned and operated by hackers. Yes, hackers subscribe to Office 365. They do so for one simple reason – to constantly probe its security stack. Once they find a cleverly designed phishing email that gets through the system, it can then be launched against the masses. If this attack gets through to one user, it can get to the rest of the 155 million. The window of opportunity is very brief for these kinds of attacks as Microsoft discovers them quickly. However, it only takes one of these malicious emails to launch an attack that attempts to steal user login credentials or worst, may incapacitate your network.
What’s more, hackers can easily find out if you are an Office 365 organization. They can do so because you broadcast it to the world on your public DNS MX records. Knowing that you are an Office 365 subscriber can influence how they go about launching an attack on your network. This gives a huge advantage from the outset.
It all starts with a secure password. Passwords should be a minimum of 8 letters but password experts encourage the use of longer passwords if possible. Mark Burnett, author of Perfect Passwords states passwords should ideally be between 12 and 15 characters in length. In fact, a 12 random character password consisting of only lower case letters can be more difficult to crack than an 8-character password that enforces complexity rules such as the inclusion of upper/lower case, numbers and non-alphanumeric characters. Hackers are constantly launching credential stuffing and brute force attacks on Office 365 customers in order to steal their credentials. This is because an email from your boss or company executive is taken more seriously than an email from a third party.
Office 365 accounts are compromised all the time. It’s bad enough if one of your end users gets compromised, but imagine the potential harm a hacker could do if the Office 365 account for one of your email or domain administrators was compromised? Hackers can get the names of your administrator and privileged accounts from your organization’s website or through LinkedIn or other social media. This is why your Office 365 administrator accounts should never be tied to personal accounts. You should create designated Office 365 administrator accounts and use them only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function. Microsoft recommends no more than 5 administrator accounts.
You cannot rely on a password to protect user accounts. You need to supplement your login processes with multifactor authentication. A very popular MFA method for Office 365 is to issue a short SMS code that the user must provide during the login process when they access Office 365 from off-premise.
We mentioned how attackers can run actual emails through their own Office 365 accounts to test their effectiveness to usurp Microsoft’s ability to block them. Hackers are very clever, but you can be clever too. While these malicious attackers may know your organization uses Office 365, you can outwit them and use a third party security gateway to supplement the basic spam filtering that Office 365 provides.
Many organizations are utilizing this multi-layer security approach for their email as they find the solutions offered by dedicated email security vendors to be more effective, flexible and less expensive than Microsoft’s Advanced Threat Protection which requires additional licensing and costs.
Sign-up for email updates...