Microsoft 365 Attacks

As the use of Microsoft 365 continues to grow, cyber attackers are increasingly targeting its cloud-based infrastructure. In this extensive post, we will delve into the realm of new Microsoft 365 attacks, exploring the attackers’ methods of gaining persistence within the Microsoft 365 cloud, and provide detailed countermeasures and best practices to enhance your organization’s security posture.

Unraveling Attackers’ Persistence in Microsoft 365 Cloud

To bolster our understanding of Microsoft 365 attacks, let’s explore how attackers establish persistence within the cloud.

According to the CSO Online article[^1], attackers employ various techniques to gain persistence, with one of the most intriguing being the abuse of connected apps. By utilizing legitimate applications that are authorized within the Microsoft 365 environment, threat actors can maintain persistent access while evading traditional security controls.

Connected apps, such as mail plugins, Microsoft Teams integrations, or third-party applications authorized to access Microsoft 365 APIs, can be exploited by attackers to establish a foothold. By compromising or creating malicious connected apps, attackers can bypass security measures and gain ongoing access to sensitive data.

Enhancing Microsoft 365 Security: Best Practices and Configurations

Now let’s explore countermeasures and best practices that can help secure your Microsoft 365 environment, addressing the threat of new attacks and eliminating the attackers’ ability to maintain persistence.

1. Enable Microsoft Audit Logs

Enabling Microsoft Audit Logs is a crucial step in identifying and investigating suspicious activities in your Microsoft 365 environment. Follow these steps to activate Audit Logs:

1. Sign in to the Microsoft 365 Security & Compliance Center.
2. Navigate to Search & Investigation → Audit log search.
3. Select Start recording user and admin activities.
4. Define the audit log settings based on your organization’s needs.
5. Click Save to enable audit logging in your environment.

2. Enable and Enhance Microsoft Security Logs

In addition to Microsoft Audit Logs, it is essential to enable and enrich Microsoft Security Logs to detect and mitigate security threats effectively. Here’s how to achieve that:

1. Access the Microsoft 365 Security & Compliance Center.
2. Go to Search & Investigation → Audit log search.
3. Click on Start recording user and admin activities.
4. Configure the audit log settings according to your security requirements.
5. Ensure that logs capture relevant security events such as sign-in activities, suspicious file activities, data exfiltration attempts, and administrator actions.
6. Click Save to apply the changes and activate the enhanced Microsoft Security Logs.

By enabling and leveraging these logs, you can gain comprehensive visibility into activities and events within your Microsoft 365 environment, facilitating effective incident response and threat hunting.

3. Implement and Enforce Conditional Access Policies

Conditional Access is a powerful feature that allows you to control access to your Microsoft 365 environment based on specific conditions and requirements. Configure the following steps to implement Conditional Access:

1. Navigate to the Microsoft 365 admin center.
2. Go to Azure Active Directory → Conditional Access.
3. Define the desired conditions and requirements for accessing your Microsoft 365 environment (e.g., enforcing multi-factor authentication, restricting access based on location or device type).
4. Carefully review the configured policies and ensure they align with your organization’s security needs.
5. Save the policies to enforce them in your environment.

4. Employ Cloud App Security and Threat Protection

Microsoft Cloud App Security (MCAS) is a crucial tool for enhancing security within your Microsoft 365 environment. By leveraging MCAS, you can gain deeper visibility into app usage, enforce security policies for cloud-based applications, and effectively combat potential threats. Some steps to implement MCAS are as follows:

1. Access the Microsoft 365 Security & Compliance Center.
2. Navigate to Threat management → Policies.
3. Enable and configure policy settings to leverage Microsoft Cloud App Security effectively.
4. Define required actions for potential threats, such as blocking suspicious activities, enforcing data loss prevention (DLP), or launching investigations.
5. Save the policy to activate Microsoft Cloud App Security within your environment.

Suggestions for Useful Applications

To further enhance the security of your Microsoft 365 cloud, consider integrating additional security applications and services. Here are some recommendations:

1. Cloud Access Security Brokers (CASB): CASB solutions, such as Symantec CloudSOC or Microsoft Cloud App Security, provide granular visibility and control over cloud applications, ensuring data protection and compliance.
2. Identity and Access Management (IAM): IAM tools like Okta or Azure Active Directory, help manage user identities, enforce strong authentication, and streamline access controls.
3. Email Security Gateways: Supplementing the built-in email security features of Microsoft 365 with solutions like Mimecast or Proofpoint adds an extra layer of protection against advanced email threats, including phishing attacks and malware.
4. Endpoint Protection: Deploying robust endpoint protection solutions such as CrowdStrike, SentinelONe, Yoroi Kanwa or Microsoft Defender for Endpoint helps defend against advanced threats, including those targeted at the endpoint devices accessing your Microsoft 365 environment.

Implementing these applications along with a robust security framework will provide layered protection and ensure comprehensive security within your Microsoft 365 cloud environment.

Conclusion

This post delved into the realm of new Microsoft 365 attacks and examined how attackers establish persistence within the cloud. By understanding their tactics, organizations can effectively defend against these evolving threats.

To safeguard your Microsoft 365 environment, it is crucial to implement countermeasures and adopt best practices such as enabling Microsoft Audit Logs, enhancing Security Logs, implementing and enforcing Conditional Access Policies, and employing tools like Microsoft Cloud App Security. Additionally, integrating useful applications like CASB, IAM, email security gateways, and endpoint protection solutions enhances the overall security posture.

Embrace a holistic approach to security, regularly update your defenses, educate users about security best practices, and keep abreast of the latest security trends and recommendations. By proactively protecting your Microsoft 365 environment, you can mitigate risks and safeguard your organization’s sensitive data.

PS: I’ve been using AI for editing and improving English reading, and it has been cool !

References:
[^1]: CSO Online. “The Most Dangerous and Interesting Microsoft 365 Attacks.” Link to Article
[^2]: Huntress. “Legitimate Apps as Traitorware for Persistent Microsoft 365 Compromise.” Link to Article
[^3]: Sherweb Blog. “Microsoft 365 Tenants: How to Protect and Secure Your Business.” Link to Article
[^4]: Microsoft 365 Security. “Microsoft 365 Security.” Link to Document

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts