In our last blog, we explored the risk of receiving sensitive data unauthorized via email, the sharing sensitive information internally across departments, and the need for advanced data protection features within both on-premise email systems and Microsoft Office 365 (MO365) environments to mitigate these risks. However, it is not just the threat of unwanted or accidental sensitive data acquisition that organizations should be wary of when it comes to information security. Because Microsoft Office 365 has been rapidly adopted across so many sectors and organizations of all sizes, it has become a prime target for cybercriminals.
The National Cyber Security Centre (NCSC) has recently published an advisory report that explores the ways MO365 can be compromised by malicious parties, explaining how cybercriminals can use compromised MO365 accounts to obtain financial profit. It reports that attacks on business email, including MO365, cost businesses over $5.3 billion dollars in losses between 2013 and 2016.
Research conducted by Clearswift found that phishing emails are seen as the most dangerous threat to businesses across all email platforms. In fact, the most common way hackers gain access to MO365 accounts is through targeted phishing attacks – also known as spear phishing.
In order to execute a spear phishing attack, a cybercriminal sends an email (or emails) to employees, seemingly from a trusted source – often C-suite and suppliers – requesting them to click on a malicious link. Once the employee clicks on the link, it redirects them to a spoofed login page where the hacker is then able to harvest sensitive information including log-in credentials that the unsuspecting employee provides. Having access to log-in details enables cybercriminals to steal sensitive information held in the cloud, impersonate an account holder, distribute further spear phishing emails from a legitimate account or deliver a Ransomware payload into the network. These kinds of attacks often go undetected long enough to allow the hacker to steal the information they need to cause major disruption to any business.
Another common way of accessing a MO365 environment is for cybercriminals to force their way into accounts using a sequence of obvious passwords. While one of the benefits of the MO365 cloud platform is its widespread accessibility for employees, this can also pose a threat to security, offering this same access to cybercriminals. If a hacker harvests an employee’s password, they will have instant access to the account and broader environment.
Because MO365 is designed for remote access, identification of unauthorized access to accounts is not instantly detected, making it much easier for hackers to attempt multiple log-ins and be granted access. In addition, targeting one employee at a time – rather than everyone within an organization – reduces the chance of detection further and once a cybercriminal has access to one account, it makes it extremely easy to infiltrate from the inside.
Access to one individual’s account could allow a maliciously motivated individual to gain access to documents and databases and steal sensitive information that resides in the platform and within emails. Hackers could also set up auto-forwarding rules so that the compromised account sends copies of emails to another email address without detection.
Steps to mitigate threats and risks
With many employees using a password across multiple platforms and services, hackers have a much better chance of stealing or guessing one password and gaining access to a whole host of information. Multi-factor Authentication (MFA) adds an extra layer of protection to a MO365 platform by implementing a second, or – in some cases where the information is of greater sensitivity – a third password, to ensure that even if a hacker gains one authentication method, they still won’t gain access to an account. A second factor is then used to help further authenticate that logins are genuine. This could be another password, or characters from a pass-phrase, a fob or an app with an ever-changing number, a fingerprint, facial recognition or even an iris scan.
Training and Education
Training employees on the signs of malicious activity through email will reduce the risk of employees clicking on malicious links that lead to phishing attacks. Lunch and learn sessions, webinars and Threat Guides for staff are great ways to educate and upskill staff. Combining threat prevention sessions with best practice sensitive data handling will help improve an organization’s overall security posture. Building in a cyber-security session with the IT Team into new employee inductions will mean that all new staff members who join an organization will be off to a great start in terms of understanding and complying with company security policies and procedures.
Enhance Security in MO365 with advanced features
Integrating advanced threat prevention and data protection features to a MO365 platform can enhance the existing security capabilities it offers. Clearswift’s bolt-on solution for MO365 be seamlessly implemented to enable deep content inspection of all email traffic through the platform – inbound, outbound and internal – in both email messages and attachments. The solution automatically detects and redacts malicious URLs in real-time, as well as sensitive data (eg. PII, PCI etc), allowing a safe version of the communication to be delivered (rather than being ‘stopped or blocked’). The Adaptive Redaction functionality removes embedded malware or sensitive information before it’s delivered into an employee’s inbox, mitigating the risk of employees clicking on a link in a phishing email or sending/receiving sensitive information in error, that could cause an organizational data breach.
Taking advantage of the ability to plug in third-party applications to improve the security of a MO365 platform will enhance the protection of critical data being stored across the cloud service while allowing employees to go about their day-to-day business without disruption.