By Alex Ammons   /   Aug 3rd, 2021

Office 365 Security Best Practices

Imagine being forwarded an email that you never sent. Even worse, that email was you approving the transfer of a large sum of company money to an account that you never set up or knew about. This grim situation and many like it happen more often than most would expect and can be the source of incredible frustration, financial impacts and even litigation. What can you do to help prevent this type of attack? Start by incorporating Office 365 security best practices into your environment.

Business Email Compromise Attacks

This type of business email compromise (BEC), also known as email account compromise (EAC), can have devastating effects on the confidentiality, integrity, and availability of a network. Because phishing is the most popular attack vector for a malicious actor, the security of your email provider deserves a second look. Since Microsoft offers the most popular solution for organizations, let’s start by looking at Office 365 security best practices.

Cloud Services Continue to Grow

According to Microsoft’s chief financial officer, Amy Hood, revenue in its Cloud services increased 36% this year, growing to $19.5 billion. For years, IT teams have been working to migrate from on-premises hosted Exchange services to Office 365. This migration to cloud-based email providers such as Office 365, which includes a wide variety of functionality and built-in security, has accelerated in light of recent on-premises Exchange vulnerabilities related to Hafnium. While cloud-based services such as Office 365 can have an appeal as an easy solution for companies to get up and running or transitioning from obsolete services, there are many security settings that should be manually reviewed and configured to lower the risk of a cloud-based compromise.

Office 365 Security Best Practices

To help your organization reduce the risk of a compromise, we have prepared a list of the top Office 365 security best practices that users and administrators should consider.

  • Enable Audit Logging. Perhaps one of the worst positions a company can find itself in is identifying that an incident or breach has occurred involving its Office 365 accounts, and when IT security staff or an attorney asks to examine the audit logs, they were never enabled. Ensuring audit logging is enabled allows scrutiny of questionable activity that may have occurred leading up to, during, and after a possible account or cloud compromise. Equally important is developing a plan to regularly review your organization’s logs.
  • Require Multi-factor Authentication (MFA) For All Users. Even Office 365 is susceptible to user enumeration and brute force attacks. These attacks occur when a hacker runs automated programs to “guess” active account names and passwords, so it is only a matter of time before a would-be attacker targets your organization’s Office 365 tenant. The risk of account compromise due to user enumeration and brute force attacks can be greatly reduced by using MFA. MFA uses at least two authentication mechanisms, such as a token and a password, rather than just a password. This means that even if someone guesses the correct password, they will not have the additional token needed to gain access to the account. Read our MFA blog to learn more.
  • Block Legacy Authentication. In addition to ensuring MFA is enabled for all accounts, you should block or disable “basic” authentication protocols that do not support interactive sign-in. Interactive sign-in is required for security challenges such as device authentication and MFA. Some examples of basic protocols that should be blocked are POP3 and IMAP4. Settings to block applications that do not use modern authentication can be configured within the SharePoint Admin center. These should be enabled for Exchange Online and SharePoint.
  • Enable Password Protection for Active Directory. A malicious actor’s first step in attacking services like Office 365 is to build password lists that include known “breach compilation” data. This is data that may have been leaked from the targeted organization. An additional step is adding simple passwords such as “july2021” or “20212021”, which are commonly used in organizations that don’t train users on the importance of password complexity. A quick win for any organization is to enable Azure Active Directory Password Protection, which prohibits users from choosing simple passwords. To prevent the use of credentials that have appeared in prior leaks, tools such as Have I Been Pwned and Specops Password Auditor should be run regularly. These tools help ensure that no passwords identified in leaked data are in use.
  • Enable O365 ATP for SharePoint, OneDrive, and Microsoft Teams (E5). Advanced Threat Protection is capable of scanning services including SharePoint, OneDrive, and Microsoft Teams for malicious files and then blocking them from being shared until the organization can take steps to evaluate and eradicate the malicious file. This setting can be found within the Office 365 Security Center under ATP safe attachments and can be turned on for SharePoint, OneDrive, and Microsoft Teams. This feature is available within Microsoft’s E5 licensure.
  • Regularly Review Mail Transport Rules. If an attacker gains access to an email account, they will typically set up mail transport rules to forward email to external domains. This helps them maintain awareness of the compromised account and exfiltrate data. Any forwarding rules within the Office 365 tenant should be regularly inspected and carefully vetted. These rules can be reviewed within the Exchange Mail Flow Rules.
  • Enable ATP Safe Links Policy (E5). URLs embedded in emails that redirect or contain malicious scripting are the most common method of account compromise. Office 365’s Advanced Threat Protection ensures that any hyperlinks within Office documents and emails are scanned and evaluated for threats. While this feature is only available within Microsoft’s E5 licensure, it is a key technical defense against common phishing techniques.
  • Use SPF/DKIM/DMARC to Reduce Spoofing. Another common tactic for attackers is to pretend to be someone they’re not and “spoof” an email. This is a popular tactic hackers employ to get users to click on malicious links in an email or to provide sensitive information. The defenses for this are DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC). DKIM involves cryptographically signing emails sent from an organization so that they are validated as really coming from where they claim to come from. SPF is a safeguard that allows mail systems to determine whether messages sent on behalf of a specific domain are allowed to originate from a particular IP address. DMARC works in tandem with DKIM and SPF to ensure that destination email servers can trust the results and that senders are properly authenticated.
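The audit logging, legacy authentication and mail forwarding checks above can be pulled from a tenant in one pass with Exchange Online PowerShell. The script below is an added example (not from the original post or from Microsoft); it assumes the ExchangeOnlineManagement module is installed and that `admin@contoso.example` is a placeholder for an account with Exchange administrator rights.

```powershell
# Added review script (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the UPN below (a placeholder) has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Audit logging: unified audit log ingestion must be on, or there is nothing to review later.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is DISABLED for this tenant"
}

# 2. Legacy authentication: mailboxes that still allow POP3/IMAP4, and whether an
#    organization-wide default authentication policy has been assigned at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
(Get-OrganizationConfig).DefaultAuthenticationPolicy

# 3. Tenant-wide transport (mail flow) rules that redirect or copy messages elsewhere.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

# 4. Mailbox-level forwarding, whether set by an admin or through the user's own settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 5. Per-mailbox inbox rules that forward or redirect mail; rules pointing at external
#    addresses deserve the closest look, as the post describes.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 6. Whether automatic forwarding to external domains is permitted at the tenant boundary.
Get-RemoteDomain Default | Select-Object DomainName, AutoForwardEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Any hit in sections 3 to 5 is not automatically malicious, but each should be traceable to a documented business need; anything else is a candidate for removal and for a closer look at that mailbox in the audit log.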

While there are many settings within Office 365 that can greatly improve an organization’s security posture, these Office 365 security best practices are some of the top recommendations for minimizing risk and bolstering any organization’s confidentiality, integrity, and availability.

Please contact us if you need help with an Office 365 configuration review or policy recommendations. Our expert team will be happy to help!

About the Author

Alex Ammons

Alex Ammons manages the incident response team at LMG Security. From ransomware to business email compromise, Alex leads teams and provides hands-on triage, investigation, and remediation activities for a wide variety of cybersecurity attacks. Before joining LMG Security, he worked on the NOAA Computer Incident Response Team as a primary investigator for incidents across Department of Commerce networks. Alex has completed certifications such as the Department of Defense Joint Cyber Analysis Course (JCAC), and has received certifications from the NSA and the Joint Special Operations Command for operations within the cyber domain. Alex is a seasoned incident responder with experience in both offensive and defensive cyber operations.