365 5-Point Check Explained

Introduction

This page provides additional information on the CatchBefore 365 5-Point check. The report is a tiny sample of what CatchBefore reporting can provide. Please remember that there are multiple parts to CatchBefore, with reporting being only one of the benefits. We hope that your 365 5-Point check helps to shine light on an area that you might not otherwise be aware of. It is important to note that the report uses the information that was available at the time it was created. The 365 5-Point check will not dynamically update or change over time. We advise against using the report as the sole basis for decision making.

The points:

  • Secure Score.

    We have represented your Secure Score (as established by Microsoft) as a percentage of what is possible. The higher the score, the better. Microsoft raises your Secure Score depending on your configuration. The more security measures that you have implemented, the higher your score will be. It is important to note that your score percentage can decrease over time (as new security features become available). It is also important to note that the Secure Score is not calculated every day. If you have made changes recently, the impact on the Secure Score may take some time to show.
  • MFA Coverage.

    This is the percentage of accounts with logins enabled that have Multi-Factor Authentication (MFA) set up. Guest accounts are included in the count. It is important to have all accounts configured with MFA. It is also important to note that, for us to obtain the information in this report from Microsoft, your tenancy requires “AADP1” level licensing. This is commonly found in Microsoft 365 Business Premium and some higher level licences, or is available as an optional add-on product that can be applied against lower level licensing. We strongly advise clients to adopt AADP1 licensing to unlock the benefits of additional security and reporting improvements.
  • Email accounts containing a forward or delete rule.

    This is the number of accounts that have either an email forward rule or an email delete rule. The ‘or’ is non-exclusive (i.e. an account that meets one or both conditions increases the count). It is important to investigate email rules to ensure that they are not malicious. Forward and delete rules can be utilised in malicious rulesets to send copies of emails externally, and/or to hide specific emails.
  • Enterprise Application count.

    Enterprise Applications are systems that have been given permission to access data within your 365 environment. Often access can be granted by the end user, without administrative permission. Typically they are used for integration with helpful third-party systems; however, they can also be utilised for malicious purposes. Once permission is granted by a user (which can be done with a few clicks, either on purpose or accidentally), no MFA or other log-in action by the end user is required for that access. This means the application can have access even if you change your password, and without you being logged in.
  • 365 Alerts, with status “New”.

    These alerts are Microsoft trying to tell you something. It may be a minor issue or alert, or it may be an important security notice about suspicious activity. It is critical that there is a path for these alerts to be brought to your attention so that they can be individually evaluated.
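
The forward-or-delete count described above can be reproduced over exported inbox rules, which also makes externally addressed forwards easy to pick out for review. This is an added example, not CatchBefore's code: it assumes rules shaped like Microsoft Graph messageRule objects, and INTERNAL_DOMAINS, the function names and the sample data are constructed for illustration.

```python
# Added example. All mailboxes, rules and domains below are constructed.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

# Action keys as named on the Graph messageRuleActions resource.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_ACTIONS = ("delete", "permanentDelete")

def classify_rule(rule):
    """Return (forwards, deletes, external_recipients) for one inbox rule."""
    actions = rule.get("actions") or {}
    recipients = [
        r["emailAddress"]["address"].lower()
        for key in FORWARD_ACTIONS
        for r in actions.get(key) or []
    ]
    external = sorted(a for a in recipients
                      if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS)
    deletes = any(actions.get(key) for key in DELETE_ACTIONS)
    return bool(recipients), deletes, external

def review_mailboxes(rules_by_mailbox):
    """Count mailboxes with a forward OR delete rule; each mailbox counts once."""
    flagged = {}
    for mailbox, rules in rules_by_mailbox.items():
        fwd = dele = False
        external = set()
        for rule in rules:
            f, d, ext = classify_rule(rule)
            fwd, dele = fwd or f, dele or d
            external.update(ext)
        if fwd or dele:  # non-exclusive 'or': one or both conditions
            flagged[mailbox] = {"forward": fwd, "delete": dele,
                                "external": sorted(external)}
    return len(flagged), flagged

SAMPLE = {  # constructed sample export: mailbox -> list of rules
    "alice@example.com": [
        {"displayName": "archive", "actions": {"moveToFolder": "constructed-id"}}],
    "bob@example.com": [
        {"displayName": ".", "actions": {
            "forwardTo": [{"emailAddress": {"address": "drop@external.test"}}],
            "delete": True}}],
    "carol@example.com": [
        {"displayName": "to assistant", "actions": {
            "redirectTo": [{"emailAddress": {"address": "dave@example.com"}}]}},
        {"displayName": "cleanup", "actions": {"permanentDelete": True}}],
}

if __name__ == "__main__":
    print(review_mailboxes(SAMPLE))
```

Mailboxes whose entry has a non-empty "external" list are the ones to investigate first, since those rules send mail outside the tenant.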

Where to from here?

This is a tiny example of the information and configuration that needs to be actively reviewed. Reach out to our team for further information on how we can help your organisation improve your 365 security posture.