The truth behind MFA and 365 security

An example of how MFA didn’t save the day, and an account with MFA was compromised.

MFA and 365 security is part of a journey. The first step of that journey is the discovery that security isn’t a binary state. The question shouldn’t be “are we secure?”, rather “how secure are we?”. Seeing security from this perspective is critical to maintaining a healthy level of safety. MFA (Multi-Factor Authentication) adds extra steps to help prove that it is really you trying to access a system. It is part of the security process, but it isn’t the whole process, and it is far from bullet-proof.

When undertaking a security review, we often hear comments along the lines of: “We have MFA, so we should be good”. The first comment I need to make to this type of statement is that from experience it is almost always incorrect. Often some users in an organisation are covered, but coverage is almost never complete. At the time of writing, we have yet to find an organisation that, at initial engagement, had MFA set up, activated and enforced on every account. Even where it is enforced, there are often accounts whose owners have never signed in and completed the MFA registration, so an enforced policy and a fully registered user base are two different things to check. CatchBefore is fantastic at raising awareness of gaps within MFA, and helping to achieve complete MFA coverage.

Once 100% MFA coverage is achieved, the security task is not yet complete. There are other routes to data that bypass MFA, and even accounts with MFA enabled and enforced are not completely secure. As an example: one of our clients had MFA set up on all their users, and they still ended up with a compromised account. A suspicious login was promptly detected by CatchBefore. This turned into a notification for the client to review, and at that point it was clear that there was unapproved activity on the account. Our team helped regain control, and restored the account to health. How did this attack happen? It appears that the user’s password had been compromised, and an MFA authentication request was then inadvertently (accidentally) approved by the end user. This is the weakness of a plain “Approve” prompt: an attacker who already holds the password can keep sending prompts until one is approved, which is why prompts that make the user enter a number shown on the sign-in screen are preferable to a one-tap approval.

The compromise was only discovered due to the suspicious login detection features of CatchBefore. Another benefit of early detection was the speed with which the situation was corrected, limiting further impact.

What is the lesson from this issue? MFA and 365 security is fantastic, but it isn’t a complete security solution. Undertaking regular security monitoring can also play a critical role in helping you manage your 365 security risks.


365 Security in 2023

Highlights and security lessons from 2022, and what needs to happen in 2023


After years of development, CatchBefore was released early in 2022. A big thank you to the many clients that have joined our journey. Each sign-up represents another organisation prepared to take a positive step, and shine a light on an area that in many cases they previously had no real understanding of. The demand for security improvements is coming from a broad range of sectors. Our client range includes organisations from professional service industries, construction, manufacturing, not for profit, and other areas. There is no sector immune from being targeted by those with malicious intent.

What are our biggest take-outs from the year?

  • We have yet to see a client join that has 100% Multi-Factor-Authentication (MFA) coverage. In fact, many thought they had everyone on MFA, only to find their coverage was far lower than expected
  • Most clients are not aware that there are a raft of other security issues besides MFA
  • Those that were least convinced that they needed to improve their security often had the largest gaps and needed the most improvements
  • Information and understanding are critical – unfortunately a lot of organisations are not aware of the risks that need to be managed and mitigated
  • Detected attack attempts tend to increase when we are away from work (especially on weekends and major public holiday periods).

What kind of situations has CatchBefore commonly helped with?

  • Improving the security position of clients. The proactive security configuration checks help our clients improve their security score, lowering the risk of an incident.
  • Discovering compromised accounts. We have picked up a number of accounts that had unauthorised logins. This information enabled our clients to close down the weaknesses that were used, and take steps to prevent a repeat.
  • Discovering almost compromised accounts. CatchBefore has a fantastic feature that helps detect logins where the username and password were accepted but MFA failed. This situation typically means that the username and password have been compromised, and the only thing stopping a complete account compromise is MFA. In this situation we have been able to guide our clients through a safe change of password. A password change on its own does not end sessions that are already signed in, so the account’s existing sign-in sessions should be revoked at the same time.
  • Discovering excess licences and old users. It is not uncommon for clients to have more inactive users than active ones, and in many cases wasted or excess licences. Inactive accounts are also a security issue: nobody is watching them, they often lack MFA, and they remain valid targets for password attacks. We have hit situations where CatchBefore can almost pay for itself through the excess licences it discovers.
  • Discovering previously forgotten external email forwarders and rules. Some mailbox rules are malicious in nature, deliberately forwarding email and hiding their tracks. Others were meant to be temporary, and were then forgotten about. In both cases email can be silently forwarded outside your organisation without any alert. CatchBefore helps detect mailbox rules, including those that forward to external addresses.
  • Quota issues, where clients are running out of space. This is perhaps one of the most easily preventable emergencies. Every service has storage limits, and it is important to know when your accounts are approaching capacity. CatchBefore actively monitors and alerts when space is becoming tight.
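The following is an added example, not CatchBefore’s code or anything from the original posts, of the two sign-in detections described above: sign-ins where the password was accepted but MFA failed (the “almost compromised” case), and successful sign-ins from a country where the organisation has no staff (the pattern behind the compromised account in the first post, where a valid password was followed by an approved MFA prompt). The records are constructed to mirror the shape of the Microsoft Graph signIn resource (GET /auditLogs/signIns). The error-code mapping, the EXPECTED_COUNTRIES set and the sample users and addresses are assumptions; verify the codes against Microsoft’s current sign-in error reference before relying on them.

```python
"""Sign-in triage for a Microsoft 365 tenant.

Added example (not CatchBefore's code). The records below are constructed in
the shape of the Microsoft Graph `signIn` resource returned by
GET /auditLogs/signIns, which is where a real check would page them from.
"""
from collections import defaultdict

# Entra ID sign-in result codes (assumption: confirm against Microsoft's
# current error-code reference). 0 is success. The MFA-stage codes are only
# reached after the password was accepted, so a failure carrying one of them
# means the password is already known to whoever attempted the sign-in.
SUCCESS = 0
BAD_PASSWORD_CODES = {50126}              # invalid username or password
MFA_STAGE_CODES = {50074, 50076, 500121}  # strong auth required / failed

# Assumption: countries the tenant's staff actually sign in from.
EXPECTED_COUNTRIES = {"AU"}

# Constructed sample records, trimmed to the fields the triage uses.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2022-11-05T02:14:09Z",
     "location": {"countryOrRegion": "AU"},
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2022-11-05T03:02:41Z",
     "location": {"countryOrRegion": "NG"},
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 500121,
                "failureReason": "Authentication failed during strong authentication request."}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.22",
     "createdDateTime": "2022-11-06T21:47:03Z",
     "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.9",
     "createdDateTime": "2022-11-06T22:10:55Z",
     "location": {"countryOrRegion": "RU"},
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126,
                "failureReason": "Error validating credentials due to invalid username or password."}},
]


def classify(rec):
    """Return one label for a single sign-in record."""
    code = rec["status"]["errorCode"]
    country = rec.get("location", {}).get("countryOrRegion")
    if code in BAD_PASSWORD_CODES:
        return "bad_password"
    if code in MFA_STAGE_CODES:
        return "password_ok_mfa_failed"          # the "almost compromised" case
    if code == SUCCESS:
        if country not in EXPECTED_COUNTRIES:
            return "success_unexpected_country"  # suspicious login
        return "success"
    return "other_failure"


def triage(records):
    """Group records by label; each hit is (user, country, ip, time)."""
    findings = defaultdict(list)
    for r in records:
        country = r.get("location", {}).get("countryOrRegion")
        findings[classify(r)].append(
            (r["userPrincipalName"], country, r["ipAddress"], r["createdDateTime"]))
    return dict(findings)


def recommended_actions(records):
    """Map each affected user to the response the findings call for."""
    actions = {}
    for label, hits in triage(records).items():
        for user, *_ in hits:
            if label == "password_ok_mfa_failed":
                # Password is compromised; MFA was the only thing that held.
                actions.setdefault(user, set()).add(
                    "reset password and revoke sign-in sessions")
            elif label == "success_unexpected_country":
                # Full compromise, possibly via a blindly approved MFA prompt.
                actions.setdefault(user, set()).add(
                    "treat as compromised: revoke sessions, reset password, review mailbox rules")
    return actions


if __name__ == "__main__":
    for label, hits in sorted(triage(SAMPLE_SIGNINS).items()):
        print(label, hits)
    print(recommended_actions(SAMPLE_SIGNINS))
```

Bob’s record is the “almost compromised” case: the password was right and only the MFA step stopped the sign-in, so a reset is due even though no access was gained. Carol’s is the fully compromised pattern from the first post: a clean success, with MFA satisfied, from a country the organisation does not operate in. A bad-password failure from overseas on its own (Alice’s second record) is noise to count, not an incident.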
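As a second added example (again not CatchBefore’s code), here is the mailbox-rule check from the list above, run over constructed rules in the shape of the Microsoft Graph messageRule resource (GET /users/{id}/mailFolders/inbox/messageRules). The INTERNAL_DOMAINS set, the sample users and addresses, and the “hides its tracks” and “throwaway name” heuristics are assumptions. A real check would also fetch the rules for every mailbox and cover mailbox-level forwarding (the Exchange ForwardingSmtpAddress setting), which is configured outside inbox rules.

```python
"""Mailbox rule review for a Microsoft 365 tenant.

Added example (not CatchBefore's code). The rules below are constructed in the
shape of the Microsoft Graph `messageRule` resource
(GET /users/{id}/mailFolders/inbox/messageRules); a real check would fetch
them for every mailbox in the tenant.
"""

# Assumption: the domains the organisation owns. Anything else is external.
INTERNAL_DOMAINS = {"example.com", "example.com.au"}

# Rule actions that send a copy of the message somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample: one forgotten forward, one malicious rule, one benign
# filing rule and one disabled leftover.
SAMPLE_RULES = {
    "alice@example.com": [
        {"id": "r1", "displayName": "Copy invoices to accountant", "isEnabled": True,
         "actions": {"forwardTo": [
             {"emailAddress": {"address": "books@partner-firm.example"}}]}},
    ],
    "bob@example.com": [
        {"id": "r2", "displayName": ".", "isEnabled": True,
         "conditions": {"bodyContains": ["invoice", "payment", "bank"]},
         "actions": {"forwardAsAttachmentTo": [
                         {"emailAddress": {"address": "drop@mailbox.example.net"}}],
                     "markAsRead": True, "delete": True,
                     "stopProcessingRules": True}},
        {"id": "r3", "displayName": "File newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "folder-id-newsletters", "markAsRead": True}},
    ],
    "carol@example.com": [
        {"id": "r4", "displayName": "Holiday cover 2021", "isEnabled": False,
         "actions": {"redirectTo": [
             {"emailAddress": {"address": "cover@old-partner.example"}}]}},
    ],
}


def recipients(rule):
    """All addresses a rule forwards or redirects to, lower-cased."""
    addrs = []
    for key in FORWARDING_ACTIONS:
        for rcpt in rule.get("actions", {}).get(key) or []:
            addrs.append(rcpt["emailAddress"]["address"].lower())
    return addrs


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def hides_tracks(rule):
    """Heuristic (assumption): a rule that forwards and also deletes, marks as
    read or files the message is hiding the fact that mail was taken."""
    actions = rule.get("actions", {})
    return bool(actions.get("delete") or actions.get("markAsRead")
                or actions.get("moveToFolder"))


def suspicious_name(rule):
    """Heuristic (assumption): rules named '.' or a single character are
    easy to overlook in a rule list and are a common attacker habit."""
    return len(rule.get("displayName", "").strip(". -_")) <= 1


def review_rules(rules_by_user):
    """Return a finding for every rule that sends mail to an external address.

    Severity: high when the rule also hides its tracks or has a throwaway
    name; low when the rule is disabled (a leftover that could be re-enabled);
    medium otherwise, which is typically a forgotten temporary forward.
    """
    findings = []
    for user, rules in rules_by_user.items():
        for rule in rules:
            external = [a for a in recipients(rule) if is_external(a)]
            if not external:
                continue  # internal-only forwards are not exfiltration
            if not rule.get("isEnabled", True):
                severity = "low"
            elif hides_tracks(rule) or suspicious_name(rule):
                severity = "high"
            else:
                severity = "medium"
            findings.append({
                "user": user, "rule_id": rule["id"],
                "rule_name": rule.get("displayName", ""),
                "external_recipients": external, "severity": severity,
                "hides_tracks": hides_tracks(rule),
            })
    order = ("high", "medium", "low")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["user"], repr(f["rule_name"]),
              "->", ", ".join(f["external_recipients"]))
```

Bob’s rule is the malicious shape: a throwaway name, a condition keyed on payment words, a forward as attachment to an outside mailbox, and mark-as-read plus delete so the owner never sees the message. Alice’s is the forgotten temporary forward that still leaks every matching email. The disabled rule is reported at low severity because a disabled external forward is one click from active again.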

What is in store for CatchBefore and 365 security in 2023?
Additional features and checks are in the development stage. CatchBefore plans to release enhancements during 2023. In addition to the planned improvements, we will continue to monitor the evolving threat landscape.


Welcome, and what a time to launch

Years of experience with cloud products have come together for a positive goal.

A brief history of how we ended up here

CatchBefore was an idea long before it became a service. Our team has been helping corporate clients move to the cloud for many years. As the cloud products matured, the (optional) security features have also improved.

The age-old problem was still there however: the system you are using is only as secure as its configuration (the same problem that existed with onsite servers). Clients were freed from the constraints of running onsite servers. No more rolling server upgrades every 4-5 years. No more outdated server software, or worrying about a hardware failure in the office. You can add 100 new accounts and not have to worry about buying a new server.

Instead of your data being accessible just in your office, it is now accessible globally. This is great when you are travelling, however it also means that anyone in the world can also try to access your data in the cloud.

365 does provide the tools to help you protect your data. But that is only part of the answer: you have to enable and use the tools correctly, and make sure they are applied to every account. There are still limits (quotas) in place, and you still need to make sure you are not wasting licences or carrying more accounts than you require. If an account is compromised, you need a way to find out (and quickly!).

Over time we have developed a reliable tool-kit of configuration and general health checks. We hit three problems however:

  1. The checks were only valid at the time we ran them.
  2. The checks were time intensive to run.
  3. It can be difficult to maintain a best-practice configuration over time.

CatchBefore was created to make it possible to run regular health checks, and alert on any suspicious activity or sub-standard configuration. This enables us to deliver levels of protection that would not be feasible with manual health checks. CatchBefore automates hours’ worth of checks and reviewing each day, bringing discovered issues to your attention.

Launch timing

Many years ago a number of nation-state actors tried to be reasonably discreet when attempting cyber-attacks. For a number of years western governments have been ringing alarm bells about the risk to business. The frequency of attack attempts is only increasing. Some foreign governments appear to be involved, or at least are not doing anything to rein in attacks originating from their countries.

At the same time many organisations have moved to the cloud, and unfortunately have not taken adequate steps to prevent or detect an intrusion in their 365 tenancy.

CatchBefore is here to help organisations minimise risk, and utilise the fantastic benefits of the cloud with confidence.

Where we are heading

We initially had a short list of checks (under 10) that we wanted to have ready at launch time. Each check is designed to alert on a specific problem. For example, a check that alerts when an account is missing Multi-Factor Authentication. Another example is a check that alerts when an overseas login is detected. We kept on finding additional important items to add to the list, and we ended up releasing with 29 active checks!

We have plans to continue to add useful checks. Each time we see a problem, it may be the inspiration for another check.
