Office 365 Security Issues

Office 365 Security Issues are real. Any implementation error or account breach, if it goes unnoticed, can have a negative impact on your business. CatchBefore is developed solely to minimise such implications by proactively monitoring your 365 tenancy and alerting you to areas that need improvement. At CatchBefore, we believe it is important for organisations to understand some of the key security items and take appropriate steps to counter the risks.

1. Stolen passwords

This is a very common source of account compromise. It happens when an intruder obtains credentials (username and password) that can be used to gain access to a 365 account. There are many ways in which credentials can be obtained, including:

  1. Phishing (pronounced "fishing"). This is a reasonably straightforward method by which a user is tricked into handing over their username and password to a website that looks genuine.
  2. The reuse of passwords between systems. It is a common mistake to use the same password for multiple accounts with different providers. If one of these providers is compromised and the attacker obtains the password, it may be possible to log in to other accounts that use the same password.
  3. Weak passwords. Good passwords are difficult to remember. Unfortunately, there are lists with millions of known common weak passwords that threat-actors will try against usernames to see if they work.
  4. Malware. Infections (viruses) can record keystrokes. Usernames and passwords may be captured if they are entered on an infected system.
  5. Social engineering. If an attacker can’t work out the password, then sometimes the easiest way is to ask for it. The request normally appears to come from someone in a position of power or authority, and can be very convincing. Sometimes they might not ask for a password, but rather gather information that they can use to reset your password.
  6. Shared passwords. This is when multiple people access a system using a shared login. With no individual responsibility or secrecy attached to the password, it is at risk of being inadvertently shared, and of not being changed when team members depart.

2. Excessive administrative permissions

User accounts can be grouped into two primary types, “Users” and “Administrators”. As the name implies, Administrator accounts have greater access to information and configuration settings.

When a User account is compromised, the damage is typically limited to that account (and the information the User account has access to). A compromised user account can be very damaging, but the damage is contained. If an Administrative account is compromised, the implications can be far broader, to the extent that complete control of the tenancy may be lost.

Administrative accounts should be separate from normal user accounts, and dedicated solely to undertaking administrative tasks.

3. Hidden email rules

A hidden email rule is where all incoming email for a user account is forwarded to an external address without the user's knowledge. The threat-actor then has effective access to all incoming email for that user. This can then be leveraged for further malicious activities. In many cases it may be possible to trigger password resets on other services, with the threat-actor gaining access to those additional services.

This type of rule can be in place for a long time without detection.

A hidden email rule is a symptom of an account that has already been compromised; however, it should be treated as a security threat in its own right, because it allows extended exploitation without detection.
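One way to check a tenancy for this is to list every inbox rule and mailbox-level forwarding setting whose target is outside the tenant's accepted domains. The script below is an added example written for this article, not CatchBefore's own tooling; it assumes the ExchangeOnlineManagement PowerShell module is installed and the signed-in account can read mailbox configuration.

```powershell
# Added example (not CatchBefore's code): report inbox rules and mailbox-level
# forwarding that send mail to addresses outside the tenant's accepted domains.
# Assumes the ExchangeOnlineManagement module and a role that can read mailbox
# settings (e.g. View-Only Organization Management).
Connect-ExchangeOnline

# Addresses in these domains count as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalAddress {
    param([string]$Recipient)
    # Recipient strings look like "Name [SMTP:user@example.com]", "smtp:user@example.com"
    # or a bare address; pull out the domain part and compare it to the accepted list.
    if ($Recipient -match '([\w.+-]+)@([\w.-]+)') {
        return -not ($internalDomains -contains $Matches[2].ToLower())
    }
    return $false   # not an SMTP address (e.g. an internal directory object); ignore
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding (set by an admin or via the user's mailbox settings).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Rule    = '-'
            Target  = "$($mbx.ForwardingSmtpAddress)"
        }
    }
    # Inbox rules: forward, forward-as-attachment and redirect actions all leak mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Type    = 'InboxRule'
                    # A rule that also deletes the message is the classic "hidden" pattern.
                    Rule    = "$($rule.Name) (enabled=$($rule.Enabled), deletes=$($rule.DeleteMessage))"
                    Target  = "$t"
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Running this on a schedule and comparing the output with the previous run turns a one-off audit into the kind of ongoing check that catches a rule added after the audit.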

4. Untrustworthy applications

You might not be aware of it, but it is possible to access your 365 Tenancy via 3rd party applications. These applications can be very useful, undertaking numerous helpful tasks. Because such applications can be granted tenancy-wide access, it is important to understand which applications have access to your data, and to have the know-how to notice when new ones are added.

Applications can be granted access through a relatively simple process, and the implications may not be fully understood at the time permission is given. Once access is granted, there is no easily visible notification that the application is running. Multi-Factor Authentication (MFA) is not required for applications to gain access. This means that they could be quietly operating in the background without you being aware.

5. Application role assignments

Application role assignments are applications with permissions granted at the end-user level (by end-users themselves). There are numerous types of applications out there to help end-users undertake tasks, such as managing calendar bookings, integrating with 3rd party applications for access to data, and retrieving contacts from your address book.

Application role assignments are quick and easy to approve, and are at high risk of being inadvertently approved by an unsure end-user. Once approved, the application role assignments do not require Multi-Factor Authentication (MFA) for access, and there is no obvious indication that the access is being used.
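Both the tenancy-wide application access described in section 4 and the end-user consents described in this section show up in the same place: the tenant's OAuth2 permission grants, where the consent type tells you whether an administrator approved the application for all users or a single user approved it for themselves. The script below is an added example written for this article, not CatchBefore's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, and the list of "high impact" scopes it flags is this example's own choice rather than an official classification.

```powershell
# Added example (not CatchBefore's code): inventory delegated OAuth2 permission grants.
# ConsentType 'AllPrincipals' = admin consent for the whole tenancy (section 4);
# ConsentType 'Principal'     = a grant one end-user approved for themselves (section 5).
# Assumes the Microsoft.Graph PowerShell SDK and a directory role able to read applications.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Scopes that expose mail, files, contacts or directory writes deserve the closest look.
# This list is an assumption made for the example, not an official risk rating.
$highImpact = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
              'Contacts.Read', 'Files.ReadWrite.All', 'Directory.ReadWrite.All'

# Service principal lookups are slow; cache display names by object id.
$spCache = @{}
function Get-SpName([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
        $spCache[$Id] = if ($sp) { "$($sp.DisplayName) (publisher: $($sp.PublisherName))" } else { $Id }
    }
    return $spCache[$Id]
}

$report = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $who = if ($g.ConsentType -eq 'AllPrincipals') {
        'ALL USERS (admin consent)'
    } else {
        (Get-MgUser -UserId $g.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName
    }
    [pscustomobject]@{
        Application = Get-SpName $g.ClientId      # the 3rd party app that was granted access
        GrantedFor  = $who
        Resource    = Get-SpName $g.ResourceId    # what it can reach (e.g. Microsoft Graph)
        HighImpact  = ($scopes | Where-Object { $highImpact -contains $_ }) -join ' '
        AllScopes   = $scopes -join ' '
    }
}

# Tenancy-wide grants sort first; anything with a non-empty HighImpact column needs review.
$report | Sort-Object GrantedFor, Application | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

This covers delegated (on-behalf-of-a-user) grants only; application-only permissions held by a service principal are recorded as app role assignments and need a separate check.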