How to protect Office 365 from coronavirus-themed threats

Microsoft's new Office 365 security defaults and OAuth 2.0 support will help meet new US government recommendations to thwart COVID-related attacks. Make sure they are properly implemented.


The National Cyber Awareness System, part of the US Cybersecurity and Infrastructure Security Agency (CISA), recently released an alert about Microsoft Office 365 with guidance and security recommendations for Microsoft’s cloud service. The recommendations include adding multi-factor authentication (MFA) to both administrator and user accounts. You can whitelist the static IPs of your offices so when users remote into the office, they will not be prompted for MFA. I have seen, though, that the minute you roll out Office 365 mailboxes, attackers start to use brute force attacks on the mailboxes using harvested passwords.

Microsoft 365 security defaults

Microsoft has rolled out a concept of “security defaults” for Office 365. However, they are not enabled retroactively on existing tenants and are only rolled out on new tenants. These defaults, as noted by Alex Weinert, include the following:

  • Requiring all users and admins to register for MFA.
  • Challenging users with MFA -- mostly when they show up on a new device or app, but more often for critical roles and tasks.
  • Disabling authentication from legacy authentication clients that can’t do MFA.

Due to COVID-19, Microsoft is slowing down the implementation of these defaults. Basic authentication will not be disabled as soon as originally announced. Now they will be phasing it out in the second half of 2021. However, I recommend that you disable basic authentication now.
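One way to disable basic authentication ahead of Microsoft's schedule is an Exchange Online authentication policy, which by default blocks basic auth for every protocol. This is an added example, not code from the article; it assumes the Exchange Online PowerShell V2 module is installed, the signed-in account has Exchange admin rights, and the UPN and policy name are placeholders.

```powershell
# Added example (not from the article): block legacy/basic authentication in Exchange Online.
# Assumes the Exchange Online PowerShell V2 module and an Exchange admin account (placeholder UPN).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# A newly created authentication policy blocks basic auth for every protocol by default
# (all AllowBasicAuth* switches start out false).
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default so every mailbox without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# The default policy can take up to 24 hours to propagate. Assigning it per user and
# invalidating existing refresh tokens makes it bite much sooner.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Set-User -Identity $_.Identity -AuthenticationPolicy $policyName `
             -STSRefreshTokensValidFrom (Get-Date)
}

# Read the policy back to verify nothing is still allowed over basic auth.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
```

Test with a pilot group before the per-user loop: anything still speaking basic auth (old mail clients, scanners, scripted SMTP senders) stops working the moment its token is refreshed.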

The MFA methods available are a text message, a call to an office phone, or, preferably, an authenticator application. It doesn't have to be the Microsoft Authenticator app; the Google Authenticator app works as well.

Microsoft's OAuth 2.0 support

Microsoft has also rolled out OAuth 2.0 support for the IMAP and SMTP authentication protocols, and is working on OAuth 2.0 support for POP as well. Use Microsoft's instructions or work with your vendors to support these protocols in your organization.

Enable auditing

Auditing is a key requirement for determining what happened and when. Microsoft is in the process of rolling out logging by default, but it may not have reached your tenant yet. Review your settings to ensure that auditing is enabled. To turn it on, perform the following steps:

  • Sign into the Security & Compliance Center with your Office 365 admin account.
  • Select “Search” and then select “Audit log search”.
  • Select “Start recording user and admin activity”. If you don't see this link, auditing has already been turned on for your organization.

If you’ve just turned on auditing, it may take some time to enable the ability to search.
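The same switch can be flipped and verified from PowerShell, and once records are flowing the audit log is where you find the inbox-rule changes that attackers use to hide mail. This is an added example, not code from the article; it assumes the Exchange Online PowerShell V2 module, an Exchange admin account (placeholder UPN), and that Search-UnifiedAuditLog returns records in the standard AuditData JSON shape.

```powershell
# Added example (not from the article): enable unified audit logging and confirm it,
# then pull recent inbox-rule changes that forward or redirect mail.
# Assumes the Exchange Online PowerShell V2 module and an Exchange admin account (placeholder UPN).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Equivalent of "Start recording user and admin activity" in the Security & Compliance Center.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Read it back; the change can take a while to show as $true, and searches lag further.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# Inbox rules created or modified in the last 7 days. Exchange records these as admin-audit
# events whose AuditData JSON carries the cmdlet parameters and the client IP.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

foreach ($e in $events) {
    $data    = $e.AuditData | ConvertFrom-Json
    # Only the parameters that move mail somewhere else are interesting here.
    $forward = $data.Parameters |
        Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' }
    if ($forward) {
        [pscustomobject]@{
            When      = $e.CreationDate
            User      = $e.UserIds
            Operation = $e.Operations
            ClientIP  = $data.ClientIP
            Target    = ($forward | ForEach-Object { $_.Value }) -join ';'
        }
    }
}
```

A forwarding rule created from an IP address you do not recognise, minutes after a login from a new location, is the classic sign of a mailbox that has already been taken over.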

Screenshot: Audit log search (Susan Bradley)

Set up alerts

Next, the National Cyber Awareness System recommends that you set up alerts for suspicious activities. You need to ensure you have the proper Microsoft license for this process. As Microsoft notes:

“Alert policies are available for organizations with a Microsoft 365, Office 365 Enterprise, or Office 365 US Government E1/F1/G1, E3/G3, or E5/G5 subscription. Advanced functionality is only available for organizations with an E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/G3 subscription and an Office 365 Advanced Threat Protection (ATP) P2 or a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on subscription. The functionality that requires an E5/G5 or add-on subscription is highlighted in this topic. Also note that alert policies are available in Office 365 GCC, GCC High, and DoD US government environments.”

I recommend that you review whom attackers will target in your environment. Then add an advanced license and attach it to the person or persons who need additional protection. For example, I recommend adding this license to tech administrators and to key employees who would be targeted for phishing attacks, such as high-level executives. You may also add alerting for those executives' assistants, especially if you see attacks now. At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent-email thresholds. Also, limit Outlook's ability to set up email-forwarding rules, as attackers often use them to hide financial attacks, especially those involving bank transfers.
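Limiting forwarding has two halves: find what is already forwarding, then stop automatic forwarding to outside domains at the transport layer. This is an added example, not code from the article; it assumes the Exchange Online PowerShell V2 module, an Exchange admin account, and that the UPN and accepted domain shown are placeholders for your own.

```powershell
# Added example (not from the article): inventory mail forwarding, flag anything external,
# and disable automatic forwarding to external domains.
# Assumes the Exchange Online PowerShell V2 module and an Exchange admin account (placeholder UPN).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$internalDomain = 'contoso.example'   # placeholder: one of your accepted domains

# 1. Mailbox-level forwarding (set by an admin, or by the user under Outlook settings).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect, checked mailbox by mailbox. Rule targets come back
#    as strings such as "Name [SMTP:user@domain]", so a wildcard match on the domain is enough.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $mbx = $_.UserPrincipalName
    Get-InboxRule -Mailbox $mbx |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join ';'
                External = [bool]($targets | Where-Object { $_ -notlike "*@$internalDomain*" })
            }
        }
}

# 3. Block automatic forwarding to every external domain. Internal forwarding keeps working;
#    a user-created rule that forwards outside the tenant simply fails to deliver.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Review the External = True rows with the mailbox owners before you delete anything; some will be legitimate, and the rest are evidence worth preserving.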

Next, integrate the logs into your existing security information and event management (SIEM) solutions or investigate using Microsoft Azure Sentinel, its new logging platform. You can natively port the logs from 365 into Sentinel, which uses Log Analytics.

Review the Microsoft Secure Score to see how you can increase your security. As the FBI recently indicated, attackers are using COVID-19 related themes to obtain account credentials. Protect and educate your users so that they can protect your firm. Report any COVID-related attacks you see to the FBI.


Copyright © 2020 IDG Communications, Inc.
