Office 365 (now named Microsoft 365) features a line of cloud-based, online versions of Microsoft Word, PowerPoint, Excel and OneNote. It enables productivity and collaboration services, and is used widely by organizations and enterprises. As a result, it is also often targeted by attackers for access to company files and data.
Office 365 attacks are often making headlines, with the most recent incidents involving OAuth – the authorization feature that allows you to sign in using Google or Facebook instead of creating a new account across different third-party services.
The latest attack, reported this month, starts with a phishing email impersonating Coinbase, urging users to click a link to update their Terms of Service. Users are served an OAuth prompt to consent to granting access to their email – which then gives attackers access to their Office 365 email inboxes, according to Threatpost.
Proofpoint detailed a similar ongoing consent-based attack in the past year that leveraged OAuth2 to conduct account reconnaissance, steal data or intercept password reset messages. These attacks show the importance of being able to detect anomalous login behavior and any potential suspicious misuse of email accounts.
In September, a rise in Office 365 attacks against organizations involved in political elections was reported by Microsoft (as I wrote about in Protect Against the Rise in Office 365 Attacks). In this case, attacker tactics included brute-force attacks and password spraying instead of phishing.
Blumira integrates with Microsoft Office 365 to stream Office 365 security event logs and alerts to the Blumira service for automated threat detection and actionable response.
These are just a few examples of anomalous, suspicious and threat-like behavior and activity within Microsoft Office 365 that you should be able to quickly detect and alert on.
Office 365 Anomalous Access Attempts
To protect against unauthorized access to your Office 365 server, you should be able to detect login attempts using password spraying. Password spraying, an attacker method of attempting a few authentications against many users or many authentications against one user, is a way to avoid brute-force or lockout detections. Blumira detects this and provides guidance on response – block the source IPs immediately and consider resetting passwords for targeted users.
Office 365 Authentication Outside of U.S.
Another detection to protect against unauthorized access is based on geographical location. By detecting any user attempts to authenticate to your network outside of the U.S. (or any countries you don’t do business with or in), you can be alerted to a potential login risk. Blumira can detect and alert you to any anomalous logins from different countries, which can be remote users or a malicious attacker attempting to authenticate to the network with legitimate user credentials.
Office 365 Email Forwarding Enabled
Another potential risk is if you detect a user enabling email forwarding for another user, targeting an organization. Unless it’s known and approved, Blumira recommends immediately stopping email forwarding, as it is often the first step in attacks against Office 365 environments. It’s worth considering disabling all email forwarding to reduce potential information leakage, and only allowing access when needed.
Learn more about how easy it is to integrate Blumira with Microsoft Office 365 to stream security events and logs to Blumira’s service for automated threat detection and response.
According to a Check Point analysis, Microsoft was the most impersonated brand in phishing attacks during the third quarter of this year at 19%, rising to the top due to the shift to remote work during the pandemic.
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
In this guide, you’ll learn: