At 260 million monthly users, Microsoft 365 is one of the most widely used cloud collaboration tools in the market today – which means it’s also often targeted by attackers seeking to compromise accounts, steal data and commit financial fraud.
With the shift to cloud applications and services, many attackers now target users and their endpoints as an easy way to get their foot in the door of organizations, especially small and mid-sized businesses (SMBs). By focusing on identity-based risks, organizations can more effectively protect themselves against critical threats and help prevent a breach.
But it’s hard to know where to start on that security journey, and SMBs are often ill-equipped.
What are the real problems that SMBs are facing when it comes to reducing risk, meeting compliance and continuously improving their security posture?
- Lack of people, process and tools to build, manage and maintain a security program
- Not knowing what is critical or a priority to focus on, or how to react quickly and accurately in a stressful situation to address a threat
- Unable to dedicate resources to security alone – often IT teams that are stretched thin must double as security teams at smaller organizations
- Finance or CFOs may lack expertise on what solutions to invest in to help meet compliance requirements and cybersecurity insurance policies for log monitoring, data retention or audit trails
Attackers are also increasingly targeting SMBs as an easy way into enterprise networks, a popular and effective route to compromise seen in supply chain attacks around the world. By equipping SMBs with the right tools, built for them to understand and easily manage, we can help make the world a safer place while educating their existing teams and encouraging security growth.
Simplified for SMBs: Free Microsoft 365 Security
That’s why Blumira has designed a free edition of our cloud SIEM, complete with detection and response that’s built with SMBs specifically in mind. We took a typically complicated, advanced and enterprise-focused technology and simplified it to make it easy for small IT teams to set up, get operational and get to security value faster than the industry standard of several months to deploy a SIEM. Our Free edition is not a trial, but an edition you can continue to use and get security value from.
Here’s the value of what you get for free:
- Security monitoring for Microsoft 365, with unlimited users and data (no special licensing required)
- Easy, guided setup with Cloud Connectors that takes only minutes
- Detection rules automatically rolled out to your account, fine-tuned to filter out the noise
- Summary dashboard of key findings and security reports
- Playbooks with each finding to guide you through response steps
- One week of log data retention – upgrade for up to one year
Learn more about what you get and sign up free.
Identify and Respond to Critical Microsoft 365 Threats
Like any popular cloud application, attackers often target Microsoft 365 to take over and compromise legitimate user accounts. In 2020, a survey of IT professionals using Microsoft 365 found that 70% reported an average of 7 account takeovers in the past year, according to Vectra.
For SMBs in particular, the 2021 Verizon Data Breach Investigations Report (DBIR) found that the patterns of system intrusion and compromised credentials (44% of data compromised) were the top attack trends, overwhelmingly motivated by financial gain (95%).
The DBIR also reported that business email compromise (BEC) was the second most common form of social engineering attacks, noting a jump in social engineering breaches since 2017, which they correlated to the uptick in the compromise of cloud-based email servers.
With these trends in mind, Blumira’s incident engineering team has developed and tested specific Microsoft 365 rules to detect critical techniques used in account takeovers and BEC attacks so you can identify an attack in progress early enough to limit its damage. The team continuously releases new rules every two weeks to help SMBs defend against the latest evolving threats.
Consider a typical chain of attacker techniques used in BEC attacks: an attacker might disable multi-factor authentication (MFA) on a legitimate user account to make it easier to compromise the account, then create a new inbox rule that deletes incoming messages to evade detection of the compromise. Blumira provides detection rule coverage for these types of techniques so you can identify an attack early and stop it.
Learn more in Securing Microsoft 365: Protecting Against Business Email Compromise.
We Do the Heavy Lifting For You: Automated Rule Deployment
While traditional SIEM providers require you to develop and maintain your own rules, or pay for additional custom rule development, Blumira’s engineering team has built automated rule deployment into its free edition to make it easy for you to take advantage of ready-to-go detections, activated immediately after you set up a third-party integration.
Here are some of the detection rules you’ll get for free, triggered in near real-time – as well as playbooks that come with every finding to guide you through next steps to respond and help contain a threat:
User & Access Security
- Multi-factor authentication (MFA) is disabled for an Azure Active Directory (AD) user
- Anomalous access attempts or the creation or deletion of an application password
- Anytime a user clicks on a malicious URL or is restricted from sending an email
- Any impossible travel activity, indicating unauthorized access
- Multiple failed user logon attempts
Attacker Activity
- Privilege escalation of Exchange admin accounts
- When an Azure AD global admin role is assigned to a user
- Creation of forwarding & redirect rules
- Suspicious inbox rule creation
- When files are shared with personal email addresses
- The mass download of files
- Whenever an email send limit is exceeded, which helps protect against spam campaigns
Unusual Behavior
- Any activity from anonymous or suspicious IP addresses
- Activity from infrequent countries or terminated users
- Any unusual external file activity
- Increases in phishing emails, or in the ISPs (internet service providers) seen for an OAuth application
- Any suspicious email sending patterns detected
Ransomware & Malware
- Ransomware activity (high rate of file uploads or deletion activity could indicate an adverse encryption process)
- Malware campaigns detected in SharePoint and OneDrive
- Malware campaigns detected after delivery
- Malware auto-purge failed due to user configuration (Microsoft’s email protection features disabled)
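To make the account-takeover chain described earlier (MFA disabled, then a suspicious inbox rule or external forward) concrete, here is an added example of how such detections can be expressed as code. This is illustrative code written for this article, not Blumira's detection engine or Microsoft's API. It assumes audit records shaped like Microsoft 365 Unified Audit Log entries (`Operation`, `Workload`, `UserId`, and a `Parameters` list for Exchange cmdlets); the tenant domain, users, timestamps and addresses in the sample log are constructed, and the choice to read the target user of an MFA change from `ObjectId` is an assumption.

```python
import re
from datetime import datetime, timedelta

# Hypothetical tenant domain(s); any other domain is treated as external.
TENANT_DOMAINS = {"contoso.example"}
# How long after an MFA-disable event a mailbox change still counts as the same chain.
CHAIN_WINDOW = timedelta(hours=24)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records in the shape of Unified Audit Log entries (not real data).
SAMPLE_LOG = [
    {"CreationTime": "2023-03-01T08:02:11", "Workload": "AzureActiveDirectory",
     "Operation": "Disable Strong Authentication.", "UserId": "admin@contoso.example",
     "ObjectId": "alice@contoso.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-03-01T08:15:40", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-03-01T09:01:05", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker.example"}]},
    {"CreationTime": "2023-03-01T10:30:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@contoso.example", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "MoveToFolder", "Value": "Projects"},
                    {"Name": "From", "Value": "carol@contoso.example"}]},
]


def _params(record):
    """Flatten the Exchange cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Return e-mail addresses in a parameter value whose domain is not a tenant domain."""
    return [a for a in EMAIL_RE.findall(value or "")
            if a.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS]


def detect_mfa_disabled(record):
    """Rule: MFA (strong authentication) was disabled for a user by some actor."""
    if (record.get("Workload") == "AzureActiveDirectory"
            and record.get("Operation") == "Disable Strong Authentication."):
        # Assumption: the affected user is carried in ObjectId, the actor in UserId.
        return {"rule": "mfa_disabled", "user": record.get("ObjectId"),
                "reason": f"disabled by {record.get('UserId')}"}
    return None


def detect_suspicious_inbox_rule(record):
    """Rule: inbox rule that deletes mail, forwards externally, or has a blank name."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(record)
    reasons = []
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule deletes incoming mail")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = _external_addresses(p.get(key))
        if ext:
            reasons.append(f"{key} sends mail to external {ext}")
    if not p.get("Name", "").strip(". "):
        reasons.append("rule name is blank or punctuation only")
    if reasons:
        return {"rule": "suspicious_inbox_rule", "user": record.get("UserId"),
                "reason": "; ".join(reasons)}
    return None


def detect_mailbox_forwarding(record):
    """Rule: mailbox-level forwarding set to an address outside the tenant."""
    if record.get("Operation") != "Set-Mailbox":
        return None
    p = _params(record)
    ext = (_external_addresses(p.get("ForwardingSmtpAddress"))
           + _external_addresses(p.get("ForwardingAddress")))
    if ext:
        return {"rule": "external_mailbox_forwarding", "user": record.get("UserId"),
                "reason": f"forwarding to {ext}"}
    return None


RULES = (detect_mfa_disabled, detect_suspicious_inbox_rule, detect_mailbox_forwarding)


def run_detections(records):
    """Apply every rule to every record; return findings enriched with time and source IP."""
    findings = []
    for rec in records:
        for rule in RULES:
            finding = rule(rec)
            if finding:
                finding["time"] = datetime.fromisoformat(rec["CreationTime"])
                finding["ip"] = rec.get("ClientIP")
                findings.append(finding)
    return findings


def correlate_takeover_chain(findings):
    """Users whose MFA was disabled and who then got a suspicious rule/forward within CHAIN_WINDOW."""
    mfa_times = {f["user"]: f["time"] for f in findings if f["rule"] == "mfa_disabled"}
    chained = set()
    for f in findings:
        if f["rule"] in ("suspicious_inbox_rule", "external_mailbox_forwarding"):
            t0 = mfa_times.get(f["user"])
            if t0 is not None and timedelta(0) <= f["time"] - t0 <= CHAIN_WINDOW:
                chained.add(f["user"])
    return sorted(chained)


if __name__ == "__main__":
    results = run_detections(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['rule']:28} {f['user']} ({f['ip']}): {f['reason']}")
    print("account-takeover chain candidates:", correlate_takeover_chain(results))
```

Run stand-alone, the script flags three of the four constructed records (the MFA change, the mail-deleting rule and the external forward, all for the same account) and leaves Bob's ordinary move-to-folder rule alone; the correlation step then surfaces Alice as the one account where the individual findings line up into the takeover pattern described above. In a real deployment the per-record rules are the easy part; the correlation window and the tenant domain list are the settings that decide how noisy the result is.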
When you use our Free edition, you can see a full list of rules activated and applied to your account in your summary dashboard:
You can upgrade to any paid edition to see detailed descriptions of each detection rule and turn specific rules on and off to suit your organization’s needs. See our new feature and access it from Settings > Detection Rules:
Easy-to-Run Security Reports
To help you see security trends across your organization, which can be useful for compliance requirements, forensics and investigation, we provide free security reports you can easily run with one click.
Here are a few examples of the types of pre-built, global reports you get for free with our Report Builder:
- Disabled Azure AD accounts, deleted contacts and any group changes
- Password changes or resets, and user or device added
- Failed user login attempts, overall login reports and logins outside of the U.S., Canada and Mexico
- Impossible travel activity and successful logins outside of the U.S.
- Delegation of mailbox permissions, mail items accessed (other than the owner) and emails forwarded to new domains
- Files previewed or accessed in SharePoint
Upgrade to a paid edition for advanced reporting features, including the ability to easily schedule reports to send periodically to your team.
Security Summary Dashboard
Free users also have access to their summary dashboard to view:
- Number of logs ingested, events detected and analyzed, suspects and findings generated
- Detection rules and a list of each one applied to your account
- Cloud Connector status to indicate your M365 integration is working correctly
- Instructions on how to run a test to verify detection rules are working correctly
- Example list of pre-built or global reports available in your account, including one popular report (see below)
- Example findings and playbooks to view immediately
Sign Up For Blumira’s Free Edition
See how easy it is to sign up and start getting value from your free account (see transcript here):
Our help center provides articles and step-by-step documentation on how to get started, and we will send you emails with onboarding instructions once you sign up to get you up and running in no time.
Want more coverage, 24/7 support or longer data retention for compliance? Check out our other plans to learn about our paid editions to see which one is right for your organization.
Additional Resources
Learn more about what we provide for free for SMBs:
Thu Pham
Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...