The security threat landscape continues to evolve as more companies transition from self-hosted e-mail and collaboration services to cloud-hosted services, such as Microsoft’s M365. Because compromising cloud accounts offers relatively low risk and high reward potential, malicious actors have shifted their focus to users of cloud services.
How do these compromises occur?
Password Spraying: According to Microsoft, approximately 40% of detected M365 compromises occur due to password spraying. Password spraying is a tactic where a bad actor tries commonly used or easy-to-guess passwords against a list of usernames. By timing their attempts carefully, an attacker can use this method while staying under account lockout thresholds. Once an attacker targets you or your business, they can automate login attempts until they eventually compromise your accounts.
Phishing: Another common method is to trick a user into granting account access by phishing. Phishing is the attempt to obtain sensitive information or data, such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity.
Reusing Passwords: With 60% of people using the same passwords for multiple accounts, the “reuse” of passwords also increases the chances of a compromise. By using the same password for multiple companies or services, users give attackers an opportunity to use passwords they have already gathered through previous attacks on different companies or services. Any compromised data attackers already have access to can be used to attack other services like M365.
Other: In addition to the methods listed above, attackers continue to search for and exploit security vulnerabilities to gain access to data in any way they can. New techniques and methods will continue to evolve as technology advances.
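Password spraying, as described above, leaves a recognizable pattern in sign-in logs: one source failing against many different accounts, with only a few attempts per account. The following detection sketch is an added example, not part of the original article; the log format, field order, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, user, source IP, outcome (not real data).
SAMPLE_LOG = """\
2020-09-01T08:00:05Z alice@example.com 203.0.113.7 FAILURE
2020-09-01T08:10:11Z bob@example.com 203.0.113.7 FAILURE
2020-09-01T08:20:02Z carol@example.com 203.0.113.7 FAILURE
2020-09-01T08:30:44Z dave@example.com 203.0.113.7 FAILURE
2020-09-01T08:40:19Z erin@example.com 203.0.113.7 SUCCESS
2020-09-01T09:01:00Z bob@example.com 198.51.100.20 FAILURE
2020-09-01T09:01:20Z bob@example.com 198.51.100.20 FAILURE
2020-09-01T09:01:45Z bob@example.com 198.51.100.20 FAILURE
2020-09-01T09:02:10Z bob@example.com 198.51.100.20 SUCCESS
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, user, ip, result))
    return sorted(events)

def detect_spray(events, window=timedelta(hours=1), min_users=4, max_per_user=2):
    """Flag source IPs that fail against many accounts, a few tries each."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAILURE"]
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - first[0] <= window:
                    per_user[e[1]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source after the spray began needs urgent review.
                wins = {e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= first[0]}
                findings[ip] = {"targets": set(per_user), "successes": wins}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(ip, sorted(f["targets"]), sorted(f["successes"]))
```

The user who mistypes a password three times from one address is not flagged, because only one account is involved. The window and thresholds should be set relative to the tenant's own lockout policy.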
What does an attacker do once they are in?
Once an account is compromised, a common exfiltration tactic is to create two forwarding rules. One rule sends all inbound email to the malicious actor; the second rule hides their tracks by permanently deleting the traces of those forwarded emails. Once the attacker has access to your data, they examine how your business operates and identify your employees, customers and vendors. They then use that information to masquerade as you or a representative of your business to trick your employees, customers, or vendors into things like fraudulent payments, wire transfers or further data compromise. By the time you find out about this activity, the money and/or data is gone, along with your business’s reputation.
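The rule pair described above can be looked for in an export of mailbox rules. This audit sketch is an added example, not part of the original article; it assumes rules exported as records using the Exchange Online Get-InboxRule property names (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage) with recipients reduced to plain SMTP addresses, and the "Mailbox" key, domain list and sample rules are constructed.

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

def rule(mailbox, name, forward=(), redirect=(), delete=False):
    """Build one constructed rule record in the assumed export shape."""
    return {"Mailbox": mailbox, "Name": name, "ForwardTo": list(forward),
            "RedirectTo": list(redirect), "ForwardAsAttachmentTo": [],
            "DeleteMessage": delete}

# Constructed sample export (not real data).
SAMPLE_RULES = [
    rule("alice@example.com", ".", forward=["drop@mail.example.net"]),
    rule("alice@example.com", "..", delete=True),
    rule("bob@example.com", "To assistant", forward=["carol@example.com"]),
    rule("dave@example.com", "Newsletters", delete=True),
    rule("erin@example.com", "Copy", redirect=["erin@personal.example.org"]),
]

def external_targets(r):
    """Addresses a rule sends mail to that are outside the tenant's domains."""
    addrs = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        addrs += r.get(key) or []
    return sorted(a for a in addrs
                  if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)

def audit(rules):
    """Flag mailboxes that forward externally; 'high' if they also delete mail."""
    per_mailbox = {}
    for r in rules:
        m = per_mailbox.setdefault(r["Mailbox"], {"external": [], "deletes": []})
        m["external"] += external_targets(r)
        if r.get("DeleteMessage"):
            m["deletes"].append(r["Name"])
    findings = {}
    for mailbox, m in per_mailbox.items():
        if m["external"]:
            findings[mailbox] = {
                "severity": "high" if m["deletes"] else "medium",
                "external": m["external"],
                "delete_rules": m["deletes"],
            }
    return findings

if __name__ == "__main__":
    for mailbox, f in audit(SAMPLE_RULES).items():
        print(mailbox, f)
```

Internal forwarding and delete-only rules are left alone here; it is the combination of external forwarding with a delete rule on the same mailbox that matches the pattern the article describes.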
Estimating the cost of a compromise:
According to Hiscox’s 2018 Small Business Cyber Risk Report, the average cost estimate for a single cyber-security event was just over $34,000 for a small business. The following year, in the 2019 Cyber Readiness Report, Hiscox estimates rose to just shy of $200,000. Punitive and corrective costs aside, the real damage is most likely the lost confidence and diminished reputation compromised businesses face. In fact, this combination of monetary and reputational damage is so substantial that 60% of small businesses close within 6 months of a data breach or cyber attack. Even if a business survives an attack and its immediate aftermath, future damages will continue to have an impact and are almost impossible to accurately calculate. It is vital for businesses to protect themselves against attacks, and there are several security features businesses can use to reduce their risks while using cloud services.
Where can technology help?
The first technology, Multi-Factor Authentication or MFA, is used to ensure that an individual attempting to log into the system is indeed the user who is authorized to log into the system. While we have been accustomed to a common username and password challenge for as long as some of us can remember, MFA takes authentication a step further and requires a secondary mechanism to ensure that successful logins are only made by the user who is approved to log in. MFA can be achieved with an approved mobile application, an SMS text, or a phone call. Each offers a different level of security, but all add a layer of security on top of a traditional username and password challenge. You may already be familiar with MFA, as many of our personal services like banking, commerce websites, and other online services already use it. Microsoft’s M365 MFA technology is easy to implement and offers a high level of confidence that nobody is logging into your accounts but you. How well does this work? Microsoft Engineers have disclosed that 1.2 million accounts were compromised in the month of January 2020 alone, and of all compromised accounts 99.9% did not have MFA enabled.
A second, complementary technology is Conditional Access. You can think of Conditional Access as the Microsoft 365 service’s “firewall.” With Conditional Access, one can create a series of rules that reduce the methods available to malicious actors. For example, rules can be created that only permit access to your Microsoft 365 service from approved network(s), disallow geographic locations outside of the United States and enforce MFA for all users at all times.
How do I get access to this technology?
Microsoft has a set of licensing and entitlement requirements to effectively enable both MFA and Conditional Access for your organization. The Conditional Access tool is sometimes offered as a value-added item on specific Microsoft 365 product tiers, or it can be added to an existing subscription as a stand-alone. Please contact your IT Department, vendors, or your service providers to ask whether these entitlement requirements are being met at your current subscription levels.
Cimpanu, C. (2020, March 6). Microsoft: 99.9% of compromised accounts did not use multi-factor authentication. Retrieved September 2, 2020, from https://www.zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication/
Hiscox. (2018). 2018 HISCOX Small Business Cyber Risk Report ™. Retrieved September 1, 2020, from https://www.hiscox.com/documents/2018-Hiscox-Small-Business-Cyber-Risk-Report.pdf
Hiscox. (2019). Hiscox Cyber Readiness Report 2019. Retrieved September 1, 2020, from https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf
Johnson, R., III. (2019, January 2). 60 Percent Of Small Companies Close Within 6 Months Of Being Hacked. Retrieved September 1, 2020, from https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/#:~:text=In fact, 60 percent of,to monitor suspicious network activity.
Microsoft. (2020, May 21). What is Conditional Access? Retrieved September 1, 2020, from https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview