Microsoft Office and the catch 22

Ten steps to secure your Office 365 environment

Microsoft Office 365 often forms the heart of an enterprise’s operations, facilitating almost all data storage and sharing as well as being the Identity Provider brokering access to a myriad of other SaaS applications. The broad scope of capabilities and data afforded to a Microsoft Office 365 user means compromising an account can enable an attacker to cause massive harm with ease.

Office 365 provides direct access to files and data that are priority targets of theft or ransom. These accounts also provide cyber criminals the ability to move laterally to other users by either poisoning internal content or reply-jacking internal email threads.

Many products focus on preventing compromise of Office 365 accounts. However, when prevention fails, they don’t offer detection to find and stop the compromises before damage is done.

When you think about all the different types of activity that users perform within Office 365, how certain can we be that every action was performed by a legitimate user and not by a threat actor working to take over an account? In fact, Vectra recently surveyed over 1,000 security professionals, and an astonishing 71% revealed they had suffered an average of 7 account takeovers of authorised users over the last 12 months.

We probably shouldn’t be surprised by this level of attack activity, especially considering the popularity of Office 365 and its hundreds of millions of users. It’s a powerful productivity tool that continues to provide many connectivity and collaboration benefits to teams near and far. So, while Microsoft has built an incredible platform that many companies can’t live without, cybercriminals view this large pool of users as an opportunity to try and swoop in and take over accounts.

So, how can we spot the malicious activity and get the right alerts to security teams, so they aren’t spending valuable cycles chasing benign activity? Thankfully, collecting the right data and using meaningful artificial intelligence (AI) can help organizations have a vision for what authorized use looks like when it comes to the cloud service they adopt.

Vectra Cognito Detect uses the power of AI plus threat research to detect and prioritize in-progress attacks in real-time. It can identify and stop attackers operating in your Microsoft Office 365 environment and any federated SaaS application using Azure AD. Critical threats such as the use of privileged access accounts are identified and prioritised so they can be shut down before the intruder has a chance to execute their attack.

AI software such as Cognito Detect would always be at the top of our recommended approach to securing your Office 365 environment. However, here are the steps you should be taking at a minimum to protect your environment against compromised accounts. The top 10 are as follows:

1. Understand your privileged accounts

You need to have a solid understanding of which accounts can access sensitive data or use powerful Microsoft Office 365 tools such as eDiscovery. These accounts will be the prime target for threat actors. Strictly limiting system and tool access to those required by job roles will limit the damage a compromised account can inflict.

2. Measure the right metrics

Any metrics used to measure security effectiveness must pass the “so what?” test – it must drive action, not just inform. Measuring time to acknowledge, time to respond, repeated incidents and reinfection rates will provide a strong indication of how effectively your team is identifying and closing threats.

3. Implement MFA

Multi-factor authentication may not be the golden ticket of securing accounts, but it is still a very important tool for slowing attackers down. If you don’t already, you should ensure that all accounts are using MFA.

4. Minimise configuration complexity

Transitional hybrid cloud environments can deliver the worst of both worlds in security, creating redundancies and blind spots that can be exploited. Lengthy transitions strain your IT and security resources and increase risk, so try to focus on accelerating the process to simplify and streamline your environment.

5. Conduct regular testing

Exercises such as penetration testing and red teaming will help assess the foundation of your security confidence by identifying vulnerabilities and attack paths. Tests must be repeated on a regular basis to ensure that fixes are improving your security standing.

6. Train all your staff – security included

As you continue to transform your operations, you must ensure your workforce is aware of how to use new tools safely, as well as educating them about threats such as adversaries impersonating the IT team in phishing emails. Greater awareness will reduce the success of initial compromise attempts. You also need to ensure your security personnel are up to speed with your new environment and can switch over from traditional perimeter-based strategies to the more open borders of the cloud.

7. Understand how tools are being used

Microsoft Office 365 tools like eDiscovery and Power Automate are devastating in the wrong hands. You need to gain context for how these tools are being used and build an accurate picture of what normal behaviour for these tools looks like. Incorrect and malicious activity needs to be identified immediately and stopped before the damage can be done.
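As an added illustration of this step (example code, not from the original article or from Vectra's product), the following Python builds a per-user baseline of which Office 365 operations each account normally performs and flags the first time a user performs a high-impact operation such as creating an eDiscovery search or a Power Automate flow. The audit records are constructed samples laid out with Unified Audit Log field names (CreationTime, UserId, Workload, Operation); the operation names themselves are assumptions to confirm against your own tenant.

```python
from collections import defaultdict
from datetime import datetime

# High-impact operations to watch. The names are assumptions modelled on the
# Unified Audit Log; confirm them against the records your tenant emits.
SENSITIVE_OPS = {
    "SearchCreated": "eDiscovery content search created",
    "SearchExported": "eDiscovery search results exported",
    "CreateFlow": "Power Automate flow created",
}

# Constructed sample records in the Unified Audit Log field layout.
SAMPLE_RECORDS = [
    {"CreationTime": "2021-04-12T09:10:00", "UserId": "legal.analyst@example.com",
     "Workload": "SecurityComplianceCenter", "Operation": "SearchCreated"},
    {"CreationTime": "2021-04-20T14:02:00", "UserId": "legal.analyst@example.com",
     "Workload": "SecurityComplianceCenter", "Operation": "SearchExported"},
    {"CreationTime": "2021-04-22T10:30:00", "UserId": "sales.rep@example.com",
     "Workload": "OneDrive", "Operation": "FileAccessed"},
    {"CreationTime": "2021-05-03T08:45:00", "UserId": "legal.analyst@example.com",
     "Workload": "SecurityComplianceCenter", "Operation": "SearchCreated"},
    {"CreationTime": "2021-05-03T23:15:00", "UserId": "sales.rep@example.com",
     "Workload": "SecurityComplianceCenter", "Operation": "SearchCreated"},
    {"CreationTime": "2021-05-04T01:20:00", "UserId": "sales.rep@example.com",
     "Workload": "PowerPlatform", "Operation": "CreateFlow"},
    {"CreationTime": "2021-05-04T09:00:00", "UserId": "legal.analyst@example.com",
     "Workload": "SecurityComplianceCenter", "Operation": "SearchExported"},
]

def build_baseline(records, cutoff):
    """Map each user to the set of operations they performed before the cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if datetime.fromisoformat(r["CreationTime"]) < cutoff:
            baseline[r["UserId"]].add(r["Operation"])
    return baseline

def detect(records, cutoff_iso):
    """Flag sensitive operations a user performs for the first time after the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        op = r["Operation"]
        if (datetime.fromisoformat(r["CreationTime"]) >= cutoff
                and op in SENSITIVE_OPS
                and op not in baseline.get(r["UserId"], set())):
            # A user stepping outside their established tool usage is the signal here.
            alerts.append((r["CreationTime"], r["UserId"], SENSITIVE_OPS[op]))
    return alerts
```

With a 1 May cutoff, the legal analyst's repeated searches match their baseline and are ignored, while the sales account's first eDiscovery search and first flow creation are both flagged for review.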

8. Gain a unified view across your environments

Adversaries will freely move between your traditional and cloud networks in pursuit of their goals, but it is difficult to connect the dots between separate security tools monitoring different environments. You need to be able to identify malicious behaviours across your IT network, SaaS cloud environment, data centre, and anywhere else attackers may exploit. NDR (Network Detection and Response) is essential here.

9. Use AI to accelerate and automate your response times

You aren’t the only one benefiting from the increased speed and scale of the cloud; threat actors are too. The use of well-defined APIs means attackers can drastically shorten the exploration phase and begin executing their attack much faster. AI and machine learning enhanced analytics are key to rapid identification of malicious activity and to automating response activity.

10. Cut through the noise

Rapid response capabilities are essential, but only half the story. Without a high-fidelity signal that cuts through the noise, overzealous automated defences may be triggered by false positives. AI-powered NDR will ensure that downstream response orchestration is accurate and reliable as well as fast.

Give us a call today to discuss your options for securing your Microsoft Office 365 environment: 0800 463 673.

Article written in collaboration with Vectra and InPhySec, with excerpts taken from Matthew Pieklik’s Vectra blog of May 19, 2021. The original blog can be found here.
