How do you effectively protect Office 365? The issue has never been as critical as it is today. The latest edition of our “Phishers’ Favorite” ranking named Microsoft as the No. 1 company in terms of exposure to phishing attacks. With 2.3 times more phishing URLs detected in the 4th quarter of 2018, the Redmond firm remains far ahead of Netflix or PayPal. The price of success: in one of its latest activity reports, Microsoft claims to have 155 million users active on Office 365, with a monthly growth rate of over 3 million.
It must be said that Office 365 has no shortage of arguments for winning new users over. Its strengths in a nutshell:
- Office 365 is now a complete collaborative suite: productivity tools (Word, Excel, PowerPoint), email (Outlook) and collaboration (SharePoint, Teams); it has it all.
- Office 365 works from software installed on users’ workstations as well as in the cloud.
- Microsoft also offers its tools on mobile devices with apps whose ergonomics have significantly improved in recent months.
- The email system is based on Microsoft Exchange, which provides great flexibility in all collaboration tasks (calendar synchronization, videoconferencing, resource sharing, etc.).
- Administrators can review the main aspects of security from a dedicated security interface: defining password policies, managing the lifecycle of sensitive data, and viewing message flows and alerts, which can trigger notifications. In short, from identities to infrastructure and data, the vendor offers a kind of control tower.
In practice, however, this control tower suffers from several blind spots, and the news regularly proves it. In late 2017, Microsoft released a Patch Tuesday fix for a vulnerability in Office and Office 365 that was linked to a piece of vestigial code dating back to 2000. Given the amount of code to be maintained, Microsoft concedes that even recent products may have vulnerabilities.
In early 2018, another threat specific to the Office 365 environment made the headlines: “ShurL0ckr”, a “Ransomware as a Service” platform, targets and infects OneDrive (Office 365) collaborative storage areas, encrypting the data it finds. Above all, it is undetectable by Office 365 anti-malware filters. Stealthy attacks of this kind can steal passwords, Bitcoin wallets and software keys, launch denial-of-service attacks, and more.
Office 365 credentials: hackers’ gold
Threats are increasingly advanced and hard to detect. For example, they invite their future victims to open an infected document contained in a ZIP file provided as an attachment, or to click on a corrupted link. A single successful attack can have serious consequences for the company, and this is even more true in a centralized, collaborative environment like Office 365. It should be recalled that, according to Cisco’s annual cybersecurity report, Office files are the file type most commonly used to deliver malicious code.
Hackers’ interest in the Office environment makes sense: Office 365 credentials are very valuable because they provide access to all hosted applications – and data! Even within a large organization, a handful of credentials is enough to send spear phishing emails (or CEO fraud) to colleagues or business partners of the compromised users. And since these attacks come from legitimate accounts, traditional security solutions are unlikely to detect them.
This type of scenario illustrates the main weaknesses of Office 365:
- Office 365 offers two levels of email security options, called “Exchange Online Protection” and “Advanced Threat Protection”, whose level of protection ranks in the low-middle of the market, according to the SE Labs study “Email-hosted protection” conducted in August 2017.
- The same study noticed a high level of false positives for the proposed protection solutions.
- The proposed protection systems, especially Microsoft Exchange Online Protection (EOP), do not detect unknown phishing and spear phishing attacks.
- Even if Microsoft takes reactive action to counter new threats, as was the case with the Cerber Ransomware, a few hours without protection are enough to put the company’s information assets at risk.
- Due to the technologies they use, the proposed protection solutions guarantee efficacy against known threats. But… what about new threats that bypass existing security systems?
- Internal email (messages exchanged between users of the same organization) is not scanned.
Does this mean that a cloud offering such as Office 365 is less reliable than an on-premises solution? No: the cloud version is better protected than its local counterpart, offering native security capabilities far beyond those of the on-premises version. But these capabilities are not enough.
In the face of new threats, let’s focus on AI
That’s why Gartner analysts advise using non-Microsoft tools to maintain security. Furthermore, Gartner estimates that by 2020, 50% of all organizations using Office in SaaS (Software-as-a-Service) mode will enhance their security with tools from third-party vendors. The firm has also formalized a security framework, the “Gartner Framework for SaaS Security Controls”, which provides an overview of the security issues to be addressed. The protection of email systems against various threats (spam, malware, ransomware and phishing) is an important part of this framework.
Faced with these threats, one thing is certain: traditional email protection technologies, based on reputation analysis, known signatures and fingerprinting, are no longer effective. Effectively securing Office 365 today means preparing for the unknown. In other words, organizations have a strong interest in equipping themselves with solutions that can anticipate new attacks before they are seen.
The good news is that technologies exist to make these predictions fully operational today. The use of heuristic methods and artificial intelligence, especially machine learning algorithms, represents a qualitative leap forward in protection. This gives companies real-time protection against unknown threats and a way to take advantage of a collaborative environment like Office 365 without fearing the worst.