In August 2018, security researchers announced that cybercriminals were successfully bypassing Office 365's Advanced Threat Protection via a new evolution of phishing: inserting malware links into SharePoint documents. Analysts at the cloud security firm Avanan discovered this vulnerability, reporting that SharePoint invitations containing malicious links were being sent from Microsoft to some users.

The SharePoint file itself mimicked a typical OneDrive file access request. However, the researchers noted that the Access Document button within the file was coded to send the user to a spoofed site instead. A bogus Office 365 login screen appeared when the link was clicked. This fake site looked like the real thing but was simply a portal through which hackers collected the login credentials of unsuspecting users.

Vulnerabilities such as this remind us that Office 365 is far from a universally secure environment. In fact, it is critically important to adjust certain aspects of the system and take other steps if you want to improve security, meet compliance requirements, or simply exert more control over user behavior. Here are steps you can take.
1. Know your Office 365 Secure Score

We often think of technologies or services in isolation, in terms of how secure that entity is. However, it is critical for every organization to optimize how it implements and uses systems; that is the focus of the Office 365 Secure Score, which rates your security configurations and behaviors. Microsoft notes specifically that the right perspective on this score is to think about methods to better safeguard your users and data (ideally with no negative influence on user productivity), a tactic that will, in turn, improve your score. While the scoring system is established by Microsoft, it should give you a sense of how well your organization adheres to security best practices.

2. Check the Security & Compliance Center reports and dashboards

Familiarize yourself with the dashboards and reports within the Security & Compliance Center:

Reports dashboard – Audit reports for your Exchange Online and SharePoint Online organizations are retrievable within the Reports section. Within Reports, you can also view the Azure Active Directory (AD) audit log, user sign-in reports, and user activity reports.

Threat explorer – This Security & Compliance Center tool shows you how many attacks have occurred over time, along with data on attacker servers and analysis of data organized into threat families. If your Office 365 tenant is ever attacked, analysis with this tool can help you investigate and mitigate it.

Threat management dashboard – This dashboard is helpful for sending reports to business decision makers about the security steps you have taken. It is also a place to review threats that have been resolved in the past.

3. Add Customer Lockbox

The external threat to your data is significant. However, so
is the internal one. Access by Microsoft staff to your personal data may seem an unacceptable risk to you. However, you will sometimes want Microsoft engineers to access your data in order to provide support.

Customer Lockbox allows you to control their level of access. This feature is available via subscription for any enterprise plan; it comes automatically with Office 365 Enterprise E5. Customer Lockbox allows you to approve or reject Microsoft's request to access your data for fixing or troubleshooting. If you approve the access request, the engineers will exit the system as soon as they have completed the approved task and will not be able to access it again. Plus, "[i]f you reject or don't approve the request in 12 hours, access is automatically revoked," noted MS Expert Talk.

4. Enable Cloud App Security

Cloud App Security is a feature that comes standard with the Office 365 Enterprise E5 plan and can also be ordered as an enterprise subscription. Sometimes a user will sign in from dangerous or unknown Internet protocol (IP) addresses, fail to sign in repeatedly, or download a large volume of data. To monitor these and other high-risk or uncommon user behaviors, you can create alerts within the platform.

5. Turn on mailbox audit logging

Mailbox audit logging, unlike some other forms of audit
logging, is not enabled by default in Office 365. Exchange Online PowerShell can be used to ensure that all user mailboxes have audit logging turned on. Once you have set up audit logging for your mailboxes, you can see who is logging into mailboxes and sending emails or performing other tasks that are typically done by the administrator, the mailbox owner, or a designated user. You can adjust how long the audit log keeps entries to meet your needs. You can search the logs within the Compliance Center and within Office 365.

6. Implement MFA

Ideally, you want user accounts to remain secure even if
someone steals the password. For that reason, beyond having good password policies, it is wise to require users to respond to a notification via a smartphone app, through a phone call, or via SMS, and to disallow access until that second factor is successfully provided. This method, called two-factor authentication (2FA) or (more broadly) multi-factor authentication (MFA), is now one of the top security best practices across the industry. (However, it is far from perfect as a security mechanism.)

7. Add mail flow protections

You want to be certain that your messages do not contain malicious links, viruses, or malware. For better protection against these threats in Office 365, you can use the rich feature set within Exchange Online Protection and complete these tasks:
Protect yourself from dangerous links and attachments via Advanced Threat Protection.
Implement an antimalware solution.
Set up policies for email anti-spam protection.
When you use a custom domain within Office 365, you become particularly vulnerable to spoofing. In order to prevent that activity and to properly validate all the messages that your organization transmits, implement DKIM, SPF, and DMARC.
Study and set up safety tips for your users within Office 365.
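The spoofing item above asks for SPF, DKIM and DMARC but does not say what a weak record looks like. The PowerShell below is an added example, not code from the original article: it flags the SPF and DMARC settings that leave a custom domain open to spoofing, using constructed sample records (the Resolve-DnsName line in the comment shows how to feed it live records).

```powershell
# Added example, not from the original article: flag weak SPF/DMARC settings.
# The records below are constructed samples. For a live check, feed in
#   (Resolve-DnsName -Name "_dmarc.example.com" -Type TXT).Strings -join ''
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') { return @('not an SPF record') }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1)
    # Terms that cost a DNS lookup; more than 10 makes receivers return permerror.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?((include|a|mx|ptr|exists)([:/]|$)|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "too many DNS lookups ($lookups > 10)" }
    if ($terms -contains '+all' -or $terms -contains 'all') { $findings += '+all: any host may send as your domain' }
    elseif ($terms -contains '?all') { $findings += '?all: neutral, gives receivers no signal' }
    elseif ($terms -contains '~all') { $findings += '~all: softfail, move to -all once DMARC reports confirm all senders are listed' }
    elseif ($terms -notcontains '-all') { $findings += 'no all term: unlisted senders are treated as neutral' }
    return $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1\s*;') { return @('not a DMARC record') }
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1]] = $Matches[2].Trim() }
    }
    $policy = $tags['p']
    if ($policy -notin @('none', 'quarantine', 'reject')) { $findings += 'missing or invalid p= tag' }
    elseif ($policy -eq 'none') { $findings += 'p=none only monitors; spoofed mail is still delivered' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) { $findings += "pct=$($tags['pct']): policy applies to only part of the mail" }
    if (-not $tags.ContainsKey('rua')) { $findings += 'no rua= address: you receive no aggregate reports' }
    if ($tags['sp'] -eq 'none') { $findings += 'sp=none: subdomains are left unprotected' }
    return $findings
}

# Constructed samples: a weak pair beside a hardened pair.
$samples = @(
    @{ Spf = 'v=spf1 include:spf.protection.outlook.com ?all'; Dmarc = 'v=DMARC1; p=none' },
    @{ Spf = 'v=spf1 include:spf.protection.outlook.com -all'
       Dmarc = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; sp=reject' }
)
foreach ($s in $samples) {
    foreach ($kind in 'Spf', 'Dmarc') {
        $findings = & "Test-${kind}Record" -Record $s[$kind]
        "$($kind.ToUpper()) $($s[$kind])"
        if ($findings) { $findings | ForEach-Object { "  - $_" } } else { '  - ok' }
    }
}
```

The weak pair produces findings for the neutral `?all` and the monitor-only `p=none`; the hardened pair reports `ok` for both records.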
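Step 5 above says Exchange Online PowerShell can turn on mailbox audit logging but leaves the commands to the reader. As an added example that is not from the original article, this enables auditing on every user mailbox, extends retention, and verifies coverage; the Exchange Online PowerShell module and the contoso.com accounts are assumptions, not values from the article.

```powershell
# Added example, not from the original article: turn on mailbox audit logging for
# every user mailbox and verify it. Assumes the Exchange Online PowerShell module;
# admin@contoso.com and user@contoso.com are placeholders for your own accounts.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$filter = "RecipientTypeDetails -eq 'UserMailbox'"

# Enable auditing, keep entries 180 days instead of the 90-day default, and record
# the owner and delegate actions most useful when investigating a hijacked account
# (logons, deletions, inbox-rule changes, SendAs/SendOnBehalf).
Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180.00:00:00 `
        -AuditOwner MailboxLogin, HardDelete, SoftDelete, Update, MoveToDeletedItems, UpdateInboxRules `
        -AuditDelegate SendAs, SendOnBehalf, HardDelete, SoftDelete, Update, MoveToDeletedItems, UpdateInboxRules

# Verify: list any user mailbox still not audited; no output means all are covered.
Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled

# Spot check one mailbox: non-owner logons and actions over the last 7 days.
Search-MailboxAuditLog -Identity user@contoso.com -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, ClientIPAddress, ItemSubject |
    Format-Table -AutoSize
```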
Recovering your Office 365 data

As the data landscape grows increasingly complex and threatening, robust safeguards are needed to defend your organization against attack. In fact, no matter how many protections you deploy, hackers may still figure out a workaround to get into your system. If your technology has fallen into the wrong hands, a reputable data recovery company can get to the bottom of it.