I wanted to share some insights into email security and provide some high-level top tips on securing Microsoft 365 (M365) based systems, which I will cover in a series of Insight posts over the coming weeks.
Email is often the first step a hacker takes on the way to gaining unauthorised access to your data or your Microsoft 365 environment; this could be the result of a successful phishing attack or a brute-force attack against a Microsoft 365 web portal.
3B Data Security regularly conducts incident response investigations into attacks on Microsoft 365 systems, and there are several lessons learned that I am going to share to help steer you towards a stronger Microsoft 365 platform. Some of these tips are not specific to Microsoft 365 and could be applied to other email platforms or providers as well.
So Where To Start?
Well, in our opinion there are several free features and services that can be applied to email and domains to improve security, even before you log into your M365 portal (or other email system).
- Sender Policy Framework (SPF)
  - SPF is the policy that defines which servers are authorised to send email for the domain. It can be a list of servers or an individual server.
  - If it is not in place, any server could send seemingly legitimate email on behalf of the domain. The tighter the SPF record, the fewer servers can send email for the domain.
  - This is the equivalent of knowing the name of the person who is going to give you the information.
- DomainKeys Identified Mail (DKIM)
  - DKIM is a protocol that verifies the authenticity of the sending server.
  - It uses public-key cryptography (a signature added to the message) to show that the server that sent the message was indeed permitted to send it.
  - DKIM prevents an attacker from simply building a server with the same name or IP address as a legitimate server: without the domain's private signing key, their messages will not verify.
  - This is the equivalent of checking the ID of the person giving you the information.
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
  - DMARC is the policy that tells the receiver what to do with mail from your domain that fails SPF or DKIM.
  - This is the equivalent of knowing not to accept information from an unknown person after the ID check, or if the name on the ID is different from what you expected.
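As an added example (not from the original post), here is a PowerShell script that checks SPF, DKIM and DMARC records for the weak settings described above. The record strings are constructed samples for the fictional domain example.com; the include host spf.protection.outlook.com and the selector1 name are the ones Microsoft publishes for M365, and Resolve-DnsName is the Windows cmdlet that would fetch real records.

```powershell
# Added example, not from the original post: check SPF, DKIM and DMARC TXT
# records for weak settings. The record strings at the bottom are constructed
# samples for the fictional domain example.com; to check a real domain, fetch
# the records first, e.g. on Windows:
#   (Resolve-DnsName -Name example.com -Type TXT).Strings -join ''
#   (Resolve-DnsName -Name selector1._domainkey.example.com -Type TXT).Strings -join ''
#   (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings -join ''

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') { return @('SPF: record does not start with v=spf1') }
    $terms = @(($Record -split '\s+') | Select-Object -Skip 1)
    # The last "all" term decides what receivers do with servers that are not listed.
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' }) | Select-Object -Last 1
    if (-not $all)                      { $findings += 'SPF: no "all" term, unlisted servers are not rejected' }
    elseif ($all -in @('all', '+all'))  { $findings += 'SPF: +all authorises ANY server to send for the domain' }
    elseif ($all -eq '?all')            { $findings += 'SPF: ?all is neutral, unlisted servers are not rejected' }
    elseif ($all -eq '~all')            { $findings += 'SPF: ~all is a softfail, move to -all once every sender is listed' }
    # include, a, mx, exists and redirect each cost a DNS lookup; RFC 7208 allows at most 10.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|$)|mx(:|$)|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "SPF: $lookups lookup terms exceed the limit of 10 (permerror, record ignored)" }
    return $findings
}

function Test-DkimRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    # The p= tag carries the public key; an empty p= means the selector has been revoked.
    if ($Record -match '(^|;)\s*p=([^;]*)') {
        if ([string]::IsNullOrWhiteSpace($Matches[2])) { $findings += 'DKIM: p= is empty, the selector is revoked' }
    } else {
        return @('DKIM: no p= public key tag, this is not a usable DKIM key record')
    }
    if ($Record -match '(^|;)\s*t=[^;]*y') { $findings += 'DKIM: t=y testing flag set, receivers may treat failures as unsigned' }
    return $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1\s*;') { return @('DMARC: record does not start with v=DMARC1') }
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if (-not $tags.ContainsKey('p'))         { $findings += 'DMARC: required p= policy tag missing, record is invalid' }
    elseif ($tags['p'] -eq 'none')           { $findings += 'DMARC: p=none only monitors, failing mail is still delivered' }
    elseif ($tags['p'] -eq 'quarantine')     { $findings += 'DMARC: p=quarantine, consider p=reject once the reports look clean' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) { $findings += "DMARC: pct=$($tags['pct']) applies the policy to only part of the mail" }
    if (-not $tags.ContainsKey('rua'))       { $findings += 'DMARC: no rua= address, you will not receive aggregate reports' }
    return $findings
}

# Constructed sample records (not real DNS data). The M365 include host and the
# selector name are the ones Microsoft publishes; everything else is a placeholder.
$samples = [ordered]@{
    'SPF (weak)'     = 'v=spf1 include:spf.protection.outlook.com +all'
    'SPF (strict)'   = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all'
    'DKIM (ok)'      = 'v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY'
    'DKIM (revoked)' = 'v=DKIM1; k=rsa; p='
    'DMARC (weak)'   = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
    'DMARC (strict)' = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com'
}
foreach ($name in $samples.Keys) {
    $record = $samples[$name]
    $result = switch -Wildcard ($name) {
        'SPF*'   { Test-SpfRecord   $record }
        'DKIM*'  { Test-DkimRecord  $record }
        'DMARC*' { Test-DmarcRecord $record }
    }
    $text = if (@($result).Count) { @($result) -join ' | ' } else { 'OK' }
    '{0,-15} {1}' -f $name, $text
}
```

The three Test-* functions take the record text as a string, so the same checks can be pointed at a real domain by swapping the sample strings for the Resolve-DnsName output shown in the header comment.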
3B Data Security will provide more detailed information on the above in future Insight posts.
Once you have taken some action at the domain level, you can turn your attention to the high-level features and options available in most Microsoft 365 subscriptions out of the (cloud) box. With Microsoft 365, email is just one part of the overall system, so although I am going to focus on email, the points will often apply to the Microsoft 365 account or tenant as a whole, along with other Microsoft 365 services like Teams, SharePoint and other 365 applications.
It is always worth conducting a full Microsoft 365 security review, as there are a lot of features that complement (or affect) one another and apply to all parts of the Microsoft 365 tenant.
These general points can also be applied to any other email systems as well.
Multi-Factor Authentication
The first and seemingly obvious starting point is the enablement and enforcement of multi-factor authentication. It should be an obvious point (hopefully by now), but we still see many attacked Microsoft 365 environments where only a couple of users have multi-factor enabled, and certainly not 100% of the administrative user base is enforced.
Corporate Devices Only
If possible, use corporate devices for corporate email only, and do not allow bring-your-own-device (BYOD) policies or the use of personal devices for corporate work.
Now this plan may have gone out of the window in early 2020 with Covid-19, but corporate email on personal devices that are not managed or held within a mobile device management (MDM) sandbox remains one of the largest risks to corporate email (and the associated data).
This includes laptops, PCs and Macs as well as mobile devices like phones and tablets; the only saving grace at the moment is that if corporate email is on a personal device, at least that personal device isn't really going anywhere! However, once that device (and owner) are allowed to leave the confines of the owner's house, it becomes even more of a risk, especially if the owner did not have corporate email on it pre-Covid.
Has the business conducted a recent risk assessment on this? Are they going to remove access from personal devices, leave it there just in case, or worse still, forget about it? What if the employee leaves; how do they confirm the corporate data has been removed?
Disable Browser-Based Access
Use application-based email access like Microsoft Outlook (installed on the desktop or mobile device) and disable Outlook Web Access and browser-based access. It is far easier for web-based email systems to be compromised or involved in a web-based phishing attack, whereby the attacker tries to trick the user into logging into a fake email sign-in page.
If users can only access email via the desktop application, (hopefully) they will be more cautious of any web-based login prompt trying to get them to log on, and won't try it!
The above are two examples of fake Microsoft 365 email log-on pages used in phishing attacks that 3B Data Security has investigated. The only part that looked different was the URL (website address), which has been cut off the screenshots for privacy reasons; the pages were hosted on a compromised server and did not carry the standard Microsoft address, but otherwise behaved exactly the same.
Lock Down Email Access Methods
There are many ways in which Microsoft 365 email can be accessed. I have given my views on corporate vs personal devices above, but on top of this, in the Microsoft 365 admin portal you can lock down which applications can be used to access the email account.
The fewer options that are enabled, the more access restrictions are in place. At a high level, the configuration above only allows the Outlook application to access email on desktop and mobile devices; it stops some of the older methods of connecting to email, including the web browser, and also stops other email clients (i.e., not Outlook), such as Mail on the iPhone, from accessing email.
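The access-method lockdown above, and the browser-access point made under "Disable Browser-Based Access", can be audited and applied with Exchange Online PowerShell. The following is an added example, not configuration from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that example.com, the mailbox user@example.com and the report path are replaced with real values.

```powershell
# Added example, not from the original post: audit and restrict the protocols a
# mailbox can be reached over, so that only the Outlook desktop client (MAPI)
# and the Outlook mobile app remain. Requires the ExchangeOnlineManagement
# module; example.com, the mailbox and the CSV path are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Audit: list every mailbox that still allows browser, POP, IMAP or ActiveSync access.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -or $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Select-Object Name, PrimarySmtpAddress, OWAEnabled, PopEnabled, ImapEnabled, ActiveSyncEnabled, MAPIEnabled
$exposed | Format-Table -AutoSize
$exposed | Export-Csv -Path 'C:\Reports\cas-exposure-before.csv' -NoTypeInformation

# 2. Harden: the comment gives the permissive default, the value is what we enforce.
$lockdown = @{
    OWAEnabled           = $false   # default $true: Outlook on the web (browser access)
    OWAforDevicesEnabled = $false   # default $true: browser access from mobile devices
    PopEnabled           = $false   # default $true: legacy POP3 clients
    ImapEnabled          = $false   # default $true: legacy IMAP clients such as phone Mail apps
    ActiveSyncEnabled    = $false   # default $true: Exchange ActiveSync (native mail apps)
    MAPIEnabled          = $true    # Outlook desktop keeps working
    OutlookMobileEnabled = $true    # Outlook for iOS/Android keeps working
}
# Pilot on one mailbox first, then roll out to every mailbox.
Set-CASMailbox -Identity 'user@example.com' @lockdown
# Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox @lockdown

# 3. Verify the result for the pilot mailbox.
Get-CASMailbox -Identity 'user@example.com' |
    Format-List OWAEnabled, OWAforDevicesEnabled, PopEnabled, ImapEnabled, ActiveSyncEnabled, MAPIEnabled, OutlookMobileEnabled
```

Running the audit before and after the change, and keeping the CSV, gives you evidence of which mailboxes were exposed and when that exposure was closed, which is exactly what an incident investigation later asks for.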
Safe Links
Safe Links is a feature of Microsoft 365 whereby incoming email messages that contain URLs (web addresses) are scanned in real time for suspicious links and links that point to files, and the feature ensures the URL scanning is complete before the message is delivered to the user.
This helps to prevent malicious links being clicked on by the user, provided of course that they are known to the Microsoft scanning systems.
You can also add rules to block specific URLs that contain known elements like 1drv links (OneDrive), Dropbox and other online storage systems, which often host fake login pages for phishing attacks.
Block Or Filter Email Attachments & Use a Secure File Sharing Solution
Blocking all attachments may not be practical, but at least restrict and filter those types of attachment that are likely to cause problems, like .exe, .bat, .zip, .cab, .dll etc.
Likewise, having a policy of not sending attachments via plain email is a good start; have a dedicated secure means of file sharing that allows the sender to revoke access to the file or imposes a time limit on how long it is accessible for.
This not only helps if the file link is accidentally shared with the wrong person, as the link can be revoked or expired; it also means the attachment is not sitting in the sender's sent items and the recipient's inbox for evermore, to be potentially stolen if a mailbox compromise occurs years later.
The Microsoft 365 Safe Attachments feature works in a similar way to Safe Links, whereby the system automatically scans attachments for malware and, if malware is detected, either blocks the attachment, sends it on to an administrator for double-checking and verification, or monitors it and sends it on.
It also stops the user from opening the attachment while it scans it.
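The following added example (not from the original post or from Microsoft) creates a Safe Links policy, a Safe Attachments policy and a mail flow rule for the file-sharing links mentioned above, using Exchange Online PowerShell. It assumes an admin session opened with Connect-ExchangeOnline and a licence that includes Defender for Office 365; example.com, the policy names and the domain pattern list are placeholders to adjust.

```powershell
# Added example, not from the original post: Safe Links and Safe Attachments
# policies (Microsoft Defender for Office 365) plus a mail flow rule that holds
# mail linking to file-sharing sites, all via Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run; example.com and the
# policy names are placeholders, and the domain pattern list is a constructed sample.

# Safe Links: scan URLs in incoming mail and hold delivery until the scan completes.
$safeLinks = @{
    Name                     = 'SafeLinks-AllUsers'
    EnableSafeLinksForEmail  = $true    # rewrite and check URLs in email
    ScanUrls                 = $true    # real-time scan of links, including links to files
    DeliverMessageAfterScan  = $true    # do not hand the message over until scanning is done
    EnableForInternalSenders = $true    # a compromised internal mailbox sends bad links too
    TrackClicks              = $true    # keep click data for incident response
    AllowClickThrough        = $false   # users cannot bypass the warning page
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name 'SafeLinks-AllUsers' -SafeLinksPolicy 'SafeLinks-AllUsers' -RecipientDomainIs 'example.com'

# Safe Attachments: detonate attachments in a sandbox and block messages where malware is found.
# Action can be Allow (deliver and monitor), Block, or DynamicDelivery (deliver the body now and
# the attachment once scanned); Block is the safest default.
$safeAttach = @{
    Name   = 'SafeAttachments-AllUsers'
    Enable = $true
    Action = 'Block'
}
New-SafeAttachmentPolicy @safeAttach
New-SafeAttachmentRule -Name 'SafeAttachments-AllUsers' -SafeAttachmentPolicy 'SafeAttachments-AllUsers' -RecipientDomainIs 'example.com'

# Quarantine incoming mail whose subject or body links to file-sharing services that are
# commonly used to host fake login pages. Constructed sample list: 1drv.ms is the OneDrive
# short-link domain; tune the list and add exceptions for services your business relies on.
$sharePatterns = @('1drv\.ms', 'dropbox\.com')
New-TransportRule -Name 'Quarantine-FileShare-Links' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $sharePatterns `
    -Quarantine $true `
    -Comments 'External mail linking to file-sharing services is held for review'

# Verify the settings that matter.
Get-SafeLinksPolicy 'SafeLinks-AllUsers' | Format-List EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
Get-SafeAttachmentPolicy 'SafeAttachments-AllUsers' | Format-List Enable, Action
```

Keeping DeliverMessageAfterScan and AllowClickThrough as set here is the part most often missed when these policies are created in the portal: without them a user can receive the message before the scan finishes or simply click past the warning.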
Mail Flow Rules
In Microsoft 365 (and no doubt other platforms) you can set up a mail flow rule to automatically add a disclaimer to your email or flag emails that arrive from external sources. When set up, the mail flow rule checks that the sender's domain is external (i.e. the message was not sent internally) and can add a message to remind the user to be careful about clicking on links or opening attachments. This falls in line with the points I have already made above regarding phishing prevention and user security awareness training.
The rule above inserts the prefix 'EXT' into the subject line and adds a message at the top of the body of the email; the one below goes a bit further and adds some colour to the top of the body of the email.
Not only does this help remind users to think before clicking on links or blindly opening attachments, it also helps to detect email spoofing or domain typo squatting attacks. If a user knows that this message only appears when the email is sent from an external source and not from a colleague internally, they may well spot a faked message sent to them externally by a hacker trying to fake the email domain or impersonate an internal colleague.
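The two mail flow rules described above, plus the attachment filter from the earlier section, as an added example written for Exchange Online PowerShell (not the original post's or Microsoft's configuration). It assumes an admin session opened with Connect-ExchangeOnline; the rule names, the banner text, the status code and the extension list (the types named earlier plus a few common additions) are all my choices.

```powershell
# Added example, not from the original post: mail flow (transport) rules in
# Exchange Online PowerShell that reject risky attachment types and tag external
# mail with an 'EXT' subject prefix and a coloured banner. Assumes
# Connect-ExchangeOnline has already been run; names and text are placeholders.

# Rule 1: reject the attachment types named earlier (plus a few common additions), and
# separately anything whose content is executable regardless of extension, so a renamed
# .exe is still caught.
$riskyExtensions = @('exe', 'bat', 'zip', 'cab', 'dll', 'scr', 'js', 'vbs')
New-TransportRule -Name 'Reject-Risky-Attachments' `
    -AttachmentExtensionMatchesWords $riskyExtensions `
    -RejectMessageReasonText 'Attachments of this type are not accepted; use the approved secure file-sharing service.' `
    -RejectMessageEnhancedStatusCode '5.7.1'
New-TransportRule -Name 'Reject-Executable-Content' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable content is not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Rule 2: prefix the subject and prepend a banner to every message that enters from outside
# the organisation and is addressed to someone inside it.
$banner = @"
<div style="background-color:#FFEB9C;border:1px solid #9C6500;padding:8px;font-family:sans-serif;">
<b>CAUTION:</b> This email originated outside the organisation. Do not click links or open
attachments unless you recognise the sender and were expecting the message.
</div>
"@
New-TransportRule -Name 'Tag-External-Mail' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXT] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Newer alternative: Outlook's built-in external sender callout, which tags the message
# in the client without modifying the subject or body.
Set-ExternalInOutlook -Enabled $true

# Review the rules and the order in which they are evaluated.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

Because a user who sees the banner on a message claiming to be from a colleague has an immediate signal that something is wrong, the tagging rule is worth combining with the awareness training mentioned above rather than relied on alone.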
Domain Typo Squatting, yes that is really a thing!
It is a very simple but clever method that hackers use to deceive users into thinking a legitimate entity has emailed them, often one they know or have communicated with in the past.
Domain typo squatting is a technique used by attackers to register a real domain that looks similar to the legitimate domain, by misspelling a letter or buying a domain with the same name but a different suffix, such as a .com or .net used to impersonate a legitimate .co.uk domain. I will be covering more about this in a separate Insight post, but ultimately the preventive actions are using the mail flow features discussed above and training users and clients in security awareness to stop these sorts of attacks.
About The Author.
Benn has spent many years in digital forensics, investigating breaches of sensitive data. As Office/Microsoft 365 gained popularity it became another common focus for attacks and data loss, so Benn has focussed on investigating and proactively securing and locking down Microsoft 365 environments. If you need any additional help or advice on M365, reach out at IR@3BDataSecurity.com or on 01223 298333.
There are many other M365 configurations that can be locked down and secured on similar topics, and Benn will cover these in future 3B Data Security Insight blogs.