Has your enterprise taken the required steps to properly harden your M365 Exchange Online environment?
This piece details how M365 tenants can prioritize activities to protect against sophisticated Azure AD and Exchange Online attacks.
Old Attacks, New M365 Attack Environments
The 2022 Verizon Data Breach Investigations Report (DBIR) confirmed the majority of attacks against enterprise networks follow a simple pattern:
- Gain access to user credentials via phishing or other social engineering means.
- Use those stolen credentials to access enterprise services.
- Elevate privilege to gain additional access to data and services.
- Obfuscate activities through service manipulation.
- Exfiltrate data or use a victim’s systems to attack other targets.
These are not new techniques. However, how attackers target users to begin this chain of attack has changed, because of significant shifts in where email servers are hosted and how users interact with their enterprise email services. Follow-on attacker activities targeting user identities have changed as well, as identity services have moved to the cloud and away from on-prem directories.
Most organizations use Exchange Online for at least some of their email users. That market share has driven attackers to look for ways they can exploit vulnerabilities in Exchange Online to begin their attack process through phishing. For example, certain Exchange Online security features designed to prevent phishing can be manipulated to trick users into entering their credentials via forms that look like legitimate M365 user authentication portals.
Azure AD attacks that begin with simple phishing campaigns have grown significantly in sophistication. Many organizations have reported privilege escalation attacks, where attackers use compromised application administrator accounts to abuse service principal accounts associated with those applications.
To avoid these scenarios, M365 customers must harden their email and identity services using these best practices:
Stop Safe Links Configuration Drift
If phishing is the primary starting point of all cyberattacks, then attention to email security details is critical. For example, Microsoft Defender for Office 365 and Exchange Online Protection can be perfectly adequate replacements for email hygiene platforms such as Proofpoint and Mimecast – if they are configured appropriately. This is especially true when it comes to defending against email threats originating from within the organization, such as those associated with a compromised user account sending internal emails as part of a ransomware campaign.
Recent sophisticated attacks focus on manipulating links within emails to appear as if they are Safe Links-approved links.
This is done either through manipulation of the hyperlinks within emails or more malicious activities that focus on disabling Safe Links for specific users through abuse of Exchange Online administrative privilege.
Unfortunately, few organizations have focused on periodically ensuring Safe Links remains properly configured after the initial setup. It has been difficult to determine whether Safe Links configuration changes within M365 tenants were the result of a user request to allow a specific type of email through as an exception, or whether the changes were the result of malicious activity.
Monitoring for material changes to Safe Links settings is critical to reduce the impact of phishing attacks against an organization. Such monitoring should be coordinated with automated SIEM and security orchestration, automation and response (SOAR) capabilities to reduce the impact of any Safe Links setting manipulations.
Microsoft provides extensive documentation of the Safe Links options available within Exchange Online and Microsoft Defender for Office 365, and initial configuration of those settings is very straightforward. The problems relate to long-term implementation of Safe Links policies, where either internal administrators make changes resulting in unintended security consequences or attackers make unauthorized changes. In most cases, the default M365 logging functions will not detect these changes.
Based on incidents that have originated from Safe Links policy gaps, it’s best to put a process in place to frequently verify Safe Links settings are what they are expected to be, especially for high-value target users like executives and board members (if they use company-provided email addresses). This process can be automated through the use of cmdlet queries through the Exchange Online PowerShell Module.
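One way to automate that verification, written here as an added example rather than code from the article: the script compares every Safe Links policy against an expected baseline, then checks that the rules applying those policies are enabled and that a list of high-value mailboxes is neither exempted nor left uncovered. It uses the Get-SafeLinksPolicy and Get-SafeLinksRule cmdlets from the ExchangeOnlineManagement module; the baseline values and the VIP addresses are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the running account can read Safe Links configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Baseline every Safe Links policy is expected to meet (assumed values; adjust to your tenant).
$Baseline = @{
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true   # covers a compromised account mailing colleagues
    AllowClickThrough        = $false  # users must not be able to bypass the warning page
    TrackClicks              = $true   # click data is what the SIEM needs after an incident
    DisableUrlRewrite        = $false
}
# High-value recipients that must always be covered (constructed placeholder addresses).
$Vips = @('ceo@example.com', 'cfo@example.com')

$Findings = @()
foreach ($policy in Get-SafeLinksPolicy) {
    foreach ($setting in $Baseline.Keys) {
        if ($policy.$setting -ne $Baseline[$setting]) {
            $Findings += "Policy '$($policy.Name)': $setting is $($policy.$setting), expected $($Baseline[$setting])"
        }
    }
}

# A policy only takes effect through an enabled rule; check state, exceptions and VIP coverage.
# (Group-based scoping via SentToMemberOf is not expanded here.)
$rules = Get-SafeLinksRule
foreach ($rule in $rules) {
    if ($rule.State -ne 'Enabled') { $Findings += "Rule '$($rule.Name)' is $($rule.State)" }
    foreach ($vip in $Vips) {
        if ($rule.ExceptIfSentTo -contains $vip) { $Findings += "Rule '$($rule.Name)' exempts VIP $vip" }
    }
}
foreach ($vip in $Vips) {
    $domain  = $vip.Split('@')[1]
    $covered = $rules | Where-Object {
        $_.State -eq 'Enabled' -and ($_.SentTo -contains $vip -or $_.RecipientDomainIs -contains $domain)
    }
    if (-not $covered) { $Findings += "VIP $vip is not targeted by any enabled Safe Links rule" }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Safe Links configuration matches baseline'
```

Run it on a schedule and forward a non-zero exit (or the warning lines) to the SIEM so a drift finding becomes a ticket rather than a silent gap.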
Secure Azure AD
Azure AD attacks will continue to significantly increase in quantity and quality. This is partly due to a lack of consistent, uncomplicated security guidance for Azure AD. There are many avenues attackers can pursue to exploit vulnerabilities in Azure AD.
Focus on MFA
Securing Azure AD comes down to ensuring strong MFA policies are enforced, regardless of where someone is logging into a system. However, most M365 organizations have MFA deficiencies. Some of these have been severe, for example, cases where MFA policies were disabled for privileged user accounts that had access to the Exchange Online and SharePoint administrator portals.
Many organizations require MFA for Azure AD logins only when users are on a system outside the enterprise network. With the increase in remote work and access from outside the corporate network for such long periods of time, this MFA exception is not a realistic approach. MFA should be required for all logins from all users, regardless of where the login originates.
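The same kind of scheduled check can be applied to the MFA exception described above. The following is an added example, not code from the article: it reads the tenant’s Conditional Access policies through the Microsoft Graph PowerShell SDK and flags any MFA policy that is not enforced, that does not target all users, that excludes individual users, or that exempts trusted network locations (the "MFA only off-network" pattern). The Policy.Read.All scope is assumed to be sufficient for reading the policies.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell SDK
# is installed and the account has consent to the Policy.Read.All scope.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

$Findings = @()
$policies    = Get-MgIdentityConditionalAccessPolicy -All
# Only policies whose grant control includes 'mfa' actually enforce MFA.
$mfaPolicies = $policies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }

if (-not $mfaPolicies) { $Findings += 'No Conditional Access policy requires MFA' }

foreach ($p in $mfaPolicies) {
    # Report-only or disabled policies log but do not block a login.
    if ($p.State -ne 'enabled') {
        $Findings += "MFA policy '$($p.DisplayName)' is '$($p.State)', not enforced"
    }
    # Excluding trusted locations reproduces the on-network exception the text warns against.
    if ($p.Conditions.Locations.ExcludeLocations -contains 'AllTrusted') {
        $Findings += "MFA policy '$($p.DisplayName)' skips MFA from trusted locations"
    }
    # Scope should be every user, not a hand-picked subset.
    if ($p.Conditions.Users.IncludeUsers -notcontains 'All') {
        $Findings += "MFA policy '$($p.DisplayName)' does not target all users"
    }
    # Each excluded user object ID is a login path with no MFA; list them for review.
    foreach ($u in $p.Conditions.Users.ExcludeUsers) {
        $Findings += "MFA policy '$($p.DisplayName)' excludes user $u"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'MFA is enforced for all users from all locations'
```

Excluded users are reported by object ID; resolve them with Get-MgUser when triaging, since a break-glass account is expected there but an Exchange administrator is not.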
Additionally, customers should also follow a number of other basic security configurations Microsoft recommends as best practices for overarching Azure AD security management.
Prioritize Defender for Identity
An additional challenge is that some of the most valuable tools for securing Azure AD are only available on a limited licensing basis. For example, Defender for Identity is by far the best tool on the market to do large-scale identity integrity analysis and incident detection. Unfortunately, Defender for Identity is only available as part of the E5 license for enterprise customers, or as a standalone license (which is difficult to price, depending on how an organization purchases M365 licenses).
Many organizations have not fully implemented Defender for Identity. Only a small fraction of those who have fully adopted Defender for Identity have done any custom identity protection configuration within Azure AD.
It is also difficult to distinguish between Defender for Identity (the full product) and the identity protection capabilities built into the Microsoft 365 Defender service. Organizations using Azure AD in a synchronized on-prem configuration should prioritize getting a full license for Defender for Identity.
If you don’t have a license for Defender for Identity, consider leveraging the basic functionality of Azure AD Identity Protection as much as possible by configuring risk policies within the Identity Protection portal.
Sample risk policies can be found throughout Microsoft’s documentation, but the most important thing to do is build a plan to ingest Identity Protection information into your SIEM.
Key events security operations teams should be looking for relate to the use of identities to gain access to users’ Exchange Online mailboxes, cross-M365 service settings with impacts on Teams and the Power Platform, and conditional access policy settings that impact MFA policy enforcement and service principal account access.
Identity is essentially the last perimeter available to an organization using M365. Prioritizing the appropriate tools to compensate for lack of on-prem identity controls is becoming critical for securing M365 users.
Bottom Line to Harden Exchange Online
It is increasingly critical for organizations to implement improved Exchange Online and Azure AD security controls and monitoring. Specifically, enterprises must:
- Ensure Safe Links is configured appropriately now – and over time. This requires putting in place a frequent verification process.
- Take steps to protect Azure AD appropriately. Organizations with E5 licenses should use Defender for Identity, while others must ensure they properly configure Azure AD Identity Protection, ingest its data into their SIEM and alert on the appropriate identity-based events.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.