How your Office 365 account was hacked..... and how to stop it from happening again.
In this post we’re going to cover the common mistakes businesses make when transitioning to Office 365 and why there has been so many breaches of business data due to bad security practices.
Microsoft/Office 365 is not insecure, but your business might be.
Microsoft spends more than $1 billion per annum on security. Let that sink in for a moment. If your business can invest that amount of money into security and you want to keep your on-premise servers then go ahead. However, if you’re a small or medium sized business or even a large enterprise, you’ll probably have smaller budgets to keep on top of security.
The reason there is this assumption that Office 365 is insecure, is because businesses keep getting their accounts hacked. This is mainly caused by bad IT security policies and housekeeping.
Let's look at the methods hackers are using to gain access to insecure accounts:
1. Credential Stuffing
This is where hackers gather username and password information from a previous data breach and try those same credentials against various other online services, including Office 365. This can lead to thousands of accounts being breached due to the fact that most people use the same username (normally their email address) and password for multiple websites or applications.
The hackers download these previously breached credentials from the dark web which has an online marketplace with billions of passwords for sale at less than the price of a bag of sweets. They then feed these passwords to automated bots which test the user credentials of each person against several online services. The bots can then indicate to the hacker which accounts successfully worked, at which point they just help themselves into your emails and files.
This is generally how most security breaches start, with a well crafted phishing email to someone within the business. These targeted emails are getting more sophisticated and less obvious to identify. However there should still be some red flags on any phishing email and employees within the business should be educated to spot these.
To cover the basics, phishing emails will be sent to employees within the company and will try to encourage them to click a link and then potentially sign in to a website. Lot’s of phishing emails are now targeting Office 365 users with some of the following themes:
- Your Office 365 password has expired, please use this link to reset it now.
- Someone has sent you a document on OneDrive please click this link and verify your identity to view it.
- You have a meeting request in Teams that you have not accepted, please follow this link and sign in to accept the meeting.
- Someone has accessed your Office 365 account, please login to check the attempts.
These are just a handful of examples that could be used to try and encourage your users to click a link and login. If someone does fall for one of these scams, they will essentially be giving their username and password to the hacker. At this point they will login and take control of the person’s mailbox and start looking for information. They will then typically extend the attack to colleagues and clients of that individual.
3. Session Hijacking
This is a more sophisticated attack where the hacker doesn’t need to steal your username and password, instead they take over your session.
To understand what we mean by a session, think about when you’re logged in to an online account. This could be a social media site such as Facebook, Twitter, LinkedIn etc. What you’ll notice is that once you’ve signed in with a username and password, you won’t have to do that again for days, maybe even weeks. The website issues your computer or device with a session cookie. This is basically a small file which confirms you’ve passed authentication. Then every time you visit the site it checks to see if you have this file and let’s let back on without signing in again.
For years, hackers have been exploiting weaknesses with these session cookies and advancements in technology have made this more secure. However there are still methods for this to be exploited.
How do Reformed IT help to reduce the risk of attack?
1. Dark Web Monitoring
Because hackers use previously breached passwords for this attack which they find on the dark web, we monitor the dark web for you. Whenever we take on a new client, we provide a report of all data currently available on the dark web containing your company domain. For example, in our case this would be any reference to reformed-it.co.uk.
This will reveal the potential risk of people who are reusing passwords which have already been compromised elsewhere. As well as the company domain, we can also monitor personal email addresses for key members of the senior management team such as company directors. These are likely to be bigger targets for hackers so are at increased risk.
As well as an initial report, we then provide updated information as and when a new compromise of your business data has been detected on the dark web. This will be sent to the main business contact to assess the risk and advise any individuals whose data is exposed.
This is an included service within the Reformed IT Support agreement, however, if you are interested in receiving a free one-time report on your business then please fill in the form below.
Recieve a free dark web report by filling in your details below:
2. Cyber Security Awareness Training
Every Reformed IT support client gets access to the market leading Cyber Security training by KnowBe4 as standard. This gives every employee access to a managed security training plan online including videos, demonstrations and games to keep it interactive.
As well as the training, we will also provide simulated phishing testing. This is where we send phishing emails to people within the business and provide insights as to who is clicking links and potentially putting the business at risk. Automatically, based on the potential risk of an individual clicking a link, they are re-enrolled onto further training which can help them to ensure they aren’t fooled again.
This is an example of one of the interactive games we provide as part of our training:
3. Multi-Factor Authentication
If a hacker is able to steal one of your employees username & password through phishing or credential stuffing, the attacker will login to that individuals Office 365 account and start to look through emails and files.
Multi-Factor Authentication (MFA) which is also frequently referred to as Two-Factor Authentication (2FA) helps to prevent this type of breach. It works by confirming the users identity with something else besides a username & password. You may have seen this implemented with HMRC or Apple iCloud as a text message code sent once the user credentials have been accepted.
This doesn’t prevent hackers from using the session hijacking technique described earlier, however it goes a long way towards protecting your accounts from common breaches.
At Reformed IT, we configure MFA for every client as we onboard them to our IT Support to minimise the risk.
4. Conditional Access Policies
One frequently overlooked feature of Microsoft 365 Business Premium (our recommended package for businesses with less than 300 users) is Conditional Access. This can be used to establish policies about which devices can access your Office 365 data and from which locations.
For example, a common policy we configure for clients is to allow access from trusted locations such as the company offices without needing MFA. However if an untrusted or unknown device tries to access anything from outside the office, we will request further proof from the individual that it is them. We can also restrict access completely for users who do not need to access files or emails from outside the office.
We can even fine tune these policies further such as restricting the ability for files to be copied onto personal devices.
Speak to one of the team if you’d like more information on any of these features and benefits of Office 365.
Get In Touch.
If you have any questions about Office 365, feel free to contact us by calling 01158 244 824 or email us using the button below.