What is happening?
NCSC recently published an advisory regarding several incidents in the UK in which Office 365 user accounts were compromised and then used in targeted supply chain attacks.
To be clear, this is not a vulnerability in Office 365. NCSC are highlighting that O365 users are increasingly targeted by attackers because of the service's widespread use and the tendency for users to authenticate with a username and password alone.
This advisory highlights that username and password credentials alone do not provide adequate protection against attackers who can obtain credentials from victims via common methods such as Spear Phishing and password guessing.
NCSC highlight that once an account is compromised, an attacker can use that access to impersonate the account owner, manipulate the movement of money, gain access to and covertly steal sensitive information, sell that information or disclose it publicly to cause reputational damage, or use it to compromise further users and accounts.
The advisory makes sound recommendations to mitigate such attacks by applying controls in the following areas:
- Multi-Factor Authentication (MFA)
- Conditional Access Policies
- Securing the email service with appropriate anti-malware protection and anti-spoofing configuration (SPF, DKIM and DMARC)
- Logging and monitoring access at the email service and end-user device level
- Securing the devices used to access Office 365, such as smartphones, tablets, laptops and workstations
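The anti-spoofing item above is the one most easily checked from outside the tenant, since SPF and DMARC policies are published as public DNS TXT records. The following is an added example, not code from NCSC or the original page: it parses constructed SPF and DMARC records and flags the weak settings that leave a domain spoofable (`+all`, `p=none`, no aggregate reporting address). The sample records and the `example.com` addresses are made up; in practice you would fetch the real records (for `<domain>` and `_dmarc.<domain>`) with a DNS library such as dnspython's `resolver.resolve(name, "TXT")`, which is assumed here and not called so the example runs offline. DKIM is not checked because verifying it requires knowing the selector names in use.

```python
"""Static checks for the SPF and DMARC records the advisory recommends.

Added example. The records below are constructed for illustration; fetch
real ones from DNS (e.g. dnspython) for <domain> and _dmarc.<domain>.
"""
import re
from typing import Dict, List

# Constructed sample TXT records (example.com / 203.0.113.0/24 are documentation ranges).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)")


def check_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record; an empty list means no weakness found."""
    findings: List[str] = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # default qualifier is '+'
        if qualifier == "+":
            findings.append("'+all' permits any sender to spoof the domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral, equivalent to no policy")
        elif qualifier == "~":
            findings.append("'~all' soft fail only; prefer '-all' once DMARC reports are reviewed")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means no weakness found."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk, consider p=reject")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc)]:
        print(f"{label}: {fn(rec) or 'OK'}")
```

The weak records pass a naive "is there an SPF/DMARC record" check yet provide no protection: `+all` authorises every sender, and `p=none` instructs receivers to deliver spoofed mail as normal. Move to `-all` and `p=reject` only after reviewing the aggregate reports sent to the `rua=` address, so legitimate third-party senders are not blocked.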
Does this affect me?
At MTI, our experience of conducting penetration testing and social engineering assessments for over 17 years across a wide range of industry sectors demonstrates that the majority of organisations are susceptible to compromise of user credentials. If you are using Office 365 services with username and password authentication alone, it is increasingly likely that this form of compromise will affect you.
To underline this, during our social engineering assessments we find that on average 5% of corporate email addresses are present in security breach data sets known to include passwords.
Finally, our experience shows that the larger your organisation, the greater the likelihood of user accounts being compromised.
Our extensive Office 365 Audit of Security Implementation Service (OASIS) uses NCSC and Microsoft best practice guidelines to baseline the configuration of your O365 environment against good security practice, highlighting actions that significantly improve your level of protection.
In addition, we deliver a range of social engineering assessments that simulate real-world attacks attempting to steal and leverage user credentials, assessing both your human and technical defences. We deliver spear phishing, whaling, client-side exploit, telephone and physical social engineering attacks, either on an ad-hoc basis or combined in a joined-up, highly effective Red Teaming Service.
Learn more about these services – here
As part of an award-winning 2018, MTI won ‘Penetration Tester of the Year’ at the Cyber Security Awards and the ‘Security VAR of the Year’ by the CRN.
Our paper “Enterprise Cyber Security: Addressing the Human Factor”, available here, sets out the critically important human factors you need to consider (including those referenced in NCSC’s advisory), the risks they present and how to address them.
As a member of the NCSC CHECK Scheme (approved Penetration Testing suppliers to Government) for over 14 years and an official Microsoft Cloud Hosting provider, MTI has the knowledge and experience to assess your exposure and deliver the advice and support you need to improve your protection.