Although Microsoft 365 has many built-in security features which can make the environment safe against attackers, this relies heavily on whether the environment has been set up properly. Many critical issues can arise when a Microsoft 365 environment has been incorrectly configured.
For example, the environment offers Multi-Factor Authentication which ensures that an attacker would not be able to access an account even with valid credentials; however, this is an option that is not on by default.
The environment supports Single Sign-On to allow users the ability to bypass the login process where they have already authenticated to another area of the environment; however, if Multi-Factor Authentication has not been implemented in all areas, an attacker with valid credentials can bypass the Multi-Factor Authentication requirement via authentication to these other areas.
Another area that can cause issues is when accounts used for general purpose tasks, are also given high levels of permissions. This would mean that if an attacker were, for example, able to break into an account used by IT Support via phishing or another attack that requires interaction from a user, the attacker would have access to all the permissions that the user would have. Ensuring that users have an account for performing general everyday tasks and a separate account for performing tasks that require privilege will ensure that privilege escalation through the Microsoft 365 environment is more difficult for the attacker.
Another best practice is to ensure that adequate logging is in place for the environment as well as adequate logging and alerts. This will ensure that any attacks that are being performed can be caught and dealt with before they become an issue.
One of the best places to start with ensuring the environment is properly configured, is to refer to the most up to date CIS Benchmark for the environment. This benchmark provides checks and recommended settings for ensuring that the environment is set up correctly and in line with best practices.
Another recommendation is to perform regular penetration tests against the environment. This will highlight any vulnerabilities which could be abused by an attacker. It should be noted that, although performing penetration tests against the Microsoft 365 is allowed, there are a set of ‘rules of engagement’ which must be adhered to. These can be found here microsoft.com/en-us/msrc/pentest-rules-of-engagement
If you like this blog post, find more content in our Glossary.