Contributors: Sharon Breeze, Terence Jackson, and Rob Edmondson
As Microsoft 365 increasingly becomes the world’s digital workspace, cybercriminals are increasingly turning their focus to it. In this article, we’ll cover:
Just in the first quarter of 2024, Microsoft 365 observed a tenfold surge in password-based attacks, from around 3 billion per month to over 30 billion. Recent high-profile incidents, such as the Midnight Blizzard attack by the Russian state-sponsored group Nobelium, have shown just how exposed organizations are. Worse still, attackers like Fancy Bear, APT28, and Strontium are increasingly targeting M365 each year.
In this three-part series, we break down the tools, techniques, and tactics cybercriminals use in an attack on a Microsoft 365 tenant and share clear practical guidance on how best to secure your organization.
For the first part of this series, we’ll focus on Entry. We’ll explain the different strategies that attackers apply to gain access to your Microsoft 365 tenant, from password-based brute-force attacks to targeting external users with exploitable permissions.
Stay tuned for the 2nd and 3rd parts of this series which will be coming soon:
Before launching an attack, cybercriminals often conduct extensive reconnaissance to identify the most vulnerable entry points into an organization's tenants in Microsoft 365. This research phase involves gathering information about the target organization's infrastructure, user accounts, and potential security weaknesses. Armed with this intelligence, they then employ various techniques to breach the system:
So, how can you prevent attackers from exploiting these entry points to gain access to your organization’s tenant architecture? First, you need to understand how each of these tactics work.
During a password spray attack, the attacker tries a small number of commonly used passwords against many different accounts. This contrasts with a brute force attack, where attackers try many passwords against a single account. Together, these are the two most common forms of cyberattacks that cloud-based private organizations experience.
When Midnight Blizzard breached Microsoft's environment, it was using a classic password spray technique to gain entry. While this might seem too easy, it helped the attackers find exactly what they were looking for: a powerful account with a guessable password and no multi-factor authentication. Other examples of famous password spray and brute force attacks include the Bad Rabbit ransomware from 2018 and the GRU campaign of 2019-21.
Enforce a strong password policy.
Prohibit common and easily guessable passwords. Require a minimum length and complexity. Educate users on how to create strong, unique passwords for their work accounts.
Enforce multi-factor authentication (MFA) for all your Microsoft accounts.
Require a second factor prevents access even if a password is compromised. MFA should be mandatory, especially for privileged admin accounts.
Configure Conditional Access to block legacy M365 authentication.
Many password spray attacks use older protocols like IMAP and POP that don't support modern authentication. Blocking legacy auth with Conditional Access Policies (CAP) significantly reduces your attack surface.
Enable password protection for Entra.
Azure AD Password Protection detects and blocks known weak passwords and their variants. It can be enforced for both cloud-only and hybrid Microsoft 365 environments.
Report on sudden spikes in failed logins.
A high volume of failed logins across many accounts in a short period is a telltale sign of a password spray attack. Configure your SIEM to alert on this anomalous activity.
Stay alert for high numbers of locked accounts.
Multiple accounts getting locked out around the same time could indicate a spray attack that exceeded lockout thresholds. Investigate any widespread account lockouts.
Watch out for unknown or invalid user attempts.
Password spray attacks often try to log into accounts that don't exist to avoid lockouts on real accounts. Monitor for failed logins with invalid usernames.
Spear phishing is a sophisticated email attack aimed at a particular individual, business, or organization. Unlike regular phishing which uses generic, broad messages, spear phishing is highly customized to the intended target.
71.4% of Microsoft 365 business users suffer at least one compromised account each month. Examples of spear phishing attacks can be found as early as 2009 with Operation Aurora, which targeted companies like Adobe and Google. Cyber criminals use it for a wide variety of complex objectives, including ransomware deployment, financial fraud, and reconnaissance.
Ensure that Microsoft Defender/Advanced Threat Protection is properly configured.
Microsoft Defender for Office 365 includes advanced threat protection features like Safe Links, Safe Attachments, and anti-phishing policies. Make sure these are enabled and tuned for your environment.
Implement advanced email security beyond Microsoft's native Advanced Threat Protection capabilities.
While Microsoft's built-in features provide a good baseline, consider augmenting with third-party email security solutions for more comprehensive protection against sophisticated threats.
Ensure the Safe Links policy is enabled.
Safe Links protects users from malicious URLs in emails and Office documents. Ensure the policy is turned on and configured to scan URLs and email attachments.
Ensure internal phishing protection for Forms is enabled.
This setting in Microsoft Defender for Office 365 protects against phishing attempts that use Microsoft Forms.
Ensure Microsoft Defender for Cloud Apps is enabled.
Cloud App Security provides visibility, control, and threat protection for your cloud apps, including detecting anomalous activities that could indicate a compromised account.
Ensure the spoofed domains report is reviewed weekly.
Regularly check the spoof intelligence insight to identify and remediate any spoofed domains targeting your organization.
Run regular phishing simulation exercises and training for your teams.
Educate users to recognize and report suspicious emails through phishing simulations. Provide training to reinforce best practices like scrutinizing message details and not clicking unknown links.
Monitor your Advanced Threat Protection for configuration drift.
Regularly audit your ATP settings to ensure protections haven't been disabled or misconfigured, which could allow phishing emails through.
Check for suspicious Exchange mailboxes.
Look for mailboxes that have been set with external forwarding, as this could be used to exfiltrate sensitive data to an attacker.
Enforce policies to detect anomalous account logins.
Set up alerts for logins from unusual locations, IP addresses, or devices that deviate from a user's normal behavior.
In a typical OAuth consent phishing attack, the attacker registers a malicious app with an OAuth 2.0 provider like Microsoft 365. They then send a phishing email with a link that directs the user to grant permissions to the app. The consent screen shows the permissions the app is requesting, which often include excessive access like the ability to read emails or files. If the user consents, the malicious app gains access to their account data and can perform unauthorized actions without needing further interaction or passwords.
Even security-savvy users can fall for these attacks, as the consent prompts come from legitimate identity providers and the requested permissions may seem reasonable at a glance. Attackers exploit the fact that users are accustomed to granting app permissions as part of their normal workflow.
Configure Entra to require consent before third-party applications can access M365 permissions.
This ensures an admin reviews any app requesting sensitive permissions before users can grant consent.
Entra configurations should be monitored to detect configuration drift.
Regularly audit your OAuth settings to ensure protections haven't been disabled or misconfigured, opening the door to malicious apps.
Document a process for careful review of third-party application privileges.
Establish clear guidelines for evaluating the legitimacy and permissions of OAuth apps. Admins should know how to manage consent requests.
Learn how to build an effective Disaster Recovery Plan to protect Microsoft 365.
Enforce a process to detect third-party apps that are connecting to Entra with excessive privilege requirements.
Use tools like Microsoft Defender for Cloud Apps to discover OAuth apps with suspicious permissions or behavior.
Implement a process to have these apps reviewed and removed where appropriate.
Investigate any apps flagged as high-risk and remove their access if they are deemed malicious or unnecessary. Conduct regular audits of consented apps and permissions.
Many organizations need to allow cross-tenant access to their Teams and SharePoint environments. This creates a channel that can be exploited by cyber criminals. The challenge is that you can't enforce your typical security policies (like password complexity or multi-factor authentication) on these accounts.
Despite this, third parties and external users can still have access to sensitive SharePoint and OneDrive documents. They may also be part of multiple Microsoft 365 distribution and teams groups, creating a unique window for attackers to leverage. If their account is breached, attackers could abuse their access to your environment to steal data or launch further attacks.
Read more about external sharing in this guide to SharePoint security.
Create a governance plan that determines what external users can do, data they can access, and what they can and can't share.
Establish clear policies around external collaboration, including what types of data can be shared, with whom, and for how long. Communicate these policies to both internal and external users.
Disable anonymous sharing and limit the external sharing of sensitive data.
Configure SharePoint and OneDrive settings to prevent unauthenticated access and restrict external sharing for sensitive sites and files. Use sensitivity labels to classify and protect critical data.
Properly configure Microsoft's native DLP capabilities for Exchange, SharePoint, OneDrive, and Teams.
Leverage Data Loss Prevention policies to detect and prevent the unauthorized sharing of sensitive information with external parties. Set up rules to block or restrict sharing based on data classifications.
Monitor your DLP configurations for configuration drift.
Regularly audit your DLP settings to ensure they haven't been modified or disabled, which could allow sensitive data to be exposed. Use tools to track and alert on configuration changes.
Enforce a process to detect external users in Teams and SharePoint.
Regularly review the list of external users and their permissions across your Teams and SharePoint sites. Remove access for users who no longer require it or whose accounts show suspicious activity.
Identify public Teams groups.
Scan for Teams that allow public access and verify they don't contain sensitive data or discussions. Restrict public groups to only those with a legitimate business need.
Look for SharePoint sites with external sharing and no expiration policy.
Find sites that allow external access indefinitely and implement expiration policies to automatically revoke access after a set period. This ensures external users don't retain access longer than necessary.
Track all OneDrive files that are being shared externally.
Monitor for sensitive files stored in OneDrive that are being shared with external parties. Investigate any unusual sharing activity or files being accessed by unauthorized users.
Develop a lifecycle management process to decommission unused sites.
Implement a process to identify and archive inactive Teams and SharePoint sites, removing external access in the process. This reduces your attack surface by eliminating stale external permissions.
Read the full list of Teams governance best practices in the Essential Guide to Microsoft Teams Governance: Best Practices, Plans, and Templates.
In a research effort that identified more than 15 billion credentials in circulation on the dark web, Digital Shadows found domain admin accounts being auctioned for $120,000 on dark web marketplaces. cybercriminals can bypass the early stages of the attack by searching on the dark web to get ahead.
Attackers actively seek out compromised Microsoft 365 accounts on the dark web, especially those with administrative privileges. With a stolen Global Admin account, an attacker could gain unrestricted access to your entire tenant on M365. They could exfiltrate sensitive data, deploy malware, modify configurations, and wreak havoc on your business.
Enforce least privilege access for Microsoft 365 admins.
Compliance mandates like NIST, SOX, NIS, ASD, and others all require that organizations enforce least privilege. This is especially important for Microsoft 365. Global Admin and other privileged accounts give cyber criminals the power to destroy your business. Try to delegate just enough privilege to administrators and regional teams. If you struggle with Microsoft's delegation capabilities, seek a purpose-built solution to create least privilege access to your tenant.
Enforce strong credential standards for all Microsoft Online accounts.
Require complex passwords. Educate users on password best practices. Consider using a password manager. Implement banned password lists to prevent the use of commonly compromised passwords.
Enforce multi-factor authentication and a zero-trust approach for all logins.
Multi-factor authentication (MFA) adds a critical extra layer of security. Even if a password is compromised, attackers can't access the account without the second factor. Adopt a zero-trust model that continuously verifies every access attempt.
Build a best-practice governance plan for Microsoft 365 with our Governance Starter Kit.
Work with third parties to get an assessment of your dark web profile and risk exposure.
Engage a reputable cybersecurity firm to scan dark web marketplaces and forums for any mentions of your organization's accounts or data. They can alert you if any of your Microsoft 365 admin credentials are being sold or traded by cybercriminals. This early warning allows you to proactively reset compromised accounts before they can be abused.
As a leading Microsoft 365 management platform, CoreView offers a range of free tools for securing Microsoft to help organizations get a head start in assessing and improving their security posture. These tools provide valuable insights into vulnerabilities and misconfigurations that attackers could exploit to gain entry into your environment.
For example:
Ready to begin improving your M365 security posture one step at a time? Check out our list of free tools to see how they can help!
