On July 1, 2021, The U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) released a joint advisory around the ongoing, high-impact targeted attacks on organizations using Microsoft Office 365 cloud services.
Although all Microsoft Office 365 organizations are at risk, there is a heightened risk for those in hybrid environments within government, defense, energy, and higher education branches.
The Threat to Microsoft Office 365 Cloud Services
The advisory released on July 1st indicates a higher use of brute force attacks on email and user accounts for those operating in the Microsoft Office 365 space. Lateral movement into administrative accounts; remote code execution; malware; ransomware; creation of back-door access for future use.
Advisory Recommendations from the Brute Force Global Cyber Campaign Report
- Use automated tools to audit access logs for security concerns and identify anomalous access requests. (p. 7)
- Review indicators of compromise (p. 2)
- Restrict remote PowerShell access to M365 (p. 4)
- Restrict access controls on cloud resources… to ensure that only well-maintained and well-authenticated accounts have access. Change all default credentials and disable Legacy Authentication protocols that use weak authentication which does not support multi-factor authentication. (p. 7)
- Set time-out, lock-out, and secure password policies (p. 7)
- Block access [via Conditional Access Policy] from anonymous IP addresses used by VPN services and specific IP addresses identified from previous attacks (p. 5)
- Implement Microsoft’s Zero-Trust Framework (p. 7)
- Specifically, the most effective mitigation is the use of multi-factor authentication
7 Recommendations to Reduce Brute Force Cyber Attacks on Microsoft Office 365
Use Automated Tools to Access Logs and Identify Security Concerns
When looking at extensive analysis in the attempt to gather insightful infrastructure data – it pays to invest in reliable log management tools that can empower your business workflow.
Utilizing an automated log management tool is beneficial in three key areas.
- Easily pinpoint the root of any application error
- Identify security attacks (before they happen)
- All-encompassing view of how the users apply the software – like Microsoft Office 365
Through the CoreView Health Check, you can enable logging and surface operational issues based on your specific tenant.
- CoreView enables detailed logging across all Microsoft Office 365 workloads, which is not enabled by default.
- Reports take seconds or minutes to run – as compared to PowerShell, which may take hours to run a single report.
- Data from multiple Microsoft information sources are available in individual reports.
- Reports are actionable and can have automated scheduling and response via workflow.
Review Indicators of Compromise
Indicators of compromise act as a warning system to alert the IT pro to hazardous activity early. These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or systems compromise.
These red flags should not be taken lightly and should insight action internally to help mitigate risk and protect your data. CoreView was founded on providing quick action reports to these potential threats and provides a set of reporting that stays one step ahead. Reports like ‘Email Forwarding Outside the Domain’ and ‘Exchange New Management Role Assignment’ are already in place to ensure malicious activity remains at bay.
- Search for Legacy protocol and HTTPs usage by protocol.
- Search for accounts utilizing Legacy Auth and frequency count.
- Search for Application Impersonation Role assignment date/time.
- Search for Application Impersonation Role applied to accounts. CoreView | Analyze | Security Reports | Administrative Roles Role Name = Application
- Search for login attempts from source IP addresses used. Audit | Azure AD Reports | Sign-Ins Events IP Address =
Set blocks as described in Block access [via Conditional Access Policy] from anonymous IP addresses, below.
- Search for Anonymous Sign-In Events indicating possible VPN usage. Audit | Azure AD Reports | Sign-Ins from Anonymous IP Addresses
- Search for Firefox (Mozilla) connection attempts. Audit | Azure AD Reports | Sign In Events Device Information contains Firefox.
Restrict Remote PowerShell Access
Although PowerShell is generally treated as a trusted application by security software– it has also become an increasingly popular avenue for malware attacks.
By utilizing CoreView Custom Actions for M365 PowerShell Commands, these accounts are secured with a CoreView service account leveraging Azure Key Vault services and customers’ own Conditional Access policies – invulnerable to these exploits. End users do not need access to remote PowerShell, thus meeting the recommendations.
Restrict access controls on cloud resources
Human error is one of the top reasons for data breaches in the cloud, as administrators forget to turn on basic security controls. By reducing the number of hands in the kitchen you will be able to provide greater control of your ecosystem and ensure it runs smoothly.
Set time-out, lock-out, and secure password policies
Azure AD does not provide controls for Session time-out and lockout policies. Surprisingly, without session controls such as CoreView’s “Revoke User Sessions” management action, the session timeouts are up to 90 days for SharePoint Online mobile access, 5 days for SPO client access, 8 hours for the M365 admin center, and 6 hours for OWA.
For Yammer access it is forever, and for Azure AD, “Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked.”
Block access [via Conditional Access Policy] from anonymous IP addresses
If you detect that someone has launched a brute-force attack against your site (such attacks generate a huge amount of fail login attempts in your log), you can block the attacker’s IP address from accessing your site completely.
CoreView can easily pinpoint the location where that anonymous traffic has come from and provide an easy solution to shut down the attacks.
Implement Microsoft’s Zero-Trust Framework
According to Microsoft, their own Zero-Trust implementation… “journey began a few years ago and will continue to evolve for years to come”
CoreView’s management actions and reports provide configuration and constant validation of critical Microsoft Zero Trust elements, specifically for Identity Management, Device Management, and Least-Privilege Access.