Forum Discussion
How Microsoft thwarts phishing attacks with Office 365
A few updates that might be of interest including the risk of ransomware infecting Office 365 mailboxes and the corresponding mitigation.
Ransomware is a well-known threat that usually comes in via phishing links or via email attachments. Taking this to the next level there is a risk of Office 365 mailboxes from being encrypted and held for ransom. Other cloud services may also be affected.
This was shown a couple of days ago on an Office 365 mailbox, while it was simulated it's still alarming and well worth reviewing.
Here is a https://youtu.be/VX59Gf-Twwo, which shows a link in a phishing email being clicked and the user agreeing to grant rights, then all emails being encrypted and then finally the ransom being paid and all emails restored:
It's possible to mitigate this threat but it does have implications, as it requires turning Integrated Apps off on a tenant per https://support.office.com/en-us/article/turning-integrated-apps-on-or-off-7e453a40-66df-44ab-92a1-96786cb7fb34, this setting is on by default:
Obviously, review the impact before changing this setting. Coaching/training staff in how to spot phishing emails is crucial and not to act upon when they are instructed to carry out actions, like clicking links etc. Make sure staff know about Safety tips and how to take them into account - https://support.office.com/en-us/article/Safety-tips-in-email-messages-in-Office-365-fb4f8e49-0468-4be2-8fa6-99501f1ad9d5.
Also, it's important that when harmful spam/phishing does get through that these are reported properly, here are are some instructions on how to do this - https://blogs.msdn.microsoft.com/tzink/2017/11/30/when-creating-support-tickets-about-spam-be-sure-to-include-message-headers/.
- Yes, it will be really important to set company tenant right regarding security. Which must be carefully balanced between security and usability.
That's true Petr, it's always a balancing act and is important to get the right approach, that doesn't unnecessarily diminish productivity but also protects from different types of threats. Things like conditional access and MFA are great in those regards.
Microsoft has talked more about what they are calling Illicit Consent Grants, which was the approach used in that proof of concept to encrypt a user's Office 365 mailbox for ransom.
"Office 365 Security has been tracking an emergent threat to customer data in the Office 365 cloud over the last year. This blog post is intended to help IT Administrators of Office 365 organizations detect, monitor, and remediate this threat."
Microsoft is recommending admins proactively run at least weekly a script to unearth applications with illicit permissions. Further advice here - https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/.
It would be great if these are added in Azure AD reporting, as currently this can only be viewed on a per-user basis in the portal. Then get them added to Secure Score, as an additional check.
The problem for us is only options provided:
- Allow and "grant" all apps to users (and after that checking added apps)
- Allow only set of apps explicitly added by IT (and hoping that we do not miss important app)
But users do not want to contact IT about asking for access. They likely to start complain within kitchens. :-)
I liked if there will be the third option: Let user add the app, IT receive this request and accept or deny the app, then user is notified and app is granted to him.
