Office365, other SaaS email services and other Clouds in general can be more secure than having it on-premise; however, security also depends on an important factor: you, the end user. You can spend £1,000 on a physical high-security certified safe and set the PIN to 00000, or put a Post-it note near it with the PIN on, and hey presto, the high-security product or service is greatly weakened by a human being.
The admin account
Go back ten years and usernames were not email addresses but a letter followed by a few random numbers. Now everything is email@example.com or initial-plus-surname as the login. This has made password cracking, guessing and phishing easier.
The admin account should not be the Head of IT's general email address but something different, so it cannot be cracked easily. That is, do not set the admin account as firstname.lastname@example.org but rather something like email@example.com, or more random still, to make it harder to guess.
Two factor authentication
Statistics say only about 10% or less of organisations use 2FA of any form. With usernames being easily guessable as stated above, phishing and password cracking are a problem. Why? With on-premise email, a firewall at times restricted access to OWA (Outlook Web Access); Office365 does not restrict it by default.
Even the entry-level SaaS offering by Microsoft includes 2FA, which not everyone knows. It can authenticate by SMS code, a push notification to the app or an OTP code generated within the app. Start by enabling 2FA for all admins, have them test it for a week, and then gradually enforce it for all users in the organisation.
Consider ATP (Advanced Threat Protection)
Office365's inbuilt antimalware and antispam protection is decent; however, nothing is perfect. By default, links embedded in emails receive only a basic check and files pass through a few standard antimalware engines. More advanced and targeted attacks have a chance of getting through.
Office365 ATP has an RRP of £1.50 per user per month and is great value for its functionality. It has two core functions. First, it automatically sandboxes files whose intent it cannot determine: it runs the file in a safe environment and delivers it only if safe. Second, it rewrites each link so that, on click, the destination is rescanned in the cloud.
Enable SPF (Sender Policy Framework) and DKIM (Domain Key Identified Mail)
Incoming phishing, and spoofing of the organisation's own domain, are big problems. Many Office365 end users' mailboxes receive decent-looking phishing emails with links to copies of the Office365 login page. 2FA helps against the former, while SPF and DKIM make it harder for attackers to spoof the organisation's outbound email.
Setting up SPF is as simple as adding an additional TXT DNS record and enabling it within the Office365 portal. Additional IPs may need to be added, dependent on the organisation's outbound email sending methods. DKIM is set up by another TXT record and digitally signs outgoing emails.
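As an added example (not from the article, and not Microsoft's code), here is a small SPF evaluator in Python that shows what the TXT record actually does when a receiving server checks a message: the sending IP is matched against the ip4/ip6 terms, any include: is followed recursively, and the final -all decides what happens to everything else. The DNS data, domain names and IP ranges are constructed stand-ins; spf.protection.outlook.com is the name Microsoft publishes for Office365, but its contents here are made up. The example also counts DNS-querying terms, because RFC 7208 allows at most ten per check, which is the figure to verify before adding further includes for extra sending services.

```python
import ipaddress

# Constructed DNS data for the example (no real lookups are made). Maps a
# name to the TXT records it would return. "example.org" carries the kind of
# record the article describes: the Office365 include plus an ip4 entry for
# an on-premises relay that also sends mail as the domain.
FAKE_DNS = {
    "example.org": [
        "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"
    ],
    # Stand-in for Microsoft's published record; the real one lists many
    # ranges and is maintained by Microsoft, so never copy it into your zone.
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

# Constructed chain of twelve nested includes, to show the lookup-limit failure.
CHAIN_DNS = {f"hop{i}.example": [f"v=spf1 include:hop{i + 1}.example -all"]
             for i in range(12)}
CHAIN_DNS["hop12.example"] = ["v=spf1 ip4:192.0.2.0/24 -all"]

MAX_LOOKUPS = 10  # RFC 7208: more than ten DNS-querying terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    """Return (status, record); status is None when exactly one record exists."""
    records = [r for r in dns.get(domain, [])
               if r.split() and r.split()[0].lower() == "v=spf1"]
    if not records:
        return "none", None
    if len(records) > 1:  # two SPF records is a common misconfiguration
        return "permerror", None
    return None, records[0]


def check_spf(sender_ip, domain, dns, lookups=None):
    """Evaluate ip4/ip6/include/all terms; other mechanisms give 'permerror'."""
    lookups = [0] if lookups is None else lookups  # shared across includes
    status, record = spf_record(domain, dns)
    if status:
        return status
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term without a qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A bare address becomes a /32 or /128; v4 vs v6 never match.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, arg, dns, lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # an include must resolve to a valid record
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect= not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


def count_lookups(domain, dns, seen=None):
    """Count include terms reachable from domain; keep this at ten or below."""
    seen = set() if seen is None else seen
    status, record = spf_record(domain, dns)
    if status or domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() == "include":
            total += 1 + count_lookups(arg, dns, seen)
    return total


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.10", "192.0.2.7"):
        print(ip, check_spf(ip, "example.org", FAKE_DNS))
    print("lookups used by example.org:", count_lookups("example.org", FAKE_DNS))
    print("twelve-hop chain:", check_spf("192.0.2.5", "hop0.example", CHAIN_DNS))
```

The -all at the end is what makes the record useful: with ~all (softfail) most receivers only score the message, whereas -all tells them to reject it outright. When an extra sending service is added as another include, rerun count_lookups first; once the total passes ten, receivers treat the whole record as an error and the protection silently disappears.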
Tweak all settings
Want totally free extra security? Just go through every security and non-security setting within the portal and tighten it. You can buy the best product or service, but if you leave the defaults on you are losing out on features. Take an IPS, for instance: it has thousands of rules but only 20% are enabled as standard.
Go through every 'sub-portal', read all the settings, and if you do not understand a setting, research it and then enable or disable it. Three to consider: 1. File extension filtering to block known malicious file types. 2. Strengthened anti-phishing/spam for known targeted users. 3. Setting ATP to sandbox attachments before delivery.
As a Microsoft Gold Learning Partner, QA offers the full Microsoft Official Curriculum alongside a QA-authored curriculum that can take you deeper into individual Office 365 products, deployments and best practice. The following courses can support with security on Office 365:
Visit cyber.qa.com for more information on how QA can help solve the cyber security skills gap.
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.