By Patrick Lonz, President, Compliant Workspace

I’m on calls often these days with firms wanting my opinion on their “cybersecurity” strategy. We usually have a lengthy, spirited discussion about what they ought to be doing about it, or ought not be doing. I then hang up and have a little chuckle to myself, because I quickly realize they don’t even know what cybersecurity means, but sure as the dawn, they’re convinced they need to do something about it, and fast! Then I think about the cloud and believe that’s where they should be, for obvious reasons, and being a managed Microsoft 365 cloud service provider, I am fully behind the Microsoft Cloud (as an option for companies to run their complete operation). However, nobody has stepped up and said: “To be secure on the cloud, here’s the first step you need to take, here’s the second step, and here’s step three. Then be done with it!”

But Cybersecurity Isn’t Complicated These Days

Now at this point I know what you’re going to say: “But cybersecurity is complicated these days, and hackers are launching new and improved attacks every day; it’s always changing.” Not really. The basic rules of protection still apply, and the reality is you’re being pulled in every direction by new security vendors trying to up-sell you on add-on products you don’t need. But in any case, let’s focus on a typical company that’s on Microsoft 365 and what it means to make it “cybersecure”. Because when you transplant your whole office to the cloud, you immediately become a target: a simple DNS lookup of your domain’s MX records (for Exchange Online they point at mail.protection.outlook.com) tells anyone you’re on the Microsoft cloud, and then they’ll pull out their bag of tricks.

But let me be clear when I say, “you can use the built-in tools to make Microsoft 365 cybersecure”: I am NOT talking about large firms. I don’t mean banks, insurance companies or the government, because they are constantly targeted and will surely use third-party tools to help them make Microsoft 365 cybersecure. They will also outsource this to a dedicated team of professionals, and that works for them.

I am talking about the typical small firm: a firm with 10-25 employees without a dedicated IT person, who wants to keep it that way by choosing a Microsoft 365 cloud solution that’s preconfigured, with cybersecurity already set up, without having to worry whether they are open to basic attacks, spend hours trying to configure tools, or pay for additional add-ons to make them cybersecure.

Step One. Turn On MFA for Everyone on Microsoft 365

The first thing you want to avoid is a hacker getting the password of someone who’s on Microsoft 365, which can be so easy. Let’s do a real-world example now with a typical employee; we’ll call him Bob. Bob goes off and signs up for the monthly newsletter of his favorite fly-fishing site in Montana by giving a username and password. Meanwhile, Legendary Fly Fishing has a totally insecure, wide-open site for any hacker who happens to scan it. This time a hacker finds Bob’s email address and the password he used on this site (Bob also uses the same password for everything). Now the hacker is excited!

“Hackers get excited when they find out your employees use the same password for everything, especially when they sign up for a wide-open site like that fly-fishing newsletter in Montana.”

He’s got Bob’s email address and password and knows he is on Microsoft 365. He brews himself a fresh pot of coffee, sits at his laptop and gets to work, hoping your company also signed up for Microsoft 365 before October 21, 2019, when MFA was not yet a requirement on new tenants, or that he might get really lucky and find you happened to turn off MFA for your 365 tenant (which any admin can do with a click at any time).

But you’ve gone ahead and made sure to enable MFA, so when the hacker attempts to log in to Bob’s Microsoft 365 account, an approval prompt immediately pops up on Bob’s phone because he has the authenticator app installed. Bob taps Deny, since he didn’t log in, and the hacker is shut down. MFA has done its job and a potential hack is thwarted. One thing to drill into Bob as well: a prompt he didn’t trigger means someone else already has his password, so he should report it to IT and change that password right away, and never approve a prompt just to make a string of them stop.
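Here is how you check, from the admin side, that the story above actually holds for your tenant. This is an added example written for this post using Microsoft Graph PowerShell, not anything from the original article or from Microsoft’s own guidance. It assumes the Microsoft.Graph module is installed, that the account you connect with can read policies, users’ registration details and sign-in logs (Global Reader is enough), and that the tenant has Microsoft Entra ID P1 for the sign-in log query (Business Premium includes it). No tenant-specific names are needed; the error code and property names are Microsoft’s.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# is installed and the signed-in admin can read policies, registration reports
# and sign-in logs. Nothing here is tenant-specific.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Security defaults = the no-cost, tenant-wide MFA baseline. If an admin
#    "turned MFA off with a click", this is usually the switch they flipped.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    "Security defaults are ON: every user must register for MFA."
} else {
    Write-Warning "Security defaults are OFF. Unless a Conditional Access policy requires MFA, Bob's leaked password is enough to log in."
}

# 2. Users who have never registered an MFA method. These are the accounts a
#    password from a breached fly-fishing site opens straight up.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
"{0} user(s) have no MFA method registered:" -f @($notRegistered).Count
$notRegistered | Select-Object UserPrincipalName, IsAdmin, IsMfaCapable | Format-Table -AutoSize

# 3. Denied or unanswered MFA prompts in the last 7 days. Error 500121 is
#    Entra's "strong authentication failed" code: a correct password followed by
#    a failed MFA step is exactly the Bob scenario, or a push-bombing attempt.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$mfaFails = Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 500121 and createdDateTime ge $since"
$mfaFails |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{ n = "User"; e = { $_.Name } }, Count,
                  @{ n = "SourceIPs"; e = { ($_.Group.IpAddress | Sort-Object -Unique) -join ", " } } |
    Format-Table -AutoSize
```

Run it once a month. A user with dozens of 500121 entries from one foreign IP is the hacker in the story; a user who never appears in the registration report at all is the one he will try next.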

Step Two. Security Awareness Training

“A Security Awareness Training Program means employees don’t bite: they don’t open spam or click spoofed links; instead they forward them to IT support.”

Alright, let’s stay with our hacker, since he still has his pot of coffee on the go, and see what he does next. We know he can’t get at your employees on Microsoft 365, i.e., use their email or steal documents from their OneDrive or SharePoint, so he will now go phishing (not for trout in Montana) but for passwords. This time, however, he’ll target the third-party apps a company like yours typically uses, such as accounting or a CRM (which, by the way, are cloud based now, also use Bob’s email address as his login, and who knows if MFA has been set up on these apps. Probably not.)

At this point the hacker can see Bob is an accounting associate, so he cleverly crafts an email for him that looks like it comes from the director of accounting; he knows who she is from the contact page on your website. The email says: “Bob! We need you to urgently reset your password to QuickBooks ASAP since you have been recently locked out of your account and your profile must be updated immediately!”

Also included at the bottom of the email is a link to a fake reset page that sends whatever Bob types straight to our hacker. And boom! Our hacker sits back and waits for Bob to bite. In other words, he hopes Bob will click the link and enter his QuickBooks password, which the hacker can then use to log in to your client database, where the real fun begins: he’ll start abusing your clients’ credit-card details.

Unbeknownst to our coffee-swilling hacker, though, Bob has been diligently taking your company’s Security Awareness Training Program and he doesn’t bite, meaning he doesn’t click the link or type anything into it; instead he immediately forwards the email to IT support, who recognize it as phishing and block any further messages from this sender.

The Security Awareness Training you signed your company up for was designed specifically for your employees, because you know the risk involved when you move your company to the Microsoft 365 Cloud. Luckily, the training included a baseline test of all employees to assess how prone they were, carried out by running regular simulated phishing attacks. This was designed to flush out those who frequently got duped and might expose their Exchange email accounts or their files in SharePoint or OneDrive. They were then emailed video training on how to spot suspicious emails in the future. What you want your Security Awareness Training to do:

  • Baseline test all employees to assess how prone they are

  • Run regular simulated phishing attacks

  • Flush out those who frequently get duped

  • Email them video training on how to spot suspicious emails in the future

Step Three. Block Incoming Cyber Threats Aimed at Your Microsoft 365 Users

By now our hacker is almost halfway through his pot of coffee, and he knows that you know you’re being targeted. You’ve got MFA configured, and all employees are taking Security Awareness Training to help protect their Microsoft 365 accounts from being attacked, but our hacker is not done. He’ll simply start spoofing your people from a different address. No worries, Microsoft 365 has the built-in tools to help with this as well.

However, you need to know that these built-in tools to block further threats aren’t all enabled by default, and they are hard to find and configure. On the other hand, they are included in your subscription (one caveat: the anti-phishing threshold, impersonation protection, Safe Attachments and Safe Links come from Defender for Office 365, which Microsoft 365 Business Premium includes but Business Basic and Business Standard do not). What’s important here is that you don’t need to buy or configure third-party security add-ons from the big names trying to get into this space (AvePoint, Mimecast, Proofpoint, etc.). Also, understand that if you use those third-party add-ons they sit between you and the rest of the world, meaning you’ll need to repoint your MX record so they filter all email between you and everyone else (adding another support company to call if email’s not working). Nonetheless, we’re going to continue with my theory that you can use the built-in tools from Microsoft to protect yourself from any additional threats from our highly motivated (and caffeinated) hacker today.

Stopping Blatant Attacks with Microsoft 365’s Built-in Tools

“We secure you on Microsoft 365 using its built-in tools: MFA, anti-phishing, spoof intelligence, malware and ransomware blocking, and Safe Attachments with Safe Links.”

At this point, the first incoming threat you need to protect your employees against is these blatant email phishing attacks. To set up anti-phishing, go to the Microsoft 365 Defender portal, open Threat policies, edit the default anti-phishing policy, and first change the phishing email threshold to Aggressive and enable spoof intelligence. Then, in the Preset security policies section of Threat policies, turn on Strict protection for your users (a preset takes precedence over the default and custom policies for the users it covers).

And finally, under impersonation protection, add the people attackers would most like to impersonate (your director of accounting, for one) and set the action so any email that impersonates one of them is redirected to the security admin, who can tighten up the settings if need be.

The next incoming threat you need to protect against is malware (a nasty program that arrives in an email or is downloaded off a website and wrecks the computer it runs on). To protect everyone from this, use the inbound anti-malware policy applied to all users. In the Microsoft 365 security portal, edit the default anti-malware policy and enable the common attachments filter; thankfully you just click a button and it adds all the file types like .ace, .ani, .apk and so on, which are then blocked regardless of whether the scanner recognizes the payload.

Then you’re going to make sure everyone on Microsoft 365 is protected against malicious attachments and URLs. You want this because people will be downloading documents like spreadsheets from who knows where and sharing them with everyone. Then they’ll be saving these infected Excel, Word or PowerPoint files in SharePoint, OneDrive and Teams, which spreads the malware-infected files to everyone in the company.

To protect everyone from malicious attachments, create a Safe Attachments policy in the Microsoft security portal. Select the Replace action (block the attachment with detected malware but still deliver the message), so people at least get the email with the malware removed and can contact the sender to tell them they’re infected. Then select the option to redirect the detected attachment to IT so they can further tighten things.

Then you’ll create a Safe Links policy, which rewrites the URLs in email, Teams and Office documents and checks each one at the moment it is clicked, blocking the malicious ones; keep click tracking on so IT can see who clicked what.
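Everything in Step Three up to here is a handful of policy settings, so here is the same configuration applied with Exchange Online PowerShell instead of clicking through the Defender portal. This is an added example written for this post, not configuration from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, a licence that includes Defender for Office 365 (Business Premium does), and placeholder values for the domain, the security admin mailbox and the list of people to protect from impersonation. Turning on the Strict preset is still easiest in the portal, and because presets take precedence over the policies below, anything the preset sets for a user wins.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement
# and a Defender for Office 365 licence. Domain, mailbox and names are placeholders.
Connect-ExchangeOnline

$Domain   = "contoso.com"              # placeholder: your accepted domain
$SecAdmin = "secadmin@contoso.com"     # placeholder: where detections are redirected
# People attackers like to impersonate, in Microsoft's "Display Name;address" format (placeholders)
$VipsToProtect = @("Dana Director;dana@contoso.com", "Chris CEO;chris@contoso.com")

# --- Anti-phishing: default policy, Aggressive threshold, spoof + impersonation protection ---
$antiPhish = @{
    Identity                            = "Office365 AntiPhish Default"
    PhishThresholdLevel                 = 2            # 1 Standard, 2 Aggressive, 3 More, 4 Most aggressive
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "Quarantine" # spoofed senders that fail SPF/DKIM/DMARC composite auth
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $VipsToProtect
    TargetedUserProtectionAction        = "Redirect"   # impersonation of a protected user goes to the security admin
    TargetedUserActionRecipients        = $SecAdmin
    EnableOrganizationDomainsProtection = $true        # look-alikes of your own domains
    TargetedDomainProtectionAction      = "Quarantine"
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
Set-AntiPhishPolicy @antiPhish

# --- Anti-malware: the "common attachments filter" plus admin notification ---
$malware = @{
    Identity                               = "Default"
    EnableFileFilter                       = $true        # blocks the built-in list (.ace, .ani, .apk, ...)
    FileTypeAction                         = "Quarantine"
    ZapEnabled                             = $true        # zero-hour auto purge: pull mail that was already delivered
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = $SecAdmin
}
Set-MalwareFilterPolicy @malware

# --- Safe Attachments: detonate unknown attachments; Replace keeps the mail, drops the file ---
if (-not (Get-SafeAttachmentPolicy -Identity "All Users Safe Attachments" -ErrorAction SilentlyContinue)) {
    # If your tenant rejects Redirect together with Replace, drop the two Redirect
    # parameters: detections still land in quarantine where admins can review them.
    New-SafeAttachmentPolicy -Name "All Users Safe Attachments" -Enable $true `
        -Action Replace -Redirect $true -RedirectAddress $SecAdmin
    New-SafeAttachmentRule -Name "All Users Safe Attachments" `
        -SafeAttachmentPolicy "All Users Safe Attachments" -RecipientDomainIs $Domain
}

# --- Safe Links: time-of-click URL checks in mail, Teams and Office, with click tracking ---
if (-not (Get-SafeLinksPolicy -Identity "All Users Safe Links" -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name "All Users Safe Links" `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false
    New-SafeLinksRule -Name "All Users Safe Links" `
        -SafeLinksPolicy "All Users Safe Links" -RecipientDomainIs $Domain
}

# --- Verify the settings actually took ---
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object PhishThresholdLevel, EnableSpoofIntelligence, EnableTargetedUserProtection, TargetedUserProtectionAction
Get-MalwareFilterPolicy -Identity "Default" | Select-Object EnableFileFilter, ZapEnabled
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect
Get-SafeLinksPolicy     | Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, TrackClicks
```

The verification block at the end is the part to keep: run it after any admin change and you will notice the day someone quietly sets the threshold back to 1 or disables click tracking.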

The Last Trick. Ransomware Aimed at Exchange, SharePoint, OneDrive and Teams

Ok, our villain is pouring his last cup of coffee and getting jittery. He’s going to pull out his last trick: ransomware. But don’t worry, I’m not going to rattle off dozens of stats telling you how bad ransomware is, or that it’s on the rise, or that so-and-so company got compromised and had to pay a million bucks to get their data back. Nor am I going to point out one simple fact: the answer to ransomware is doing your daily backups, kept somewhere the attacker can’t reach from a compromised account and restore-tested now and then, and that’s all you need. In reality, if you do get “ransomwared” (I’m not sure that’s a word) and some data gets locked by the bad guys, you just restore last night’s backup over top of it. Oh, and don’t forget to send them a huge smiley-face emoji when they ask for your bitcoins.

But the really funny thing about ransomware and Microsoft 365 is that, by default, Microsoft does not back up your data in the traditional sense. What you get is version history, recycle bins and the OneDrive and SharePoint Files Restore feature, which can roll a library back up to 30 days, and that’s it; all your data sits on their systems ready to be locked. When you think about it, it’s an attacker’s dream: unless you add a third-party offsite backup tool, everyone’s Exchange data (email and everything), their personal OneDrive, SharePoint and Teams chats can be locked at any time. But I’ll rant about that in another blog. In the meantime, we’re going to pump up the ransomware protection for your Microsoft Cloud users, since we now know nothing is backed up off the Microsoft Cloud.

Again, to protect your employees from ransomware on Microsoft 365, you’re going to use another built-in tool, the Exchange admin center, included with your subscription. For this you’ll have to go to a whole other portal (I don’t know why) and create a mail flow rule that applies to all incoming email for all your users. You add a list of file extensions that malware typically arrives as, such as .bat, .cmd and a whole bunch of others. The rule blocks any message carrying one of those attachments (it matches the extension, not whether the file is actually ransomware), quarantines it, and finally sends an incident report to your IT admin so they know someone is trying to “ransomware” you.
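The mail flow rule from this step, created with Exchange Online PowerShell rather than in the Exchange admin center. This is an added example written for this post, not from the original article; it assumes the ExchangeOnlineManagement module and a placeholder security admin mailbox, and the extension list is a constructed starting point, not Microsoft’s. It goes one step past the article by adding a second rule on executable content, which matches on what the attachment actually is rather than what it is named.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement;
# the admin address and the extension list are placeholders to adjust.
Connect-ExchangeOnline

$SecAdmin = "secadmin@contoso.com"   # placeholder: receives the incident reports

# Constructed list of extensions that have no business arriving by email in a
# 10-25 person firm. Trim it to fit your own workflows before enabling.
$BlockedExtensions = @(
    "bat", "cmd", "com", "cpl", "exe", "hta", "iso", "jar", "js", "jse", "lnk",
    "msi", "ps1", "reg", "scr", "vbe", "vbs", "wsf", "wsh"
)

# Rule 1: the article's rule. Match on extension, hold in hosted quarantine,
# tell the admin. Note it is name-based: payload.exe renamed to invoice.pdf slips past it.
$byExtension = @{
    Name                            = "Block ransomware-prone attachment types"
    AttachmentExtensionMatchesWords = $BlockedExtensions
    Quarantine                      = $true
    GenerateIncidentReport          = $SecAdmin
    IncidentReportContent           = @("Sender", "Recipients", "Subject", "RuleDetections")
    Comments                        = "Extension-based block; pairs with the anti-malware common attachments filter."
}
New-TransportRule @byExtension

# Rule 2: Exchange inspects the file content for this condition, so a renamed
# executable is still caught. Same quarantine and report actions.
$byContent = @{
    Name                           = "Block executable content regardless of extension"
    AttachmentHasExecutableContent = $true
    Quarantine                     = $true
    GenerateIncidentReport         = $SecAdmin
    IncidentReportContent          = @("Sender", "Recipients", "Subject", "RuleDetections")
}
New-TransportRule @byContent

# Confirm both rules exist, are enabled, and see what order they run in.
Get-TransportRule | Where-Object { $_.Name -like "Block *" } |
    Select-Object Priority, Name, State | Format-Table -AutoSize
```

Quarantine rather than delete so the admin can release the rare legitimate installer a vendor sent, and so the incident report has something to point at when you go back to the sender.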

Secure to the Last Drop on the Microsoft Cloud

Our hacker finished his coffee and moved on to another target. We can see that, for many companies who want to be cybersecure on Microsoft 365, the built-in tools will do the job. Although it’s true that you become a bigger target when your firm is on the Microsoft Cloud and you will face all kinds of attacks, you can set up MFA, do Security Awareness Training, and enable anti-phishing policies, spoof intelligence, malware blocking and Safe Attachments with Safe Links, as well as block ransomware, to get full protection. To learn how we can get you on Microsoft 365 fully secure, out of the box, contact us.

About Compliant Workspace

Compliant Workspace is a managed Microsoft 365 cloud service provider committed to giving small companies an option to move their firm to the Microsoft 365 Cloud. With our unique Consolidated 365 Service® we include our Pre-Set 365 Security Template, our 365 Cloud Protect and our 365 Cloud Migration Service that gives your firm an office in the Cloud – fully-secured, fully-protected: out-of-the-box.

Contact us today, and get your firm on the Microsoft Cloud