Many companies are migrating their email systems to Microsoft Office 365 (O365). The majority of security incidents in which we have been engaged in over the past six months involve a hacker successfully phishing an employee of the company (most of the time someone who is an executive in the company) and then spoofing the Office 365 credentials box, so the victim puts his or her user name and password into the hacker’s spoofed O365 pop-up, allowing the hacker full access to the email box.
Once the hacker gets into the email box, he places forwarding rules in the email box so all emails that the victim receives are forwarded to his email account. That way, he can monitor the existing email account, and gain access to all new emails sent to the executive to try to figure out how to either implement a wire fraud scheme, a man-in-the-middle scheme, or steal personal information of the victim or others if such information is flowing through the email traffic.
When the executive or the IT department discovers the incident, usually a forensic firm is hired to review the situation and try to figure out when the hacker was able to get into the system, what data was available, and if any information was ex-filtrated.
Almost every forensic analysis we have been involved in with an O365 incident comes to the same conclusion: the incident could have been prevented if multi-factor authentication had been utilized up front when migrating to O365. Following each O365 incident, the recommendation by the security experts is to implement multi-factor authentication. Learn from these other companies that have been victims of such schemes.
In addition, when the forensic firm requested the O365 logs, in only a few cases were we able to access the logs to determine the date the intruder was able to access the system. This is because apparently when companies implement O365, the auditing function for the logs is turned off by default, and the company has to manually turn the logging function on. Most companies have no idea that this is the case, and assume that the logging is turned on by default and that the logs are or would be available for a security incident. This is not the case, so learn from these companies and turn the logging function on when migrating to O365.