Key Practices to Close the Microsoft 365 Security Gap

MSPs can help bolster customer security via auditing, monitoring and tighter MFA vigilance.

October 21, 2022


By Derik Belair



Microsoft 365 is the new shiny object finding favor with the current army of cyberattackers.

Two of the critical CVEs (common vulnerabilities and exposures) Microsoft announced in September were related to Microsoft Dynamics 365 on-premises remote code execution. CVE-2022-34700 and CVE-2022-35805 give attackers an opportunity to finesse authentication processes to be able to execute arbitrary SQL commands, then escalate commands as the “owner” within the Dynamics CRM database. Since Dynamics includes several CRM and ERP business applications, there is potential for disruption to customer-facing workloads.

Authentication also continues to be an issue for Microsoft Office 365. While multifactor authentication (MFA) can help slow unauthorized access, hackers are already finding ways to circumvent MFA. Earlier this year Microsoft detailed a widespread Office 365 phishing campaign affecting more than 10,000 organizations.

The cyberattackers skirted MFA and were able to use passwords and session cookies to access emails containing financial information. Their goal was to execute BEC (business email compromise) scams and defraud businesses of millions of dollars through payments made. Using a proxy server, the attacker takes over the MFA process by inserting the proxy between the client and Microsoft. Once the MFA prompt is approved, the attacker is in and free to start making phony financial requests.

MSPs as Microsoft 365 Security Partners

Those two examples are just the tip of the iceberg. Microsoft 365 continues to be the most-targeted SaaS platform in the world.

A research report by Egress estimates 85% of organizations using Microsoft 365 have had an outbound email data breach. IT leaders (67%) have seen incidents rising post-pandemic and are notably concerned about protecting client data in a remote/hybrid environment.

In the SMB market, Microsoft 365 risk mitigation, compliance and security updates often compete for time and attention with a limited IT staff. MSPs can play a valuable role in launching a counter-offensive against the constant barrage of cyber threats. To strengthen data protection and prevent financial loss for their customers, MSPs can employ a combination of vigilance, license management and execution, and technology deployment to give SMBs far greater protection in their Microsoft 365 environments.

A good first step is revisiting the Microsoft Secure Score, which measures an organization’s security posture. Treated as a useful starting point rather than as the absolute playbook for all security standards, the score helps MSPs identify additional security defense measures they need to put in place.

MSPs often rely on third-party services to provide security applications, but these aren’t recognized in a Secure Score analysis. Also, Secure Score doesn’t address security-related compliance requirements such as HIPAA, NIST and privacy regulations. It’s good to keep these limitations in mind when developing a complete security platform and communicating with customers.

Securing Microsoft 365

Security professionals are aware Microsoft 365 doesn’t come out of the box with a fully loaded anti-ransomware and anti-social engineering security package. They’re also aware that obtaining cybersecurity insurance at a reasonable rate is tied to demonstrating, among other items, an effective Microsoft 365 security program. However, many companies, particularly SMBs, are now living with even leaner IT and security staffs and finding it difficult to navigate the intricacies of complete Microsoft 365 security. MSPs play a significant part here in closing the staffing and security gap.

Ways to Help Customers Improve Security

These are key areas in which MSPs, working with third-party services, can help customers improve security:

  1. Multifactor Authentication (MFA). We know MFA breaches are occurring, yet MFA is one of the most critical measures to execute. Also critical is blocking any legacy authentication “back doors” that can be used to circumvent MFA.

  2. Email safeguards. Outlook email is the most common point of attack for spammers, and security can be improved by blocking suspicious attachments and highlighting external emails. It is also imperative to have a high-quality spam guard product, in addition to any Microsoft 365 standard filtering. These third-party products can vet emails before they reach the inbox, use machine learning to detect emerging threats, and help protect against denial-of-service (DoS) attacks.

  3. Licensing options. Investigate Azure licenses that can offer more security benefits for SMBs at an affordable rate. For example, the Azure AD Premium P1 licenses cost only $6 more per user compared with the Business Standard plan.

  4. Consistent auditing. SMBs find monitoring security settings a time drag on their limited staff. Third-party services can conduct periodic audits to check for suspicious variances in access control and privilege access management. Auditing can also show precisely which users don’t have MFA enabled and lets MSPs configure alerts to be triggered if MFA is ever disabled.

  5. MSPs can conduct continuous monitoring that will automatically generate tickets for compliance violations.
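
One way to run the audit described in items 1, 4 and 5, as an added example rather than code from the article or any vendor: it compares two exported snapshots of per-user MFA registration, flags accounts that lost MFA, and reports successful sign-ins over legacy protocols. The records are constructed, and the field names are assumed to follow Microsoft Graph's userRegistrationDetails and signIn resources.

```python
# Added example, not from the article. All records are constructed samples;
# field names are assumed to match Microsoft Graph exports.

# Client values that indicate legacy (basic) authentication, which cannot
# complete an MFA challenge and so acts as a "back door" around it.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

def audit(previous, current, sign_ins):
    """Diff two registration snapshots and scan sign-ins; return sorted findings."""
    findings = set()
    before = {u["userPrincipalName"].lower(): u for u in previous}
    for user in current:
        upn = user["userPrincipalName"].lower()  # UPNs are case-insensitive
        if user.get("isMfaRegistered"):
            continue
        if before.get(upn, {}).get("isMfaRegistered"):
            findings.add(("alert", upn, "MFA registered at last audit, now missing"))
        elif user.get("isAdmin"):
            findings.add(("alert", upn, "admin account without MFA"))
        else:
            findings.add(("warn", upn, "no MFA method registered"))
    for s in sign_ins:
        succeeded = s.get("status", {}).get("errorCode") == 0
        if succeeded and s.get("clientAppUsed") in LEGACY_CLIENTS:
            findings.add(("alert", s["userPrincipalName"].lower(),
                          "successful legacy-auth sign-in via " + s["clientAppUsed"]))
    return sorted(findings)

def _u(upn, mfa, admin=False):
    return {"userPrincipalName": upn, "isMfaRegistered": mfa, "isAdmin": admin}

PREVIOUS = [_u("alice@contoso.example", True), _u("bob@contoso.example", True),
            _u("admin@contoso.example", False, admin=True)]
CURRENT = [_u("alice@contoso.example", True), _u("Bob@contoso.example", False),
           _u("admin@contoso.example", False, admin=True),
           _u("carol@contoso.example", False)]
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}},   # failed attempt, not reported
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for severity, upn, message in audit(PREVIOUS, CURRENT, SIGN_INS):
        print(f"[{severity}] {upn}: {message}")
```

Each finding is a (severity, user, message) tuple, so the same list can drive an alert or open a ticket in whatever system the MSP already uses.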

Partnering to Beat the Microsoft 365 Hackers

Companies are adopting Microsoft 365 to leverage their cloud investments, support remote/hybrid workspaces and provide business continuity.

MSPs and their third-party service partners can enhance the benefits of Microsoft 365 by improving security beyond the standard Microsoft 365 out-of-the-box features. By providing security practices like auditing, monitoring and tighter MFA vigilance, companies can avoid becoming prey to the seemingly endless attempts to disrupt Microsoft 365 use in the business world.

Derik Belair is president and CEO at Augmentt. Previously, he was vice president of marketing at SolarWinds, where he led the digital marketing strategy for the company’s cloud division after it acquired N-able Technologies, a company he helped build and sell to SolarWinds in 2013. He has been working in the channel for more than 20 years, having been through the IPO process and several acquisitions. You may follow him on LinkedIn or on Twitter @augmentt_com.
