Microsoft 365 (M365) is widely used throughout the business world. It offers organizations a subscription-based, cloud-powered productivity platform that includes Microsoft Office applications, such as Excel, Outlook, PowerPoint, and Word. The solution also provides users with OneDrive cloud storage and supports a mobile workforce with real-time collaboration tools.

The platform provides basic security features via Microsoft Defender and limited file recovery capabilities. However, motivated threat actors can exploit the environment if organizations do not take the necessary steps to harden it. Successful attacks can put business-critical data assets at risk.

This article examines the types of cyberattacks targeting M365 and how to protect your business with robust security measures and a third-party backup and recovery solution.

What is the Primary Risk to Microsoft 365 Environments?

Companies rely on M365 to store and process business-critical data. The loss or corruption of this data is a primary risk to M365 environments. Businesses can experience M365 data loss due to several factors, including:

  • Ransomware or cyberattacks from external threat actors;
  • Accidental or deliberate internal actions;
  • Insufficient M365 data retention capacity.

M365 does not provide the built-in, comprehensive backup and disaster recovery capabilities companies need to protect their environment. The basic backup and recovery functionality is not sufficient to safeguard valuable business data. Companies must adopt a third-party backup solution for full M365 data protection.

Why Do You Need to Protect the Microsoft 365 Environment?

Microsoft’s large user base has traditionally made its software a prime target for cyberattacks. However, the most common attacks against Microsoft 365 are not driven by traditional malware delivery techniques. They focus on exploiting compromised credentials and misconfigurations. Teams must be aware of the following attack types when maintaining an M365 environment.

Phishing and credential harvesting

Threat actors can leverage compromised credentials to disrupt an organization’s Microsoft 365 environment. They attempt to harvest usable credentials through a variety of phishing techniques, including fraudulent Microsoft login pages, password reset emails, and malicious voicemails. These attacks target the platform’s users rather than its infrastructure and are designed to bypass typical perimeter defenses.

A successful attack can grant the attacker access to the account and its email. They may use the credentials directly or move laterally through the environment in search of valuable targets for data exfiltration or corruption. Attackers may launch ransomware after identifying mission-critical resources.

MFA bypass attacks

This type of attack circumvents MFA to allow account takeover by threat actors. The attacker may authenticate without triggering MFA, fraudulently obtain MFA approval, or steal tokens from sessions that have already passed MFA. Several techniques are used in MFA bypass attacks, including:

  • MFA fatigue: The attacker already has the password and repeatedly sends MFA push requests. Users may eventually allow access to stop the annoying prompts.
  • Abusing legacy authentication: Attackers may attempt to authenticate using legacy protocols that do not support MFA, such as IMAP or POP3. These protocols are still enabled in many cloud tenants.
  • Session hijacking: Attackers may steal session cookies via malware or malicious browser extensions and then reuse the previously authenticated session. These attacks are difficult to detect and completely bypass MFA.
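The three techniques above each leave a recognizable pattern in sign-in telemetry. The following detection sketch is an added example, not part of the original article or any Microsoft tooling. The event tuples, field order, and thresholds are constructed for illustration and use a simplified, hypothetical schema rather than the real sign-in log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in a simplified, hypothetical schema:
# (time, user, client_app, mfa_result, session_id, source_ip)
EVENTS = [
    ("2024-05-01T09:00:05", "alice@example.com", "browser", "denied",   "s-100", "198.51.100.7"),
    ("2024-05-01T09:00:40", "alice@example.com", "browser", "denied",   "s-101", "198.51.100.7"),
    ("2024-05-01T09:01:10", "alice@example.com", "browser", "denied",   "s-102", "198.51.100.7"),
    ("2024-05-01T09:01:55", "alice@example.com", "browser", "denied",   "s-103", "198.51.100.7"),
    ("2024-05-01T09:02:30", "alice@example.com", "browser", "approved", "s-104", "198.51.100.7"),
    ("2024-05-01T10:15:00", "bob@example.com",   "imap",    "none",     "s-200", "203.0.113.9"),
    ("2024-05-01T11:00:00", "carol@example.com", "browser", "approved", "s-300", "192.0.2.10"),
    ("2024-05-01T11:20:00", "carol@example.com", "browser", "none",     "s-300", "203.0.113.50"),
    ("2024-05-01T12:00:00", "dave@example.com",  "browser", "denied",   "s-400", "192.0.2.20"),
    ("2024-05-01T12:00:30", "dave@example.com",  "browser", "approved", "s-401", "192.0.2.20"),
]
LEGACY_APPS = {"imap", "pop3"}  # the legacy protocols the article names

def mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Users who approved a push after >= min_denials denials inside the window."""
    denials, flagged = defaultdict(list), set()
    for ts, user, _app, mfa, _sid, _ip in sorted(events):
        t = datetime.fromisoformat(ts)
        if mfa == "denied":
            denials[user].append(t)
        elif mfa == "approved":
            recent = [d for d in denials[user] if t - d <= window]
            if len(recent) >= min_denials:
                flagged.add(user)
            denials[user].clear()  # an approval starts a fresh counting period
    return sorted(flagged)

def legacy_auth(events):
    """Users signing in over protocols that cannot perform MFA."""
    return sorted({user for _ts, user, app, *_ in events if app in LEGACY_APPS})

def session_reuse(events):
    """Session IDs presented from more than one source IP."""
    ips = defaultdict(set)
    for _ts, _user, _app, _mfa, sid, ip in events:
        ips[sid].add(ip)
    return sorted(sid for sid, seen in ips.items() if len(seen) > 1)

if __name__ == "__main__":
    print("MFA fatigue:", mfa_fatigue(EVENTS))
    print("Legacy auth:", legacy_auth(EVENTS))
    print("Session reuse:", session_reuse(EVENTS))
```

A single mistyped denial followed by an approval (the `dave` rows) stays below the threshold, so the fatigue rule only fires on a burst of denials that ends in an approval.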

Admin account takeover

M365 Global Admin and Exchange admin accounts present attractive targets for threat actors. A compromised account allows attackers to modify platform-wide settings, including the security controls themselves, to enable further incursions into the environment. This type of attack exploits M365 implementations that have too many admin accounts or where admins perform administrative work from their daily-use accounts.

How Can You Secure the Microsoft 365 Platform?

Securing the M365 platform requires a dual focus on preventing threat actors from entering the environment and on implementing a comprehensive backup and recovery solution.

Preventing threat actor access

Organizations can take multiple measures to prevent threat actors from gaining access to M365 accounts and data.

  • Enforce strong MFA: Companies should require MFA for all admin accounts and, ideally, for all user accounts. Teams should disable legacy MFA methods and adopt modern alternatives, such as SMS. Users must be trained to avoid falling victim to attacks based on MFA fatigue.
  • Implement Conditional Access policies: Conditional Access provides perimeter defense for M365. Effective policies can block access from high-risk locations, limit admin access to trusted locations, and require admins to use compliant devices.
  • Protect Global Admin and privileged users: Teams should minimize the number of Global Admins, ideally to fewer than five. Admin accounts should not be used for other purposes, such as email or Teams access. Conditional Access and MFA should be required for all admin activity.
  • Enable Microsoft Defender for Office 365: Teams should enable Safe Links and Safe Attachments and implement anti-phishing policies to protect against email-based attacks.
  • Restrict external data sharing: Companies should review and restrict anonymous sharing links and external sharing defaults. All external users should be required to authenticate, and teams should configure sharing links to expire automatically.

Comprehensive backup and recovery for M365

Companies may still experience data loss or require disaster recovery despite their best efforts at preventing threat actors. Cohesity DataProtect offers enterprise-grade cloud-to-cloud backup-as-a-service for SaaS applications, including Microsoft 365. The solution provides data protection that exceeds M365’s built-in capabilities, safeguarding your critical business data with the following features.

Enhanced data security and visibility are provided by:

  • Immutable backups that cannot be modified or deleted;
  • Secure data encryption and flexible key management;
  • Data isolation for compliance support or ransomware protection;
  • Consolidating multiple cloud data sources.

DataProtect offers simple and unified protection with:

  • A single service for multiple SaaS platforms;
  • Tailoring cloud-to-cloud backups to align with your operational requirements;
  • Extending retention periods to meet SLAs;
  • Enabling granular recovery to the original or a new location;
  • A single user interface for hybrid and multicloud data management.

VAST and Cohesity for M365 Data Security

VAST is an authorized Cohesity Partner and supports DataProtect as the best M365 backup and recovery tool. We offer expert assessments of your M365 environment to identify data risks that you need to address. Our teams provide cost-effective support for routine backups and disaster recovery to meet your SLAs and support business continuity.

Contact VAST and learn how our M365 backup solution protects your business.