Office 365 – the target on your back
Office 365 is the platform of choice for the vast majority of businesses today. Last year, 56.3% of companies were using Office 365 [1]. 73.7% of enterprises (defined as 1000 seats upwards) are using Office 365 [2]. According to Microsoft’s figures, at the end of 2018, there were 155 million monthly active users [3]. That’s a big number. But even more important – it is growing at approximately 3 million per month. So as a company deploying the solution, is this good news? Do you care?
There is an important, and typically under-appreciated, concern hidden here. If Office 365 is such an attractive product – and the numbers say it is – then it makes Office 365 very attractive to attackers as well. If I’m going to develop tools and capabilities to compromise any given enterprise technology solution, I’m going to choose the most popular. Very simple bang-for-buck economics. Find a single method of compromise and I now have tens of thousands of companies and many, many millions of users to access. Do a quick Google: it ain’t hard to find these attack tools, frequently masquerading as pen test tools.
But that isn’t the end of the concern. Microsoft Office 365 is not a single application. It is an email platform. It is a documentation management platform. It is a collaboration platform. It is a unified communications platform. And if you happen to be using some of the wider components, it can be your CRM and your ERP.
Pause on that thought for a second. If I’m an attacker trying to decide which enterprise technology I should be trying to compromise, not only am I going to choose the most popular one, I’m going to choose one that is likely to give me access to the most data. A single sign-on into Office 365 and hey‑presto, I can see anything and everything.

Bottom line: if you deploy Office 365, you have pasted a target on your back. That said, many of you may have jumped to the obvious counter conclusion: if Office 365 is the most popular solution being used by enterprises today, and if this means it is the most popular solution for hackers to attack, then surely it is also the obvious solution for which enterprising defenders will build new defences?
Yes, and no. Microsoft has a whole suite of security solutions (largely wrapped up within the Enterprise Mobility + Security bucket), some of which they have built and some of which they have acquired. And of course there are many people delivering competing solutions: DLP, MFA, SSO, etc – you are certainly not obligated to use Microsoft’s tools.
However, most people do. What is the path of least resistance when you are deploying Office 365? It is to deploy the Office 365 built-in tools. I’m not arguing here that Microsoft’s own tools are better or worse than the third‑party alternatives available – it will depend on individual tools, your specific needs, your views on the strengths and weaknesses etc.
But I will say that by definition, they suffer from the same inherent challenge that Office 365 suffers from – if the vast majority of people use Microsoft’s Azure MFA, then which MFA platform is an attacker going to focus on defeating? There are increasing reports of MFA defeat, and, completely anecdotally, it does appear that Azure MFA is frequently at the core. This may have nothing to do with its inherent quality as a technology, and everything to do with the fact that it is widely deployed and very popular, and so the obvious attack vector for a hacker.
With all this in mind, it does imply that it’s important to deploy some level of security technology independent of Microsoft. I don’t suppose any reader will be shockingly surprised that I suggest that IDECSI’s solution for monitoring access to Office 365 (and other applications) is the ideal choice. Have a look at this link to see how it identifies potential breaches and malicious activities, and empowers your users to ensure you can process all of the potential breaches – rather than leaving them to fester in your SOC.
A few words about Ben Miller
Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing to market new technologies that change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.
