Microsoft 365 Breaches - As preventable as they are common

Sash Vasilevski, Octiga co-founder and cyber security expert, explains why stopping unauthorised access to Microsoft 365 is complex, requiring specialist tools, like Octiga.
Cybersecurity
Written by
Guest Author
Published on
June 27, 2024

The Problem

It seems like every other day there is a public announcement of a compromise involving unauthorised access to Microsoft 365. Privately, my security consultancy team are called in more often than we would like to deconstruct a compromise and determine if a notifiable data breach has occurred.

As organisations move to adopt more and more features, tools and products of M365, more data is finding its way into the platform, becoming the de-facto centralised repository for all types of commercial, sensitive,personal and confidential information.

Due to the frequency and commonality of these Microsoft 365 breaches, I wanted to deconstruct the crucial elements and provide recommendations for howto prevent these based on our first-hand experiences.

Entry Points

The manner in which the breach occurred can be summarised as one (ormore) of the following:

  1. Inadequate or inappropriate M365 security configuration
  2. Weak or ineffective implementation of (often complicated) security controls
  3. Human behaviour

I'll cover each of these individually.

#1 - Inadequate or inappropriate M365 security configuration

Microsoft provides a new tenancy with many, many default settings and many of the security configuration parameters are designed for maximum compatibility. Think the 5-year-old multi-function printer that does not support TLS for SMTP, so to avoid interrupting the scan function, weaker email protocols are supported for all mailboxes by default.

Microsoft has been making some great improvements over time by adjusting defaults and in some cases, retrospectively changing weak protocol support,however it is limited by the risk of causing disruptions.

There are over 150 basic configuration parameters that need to be set and the vast majority are only accessible via PowerShell or by using the GraphAPI. This leaves many parameters in a weak or exposed state, where they could be used individually to gain unauthorised access or chained together to exploit a human to gain access.

Example: Bypassing MFA

The classic example is where 'legacy' authentication is enabled to support older email clients such as Outlook 2010. Larger organisations may have invested heavily in perpetual Office licenses and may be slow to replace these with M365 subscriptions that include the newer client. Organisations may opt for the front line worker 'F' license type rather than the enterprise 'E'license for cost reasons where front line workers don't require the same functionality as back office corporate staff.

Modern (read secure) authentication is used by current versions of Outlook, however when Outlook 2010 tries to connect to M365 with legacy authentication enabled, M365 will downgrade its security for the connection to support Outlook 2010. Since legacy authentication does not support multi-factor authentication, attackers have been using this technique to bypass MFA. Attackers harvest, guess weak or reuse previously breached usernames and passwords to connect to M356 using what looks like Outlook 2010 to trigger a legacy authentication protocol downgrade, thereby bypassing MFA.

#2 - Weak or ineffective implementation of (often complicated) security controls

Time and time again we're validating the effectiveness of security controls only to discover what appears like valid in-place security controls are anything but. Whilst the M365 GUI can show MFA enabled or enforced for particular users, legacy authentication (#1 above) is not the only weakness.Azure - the underlying authentication and authorisation of M365 - includes Conditional Access Policies (CAPs) as one powerful feature included in some license variants.

Example: The Ineffective Access Policy

CAPs are used to provide granular access to applications with layered grant, deny or challenge rule sets. The issue is one of complexity and we are often presented with 20+ CAPs that individually seem to provide logical access policies, however when digging deeper and validating common scenarios we discover glaring gaps and unexpected behaviour resulting in layered scope inclusions and exclusions. We've discovered entire business units that never require MFA or could maintain persistent sessions originating from high-risk countries for months.

What the GUI seems to suggest is a reasonable control and expected behaviour, however this presents a false sense of security. I suspect that the simplicity of the CAP interface - literally clicking a few check boxes -attracts those without experience and expertise into configuring these settings and reporting to management as being in place and effective. Unfortunately,we are yet to come across a single M365 environment secured by a general IT MSP (versus a cyber security specialist) that does not have a difference in expected vs actual security control implementation.

#3 - Human Behaviour

Much has been written about human behaviour and how it affects cyber security, however it often boils down to everyone is busy. With this comes behaviours and often shortcuts in order to be more efficient during their busywork days (or nights). Human risk with regards to M365 compromises can be broken down into the following:

(i) Password reuse

(ii) Password capture

(iii) MFA fatigue

The first two are fairly common and coupled with the MFA bypass covered in #1 above, are trivial to exploit and gain unauthorised access.

Example: Ineffective MFA

MFA is a no brainer and one of the best bang-for-buck security controls that you can implement. However, its implementation and effect on humans means its protection can deteriorate. MFA fatigue and phishing-resistant MFA are two examples of how MFA is implemented is just as important as implementing it.

Firstly, is the scenario that led to the Twitter breach - too many MFA prompts leading to someone clicking to grant access to an unauthorised access attempt that triggered an MFA prompt. When you receive hundreds of MFA approval requests per day, how do you know which ones are legitimate?

MFA Push Request

Rather than a push notification request to grant or deny, the request asks to enter the number displayed at the point of making the request. I.e. if you have not made the request, you won't know the number associated with the request to enter into your mobile authenticator application. This technique (along with physical tokens) are resistant to phishing and the effects of MFA fatigue.

Impact

As more and more data is traversing or being stored in M365, the impact of an M365 breach increases. We have seen environments where over 10 years of sensitive customer PII is stored in user or shared mailboxes, with a treasure trove of identification documents in some cases. In this case, Notifiable Data Breaches scheme required the organisation to manually sift through thousands of individual emails and advise individuals who may have been impacted by the breach.

To further complicate assessing the impact of a breach, certain M365 licenses include an ability, if enabled and properly configured, to access item-level auditing. What this allows us to do when performing a forensic investigation is determine which individual data objects were accessed, such as individual emails. It's far better to know exactly what was accessed and respond accordingly, rather than having to assume all content in the mailbox was compromised. However, the function needs to be enabled!

Activity Sample

Further compounding the issue are processes and sharing policies. Sending attachments vs OneDrive/SharePoint links, non-expiring or anonymous (sharable) links are all configurable and policies enforced to help users avoid widening the impact of an account compromise.

The other consideration is duration of stored activity. The default is to store logs for 90 days and this is also a limitation for most M365 license tiers. This proves a challenge when trying to determine when the original breach occurred, what has been accessed and if other accounts are affected.

At the end of the day, what we're aiming for - and it's very much achievable - is make it difficult to compromise M365, but when an account is compromised, the impact is inconvenience rather than catastrophe.

Recommendations

• Ask your IT service provider / MSP if they use a tool, like Octiga, to implement proven M365 security baselines that instantly highlight current risks; that proactively catch and remediate risks before they come breaches.

• Insist that they use a tool, like Octiga, to catch and remediate breaches either automatically or via their L1 team. This ensures breaches are caught in minutes, not weeks and so minimises exposure.

• Insist that your IT service provider / MSP delivers security reports from a tool, like Octiga, that are tailored to the specific security needs of your business (unlike Microsoft Secure Score) and that prove your business is secure.

Take Octiga for a spin

See what your team can do with a single platform