Securing Office 365 Against Targeted Attacks
Securing Office 365 against targeted attacks is vital for ensuring business continuity.
Many small businesses place their trust in free, entry-level firewalls and anti-virus packages, but relying on them can be risky. Basic email scanning systems are next to useless against targeted attacks, and they often produce false positives, meaning important messages end up in quarantine, where they can easily be overlooked and lost.
Email security is always a difficult balancing act. Become too stringent and you risk missing important documents. But become too lax and you could potentially fall victim to spam and a range of malware threats.
In our experience, hackers understand this balancing act and exploit the gaps it leaves in a security policy.
In the past, IT security professionals looked at products that ran checks based on file attributes, such as blocking executable files. But this type of analysis can easily give rise to mistakes.
Executable files may be quarantined, but certain scripts may have genuine uses. If a company's security policy does not block every form of executable code in email, hackers can use those scripts as an attack vector, targeting email users with scripts that silently download malware.
Malware researcher Andy Norton suggests that rather than attempting to scan emails using malware signatures to identify known attack vectors, companies need to start analysing files dynamically. "For a threat to get through the extensive checks deployed by Office 365, it must deploy a multitude of deceptive techniques. Any anti-malware solution relying on signatures must make a choice: either they choose to cover an extended hash (leading to more false positives) or cover a smaller and more specific hash, which creates the risk of introducing false negatives." As Office 365 becomes more of a collaboration platform, it presents a bigger target for would-be attackers. Dynamic analysis needs to be applied to everything that enters the environment, and a file should pass behavioural analysis before it is considered safe.
Options for Office 365 Alerts
If you have Office 365 Enterprise E5 licensing — or have added the licensing for Advanced Compliance features — then you have access to Advanced Data Governance. Another option is to use a third-party tool that hooks into Office 365 and provides something similar. Advanced Data Governance offers a variety of features, such as automatic labelling of data, advanced retention, advanced eDiscovery, and automatic alerts from within Office 365's Security and Compliance Centre. Likewise, if you have Enterprise Mobility + Security Enterprise E5 licensing, then you have access to the advanced features within Microsoft Cloud App Security, which can also be purchased separately. This offering spots the use of shadow IT tools and also provides advanced proactive alerts and automatic actions for Office 365, to name just a few features. Organisations with basic Office 365 licensing can use third-party products such as Radar Reporting, which uses API access to Office 365 to pull up-to-date data from the service and provide alerts and insights.
Constructing Office 365 Alerts
Admins can configure Office 365 alerts in the Security and Compliance Centre from the Alerts panel. Figure 1 shows alert policies in the Dashboard section. Office 365 Enterprise E5 subscribers get default alerts that cover the basics, including privilege elevation, malware campaigns and unusual file activity.
To create Office 365 alerts, choose Alert Policies, and then select New Alert Policy. A New Alert Policy dialogue will appear. Select the Severity of the alert and the Category. Available categories include data loss prevention, threat management, data governance, permissions and mail flow. The second page of the dialogue shows the Activity picker. The list of activities that can trigger an alert is extensive, covering common user activities, file and folder activities, data sharing, client synchronisation and administration activities. After selecting the activity, configure the trigger threshold: how many occurrences within a given time window must be seen before the alert fires.
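The same policies can be created from Security & Compliance PowerShell with the New-ProtectionAlert cmdlet, which mirrors the Severity, Category, Activity and threshold choices in the dialogue. This is an added example, not code from the original article; the tenant and mailbox addresses are placeholders, and threshold-based (aggregated) alerts are an E5 feature as the article notes.

```powershell
# Added example (not from the original article): scripted equivalent of the
# New Alert Policy dialogue using the ExchangeOnlineManagement module.
# All addresses below are placeholders for your own tenant.

# Connect to Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Threat management alert: every detected malware message in email
#    notifies the security mailbox. No aggregation, so one alert per event.
New-ProtectionAlert -Name "Malware detected in email" `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Malware `
    -AggregationType None `
    -NotifyUser soc@contoso.example   # placeholder notification mailbox

# 2. Data governance alert with a trigger threshold: the FileDeleted activity
#    from the Activity picker, aggregated so that 50 or more deletions within a
#    60-minute window raise a single alert rather than one per deletion.
New-ProtectionAlert -Name "Mass file deletion" `
    -Category DataGovernance `
    -Severity Medium `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 50 `
    -TimeWindow 60 `
    -NotifyUser soc@contoso.example

# Confirm both policies exist and are enabled (Disabled should be False).
Get-ProtectionAlert |
    Where-Object { $_.Name -in @("Malware detected in email", "Mass file deletion") } |
    Format-Table Name, Category, Severity, AggregationType, Threshold, TimeWindow, Disabled
```

Tune the threshold and time window to the normal activity level of the tenant; a value that is too low recreates the false-positive problem described earlier in the article.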
AMP's email security technology is used by some of the world's largest and most security-conscious companies. Delivering on a global scale, AMP can meet all your email security, content control and email filtering requirements.
AMP: Helping you secure your Office 365 email against targeted attacks
- Protect your business against advanced threats in email with malicious attachments and URLs – even zero-day, polymorphic malware, weaponised documents, and credential phish.
- Dynamically analyse and block in real-time the malicious URLs and attachments that can evade antivirus and reputation filters to deliver banking Trojans, ransomware, and other malware.