Microsoft reports that it sees over 300 million fraudulent login attempts on its Microsoft 365 cloud platform every day. Every DAY.
These represent an enormous security risk to everyone who uses MS365. After you read this WOOF, you'll understand why.
What's a "Fraudulent Login?"
Basically, a Fraudulent Login Attempt is someone trying to log into an admin or user account not their own. Attempts can happen on any online service, but we'll focus on Microsoft 365 for this issue.
The person trying to log in can use any of these methods:
- Guessing user names and passwords, based on any available information about the account's owner (your birthday, pet names, your social media, etc.)
- Using a phishing campaign to obtain someone's user name and/or password
- Using software to try thousands of user name & password combinations (called "brute force")
The Reality of Fraudulent Logins
Since Microsoft 365 requires a login to access their services, account logins are the gateway in. This means fraudulent login attempts can come from anywhere, by anyone, at any time.
What do they want? They're after the data you keep in your MS365 account – documents, emails, customer and product information, financial information, and more.
They'll also use a compromised account to send emails to your trusted contacts, typically with ransomware attached.
"But Microsoft has security on their cloud services," you may say. And you're right, they do. They just aren’t all enabled by default.
So, should you worry?
The Risk of a Fraudulent Login Succeeding
Let's say one of the login attempts works. What happens then?
The cybercriminal logs into an MS365 account. So what? What's so dangerous about accessing a few spreadsheets and reports?
You have two risks here, both of which can cause serious harm:
- Stealing customer information out of the account (credit card numbers, other account passwords)
- Using the account as a Trojan horse, jumping from the account further into your company's MS365 tenant: other user accounts, critical IT services like email, the bank accounts linked to the tenant, intellectual property stored in OneDrive, and confidential employee information stored in SharePoint.
See what we mean? Just one fraudulent login can wreak havoc across the entire business.
Does that mean all fraudulent logins spell doom? No. Sometimes it's just someone who wants to cause mischief.
However, they don't announce this beforehand. So, we have to treat all fraudulent login attempts as dangerous.
Can you even stop fraudulent logins? To a great extent, yes. It requires some preventative measures in MS365, and some security added to user accounts.
10 Safeguards Against Fraudulent MS365 Logins
- Enable MFA for your entire MS365 tenant. Multi-Factor Authentication is your #1 defense. It creates a second "proof of identity" which only legitimate users have.
- Audit your MS365 user list on a monthly basis. You'll catch any "orphaned" accounts which no one uses, but remain active. That's the cloud equivalent of an open side door.
- Don't assign Administrator privileges to any "daily driver" user accounts. Keep only one Administrator account (with MFA and a complex password). Use it for executing administrator-level tasks only.
  - If a fraudulent login succeeds on an account with Administrator privileges...you just lost control of the entire tenant!
- Enforce password rules. These rules can include how many passwords are remembered, the life span of the password (we recommend 6 months maximum), and requiring a level of complexity.
- Sync your Active Directory. If you have an on-premises Active Directory, sync it with Azure Active Directory, the identity service behind Microsoft 365. This will sync the AD settings (including your security settings), so everyone uses them.
- Back up all Microsoft 365 data using a third-party solution. This places a copy of your company’s data into a secure space, outside of Microsoft 365.
- Create an alert for the "Mail Forwarding Rule Created" event. Your MS365 administrator and your IT support team should receive the alert. Why alert you to this? Wouldn't the administrator create mail forwarding rules? Yes, but so can a cybercriminal if they break in. This is called a "Puppet" phishing scam. The alert will tell you if someone is trying to divert emails.
- Secure former employee email accounts. When an employee leaves, take all of these preventative steps:
  - Disable the former employee's MS365 account.
  - Convert the former employee's email account to a shared mailbox.
  - Add an existing employee to the shared mailbox, so you still have access to the emails in case someone needs them. The former employee's supervisor works best here.
  - Put these steps in your offboarding process documentation, so it's done every time.
- Employ location-based access policies. Microsoft 365 lets you create policies to restrict logins based on your geographic location. If your account normally logs in from the office, and then one day tries to log in from three states away? MS365 says "Nope!"
  - Note: This can present a challenge to some remote workers, if not configured properly. Verify locations with remote workers before setting the policy.
- Limit the device types that can access MS365. Another access policy controls what devices you can use to connect to MS365. For example, your company laptop and phone are okay, but MS365 won't log in from your personal tablet. You can even mark certain devices as "compliant" (e.g., company workstations) and exclude all others.
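To show what the "Mail Forwarding Rule Created" alert from the list above is actually looking for, here is an added example (not from the original article or from Microsoft) that scans exported audit records for inbox rules or mailbox settings that forward mail, and rates a rule that forwards outside the company or deletes the original as high severity. The sample records are constructed; the field names (Operation, UserId, Parameters with Name/Value pairs) follow the shape of Exchange entries in the Microsoft 365 unified audit log, which is an assumption, and the domains and addresses are placeholders.

```python
# Constructed sample audit records (not real log data). Shape assumed to
# match Exchange mailbox entries in the Microsoft 365 unified audit log.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.home@mail.example"}]},
]

INTERNAL_DOMAINS = {"contoso.example"}        # your own tenant domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}


def is_external(address):
    """True when the forwarding target is outside the company's domains."""
    addr = address.split(":", 1)[-1]           # drop an "smtp:" prefix
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_forwarding_alerts(records):
    """Return one alert per record that sets up mail forwarding or redirection."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [v for k, v in params.items() if k in FORWARD_PARAMS]
        if not targets:
            continue                               # rule only moves/flags mail
        deletes = params.get("DeleteMessage", "").lower() == "true"
        external = any(is_external(t) for t in targets)
        alerts.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                       "operation": rec["Operation"], "targets": targets,
                       "severity": "high" if external or deletes else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_forwarding_alerts(SAMPLE_RECORDS):
        print(alert)
```

Bob's rule only files mail into a folder and produces no alert; Alice's rule (external target, original deleted) and Carol's mailbox-level forward both do.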
Protect Your Logins, but Don't Relax Afterward!
Microsoft 365 is one of the biggest cloud services out there. That makes it one of the biggest targets. Taking the actions above will give you the best chance at protecting your MS365-hosted data.
If you need more security (and if you're worried right now, you do!), consider an on-premises server or a private cloud server hosted with PlanetMagpie. We explained these in the September 2022 issue of WOOF: What's the Most Secure Way to Host Your Company's Data?
Need help securing your Microsoft 365 tenant? Please contact us at email@example.com.