Stories from the Front Lines: How Real Financial Institutions Handled an O365/M365 Cloud Security Compromise
Microsoft 365 (formerly Office 365) comes with an array of settings that customers can modify to enhance their security controls. When these settings are not effectively adjusted though, serious cloud security compromises can ensue. Our M365 Security Basics solution helps financial institutions detect and respond to potential problems. From our recent webinar, here are real-life stories about financial institutions (whose names have been changed) that had their cloud security compromised. See how they handled each situation, so you can learn what to do and not do to secure your O365/M365 account.
Loan Officer – Email Forwarding
Luke, a loan officer, is constantly emailing people inside and outside his organization. He often sends sensitive information but uses encryption to protect his outbound emails and multi-factor authentication (MFA) to protect his identity. Somehow his email account was compromised—for eight whole months—before the problem was discovered. Our M365 Security Basics reporting indicated there was an issue with his email being forwarded to an external domain. We worked with the IT administration team to confirm that a suspicious Yahoo address was not an authorized send-to address for the emails Luke had been receiving. The intruders’ cunning scheme involved a modified mailbox setting that predated Luke’s MFA setup and the other precautions Luke had implemented. We were able to resolve the compromise by removing the forwarding property. Moving forward, Luke’s IT team needs to keep a close watch to ensure the organization’s email accounts are protected.
IT Administrator – Global Auditing
Han works at a smaller organization and wears multiple hats as an IT, compliance, and security administrator. While he’s not well versed in cloud security, Han thinks the cloud is the best option for his organization. He selects various Microsoft cloud resources and works with a vendor to establish a tenant in Azure Active Directory (Azure AD), which is a requirement for O365/M365. Han provisions his account administrative rights in Azure, synchronizes users and passwords, and gets help training end-users on Microsoft 365 services like OneDrive, SharePoint, and Teams. Then he notices an Azure AD account that he and his team have never seen—and the name of the account is strangely almost identical to an existing end-user. Han called our support staff for assistance and learned that his global administrator account had been compromised. To make matters worse, Han had left his security settings at defaults and had not enabled global auditing, which meant there was no way to determine what the attacker had changed in the system. The best solution was to move the organization’s data, email, and identities to a brand new Microsoft tenant. This extensive migration project could have likely been avoided if Han had enabled MFA and the proper audit settings.
HR – External Document Sharing
Human resources vice president Leah employs a variety of technologies to facilitate working from home and the office. Leah relies on the Cloud, and desktop and mobile apps to access documents on all her devices and enjoys using Teams to share files with others in her organization. Using these technology services has caused her to inadvertently place the company at risk of exposure and identity compromise because her IT administration team had not implemented the appropriate security controls for all their organization’s licensed technology services, creating a security gap. Luckily, the IT team received an M365 Security Basics alert for a file being shared externally in OneDrive, which is a common alert that we see. There was also enough data in the alert to indicate the multiple bad security, identity, and compliance practices that Leah has. The IT team resolved these issues by reducing the default sharing levels of SharePoint Online and OneDrive and retraining Leah on good and bad practices for security, identity, and compliance.
CEO – Multifactor Authentication
As the CEO of his organization, Chewy’s contact information is very public; his email address is prominently displayed on the company’s website, LinkedIn, and other social media platforms. Chewy uses multiple devices to get work done in the office and at home. He often signs into whatever computer is handy, whether it’s his or his wife’s laptop. Chewy’s account is under attack in Azure AD from a Russian IP. M365 Security Basics Alerting was able to notify his IT team of this by way of the Large Number of Failed Sign Ins for a Single User alert. Unfortunately, the IT department did not require MFA registration for most of the organization’s users, including Chewy, even after being alerted to the attack. The Russian attackers eventually compromised Chewy’s account. Once they did, our alerting engine promptly notified the IT team of a successful sign-in from outside of the USA, which they promptly responded to, limiting the amount of time the account was compromised.
Listen to the full stories or watch the complete webinar.