Many organisations are making the move to cloud services. They provide some great benefits for an organisation's accessibility, productivity, and costs. But, cloud service models also mean a big change to how the network and systems are accessed.
Previously, remote access to the internal network required a VPN client, and access was limited to a small number of staff. Now all it takes is a web browser, and it’s accessible to anyone. It means that access to the network is available from multiple points over the internet. This changes the security landscape for an organisation.
As such, it's important to:
- restrict the number of ways a user can authenticate, and
- make sure you protect those ways with multi-factor authentication (MFA).
This guide provides some examples of attacks that CERT NZ has seen, and advice on how to secure access to M365. If you are experiencing an incident, read our advice on mitigating M365 attacks, and report it to CERT NZ.
Some of the controls mentioned below only apply to some licence levels, so check which are applicable to you.
Initial enrolment of MFA
When implementing MFA in your organisation, the number of accounts that haven’t yet MFA enabled will lessen over time. Accounts that haven't enabled MFA will still be at risk of phishing or unauthorised access.
For example, a victim account could be re-using a password disclosed in a breach. An attacker could use that password in an attempt against their M365 account.
Legacy authentication protocols
Legacy authentication protocols are older protocols that don’t support multi-factor authentication. These protocols can only use credentials to open a connection, like a:
- password, and
- pre-configured, app-specific token.
Some Microsoft cloud apps, like Exchange Online, support these legacy authentication protocols. These protocols may not be blocked by default, or may be enabled to allow other legacy systems to operate.
Conditional access is a feature in Microsoft products. It allows you to control access based on a set of conditions. You can use it to control what access you allow to cloud applications, and how you enforce MFA. There are multiple conditions that you can use to configure a conditional access policy. It can be complex to implement correctly.