Have you ever received a suspicious email about your Office 365 account? It might seem legitimate, even with a Microsoft logo, but if you look closely at the links or the email address it came from, it’s not from your company.
Office 365 credentials are a hot asset these days. You need to look no further than the typical inbox to see the truth of that — many users are facing a nonstop onslaught of phishing messages attempting to trick them into revealing their credentials so that they can be used to distribute malware and even more phishing emails.
Fortunately, with Office 365, your mailbox sits behind Exchange Online Protection, which is automatically enabled on all Office 365 tenants. This filter is continuously refined by Microsoft to capture as much of the malicious incoming email as possible. But sometimes, a suspicious email does get through accidentally.
Here’s one I got recently about getting added to a new Team.
4 Additional Security Layers for Office 365
Here are four security measures you can use with Office 365 to add extra protection for your business:
Enable Multi-Factor Authentication
The concept of a username and password for providing access to resources is inherently flawed. We’ve done it this way for decades, mainly because no better solution generally existed for the mainstream. Anyone with knowledge of the password can exploit it, often from anywhere. Smart cards and token fobs, however, required infrastructure that was beyond the reach of most small or medium-sized companies. By contrast, a device is a lot more secure than a password, because it can be physically protected. A key to a door has to be physically taken from your pocket, whereas a key-code could be lifted off a post-it note. That’s the advantage of multi-factor authentication, or MFA for short – combining a pass code with proven access to a secured physical device such as your smartphone.
Office 365 supports three different authentication mechanisms:
- The Authenticator app
- Phone based
We recommend the authenticator app as it is the most convenient and most secure. You can turn MFA on for all users or a select group, but we definitely recommend enabling it for any accounts that have administrative access to resources.
To make MFA less intrusive, you can whitelist IP address ranges, so trusted locations such as offices with dedicated IPs don’t require users to complete an MFA challenge. You can also change the amount of time before another two-factor challenge is required from a given location, up to 60 days.
Create Advanced Threat Protection Policies
A great feature of the Office 365 stack is Advanced Threat Protection. This provides an additional layer of protection and user configurable policy to mitigate threats via email, collaboration tools, and malicious URLs. These tools can be configured by your partner or administrator in the Office 365 Security Center.
There are a number of policies available to configure:
- ATP Safe Attachments: Going beyond virus scanning, the safe attachments policy redirects all incoming file attachments to a virtualized sandbox environment within Office 365, where it is subject to heuristic analysis and machine learning to identify suspicious behavior.
- ATP Safe Links: This tool wraps all links in email messages, redirecting them to the Office 365 scanning engine which provides time of click verification of URLs. This is particularly valuable since just because a URL is safe today, doesn’t mean it couldn’t be compromised by an attack tomorrow. Time of click scanning provides extra security for this scenario.
- ATP Anti-phishing: Have you ever received an email from someone supposedly within your organization, asking for last-minute gift cards or checks? This type of attack, called the spear phishing attack, is becoming increasingly popular. Anti-phishing policies evaluate emails that could be attempting to impersonate a staffer and commit fraud.
Advanced Threat Protection is included in Microsoft 365 plans and is available as an add-on feature for several of the other Office 365 plans.
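When triaging a reported message, an analyst often needs the destination hidden behind a Safe Links wrapper. The following is an added example, not code from this article or from Microsoft: it assumes the commonly observed wrapper form, a host under `safelinks.protection.outlook.com` carrying the original address in a `url` query parameter, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumption: wrapper hosts look like <region>.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # forwarded mail can be wrapped more than once


def is_safelinks(url: str) -> bool:
    """True only when the host really is under the Safe Links domain."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url: str) -> str:
    """Return the original destination, peeling nested wrappers.

    URLs that are not Safe Links wrappers, including lookalike hosts,
    are returned unchanged so they are judged on their own host.
    """
    for _ in range(MAX_DEPTH):
        if not is_safelinks(url):
            return url
        target = parse_qs(urlsplit(url).query).get("url")
        if not target:
            return url  # wrapper without a destination: leave for manual review
        url = target[0]  # parse_qs has already percent-decoded the value
    return url


def destination_host(url: str) -> str:
    """Host the user would finally reach, for comparison with the claimed sender."""
    return (urlsplit(unwrap_safelink(url)).hostname or "").lower()


# Constructed sample data (not taken from a real message)
ORIGINAL = "https://login.example.test/teams?id=42"
WRAPPED = ("https://nam02.safelinks.protection.outlook.com/?url="
           + quote(ORIGINAL, safe="") + "&data=CONSTRUCTED&sdata=CONSTRUCTED&reserved=0")
DOUBLE_WRAPPED = ("https://eur01.safelinks.protection.outlook.com/?url="
                  + quote(WRAPPED, safe="") + "&reserved=0")
# A host that only imitates the wrapper domain
LOOKALIKE = ("https://nam02.safelinks.protection.outlook.com.example.test/?url="
             + quote("https://contoso.example/", safe=""))

if __name__ == "__main__":
    for sample in (WRAPPED, DOUBLE_WRAPPED, LOOKALIKE):
        print(destination_host(sample), "<-", sample[:60])
```

The lookalike sample resolves to its own host rather than to the embedded `url` value, which is the case worth flagging during review.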
Use Device Authentication
Taking the device idea further, why type your confidential, valuable password into your device when you could use a simple PIN code specific to that device instead, and have it be more secure than a password? Windows Hello is a new authentication framework which allows you to log into a machine with a PIN code, facial recognition, or fingerprint that is unique to that machine, replacing a password with a strong two-factor authentication process. This is part of Microsoft’s movement away from passwords and towards “password-less” security, which reduces or eliminates the user’s exposure to, and need for, their own password. To enable this type of device authentication, you enroll the device in Azure AD, which also provides tools to manage Internet-connected (but not necessarily corporate-network-connected) devices down the road.
Use a Mobile Device Manager
As time goes on, users are becoming increasingly distributed. Ten years ago, it was far less common for users to work remotely, but now it is becoming the norm. This poses some challenges when it comes to configuring and maintaining policies on workstations. Oftentimes, a laptop is staged, added to an Active Directory domain, and then handed to an employee, and it’s anyone’s guess when it will be connected to the corporate network again. Microsoft Intune is a service that allows administrators to control policy on Azure AD joined or registered machines, which means that as long as they are connected to the Internet, you can maintain organizational control. Here are a few of the great features of Microsoft Intune:
- Ensure all your company-owned and bring-your-own (BYO) devices are managed and always up to date with the most flexible control over any Windows, Apple, and Android devices.
- Precisely control how users access and utilize data in Office 365 and other mobile apps with integrated data protection and compliance capabilities.
- Let employees choose devices and apps with intuitive, self-service support and deployment. Access FastTrack deployment experts and global 24/7 support with your subscription.
We are always here to help keep your business secure.