Securing Your Organization from Attacks Targeting Microsoft 365 Vulnerabilities

Microsoft 365 provides a valuable array of productivity tools, including cloud-based collaboration apps and artificial intelligence features, as well as key Office 365 tools such as Word, Excel, and PowerPoint. Microsoft has long been a dominant player in the software market and the pandemic-spurred shift to hybrid work had further strengthened that trend: An estimated 145 million users now sign into Microsoft Teams every day.

The power, convenience and flat-out ubiquity of the apps in Microsoft 365 lead many organizations to overlook the significant security vulnerabilities associated with their broad reliance on the popular platform.

Microsoft 365 Security Concerns

As is often the case, the feature that is one of the greatest strengths of the Microsoft business productivity suite is also a source of vulnerability. Since the package provides so many different capabilities, many organizations practically run on the platform, which magnifies associated risks.

Consider Microsoft cloud apps. The industry-wide shortage of skilled IT specialists has led many companies to adopt cloud-based versions of Word, Excel, and other apps. Cloud-based apps free IT staff from configuring individual user devices and from concerns as to whether users are promptly installing security updates and patches.

On the other hand, if a hacker does manage to break into any Microsoft app, they may be able to access highly sensitive corporate or customer data in many additional apps. The potential harm is much greater than for breaches of completely separated apps hosted on users’ devices or organization networks.

A recent report detailing the ways in which cybercriminals are leveraging Microsoft Teams to launch broad attacks on corporate users is a case in point.

Cybersecurity firm Avanan has observed malicious actors launching multi-pronged attacks via Microsoft Teams. Using compromised Teams credentials, they might listen in on organizational – and inter-organizational – chats and gather confidential information. Or they could insert a malicious executable in a chat, since Teams does minimal, if any, scanning of files and URLs. When a chat participant opens the file, malware might write data to the Windows registry or install DLL files, enabling the attackers to break into the system. And once in, they can see – and neutralize – whatever defenses are in use.

Video meetings are similarly risky since, as with chat, users tend to assume that “official” business communication tools are secure. As long as they know the participants (or believe that they do) few users hesitate to share information or click on a file.

With access to OneDrive or Sharepoint – once more, with stolen credentials – cybercriminals can upload malware that can spread throughout the corporate cloud, infecting user devices as well as cloud storage.

For many cybercriminals, obtaining Office365 credentials is not a huge challenge. Users regularly sign in on open networks, where keyloggers may lurk. New, carefully constructed social engineering and spear phishing techniques are capable of fooling even reasonably sophisticated users. And in the increasingly specialized world of cybercrime, initial access brokers sell access to particular corporations’ networks to other cybercriminals, who conduct the espionage or ransomware attacks.

Browser vulnerabilities represent an additional point of weakness for Microsoft products. Microsoft Edge is based on Google’s Chromium, which has been plagued with many Zero Day exploits. Any vulnerability in Chromium will make Edge vulnerable, too.

Tools for Securing Microsoft 365

Safely deploying cloud-based infrastructure requires the use of cloud-specific cybersecurity, such as ZTEdge Cloud Access Security Broker (CASB).

While most cloud platforms, including Microsoft 365, provide the ability to restrict access to certain IP addresses, with many users working from home and other remote locations, including public networks, IP-based security is unrealistic or just plain impossible to implement.

With the ZTEdge CASB, user access to cloud-based apps is granted through the ZTEdge Web Security tenant. The Web Security tenant enables users to sign on using a dedicated personal IP address regardless of which network they are on or which device they are using. Only users that connect from the appropriate IP address can enter their credentials on the Microsoft 365 portal: For other users, the portal will simply appear dark.

Policy Controls

Once a user has authenticated, granular policies restrict access to only the apps and resources they need for they work. Policies may control, for example, which directories they can access and which file sizes and types they can upload, download, print or share. Data Loss Prevention (DLP) policies can also be implemented to protect sensitive personal or financial information, based on standard PII formats or custom data based on regular expressions.

Remote Browser Isolation (RBI)

RBI protects against the Zero Day exploits that have become all too common in Edge and other Chromium-based browsers. It protects against malicious links embedded in emails, documents, video meetings or Team chats, by opening websites in isolated, cloud-based containers. Only a safe content stream reaches the endpoint browser, where users interact just as they normally would with native – but risky – web code. To prevent credential theft, RBI opens suspected phishing sites in read-only mode.

Infected File Protection

ZTEdge Remote Browser Isolation (RBI) includes Content Disarm and Reconstruction (CDR) capabilities to block malware embedded in weaponized files. Files transmitted via email, downloaded from websites, or attached to Team chats or video meetings are examined in an isolated container in the cloud. Malware hidden in weaponized files is removed and the files are reconstructed before they can be opened by the user, saved to Sharepoint or OneDrive, or downloaded to endpoints.

Virtual Meeting Isolation

ZTEdge Virtual Meeting Isolation is the only RBI solution available that protects against threats delivered via Microsoft Team Meetings. Links and files that are shared via video chats are opened in an isolated container in the cloud. Any malware is removed from attached files via CDR, and from links in chats, only safe rendering data is sent to user browsers. Endpoint IP addresses of meeting participants are cloaked to hide them from hackers seeking an in. Granular policy controls limit what users can share via chats, display using screenshares or record.

Conclusion

Microsoft 365 is a valuable, comprehensive business productivity tool. Going to a cloud-based implementation can ease the workload for short-handed IT staffs, but it can bring with it a host of cybersecurity vulnerabilities.

The best way to protect against the known vulnerabilities in cloud-based productivity platforms such as Microsoft 365 is with a comprehensive Zero Trust-based solution, such as the ZTEdge Secure Access Service Edge. ZTEdge is especially designed to meet the needs of midsize enterprises and small businesses that need the protection of Zero Trust, but that don’t have large cybersecurity staffs to put together and manage a piecemeal solution from multiple vendors.

---

Share this on:

---

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.