Office 365 is used by millions of people around the world; its ease of use in the cloud and instant access to files from anywhere and on multiple devices make it hugely popular. But that same ubiquity and popularity also make it a prime target for cyberattacks.
At a time when home working has become a necessity for so many of us, we are acutely aware of a corresponding rise in cyberattacks. The biggest challenge is keeping one step ahead of increasingly ingenious attempts to infiltrate the devices we now use to work collaboratively from outside the security of the corporate perimeter.
Cybercriminals are aware of this, and are putting their considerable resources into ways to get their hands on sensitive organisational data. Apart from the value of the information itself, a compromised Office 365 account can be used to impersonate its legitimate owner in phishing attacks, to siphon off detailed company insight from email correspondence and to redirect payments.
Until recently, much of the focus of Office 365 security has been on protecting data in transit and data stored in the cloud: TLS or IPsec for transmission, containerisation in the cloud, and multi-factor authentication via SMS (the weaker option, being exposed to SIM swapping) or the Microsoft Authenticator app.
Changed working practices
Because of Covid-19, enterprises have asked employees to work remotely as much as possible, and Office 365 is to all intents and purposes the ideal tool to support this shift. The danger, however, lies not in the data stored in the cloud but in the endpoints (home computers, personal laptops and tablets, even mobile phones) that access and process that data and that are all too often vulnerable to attack.
Windows Defender or an equivalent anti-virus package offers some endpoint protection, but with the proliferation of polymorphic malware, obfuscation and stealth techniques, even the most popular anti-virus products are often woefully inadequate on their own.
Key logging and screen capture
Keylogging and screen capture are two particular threats to endpoints, even ones protected by anti-virus software. If keylogging malware has infiltrated the device, then as soon as an employee starts typing into Microsoft Word or PowerPoint, for example, every keystroke goes not just to the application but also, in the background, to the attacker's server. At the beginning of a session those keystrokes are very likely to be a password or login details, which, unless a second factor is enforced, gives the attacker the cloud account. Screen capture malware then takes a screenshot at a fixed interval (say, every 5 seconds), so as soon as the employee opens a document its contents are captured. Anything displayed on the screen, from financial data and product roadmaps to personnel files and the new marketing programme, is available to the attacker.
As a rule, enterprises have good security measures in place for data in transit and for data in the cloud, but right now, with so many employees operating outside the controlled security framework, those measures are of little use if the data is stolen at the endpoint before it is transmitted or reaches the cloud.
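The screenshot-every-few-seconds behaviour described above leaves a measurable trace: one process calling a screen-grab API on a near-perfect timer and sending data out after each grab. The detection below, an added example and not code from the article or from SentryBay, scores each process on the regularity of its capture intervals and flags it only when captures are periodic and accompanied by outbound sends. The trace format (`<seconds> <pid> <api> <detail>`) and the sample lines are constructed stand-ins for an EDR or sandbox API-call log, not any vendor's real schema; the thresholds are assumptions to tune against your own telemetry.

```python
"""Flag processes that grab the screen on a fixed timer and exfiltrate the result.

Added example. The trace format and sample lines are constructed; thresholds are
starting points, not vendor-validated values.
"""
import re
import statistics
from collections import defaultdict

CAPTURE_APIS = {"BitBlt", "PrintWindow"}            # GDI calls commonly used to grab a window or the desktop
SEND_APIS = {"send", "WSASend", "InternetWriteFile"}  # outbound data from the same process
MIN_CAPTURES = 4   # need enough samples to judge regularity
MAX_CV = 0.10      # coefficient of variation of inter-capture gaps; 0.0 is a perfect timer

LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<detail>.*)$")

# Constructed trace: pid 4120 captures every 5 s and sends after each grab (the malware
# pattern); pid 2208 is a user taking occasional screenshots and sharing one.
SAMPLE_TRACE = """\
0.0 4120 GetDC hwnd=0
0.1 4120 BitBlt 1920x1080
0.2 4120 send 203.0.113.7:443 len=184320
5.0 4120 GetDC hwnd=0
5.1 4120 BitBlt 1920x1080
5.2 4120 send 203.0.113.7:443 len=181004
10.0 4120 GetDC hwnd=0
10.1 4120 BitBlt 1920x1080
10.2 4120 send 203.0.113.7:443 len=179002
15.0 4120 GetDC hwnd=0
15.1 4120 BitBlt 1920x1080
15.2 4120 send 203.0.113.7:443 len=180500
20.0 4120 GetDC hwnd=0
20.1 4120 BitBlt 1920x1080
20.2 4120 send 203.0.113.7:443 len=182210
3.3 2208 BitBlt 800x600
9.8 2208 BitBlt 800x600
47.9 2208 BitBlt 800x600
52.0 2208 BitBlt 800x600
52.4 2208 send 198.51.100.20:443 len=90112
"""


def parse_trace(text):
    """Parse trace lines into (time, pid, api, detail) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the scan
        events.append((float(m["t"]), int(m["pid"]), m["api"], m["detail"]))
    events.sort()
    return events


def periodic_capture_exfil(trace_text, min_captures=MIN_CAPTURES, max_cv=MAX_CV):
    """Return {pid: stats} for processes whose screen captures are timer-driven and exfiltrated."""
    captures = defaultdict(list)
    sends = defaultdict(int)
    for t, pid, api, _detail in parse_trace(trace_text):
        if api in CAPTURE_APIS:
            captures[pid].append(t)
        elif api in SEND_APIS:
            sends[pid] += 1

    flagged = {}
    for pid, times in captures.items():
        if len(times) < min_captures or sends[pid] == 0:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged[pid] = {"period_s": round(mean, 3), "cv": round(cv, 4), "sends": sends[pid]}
    return flagged


if __name__ == "__main__":
    for pid, stats in periodic_capture_exfil(SAMPLE_TRACE).items():
        print(f"pid {pid}: capture every {stats['period_s']} s (cv={stats['cv']}), {stats['sends']} sends")
```

Only pid 4120 is flagged: its gaps are all 5.0 s, while pid 2208's gaps (6.5, 38.1, 4.1 s) have a coefficient of variation far above the threshold even though it also sent data. Legitimate screen-sharing tools do capture on a timer, which is why the article's own advice is to allow-list those applications rather than rely on behaviour alone.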
Top ten threats to endpoint security
As evidence of the severity of the threat to Office 365 users, Any.Run, the interactive malware analysis service, has published a top ten. In order, it lists Emotet, Agent Tesla, NanoCore, LokiBot, Ursnif, FormBook, HawkEye, AZORult, TrickBot and njRAT. All of these families steal credentials from the endpoint, most of them by harvesting the user's keystrokes, and all incorporate techniques to evade Windows Defender and other standard anti-virus products.
On the question of how much protection anti-virus software offers, take Agent Tesla as an example: when researchers tested a sample against the best-selling and best-known products, most failed to identify it as malware at all. This is the reality of the world we live in today. Conventional endpoint protections are not up to the attacks being made on them and should not be relied upon alone. Over-reliance on them is why the biggest security threats to Office 365 are currently on the endpoint: threats that steal sensitive data through keylogging and screen capture.
What can help?
Enterprises, particularly those with employees working remotely, should urgently consider what they can do now to strengthen endpoint security, adding another layer of defence to mitigate these threats to Office 365 endpoints:
- Deploy safeguards that specifically prevent screen grabbing of Microsoft Word, Excel and PowerPoint windows, while still allowing the user to work with collaboration tools such as GoToMeeting, Google Hangouts and TeamViewer.
- Check Office 365 logon credentials in real time, at the moment the user logs on, against known stolen or breached credential sets, and take appropriate action on a match (for example, forcing a password reset or requiring step-up authentication).
- Ensure that, as well as blocking keylogging and screen capture malware, the solution also protects against man-in-the-middle and man-in-the-browser attacks (MITM/MITB) and DLL injection, verifies process integrity, and prevents RDP double-hopping.
What is important is to develop a strategy that extends the corporate security perimeter to encompass every employee regardless of where they are working and what endpoint they are using to connect with the corporate cloud. This is the only way that enterprises can be sure they are securing their own data, protecting the integrity of the cloud and ensuring their team remains productive, efficient, and safe.
Solutions designed to protect all logins, data transfer and transactions regardless of the security status of the endpoints will also provide protection of Microsoft Outlook, and can be adapted to secure a designated range of cloud-based apps or services to suit different needs.
Dave Waterson is CEO, SentryBay