As business confidence in the security of the cloud continues to grow, Office 365 usage becomes more and more prevalent. Today, the Office 365 suite is used by just about every organization on the planet. It allows users to access their files from anywhere (such as from home) and from multiple devices (thin client, laptop, tablet, mobile), and it empowers collaboration. This improves work productivity and efficiency.
The large Office 365 user base makes it a prime target for cyber attacks. Cybercrime gangs are very keen to get their hands on sensitive organizational data. Apart from the value of sensitive data, compromised Office accounts can be used to impersonate the legitimate owner in phishing attacks, to siphon off sensitive data contained in emails, and to manipulate money transfers.
Until now, much of the focus for Office 365 security has been on securing data transmission and safeguarding the data in the cloud. To achieve this, a number of security measures are available such as transmitting data using TLS and IPsec, containerization in the cloud, multi-factor authentication via SMS or the Microsoft Authenticator app.
Currently, the greatest vulnerabilities for Office 365 are on the endpoint. Although Windows Defender or equivalent anti-virus offers some endpoint protection, in today’s world with polymorphic malware, obfuscation and stealth technologies, anti-virus techniques are woefully inadequate. Application Guard blocks some malicious Office attachments, but current measures fall far short of ensuring the data is safeguarded on the endpoint. Having great security during data transmission and on the cloud is of little use if the data is stolen at the endpoint before it is even transmitted or arrives in the cloud.
As evidence of the severity of threats for Office 365 users, we can examine the top 10 most prevalent threats on the endpoint as identified by Any.Run – they include (in order) malware such as Emotet, Agent Tesla, NanoCare, LokiBot, Ursnif, FormBook, Hawkeye, AZORult, TrickBot, and njRAT. All of these malware threats harvest keystrokes entered by the user on the endpoint device, and all incorporate techniques to evade Windows Defender and other AV products.
Taking the Agent Tesla malware as an example, when researchers tested it against AV products, they found that McAfee, BitDefender, ESET, Microsoft Defender, TrendMicro, Cylance, and Kaspersky, all failed to identify it as malware at all. This is the realty of the world we live in today. Conventional AV protections on the endpoint are completely inadequate and should not be solely relied upon. Overreliance on AV is the reason why the biggest security threats to Office 365 are currently on the endpoint – threats that steal sensitive data through keylogging and screen capturing.
Organizations should do three things to beef up their endpoint security, adding another security layer to mitigate against these vulnerabilities in Office 365 installations:
- Deploy specific protections to securely wrap Office 365 and provide protection against all kernel level keylogging. This protection should not rely on identifying the key logger, but should work proactively against all present and future key logging threats, out the box without the need for regular signature updates.
- Deploy safeguards which specifically prevent screen grabbing of Microsoft Word, Excel and PowerPoint installations, while allowing the user to continue using collaborative tools such as GoToMeeting, Google Hangouts and TeamViewer.
- Check the integrity of Office 365 logon credentials in real-time when the user logs on, against known stolen credentials, and take appropriate actions in the event of a match.
For more information about these 3 actions to boost endpoint security for Office 365, contact SentryBay.