Protecting email from cyber-attacks: Office 365 is key

June 23, 2017
Brian Bowden

Email has long plagued IT professionals. In the early 2000s we saw the start of the spam explosion, back when open relay servers were the norm. A decade later, email became a major component of corporate litigation, and IT organizations had to scramble to find solutions to perform litigation hold and eDiscovery for email. Today email, and specifically Office 365, is a favorite target for bad guys.

There are many reasons for this. The email content itself is a valuable target for attackers. Email is also the primary vehicle for the initial compromise that allows the attacker to establish a foothold within the network. The Mandiant/FireEye M-Trends 2017 report notes that “…the volume of email stolen through the years is likely greater than all other forms of electronic data theft combined”.

There are several steps you need to take to protect your email system against cyber attacks. We’ll focus on protecting the Microsoft email platform.

There are several possible hosting scenarios for Microsoft’s Exchange email platform: cloud, on-premises, and hybrid. The approaches below vary by environment, with nuances from deployment to deployment.

1. Web and Outlook Client Authentication

Outlook Web Access (OWA) can integrate with a strong authentication solution like SecureAuth Cloud Identity and Access Management going all the way back to Exchange 2010. However, you may need additional steps to secure the Outlook client. Whether you run on-premises or Office 365, ensure you are using clients that support modern authentication, paired with an adaptive multi-factor solution (Adaptive MFA).

Outlook 2013 and 2016 both support modern authentication. However, organizations with on-premises installations will need to be on Exchange 2016 to support modern authentication.

You cannot implement multi-factor authentication with the legacy WS-TRUST protocol. This omission led to an upward trend in attacks against WS-TRUST. In the short term, organizations should implement threat and risk services for WS-TRUST, such as those available in SecureAuth for Office 365*.

Enabling threat rules that block WS-TRUST authentication attempts from malicious networks reduces the chances of compromised credentials being used within the environment. It also reduces the chance of these attacks having a performance impact. In the long term, disable the legacy active login (WS-TRUST) endpoints and move all clients to modern authentication across all client types.

2. Securing ActiveSync

In Office 365 and Exchange 2016 environments, the Mobile Outlook client will prompt for MFA when integrated with SecureAuth cloud IAM. However, the native mail clients for Android and iOS currently use the legacy ActiveSync web application that doesn’t support modern authentication. This leaves organizations with a few options to protect this user directory from being accessed with stolen credentials:

  • Option 1: Disable remote access to the ActiveSync directory and require users to use the Outlook Mobile app for Android and iOS.
  • Option 2: Make ActiveSync URLs available only through the per-app VPN provided by Mobile Device Management (MDM) providers. Ensure the MDM registration page is MFA-protected. Ensure that the authentication product can detect malicious traffic, for example with the SecureAuth Risk Engine.

3. Securing Exchange Web Services (EWS)

There are two main instances requiring remote access to the EWS directory:

  1. When you run in Exchange/Office 365 Hybrid mode,
  2. When you have federation between two organizations (to share free/busy information, etc).

In both scenarios, you should allow access to the EWS directory only for specific IP addresses required for this integration.

The IP list for Office 365 Hybrid mode changes frequently, so you will need to script the update to keep your allowed addresses current. This alone should be good motivation not to stay in Hybrid mode for too long.
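One way to script that refresh, as an added example that is not part of the original post: it compares the ranges currently allowed to reach EWS with a freshly published list and reports what to add and what to retire. The JSON is constructed sample data (documentation ranges) assumed to follow the record shape of Microsoft's Office 365 IP Address and URL web service (`serviceArea`, `ips`, `tcpPorts`); the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample data, shaped like the published endpoint records
# (assumption: each record has "serviceArea", "tcpPorts", optional "ips").
PUBLISHED_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "ips": ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:10::/48"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "Exchange", "ips": ["203.0.113.128/25"], "tcpPorts": "443"},
  {"id": 3, "serviceArea": "Exchange", "ips": ["192.0.2.0/24"], "tcpPorts": "25"},
  {"id": 4, "serviceArea": "SharePoint", "ips": ["192.0.2.128/25"], "tcpPorts": "443"},
  {"id": 5, "serviceArea": "Exchange", "urls": ["outlook.example"], "tcpPorts": "443"}
]"""

# Constructed: ranges the firewall or reverse proxy lets through to EWS today.
CURRENT_ALLOWLIST = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.64/26"]


def published_networks(raw_json, service_area="Exchange", port="443"):
    """Collect the CIDR ranges published for one service area and TCP port."""
    nets = set()
    for record in json.loads(raw_json):
        ports = {p.strip() for p in record.get("tcpPorts", "").split(",")}
        if record.get("serviceArea") != service_area or port not in ports:
            continue
        for cidr in record.get("ips", []):  # URL-only records carry no "ips"
            nets.add(ipaddress.ip_network(cidr))  # raises on malformed input
    return nets


def collapse(nets):
    """Merge adjacent or overlapping ranges per IP version; return CIDR strings."""
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged += ipaddress.collapse_addresses(same)
    return [str(n) for n in merged]


def plan_allowlist_update(raw_json, current):
    """Return (to_add, to_remove, unchanged) as sorted lists of CIDR strings."""
    wanted = set(collapse(published_networks(raw_json)))
    have = set(collapse({ipaddress.ip_network(c) for c in current}))
    order = lambda cidrs: sorted(cidrs, key=lambda c: (":" in c, ipaddress.ip_network(c)))
    return order(wanted - have), order(have - wanted), order(wanted & have)


if __name__ == "__main__":
    print(plan_allowlist_update(PUBLISHED_JSON, CURRENT_ALLOWLIST))
```

Collapsing both sides first means two published /25 ranges that together equal an existing /24 rule are reported as unchanged instead of as churn, and the stale `192.0.2.64/26` entry surfaces for removal.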

Best Practices for Protecting Email

2FA Is Not Enough to Secure Your Office 365 Email Environment

The Office 365 and Exchange on-premise use cases are a great example of how simple two-factor authentication is not enough. You should utilize an authentication solution that evaluates authentication attempts based on adaptive risk rules tailored for your users.

Learn more about how SecureAuth protects Office 365 with adaptive authentication and reach out to request a demo.

 

*SecureAuth offers enhanced protection for Office 365 that includes threat protection for WS-TRUST since July 2017. 

 

 
