Email has long plagued IT professionals. In the early 2000s we saw the start of the spam explosion, at a time when open relay servers were the norm. A decade later, email became a major component of corporate litigation, and IT organizations had to scramble to find solutions for litigation hold and eDiscovery. Today email, and specifically Office 365, is a favorite target for bad guys.
There are many reasons for this. The email content itself is a valuable target for attackers. Email is the primary vehicle used to perform the initial compromise that allows the attacker to establish a foothold within the network. Mandiant/FireEye M-Trend 2017 report notes that “…the volume of email stolen through the years is likely greater than all other forms of electronic data theft combined”.
There are several steps you need to take to protect your email system against cyber attacks. We’ll focus on protecting the Microsoft email platform.
We have several possible hosting scenarios for Microsoft’s Exchange email platform: cloud, on-premise, hybrid. Below are different approaches depending on environment, with nuances from deployment to deployment.
1. Web and Outlook Client Authentication
Outlook Web Access (OWA) can integrate with a strong authentication solution like SecureAuth Cloud Identity and Access Management going all the way back to Exchange 2010. However, you may need additional steps to secure the Outlook client. Whether using on-premise or Office 365, ensure you are using clients that support modern authentication paired with an adaptive multi-factor solution (Adaptive MFA).
Outlook 2013 and 2016 both support modern authentication. However, organizations with on-premises installations will need to be on Exchange 2016 to support modern authentication.
You cannot implement multi-factor authentication with the legacy WS-TRUST protocol. This omission led to an upward trend in attacks against WS-TRUST. In the short-term organizations should implement threat and risk services for WS-TRUST such as those available in SecureAuth for Office 365*.
Enabling threat rules that block WS-TRUST authentication attempts from malicious networks reduces the chances of compromised credentials being used within the environment. It also reduces the chance of these attacks having a performance impact. Long-term, disable the legacy active login (WS-TRUST) endpoints and move all clients to modern authentication across all client types.
2. Securing ActiveSync
In Office 365 and Exchange 2016 environments, the Mobile Outlook client will prompt for MFA when integrated with SecureAuth cloud IAM. However, the native mail clients for Android and iOS currently use the legacy ActiveSync web application that doesn’t support modern authentication. This leaves organizations with a few options to protect this user directory from being accessed with stolen credentials:
- Option 1: Disable remote access to the ActiveSync virtual directory and require users to use the Outlook Mobile app for Android and iOS.
- Option 2: Make the ActiveSync URLs reachable only over a per-app VPN provided by a Mobile Device Management (MDM) solution. Ensure the MDM registration page is MFA-protected, and that the authentication product can detect malicious traffic (e.g. the SecureAuth Risk Engine).
3. Securing Exchange Web Services (EWS)
There are two main instances requiring remote access to the EWS directory:
- When you run in Exchange/Office 365 Hybrid mode,
- When you have federation between two organizations (to share free/busy information, etc.).
In both scenarios, you should allow access to the EWS directory only for specific IP addresses required for this integration.
The IP list for Office 365 Hybrid mode changes frequently, so you will need to script the allow-list updates to keep it current. This alone should be good motivation not to stay in Hybrid mode for too long.
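As an added illustration of the scripting step (example code, not part of the original post or any SecureAuth product), the function below pulls the Exchange IP ranges out of a feed shaped like the Office 365 IP Address and URL web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>) and diffs them against the allow-list currently configured on the EWS publishing point. The feed content here is a constructed sample using documentation IP ranges; the category names and field names are assumed from the published service format.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 endpoints web service.
# The ranges are documentation/example networks, not real Microsoft addresses.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "443", "required": True},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow",
     "ips": ["198.51.100.0/25"], "tcpPorts": "443,25", "required": True},
    {"id": 3, "serviceArea": "Exchange", "category": "Default",
     "urls": ["*.example.test"], "tcpPorts": "80,443", "required": False},
    {"id": 4, "serviceArea": "SharePoint", "category": "Optimize",
     "ips": ["203.0.113.0/24"], "tcpPorts": "443", "required": True},
])


def exchange_ip_ranges(feed_json, categories=("Optimize", "Allow")):
    """Return the set of Exchange IP networks that the feed marks as required.
    'Default' entries are skipped: they carry generic internet destinations and
    give nothing to pin an EWS allow-list to. Invalid CIDRs raise rather than
    silently widening the allow-list."""
    ranges = set()
    for entry in json.loads(feed_json):
        if entry.get("serviceArea") != "Exchange" or not entry.get("required"):
            continue
        if entry.get("category") not in categories:
            continue
        for cidr in entry.get("ips", []):
            ranges.add(ipaddress.ip_network(cidr, strict=True))
    return ranges


def allowlist_delta(current, wanted):
    """Diff the configured allow-list against the feed so the change can be
    reviewed before it is pushed to the firewall or reverse proxy in front of EWS."""
    current = {ipaddress.ip_network(c) for c in current}
    return {
        "add": sorted(str(n) for n in wanted - current),
        "remove": sorted(str(n) for n in current - wanted),
    }


if __name__ == "__main__":
    wanted = exchange_ip_ranges(SAMPLE_FEED)
    # Constructed current state: one range is stale and no longer published.
    print(allowlist_delta(["192.0.2.0/24", "198.51.100.128/25"], wanted))
```

In production, fetch the live feed in place of SAMPLE_FEED and treat the "remove" list with the same scrutiny as "add": a stale range left open is exactly the hole the text warns about.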
2FA Is Not Enough to Secure Your Office 365 Email Environment
The Office 365 and Exchange on-premise use cases are a great example of how simple two-factor authentication is not enough. You should utilize an authentication solution that evaluates authentication attempts based on adaptive risk rules tailored for your users.
*SecureAuth offers enhanced protection for Office 365 that includes threat protection for WS-TRUST since July 2017.