If Microsoft 365 security is so great, why do its customers keep getting hacked?

Agility is a casualty when you own most of the enterprise email market

Sponsored Microsoft 365 is so ubiquitous these days that it's difficult to avoid. It succeeded in part because it filled a yawning gap in email, adding security to a technology that had little of it in its original form. In spite of the extra controls that it offers, though, customer data breaches keep happening. Why?

Email is still a major delivery system for digital pathogens. Verizon's 2020 Data Breach Investigation Report cited email links as the number one delivery mechanism for malware. Attachments delivered via email came fourth.

If anyone is well-positioned to flip a switch and solve the email security problem entirely, it would be Microsoft. It had almost 258 million commercial seats for Microsoft 365 in its third fiscal quarter, the three months to April 29, 2020, and it's growing rapidly. According to BitGlass, which surveyed the market in November 2019, Microsoft 365 had a 79 percent adoption rate.

There are still many companies using their own mail services or alternatives from third parties, but Microsoft 365 is creating something that looks increasingly like a monoculture. Mimecast's numbers seem to bear this out. In its 2020 State of Security report, it found that 96 percent of respondents used Microsoft 365 for email delivery.

One size doesn't fit all

Yet the company hasn't been able to solve the email security problem. That's because one size doesn't fit all. Flocking to a single service and assuming that it will solve all your security problems is dangerous, because each company has different infrastructure needs, employees, and risk profiles. A healthcare company needing a secure way to exchange sensitive patient data needs a different approach to email than a local joinery sending over material spec sheets to a client.

Perhaps that's why those Mimecast respondents found that not all was happy in Microsoft 365 land. Only about 22 per cent of the companies it surveyed agreed that the service offered them world-class security, and 59 per cent had experienced an outage with it in the prior year.

That's the problem with cloud services: they're rock-solid. Dependable. Uncrashable. Until they aren't. Remember The Great Office 365 Outage Of 2017, when the service fell over during Microsoft's Build conference? The company never did explain why. Or that time last October when Microsoft's multi-factor authentication system took down Microsoft 365 access? These aren't the only incidents where customers have been left without mail.

The cloud is so complex that simple human error can mess it up, which doesn't bode well for the future. Availability and security are linked. If a legitimate problem with a network provider can take the entire empire down, what might a well-planned DDoS attack do?

There's no real business continuity system in place to ensure that Microsoft 365 doesn't go down. That's why Mimecast found 65 per cent of companies adding more layers of cyber resilience to cope with the problem.

An array of additional email threats

DDoS attacks aren't the half of it. Online ne'er-do-wells are an ingenious lot. As technology evolves to combat traditional threats, they find new ways to compromise networks. One good example of this is phishing. What started out as a spray-and-pray technique affecting millions of consumers indiscriminately soon morphed into targeted hits on specific individuals as part of a focused attempt to infiltrate a company.

Try as it might, Redmond can't stop all of these attacks getting through. According to Avanan's 2019 Phish Report, one in every 99 emails is a phishing attack, with malicious links and attachments as the main vectors. The research found that 25 percent of phishing emails bypassed Microsoft 365 security. That number is only likely to increase as hackers design new ways of hiding their attacks.

One dastardly approach is to bury phishing lures in calendar entries. This surfaced as an attack vector last year, and just recently researchers found criminals at it again, embedding phishing URLs in iCalendar files.

This isn't to say that Microsoft 365 is bad at security. As a general purpose email system, it's pretty solid, but many companies need something more than general purpose. That's why security stacks often feature products from multiple vendors. They're crafted to fit a company's specific risk exposure and use cases.

Those risks can often evolve quickly in response to emergent conditions. The rush to work from home during the Covid-19 pandemic is a case in point. Phishing campaigns exploiting the confusion around working from home have been rife, and several of them have targeted Microsoft 365 email users.

Constantly evolving risks

One phishing campaign, purporting to be from a victim's IT admin, included a supposed link to a new VPN configuration for home access. The link took them to an Office 365 credential phishing website. It was hosted on a Microsoft .NET platform to take advantage of the company's own certificate. Criminals uploading malicious content to Microsoft sites that host user pages are a perennial problem for a tech giant with a rich portfolio of domains.

These attacks can be highly targeted. The PerSwaysion campaign, discovered by Group-IB in April, had been active since at least mid-2019 and had pilfered the Microsoft 365 credentials of at least 150 top-level business people.

The attack began with a phishing email from an already compromised account. It contained a PDF attachment inviting the victim to view a document on Microsoft's Sway online presentation site. The document displayed what looked like a Microsoft 365 login page. Clicking 'read now' on that page took victims to the real phishing site, which happily accepted their Microsoft 365 credentials.

At least 156 high-level executives fell for this, effectively giving the campaign's organizers the keys to several kingdoms.

Another form of high-value, low-volume email attack is business email compromise (BEC). The attacker poses as a supplier or as a senior official in the victim's company and persuades someone with purse-string access to send funds to a fraudulent account. It works often enough that perps siphoned $26m from US companies alone between June 2016 and June 2019, according to the FBI.

Some attacks don't alert employees at all. Domain spoofing, where an email pretends to come from your domain, targets business partners or customers. The average organization has been made aware of nine attacks spoofing their domains in the last year, according to the Mimecast report, with 84 percent worried about more to come.

The situation isn't all gloom. Microsoft is doing its best to plug holes where they exist. In July, it will disable Office 365 email forwarding to external recipients by default. Email forwarding is a tool often used by attackers to siphon incoming emails from a victim's compromised account. It enables them to stealthily monitor what their victims are reading.
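Until the default changes, admins can audit existing inbox rules themselves. The check below is an added example, not code from the article or from Microsoft: it runs over a constructed export of inbox rules whose field names mirror Exchange Online inbox-rule properties (an assumption about the export shape) and flags every enabled rule that forwards or redirects mail to a domain the organisation does not own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Domains the organisation owns; mail forwarded anywhere else is suspect.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample data, shaped like an export of Exchange Online inbox
# rules (property names ForwardTo/RedirectTo/ForwardAsAttachmentTo assumed).
SAMPLE_RULES: List[Dict] = [
    {"Mailbox": "cfo@example.com", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["John Smith <accounts.payable@example-mail.net>"],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "ap@example.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["assistant@example.com"],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "ceo@example.com", "Name": "old", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["someone@external.example"],
     "ForwardAsAttachmentTo": []},
]

# Matches user@domain inside either "user@domain" or "Display Name <user@domain>".
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def recipient_domain(recipient: str) -> Optional[str]:
    """Return the lower-cased domain of a recipient string, or None if it has no address."""
    match = ADDR_RE.search(recipient)
    return match.group(1).lower() if match else None


def external_forwarding_rules(rules: List[Dict],
                              internal_domains=INTERNAL_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (mailbox, rule name, recipient) for each enabled rule that sends
    mail outside the organisation. Disabled rules are skipped: they cannot
    leak mail, though an admin may still want to review them separately."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        for target in targets:
            domain = recipient_domain(target)
            if domain is not None and domain not in internal_domains:
                findings.append((rule["Mailbox"], rule["Name"], target))
    return findings


if __name__ == "__main__":
    for mailbox, name, target in external_forwarding_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} forwards externally to {target}")
```

Mailbox-level forwarding settings (the mailbox's own forwarding address rather than a per-message rule) are a separate source of leakage and would need their own check.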

The company will also eventually switch off Basic Authentication by default, which is a less secure mechanism for accessing email - although it has extended the deadline to give admins some breathing room during the pandemic.

Why can't Microsoft make these seemingly simple changes more quickly? Its incredible market power is also its weakness. Flipping a switch can affect millions of customers in unexpected ways, causing operational havoc. It must plan the tiniest move carefully. Agility is a casualty when you own most of the enterprise email market.

Adding your own protection

Companies can take control of their email security by adding extra layers of protection themselves. Examples include cloud-based fail-over systems that switch seamlessly to alternative providers in the event of an outage. That way, they can continue sending and receiving emails and even searching their inboxes should Microsoft's cloud evaporate temporarily again.

Admins can consider bolt-on encryption services with more functionality than Microsoft offers out of the box. They can give users different encryption options based on the kind of recipient they're communicating with, such as a web portal for non-tech-savvy users, or S/MIME for more regular correspondents who are equipped with the appropriate certificates. They can also manage automated fall-back options when default encryption capabilities aren't available.

Third-party providers can also help with plug-ins for additional tasks like key management for those certificate-based communications, relieving admin headaches. Currently, Microsoft's S/MIME implementation requires each party to handle their own private keys.

Some third-party services also offer more intricate controls over what happens to an email after you've sent it, enabling users to revoke their own messages rather than asking an admin to do it. At the time of writing, this feature was still in Microsoft's development queue.

With the sheer scale of its user base, Microsoft 365's current security feature set is admirable. It was never going to suit every user's every need, though. For true perfection, it needs a little help.

Sponsored by Echoworx.
