Ransomware Considerations for Microsoft 365
A practical hands-on look at how to keep your Microsoft 365 environment secure from ransomware.
The Microsoft 365 (M365) ecosystem provides a full workplace suite that all IT professionals will be familiar with: collaboration tools, email, cloud storage, Office apps and much more. As ransomware attacks continue to plague organisations of all sizes, it is natural to wonder where the risks lie within M365.
To be clear, M365 is not inherently unsafe. However, your business could be exposed to ransomware attacks through M365 if you don’t take advantage of the security tools within the ecosystem while following best practices. The bottom line with ransomware is that today, you will be targeted. Regardless of your size or turnover, it’s a matter of when not if.
In this article, we will share some of the areas in M365 that threat actors could gain access. It outlines actionable ransomware prevention steps to improve the security posture of your M365 instance. If you would like to jump straight to our tips for prevention, please click here.
If you get attacked, you will end up implementing these preventative measures anyway (plus a whole lot more), so it pays to get ahead and protect yourself upfront.
M365 Ransomware Threat Surface
Threat actors craft and send convincing emails that get users to disclose their application login credentials or download malicious files as attachments. These phishing emails are a significant vector through which ransomware attacks infiltrate a network.
An unsuspecting employee could reveal their login credentials when replying to an email in Outlook. Or, an employee could download an attachment that infects their local machine. Without sufficient controls in place, phishing emails can feasibly result in a damaging ransomware attack.
It’s common for a company to synchronise Active Directory accounts from on-premise Active Directory to their Office 365 tenancy. As our Technical Director, Conor Scolard, explains: “These companies often synchronise their administrator accounts. They probably have the same administrator account on their internal domain and Office 365 or Azure.”
If an administrator gets phished, the attacker will gain admin access to your M365 or Azure instance, which means they can delete, exfiltrate or encrypt data and demand a ransom.
“In any ransomware, or even a DR event” Conor explains: “the first system you bring online is authentication, the second is email. So if they take out your 365 and they take your internal servers or Azure servers, they’ve taken out both which–apart from everything else–means that you can’t even talk to your staff.”
“Make sure the backdoor accounts can’t be abused, and make sure you have the relevant alerting turned on for any admin-level functions. None of this is standard, out of the box M365, but it is available within the product. It just requires the right setup.”
When one local machine gets infected by ransomware, it’s not good, but it’s not game over. The real headaches begin when ransomware infects many hosts through lateral movement, eventually leading to a complete business shutdown.
An attacker could compromise a single local workstation and upload a malicious file to SharePoint. If users interact with this file, perhaps as an attachment to an email or a link shared in Teams, more and more workstations are infected and ransomware begins to take hold. Not following the principle of least privilege adds fuel to the fire, with employees given access to SharePoint libraries they don’t need.
M365 Ransomware Prevention Tips
M365 has the tools baked in to protect against ransomware, but you need to know about them and you need them configured correctly. According to Conor, who is regularly helping organisations recover from ransomware attacks, “There are a lot of things people should do that they’re not doing with M365. Microsoft has introduced a Security Score to help but a lot of it is ignored”.
Since the tools you need already exist within M365, you need to understand and then configure them to suit your business. As a starting point, here are some actionable tips you can implement to prevent ransomware attacks through M365.
Protect endpoints with detection and response (EDR) software: A remote, mobile workforce makes it harder to monitor the behaviour of endpoint devices and the interactions they have with other devices on a network. End-user devices, such as laptops and desktops, must be protected with a dedicated EDR solution. Embedded within M365 is Windows Defender, Microsoft’s EDR product which uses an AI-driven approach with behavioural analytics. Defender detects anomalies that could indicate a compromise, so long as it’s linked to Azure Sentinel for visibility.
Follow the principle of least privilege: The principle of least privilege restricts access rights so that people only get access to the files, apps and data strictly needed to perform their daily work. This security principle helps protect against a situation where someone compromises an account with excessive privileges and manages to propagate ransomware throughout your network. To implement this best practice principle, use the role-based access control (RBAC) and privileged identity management (PIM) within M365.
Force regular password changes: In the Microsoft 365 admin centre, you can set the password expiration policy for your organisation. It’s wise to force a password change every few months. This can be extended to a year if Multifactor Authentication (MFA) is enabled.
Both ISO 27001 (Annex 9.4.3) and PCI DSS (3.2.1) require regular password changes however, the National Institute of Standards and Technology (NIST), a US Department of Commerce, recently reversed the requirement of password changes in favour of MFA. Bear in mind that intruders may use compromised accounts for weeks or months at a time to perform reconnaissance inside the network. Regular password changes stop them in their tracks, which is especially important for administrators.
Use Multifactor Authentication: Users are the weakest link in your companies security defences, so you need to protect them with authentication controls. MFA requests an additional layer of verification beyond a user’s login credentials before letting people log in or perform certain actions. All Microsoft 365 plans have a security default setting that requires MFA–make sure you enable it across your entire organisation.
Implement conditional access: Conditional access lets you set controls that only allow access from trusted IP ranges or specific countries. If your people are based in four countries, a login attempt from a new part of the world would be blocked. You can switch on and configure conditional access through the Azure Active Directory admin centre.
Backup your M365 data: As outlined in our blog on SaaS backup, M365 isn’t backed up out of the box. Microsoft operates a shared responsibility model which means they guarantee the uptime of your platform but are not responsible for your data – this is for you to backup and manage. Backing up M365 is available through third-party providers. When looking for a tool, you need to understand what your M365 backup tool covers – does it include mailboxes only, or does it extend to Teams channels and SharePoint libraries too?
Take action today
Microsoft 365 has an impressive range of security capabilities that will prevent ransomware from wreaking havoc on your business. At Ekco, we offer a range of modern workplace solutions that can improve your M365 ransomware defences:
Our M365 backup solution keeps your data safe and ensures its easily recoverable
We provide enterprise security services, including critical areas such as identity and privileged access management.
Take action today to prevent ransomware because simply, prevention is always better than cure. Get in touch with our expert team today to see how we can help you.
Our specialists have the answer