PHILADELPHIA — With 155 million monthly active users, Microsoft Office 365 towers over other providers of cloud-connected efficiency software suites in terms of market share.
Because of its broad adoption, auditors and digital forensics investigators say they face frequent security incidents related to the tool.
Though it offers enterprise customers robust cybersecurity measures, like multifactor authentication and free security assessments, these configurations are often missing, deactivated or not turned on by default, analysts say.
"Microsoft provides a lot of fantastic security features," said David Nides, managing director of cyber response services at KPMG, speaking at a panel during the NetDiligence Cyber Risk Summit in Philadelphia. "Like any solution, you need to tailor it to your needs and, unfortunately, not a lot of organizations take the time to do that, hence why we see as many incidents as we do."
For example, audit logging is a key feature for digital forensics. It helps investigators track unauthorized data access more efficiently by narrowing the scope of an inquiry, said Devon Ackerman, managing director at Kroll's cyber risk practice, speaking at the summit.
Until recently, certain types of backend audit logging on Microsoft's software package offered investigators step-by-step looks inside the system. But Microsoft recently nixed, relaunched, then nixed that level of audit logging once more.
"Logging for Office 365 is much more verbose," said Ackerman, when compared to the same capabilities in Google's G-Suite. "As massive as [Google] is, they're very infant in logging capabilities. We're better off dealing with an Office 365 breach."
That said, Microsoft is currently working on the feature.
"They realized they have a problem and they're fixing it," said Ackerman.
Life-saving settings
Multifactor authentication (MFA) is a key layer in Microsoft Office 365's defenses, especially in large and complex organizations that use it primarily for its email and productivity tools.
When it's not turned on, malicious actors have one less obstacle standing between them and valuable data or financial gain, said Dom Paluzzi, an attorney in the cybersecurity practice of Detroit-based law firm McDonald Hopkins, speaking at the summit.
Paluzzi said some clients experienced a breach because MFA wasn't activated. The clients then failed to enforce the security measure across the ecosystem and were later breached again in similar fashion.
"We've had repeat offenders," Paluzzi said.
Vetting third-party vendors during migrations to the Microsoft system is key. Ackerman recalls one breach that took place after 40,000 emails were transferred from an on-premises system to Office 365.
A year later the company's clients began receiving legitimate email threads, with links to malicious documents.
"The emails were spoofed but the content was legitimate," said Ackerman. "It turns out the managed security service provider (MSSP) never dumped the data. It's an interesting war story, but it's about looking at the risk your third-party vendors represent in a migration."
Paluzzi said email retention and data destruction policies should be in place to reduce exposure.
"We look at these inboxes and [data] goes back before email even existed," said Paluzzi. "Get the data out of emails and put it on secure sites."
But if a breach has already taken place, one way to reduce the impact is to be proactive.
"When the attacker's in there, they're often downloading address books," said Paluzzi. He advises clients to reach out to vendors to tell them that no bank or payroll information has recently been changed, in a bid to get ahead of malicious actors.
Correction: In a previous version of this article, David Nides was misidentified. Additional language has been added to clarify the nature of Microsoft's logging capabilities. Devon Ackerman's title was also updated.