Cloud-based email, most notably Microsoft Office 365, has changed the way organizations implement email services, offering much needed flexibility to businesses enduring today’s disruptive pandemic. Cloud-based email is available for employees from outside the corporate network, requires no patching and is readily scalable. But the convenience of email everywhere comes at a price: access is also convenient to today’s crafty hackers — anywhere, anytime.
The fact that attackers need only credentials to compromise email accounts has given rise to large-scale business email compromise (BEC) attacks. After compromising a single business email account through credential harvesting websites, credential stuffing or password spray attacks, attackers can exploit the trust and familiarity of colleagues and supply chain partners to harvest additional credentials or request fraudulent transactions. Beware. Attackers have become extremely creative, utilizing mailbox rules and scripted searches to streamline their quest for new targets and exploitation opportunities.
Key steps to help foil attackers
The most common cloud-based email services come with a suite of authentication and monitoring capabilities as add-ons, which can help security teams to be equally creative in foiling attackers. Monitoring rules can effectively detect malicious activity. However, they should be carefully maintained to limit false positives.
- Enable multi-factor authentication (MFA). MFA forces the attacker to compromise the second form of authentication. Be aware that some sophisticated attacks prompt the victim for the current token code on a fake website and immediately use it to log into the actual Office 365 account.
- Enforce conditional, IP-based MFA for access to cloud-based email services. We see clients implementing IP-based restrictions suffering far fewer email-related compromises. A secondary option is to allow email access only from within the corporate network; while this removes the benefit of globally accessible email, it still reduces risk.
- Set up, monitor and respond to suspicious activity alerts. These can include alerts for impossible travel (a user logging in from two geographic areas within an impossible timeframe); new inbox rules created on a user’s account; and excessive failed logins indicating a potential brute force attempt.
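The three alert types in the last step can be prototyped in a few dozen lines. The following is an added example, not code from KPMG or Microsoft: it runs simple detectors for impossible travel, new inbox rules and excessive failed logins over a handful of constructed records. The record layout is an assumed, simplified version of a unified audit log export, and the latitude/longitude fields stand in for the IP geolocation enrichment a real pipeline would perform before this stage.

```python
"""Toy detectors for the three suspicious-activity alerts described above:
impossible travel, new inbox rules and excessive failed logins.
Added example; the record format is an assumed simplification."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample records (not real log data). "op" mimics Office 365
# audit operation names; lat/lon are assumed to come from IP geolocation.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2020-06-01T08:00:00", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},           # New York
    {"user": "alice@example.com", "time": "2020-06-01T08:45:00", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13},            # London, 45 min later
    {"user": "alice@example.com", "time": "2020-06-01T08:50:00", "op": "New-InboxRule",
     "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13,
     "params": {"ForwardTo": "attacker@example.net", "DeleteMessage": True}},
    {"user": "bob@example.com", "time": "2020-06-01T09:00:00", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},           # New York
    {"user": "bob@example.com", "time": "2020-06-01T17:00:00", "op": "UserLoggedIn",
     "ip": "203.0.113.55", "lat": 42.36, "lon": -71.06},           # Boston, 8 h later: plausible
] + [
    {"user": "carol@example.com", "time": f"2020-06-01T10:00:{s:02d}", "op": "UserLoginFailed",
     "ip": "192.0.2.9", "lat": 0.0, "lon": 0.0}
    for s in range(0, 60, 5)                                         # 12 failures in one minute
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful logins per user whose implied speed
    exceeds max_speed_kmh (roughly airliner speed). Two different locations
    at the same timestamp are also flagged."""
    alerts, last_login = [], {}
    for e in sorted(events, key=_t):
        if e["op"] != "UserLoggedIn":
            continue
        prev = last_login.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (_t(e) - _t(prev)).total_seconds() / 3600
            if km > max_speed_kmh * hours:
                alerts.append({"type": "impossible_travel", "user": e["user"],
                               "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(km), "hours": round(hours, 2)})
        last_login[e["user"]] = e
    return alerts


def suspicious_inbox_rules(events, risky_params=("ForwardTo", "ForwardAsAttachmentTo",
                                                 "RedirectTo", "DeleteMessage")):
    """Flag every New-InboxRule and note which risky parameters it sets.
    Rules that forward mail out or delete it are the classic BEC persistence step."""
    alerts = []
    for e in events:
        if e["op"] == "New-InboxRule":
            params = e.get("params", {})
            risky = [p for p in risky_params if params.get(p)]
            alerts.append({"type": "new_inbox_rule", "user": e["user"],
                           "ip": e["ip"], "risky_params": risky})
    return alerts


def excessive_failed_logins(events, threshold=10, window=timedelta(minutes=10)):
    """Sliding window: alert once per user when failed logins inside `window`
    reach `threshold` (brute force / password spray indicator)."""
    alerts, windows, alerted = [], {}, set()
    for e in sorted(events, key=_t):
        if e["op"] != "UserLoginFailed":
            continue
        times = windows.setdefault(e["user"], [])
        times.append(_t(e))
        while times and _t(e) - times[0] > window:   # expire old attempts
            times.pop(0)
        if len(times) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"type": "excessive_failed_logins", "user": e["user"],
                           "ip": e["ip"], "count": len(times)})
    return alerts


def run_detections(events):
    """Run all three detectors and return the combined alert list."""
    return impossible_travel(events) + suspicious_inbox_rules(events) + excessive_failed_logins(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (900 km/h, 10 failures in 10 minutes) are starting points, not tuned values; as the text notes, such rules need ongoing maintenance to keep false positives down, for example by allow-listing known VPN egress addresses before the impossible-travel check runs.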
The excerpt was taken from KPMG Thought Leadership, Securing the cloud — the next chapter