A Q&A with Brett Anderson of Tracepoint

Used widely among small to medium enterprises (SMEs), Microsoft 365® is a prime target for cybercriminals. While this software as a service offers a money-saving solution for cloud computing, it may be creating vulnerabilities for your organization. I spoke to Brett Anderson of Tracepoint about these security gaps and how to better harden your system against them.

What are the security issues associated with Microsoft 365?

What’s happened over the last six or seven years is that CISOs and IT departments have moved away from on-premise computing into cloud productivity tools, and as they’ve moved onto the cloud, they have lost some of the internal control they had over security. One way we see is that they lose visibility into specific log files that should be regularly analyzed for security breaches. A lot of features are turned off when you migrate to the cloud solution—until last year, Microsoft 365went to default settings on several key areas. Unless you were aware of this and adapted, it could have been a big problem. The other issue is that it’s such a popular email platform that it’s been exploited by more phishing incidents in general with malware that goes undetected by the security features. Microsoft provides additional security controls you can purchase but the highest level is going to cost more. Small businesses trying to stay cost-effective will likely lose out on these safeguards.

What specific cyber threats emanate from Microsoft 365 attacks?

It will always stem from someone clicking something in an email message, but we see all of the incident types that are out there. Ransomware has been common. We also see business email compromise (BEC) with associated wire fraud. Inboxes are taken over and used for wire fraud via spoofing, and that’s been a big concern. With the way Microsoft 365’s email protocols are configured it’s easy to get away with phishing, and we saw a lot of this over the last 10 years. But more recently we’ve seen a ton of Ransomware and many times it starts with a phishing email.

What safeguards and action steps can a client take to mitigate these cyber risk exposures?

I’d say there are five things to focus on:

1. Roll out multifactor authentication (MFA). It’s not the be-all-end-all and some security incidents have even bypassed MFA. More often than not, though, implementing MFA will make it harder for someone to break in and gain control.
2. Disable legacy protocols. Microsoft has supported legacy POP, IMAP and SMTP platforms for a long time and most of us don’t need them anymore, but that’s where the vulnerabilities often lie.
3. Clean house. Make sure you know your data retention policy and execute it. You should not be holding on to old emails—there are ways to responsibly archive them so you can still access them if needed.
4. Turn on all logging functions. This will give your security folks and incident responders insight into data breaches. Otherwise, you don’t know what was accessed and when.
5. Apply as many technical controls as possible. Some will cost money and/or require IT configuration. But domain-based message authentication, reporting and conformance (DMARC), sender policy framework (SPF) domain keys, identifying mail sender and other email integrity controls will help prevent phishing exploits. I don’t blame users or user training because the bad actors are extremely sophisticated—it’s about investing in and using the best technology available and using it correctly.

What technologies can a cyber underwriter use to vet or scan an SME to verify the existence of poor Microsoft 365 settings?

That’s the billion-dollar question! If you could figure out a technology that underwriters could use, it would save everyone a lot from a risk perspective and help make underwriting more predictable. There are some things out there, such as automated scanners. One thing you can do is purchase the data from those scanners that will pick up information about the target, such as whether they have SPF or DMARC. You can also scan for a Spam Score. Carriers are also offering Microsoft 365 assessments up front, working with vendors such as Tracepoint that have the capabilities to help them score security and better understand the risks their clients have at hand.

In summary…

We want to thank Mr. Anderson and Tracepoint for these thoughtful insights about a very important topic impacting both cyber insured clients and our cyber insurance carrier partners. Our own Annual Cyber Claims Study underscores that rampant rise of the 365 BEC peril, with an average cyber claim loss for wire fraud of over $100,000 and some cyber claims reaching several million dollars lost per incident. Brett also points out some very effective cybersecurity measures that any organization can implement to significantly mitigate their exposure, such as enforcing for all email users the 2FA/MFA feature in 365. One final non-technical policy recommendation is to verify all e-payment and wire requests either in person or via a known telephone number. If your COO or CEO sends you an email request for an urgent wire payment today, simply pick up the phone and verify before your organization becomes the latest crime statistic.