Office 365’s security features won’t protect users from all cyber security threats.
Microsoft’s cloud-based Office 365 user base is growing at a steady rate. Since the office platform first outperformed Google Apps in 2015, it’s seen a constant uptick in activity.
Now, Microsoft reports it counts its Office 365 users in the hundreds of millions. However, enterprise usage does not always equal enterprise value – particularly when it comes to cybersecurity as it misses out providing office 365 advanced threat protection for users.
Cloud-based technology like Office 365 is more secure than most on-premises solutions within the reach of small to mid-sized businesses. While the cloud platform adds security, there is a gap between the level of security Office 365 users need and the level of security that the natively provides on its own.
This is particularly evident when it comes to advanced phishing protection. Cybersecurity professionals know that 91% of cyberattacks use email as a primary threat vector. A small attachment in an otherwise harmless email can be the opening that cybercriminals use to force their way into your entire organization.
While Office 365 offers useful services through its Advanced Threat Protection add-on, users need a comprehensive third-party solution that compensates for some of the structural issues that Microsoft Office 365 faces in the cybersecurity field.
Improving the Office 365 Security Platform Model
One of the main issues with Office 365 is the fact that while it is an all-inclusive office productivity suite, the vast majority of its users don’t use it that way. Fragmented environments where multiple services compete for user time and attention generate disjointed security profiles that cybercriminals are quickly learning how to defeat.
Unlike other cloud-based productivity services, Microsoft adopts a shared responsibility model. That means that while Microsoft owns the platform and maintains its security framework, the customer is ultimately responsible for the data itself and for using the platform safely.
This is a very different approach than, for instance, Google’s cloud services. Whereas a Microsoft Office 365 administrator can turn off security activity logs, Google maintains logs on its customers’ behalf and makes them available through an API. This makes it much easier for cybercriminals to falsify records in Office 365.
The fact that Microsoft Office 365 administrator has complete and unchallenged power over the security of the network means that the administrator also has unprecedented responsibilities. If a privileged account falls into the wrong hands, it’s very easy for the infiltrator to cover his or her tracks by deleting those activity logs.
Why Office 365 needs additional phishing protection
Having established that Office 365 environments tend to be fragmented and that Microsoft doesn’t accept responsibility for security compatibility beyond the Microsoft environment, it’s easy to see where potential vulnerabilities can appear.
Even though you may have purchased licenses for the entire Office 365 Suite and installed them on every workstation, there is usually a substantial fall-off when it comes to employees using specific processes and applications. According to a Computer World report, many Office enterprise users are only obtaining value from their use of Outlook and the Office mainstays – Word, Excel, and Powerpoint.
Beyond that, SharePoint accounts for 74% of usage, while Teams scored 49%. Yammer, Planner, Delve, and OneNote also featured usage figures on the lower end of the scale.
Under these conditions, it’s easy for email spear-phishing attacks to target the supplemental applications that Microsoft cannot cover. An example of this is reporting to an employee that their password to a competing service needs to be renewed. The link in the email would point to a compromised website and use this lateral opening as a vector for taking over the entire network.
Third-party phishing protection can do much more than Microsoft Advanced Threat Protection is capable of. Since third-party software can be customized to fit the specific needs of an organization’s productivity platform, additional protections can be built in. These include multi-factor authentication and threat detection algorithms looking for specific weaknesses in the enterprise productivity portfolio.
Other areas for Office 365 security improvement
Microsoft’s built-in cybersecurity tools are admirable, but not perfect. While the company does a good job of protecting against advanced spam and known malware threats, it is markedly less capable of defending against exploits cybersecurity experts call zero-day vulnerabilities.
In fact, one of the latest and most damaging malware variants to make waves recently is an Office 365-based zero-day exploit called baseStriker. Cybercriminals took advantage of a flaw in the way Office 365 servers qualify incoming emails to send malicious code through a rarely-used HTML tag that Office 365 doesn’t support or recognize – but that a more secure email server would.
A zero-day vulnerability is a cyberattack that uses a previously unknown exploit. It is one that the tech industry has had no time to accommodate for by creating patches or implementing safeguards for key programs. Whenever a previously-unknown security vulnerability is exploited, the time between the discovery of the vulnerability and the first attack is zero days.
The fragmented security environment that Office 365 offers is not enough to protect against these types of attacks. Microsoft can’t protect you from vulnerabilities it doesn’t know about, and hasn’t established a solid-enough security infrastructure to protect against suspicious behavior.
This is true both for zero-day vulnerabilities and for spear phishing emails. The truth is that spear phishing emails still comprise the main strategy of more than 70% of organized cybercrime attack groups as of 2017.
This means that the biggest obstacle for most businesses remains social engineering and email phishing. Creating an identity perimeter against initial remote access attempts using multi-factor authentication is just one way that third-party security software can help businesses fight the threat of advanced phishing.