Protecting Your Business from Cyber Attacks Using Microsoft Multi-Factor Authentication

Author: Christian Davis, Security and Operations Team Lead

We have recently seen an uptick in threat actor activity designed specifically to bypass Multi-Factor Authentication (MFA). Most of it has arrived as email phishing campaigns, but some has come in the form of phone calls to our Help Desk (known as “vishing”).

The most prevalent attack we’re seeing is adversary-in-the-middle (AiTM) phishing, still widely called “Man-in-the-Middle” (MITM). In this attack, users receive an email with either a link or a QR code that takes them to a webpage showing a Microsoft 365 sign-in screen. That page is a proxy: it relays everything the user types to the real Microsoft login. Users enter their Microsoft 365 credentials and approve the MFA prompt out of habit, unaware that the attacker in the middle is collecting the credentials and, more importantly, the signed-in session cookie. With that cookie the attacker can use the account without ever seeing another MFA prompt.

There are sophisticated tools and technologies in place to help fight against cyber crime, but none of them are 100% effective. So, it’s important to remember that your employees play a critical role in keeping your systems secure.

What You Can Do To Protect Your Business

It’s imperative that your employees remain vigilant, always looking out for potential security anomalies and promptly alerting the appropriate resources. To assist, consider these guidelines:

Educate and Remind

Consistently update your team about security’s importance and the prevalent threat landscape.

Stay Vigilant

Urge them to treat unexpected emails, requests, or odd-looking links with caution, even if they seem to originate from familiar entities. Always be suspicious of webpages asking for your Microsoft 365 credentials.

Prompt Reporting

Foster an environment where reporting suspicious activities immediately is the norm. Timely interventions can avert considerable harm.

What Kite Technology Is Doing To Protect Our Clients:

Microsoft continues to add additional features and value to their Microsoft 365 and Azure products to help protect and secure your business. Our security team has compiled a short list of high-value security policy changes aimed at protecting our clients from these new styles of attack. While some of these policies currently exist for our clients, some will be new and may have an impact on employees. We will coordinate with clients to ensure that everyone is informed & prepared for any upcoming changes in security & workflows.

The policies we are enforcing are:

Administrative Accounts

Users who require administrative rights to features in Microsoft 365 will be given a separate “admin account” for those administrative tasks. Any administrative rights the user has on their primary account will be removed. This protects the organization in the event that the user’s primary account is breached.

Disable SMTP (Legacy) Authentication

SMTP AUTH is a legacy authentication method (basic authentication, a username and password, over SMTP) that some applications use to send mail through Microsoft 365. It is typically used by scanners and line-of-business applications that send email on a user’s behalf. This authentication method is an easy target for attackers because a stolen or guessed password alone is enough to sign in: it is NOT protected by MFA. To mitigate this vulnerability, we are moving all clients away from SMTP AUTH in favor of a third-party authentication provider. We will then block all SMTP AUTH requests in your environment.

Require Microsoft Authenticator App

Microsoft is moving away from SMS (texting) as an MFA method due to increasing attacks that use SMS (SIM swapping, or simply phishing the code) to gain access to Microsoft 365 accounts. As a result, we will require ALL users to adopt the more secure Microsoft Authenticator app, with number matching enabled, as their primary MFA method. Number matching defeats “push fatigue” attacks, where an attacker floods a user with approval requests until one is accepted. Be aware, though, that an adversary-in-the-middle phishing page can relay an Authenticator prompt just as it relays a password; only phishing-resistant methods such as passkeys, FIDO2 security keys or Windows Hello for Business fully stop that attack.

Block Microsoft 365 Access by Location

Many fraudulent sign-in attempts originate from foreign countries. As a result, we will block access to Microsoft 365 resources from anywhere outside of the United States, with the exception of countries that are required by your organization’s workflows. Treat this as a filter rather than a guarantee: attackers increasingly route through US-based VPNs, hosting providers and residential proxies, so the policy removes noise but will not stop a determined adversary on its own. A location block should also run in report-only mode before it is enforced, and an emergency “break-glass” account must always be excluded so a misconfiguration cannot lock the organization out.
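The location policy above, as an added example written for this article (not Kite Technology’s own script): it creates a country-based named location and a Conditional Access policy that blocks sign-ins from everywhere else, starting in report-only mode so the impact can be audited before enforcement. It assumes the Microsoft Graph PowerShell SDK, a Conditional Access Administrator role, and placeholder names (`contoso.com`, `breakglass@contoso.com`) that you would replace with your own.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell SDK. AuditLog.Read.All and Directory.Read.All are needed only for
# the sign-in log review at the end.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# ISO 3166-1 alpha-2 codes the business actually needs; extend per client workflow.
$allowedCountries = @("US")

$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated are NOT treated as allowed
}

# Always exclude a break-glass account so a bad policy cannot lock everyone out.
# Placeholder UPN; Get-MgUser -UserId accepts either an object ID or a UPN.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.com"

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "BLOCK - Sign-in from outside allowed countries"
    # Report-only: the policy is evaluated and logged but not enforced.
    # Change to "enabled" only after reviewing the sign-in log results below.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        # "All" locations minus the allowed-countries location = everywhere else.
        locations    = @{ includeLocations = @("All"); excludeLocations = @($namedLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Audit step: which recent sign-ins WOULD this policy have blocked?
# "reportOnlyFailure" is the result Entra records when a report-only policy matched.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize
```

Review the resulting list with the client: legitimate travellers and VPN exit points show up here, and that is the moment to add countries or trusted IP ranges before flipping the policy state to "enabled".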

Block Automatic Email Forwarding to External Domains

In the event of a breach, threat actors will often redirect the victim’s emails to an external location, unbeknownst to the victim. To mitigate this attack vector, we will block automatic mail forwarding rules to external domains. This will not affect out of office messages, automatic mail forwarding to internal mailboxes, or forwarding single emails to external domains.
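The two Exchange Online policies above, disabling legacy SMTP AUTH and blocking automatic forwarding to external domains, as one added example written for this article (not Kite Technology’s own script). It follows the rollout order the article describes: audit first, then enforce. It assumes the ExchangeOnlineManagement module, an Exchange Administrator role, and placeholder names (`admin@contoso.com`, `scanner@contoso.com`) that you would replace with your own.

```powershell
# Added example, not from the original article. Requires the
# ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"   # placeholder admin UPN

# --- 1. Audit: is SMTP AUTH still on, and which mailboxes rely on it? --------------
# Tenant-wide default. $true means SMTP AUTH is off unless a mailbox opts back in.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Mailboxes whose per-mailbox setting explicitly keeps SMTP AUTH enabled.
# (A value of $null means "inherit the tenant setting".)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# --- 2. Enforce: disable SMTP AUTH tenant-wide, re-enable only where unavoidable ---
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Temporary exception for a scanner that has not yet been migrated off SMTP AUTH.
# The per-mailbox value overrides the tenant default; remove it once migrated.
Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false

# --- 3. Audit: forwarding that already exists, before the block goes in ------------
# Mailbox-level forwarding (set by an admin or via Outlook settings).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# Inbox rules that forward or redirect. Attackers who have breached a mailbox
# typically create these, often with innocuous names or disabled after use.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = "Mailbox"; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# --- 4. Enforce: block automatic forwarding to external domains --------------------
# Outbound spam filter policy: "Off" rejects auto-forwarded mail leaving the tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Belt and braces: the default remote domain covers every external domain. This
# stops automatic forwarding only; AutoReplyEnabled (out-of-office) is untouched,
# and a user forwarding an individual message by hand is unaffected.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Run sections 1 and 3 on their own during the audit phase and keep the output; anything that shows up there is either a device to migrate, a business exception to document, or an indicator of an existing compromise that needs an incident response conversation before the policy is switched on.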

We will begin by enforcing policies that do NOT affect your employees or workflows and auditing the remaining policies to determine if they are in line with our standard. Then we will reach back out to you to schedule a meeting where we will discuss the gaps in your organization and develop a plan to roll out the remaining policies.

Conclusion

The world of cybersecurity is dynamic with new tactics being developed every day. Thank you for your continued trust in Kite Technology Group as we continuously improve our strategies and defenses to counter these challenges.

If you’re not currently working with Kite Technology and would like to learn how we can help protect your organization, please contact us to schedule a conversation. We’d be happy to learn more about your business and how we can help!