Office 365 has been a real benefit to a lot of large enterprises compared to the hassle of having to maintain on-premises versions of the popular Microsoft productivity suite. Yet, Office 365 is starting to become a conduit for cyber-attacks and, as is often the case, money is at the root of the problem.

Take for example a recent call from a large enterprise customer who believed its email had been hacked: one of its suppliers claimed a spurious email had come from the customer asking for a fictitious invoice to be paid. Upon investigation, it was the supplier, the recipient of that email, whose Office 365 tenant had been compromised, with a malicious actor having gained access to one or more of its O365 accounts.

Attacks like these begin with a set of stolen credentials, which allows the malicious actor to use the service to spam everybody in the contact book with phishing or malware-filled emails. In more sophisticated attacks the malicious actor will ‘lie in wait’, keeping an eye out for high value invoices and cherry-picking the ones to compromise. Worse still, administrators routinely ‘whitelist’ the domains of trusted parties, and because these rogue emails come from the genuine account and domain, they bypass traditional spam and malware controls.

What are the different options for both large enterprises and SMEs that want to tackle cyber-attacks on their Office 365 software?

This shouldn’t be a major problem, as Office 365 has built-in multi-factor authentication (MFA). However, the standard E3 licence only comes with a basic set of features – namely enabling MFA, but not allowing administrators to write policy around its use. To be able to use features like conditional access or identity protection, the Azure AD Premium licences (either P1 or P2) are required, or a pricey upgrade to the Enterprise Mobility and Security suite. Even though Microsoft has stated that “[Its] internal studies show that customers can cut their risk of account compromise by 99% by enabling MFA”, few companies have set up MFA, which is an effective foil against credential theft.

For SMEs with a small number of licences, the best option is to simply turn on the built-in MFA and make do with the features provided. For larger organisations, the cost of a third-party, full-blown MFA from the likes of Okta, Duo, Ping Identity or others is often much less than the added cost of a P1 or P2 licence upgrade. All of the above also add more security functionality, such as a wider range of authentication options and deep integration with threat intelligence.
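Before “simply turning on” the built-in MFA, it helps to know which accounts are still without it. The script below is an added example, not from the article or from ANSecurity: it uses Microsoft’s legacy MSOnline PowerShell module (assumed to be installed, and the caller assumed to hold an admin role that is itself MFA-protected) to report each user’s per-user MFA state and how many authentication methods they have registered. The cmdlets and the StrongAuthenticationRequirements / StrongAuthenticationMethods properties are Microsoft’s; the report layout and the `$enableMissing` switch are this example’s own.

```powershell
# Added example: audit per-user MFA state in an Office 365 tenant (legacy MSOnline module).
# Requires: Install-Module MSOnline, and a Global Reader / Global Admin sign-in.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in; admin accounts should themselves be MFA-protected

# Skip accounts that are already sign-in blocked; they cannot be used for phishing runs.
$users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }

$report = foreach ($u in $users) {
    # StrongAuthenticationRequirements is empty when per-user MFA has never been switched on.
    # When present, State is "Enabled" (user must register at next sign-in) or "Enforced".
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        MfaState          = $state
        MethodsRegistered = $u.StrongAuthenticationMethods.Count   # 0 = nothing registered yet
        LastPasswordSet   = $u.LastPasswordChangeTimestamp
    }
}

# Summary for the review meeting, plus a CSV of the gaps to work through.
$report | Group-Object MfaState | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.MfaState -eq 'Disabled' } |
    Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation

# Optional remediation: flip $enableMissing to $true after users have been told to expect
# a registration prompt. "Enabled" is the gentler state; "Enforced" blocks legacy clients.
$enableMissing = $false
if ($enableMissing) {
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    foreach ($row in ($report | Where-Object { $_.MfaState -eq 'Disabled' })) {
        Set-MsolUser -UserPrincipalName $row.UserPrincipalName -StrongAuthenticationRequirements @($req)
    }
}
```

Run the audit first and review mfa-gaps.csv; accounts with MfaState of “Enabled” but MethodsRegistered of 0 have been switched on but never completed registration, and are worth chasing separately. Microsoft has since moved tenant tooling to the Microsoft Graph PowerShell module, so on a newer tenant the same check is done with Graph cmdlets rather than MSOnline.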

Perhaps the biggest benefit of this approach is that the same MFA and single sign-on technology can be deployed across several SaaS platforms such as Salesforce or GitHub.

This example of the Office 365 tiered licensing model, which makes deploying what should be considered standard-practice security controls more expensive, is not uncommon in the IT industry. Other vendors with a similar model include Atlassian (with Atlassian Access) and LastPass. However, there are several enlightened vendors that are going the other way. For example, Mailchimp, a popular bulk email sender, provides a subscription discount for 3 months if users turn on MFA by default.

This type of progressive approach to financially encouraging the wider business community to deploy better security should be applauded and could teach the likes of Microsoft a thing or two.

Please reach out to us or get in touch with your account manager if you require assistance in configuring these services or are looking to review your stance on O365 security.

Written by David Peters, Technical Director & James Preston, Security Architect for ANSecurity