Microsoft 365 breaches are incredibly common. A government survey showed that 50% of UK businesses reported having a cyber attack in 2024, and we’re certain many others won’t have reported their attacks at all [1]. NovaBytes monitors thousands of M365 events (logins and so on) every day and can verify that a substantial number of these are malicious, failed account take-over attempts. This guide covers the essentials of protecting a Microsoft environment, so if your business relies on M365 and Windows devices, this guide is for you.

The Current Threat Landscape

We’ve all seen the news about the M&S, Co-op and Harrods cyber attacks, but we may not be entirely sure how these attacks actually began. A group called “Scattered Spider” has claimed responsibility for these devastating attacks, which have completely changed the way (at least) M&S is now doing business. The group reportedly used a new ransomware called “DragonForce” to encrypt critical files on M&S’s servers, causing parts of the business to become non-operational. Scattered Spider are prolific at social engineering, so it’s highly likely that they impersonated M&S staff members to have passwords reset and gain entry to the M&S network [2].

On the topic of social engineering, we have also seen a massive shift in the way adversaries gain access to M365. One method NovaBytes has been monitoring is “Token Phishing”, where an attacker socially engineers an employee over Teams or WhatsApp into entering a unique code into a phishing page the attacker has set up to look like a Teams meeting invite. The attacker gives the employee a code to get into the “meeting”, but the code actually allows the attacker to gain access to that employee’s account. Other forms of M365 access token theft can occur and, once the attacker has this access token, they have instant access to the employee’s M365 account. In rare conditions an attacker can steal your M365 access token if you accidentally visit a compromised, trusted website that has an XSS vulnerability.

Another development over the past year has been the use of sanctioned tools by cyber criminals. Referred to as “Living off the Land”, attackers make use of software tools that are already allowed in your business. For example, they might use the IT helpdesk’s remote access software, such as TeamViewer, AnyDesk or Splashtop, to move across the network from machine to machine. This is almost impossible to detect unless you have a really effective monitoring solution or Application and Access Control in place.

Common Weak Points

Typical mistakes made by companies are really very simple and usually come down to an employee being deceived by an adversary. It’s not hard for an employee to be tricked into thinking they are speaking to the CEO, especially if the attacker has gained access to the CEO’s M365 account. As the Token Phishing example above shows, it’s also easy for companies to think they are covered because they have MFA set up – which is just not true. The same applies to Windows. You may believe it’s enough to keep using the version of Microsoft Defender that comes with Windows, but that also isn’t enough to protect your business against modern attacks. Most antivirus products use signature-based detection, which relies on the malware already being known to the ecosystem. What if the virus is not already known? What if the attacker is not using a virus at all and is living off the land? This is where good Application and Access Control, and proper Endpoint Protection, come into play.

How To Protect Your Environment

Based on our experience of recent developments in the threat landscape, we have several recommendations to protect your M365 environment. First of all, yes, use MFA. There are different levels of protection you can implement with Microsoft MFA, ranging from two-factor text messages right through to hardware tokens such as YubiKeys, and passkeys. We recommend any “phishing resistant” type of MFA, meaning it is harder (or nearly impossible) for an attacker to steal the credential through phishing. Hardware tokens are a really good example of this because an attacker cannot physically touch your hardware token. Passkeys are also a great example of phishing-resistant MFA because they use cryptographic keys and don’t store passwords. On the other hand, text message verification has a lot of vulnerabilities, so we recommend using a stronger authentication method wherever possible.

Even with the best security practices in place, it is still possible for an attacker to gain access to your M365 environment. Therefore, we also recommend having monitoring and auto-remediation in place. This typically involves forwarding your M365 logs to a Security Operations Centre (SOC) (like ours), which monitors that data for any suspicious activity. Sending this data to a SOC team means they can scrutinise every event and carry out Incident Response where necessary. Having auto-remediation in place also helps by quickly shutting out attackers and automatically disabling the affected user’s account.
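The monitoring described here can be illustrated with a small detector over sign-in events. The code below is an added example, not NovaBytes’ SOC tooling and not Microsoft code. It runs two simple rules over constructed sample events whose fields are modelled loosely on Entra ID sign-in records (user, source IP, country, authentication protocol, error code): a successful device-code sign-in from a country the user has never signed in from (the footprint a “type this code to join the Teams meeting” lure, as described under Token Phishing above, leaves in the logs), and a burst of failed sign-ins followed by a success from the same address. The remediation step only returns the playbook actions a SOC would take; the event format, the error code value and the protocol label are assumptions about the real log schema, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. Field names are modelled loosely on Entra ID
# sign-in records (an assumption, not the real schema); errorCode 0 is success
# and 50126 stands for "invalid credentials".
SAMPLE_EVENTS = [
    {"time": "2025-06-01T07:30:00Z", "user": "carol@example.com", "ip": "203.0.113.20",
     "country": "GB", "protocol": "oAuth2", "errorCode": 0},
    {"time": "2025-06-01T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "GB", "protocol": "oAuth2", "errorCode": 0},
    {"time": "2025-06-01T08:05:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "GB", "protocol": "oAuth2", "errorCode": 0},
    # Device-code sign-in for alice from a country she has never signed in from.
    {"time": "2025-06-01T09:12:00Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "NG", "protocol": "deviceCode", "errorCode": 0},
    # Five wrong passwords against bob in five minutes, then a success from the same IP.
    *[{"time": f"2025-06-01T10:0{i}:00Z", "user": "bob@example.com", "ip": "192.0.2.50",
       "country": "RU", "protocol": "oAuth2", "errorCode": 50126} for i in range(5)],
    {"time": "2025-06-01T10:05:00Z", "user": "bob@example.com", "ip": "192.0.2.50",
     "country": "RU", "protocol": "oAuth2", "errorCode": 0},
    # Device-code sign-in for carol from her usual country: not flagged on its own.
    {"time": "2025-06-01T11:00:00Z", "user": "carol@example.com", "ip": "203.0.113.20",
     "country": "GB", "protocol": "deviceCode", "errorCode": 0},
]


def _ts(event):
    """Parse the ISO-8601 timestamp (the 'Z' suffix is rewritten for older Pythons)."""
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def device_code_from_new_location(events):
    """Flag successful device-code sign-ins from a country where the user has never
    completed an interactive (non-device-code) sign-in before that moment."""
    alerts = []
    known = defaultdict(set)  # user -> countries seen in interactive successes
    for ev in sorted(events, key=_ts):
        if ev["errorCode"] != 0:
            continue
        if ev["protocol"] == "deviceCode":
            if ev["country"] not in known[ev["user"]]:
                alerts.append({"rule": "device_code_new_location", "user": ev["user"],
                               "ip": ev["ip"], "country": ev["country"], "time": ev["time"]})
        else:
            known[ev["user"]].add(ev["country"])
    return alerts


def failed_burst_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by at least `threshold` failures for the same user,
    from the same source IP, inside `window`."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["errorCode"] != 0:
                continue
            start = _ts(ev) - window
            fails = [e for e in evs[:i]
                     if e["errorCode"] != 0 and e["ip"] == ev["ip"] and _ts(e) >= start]
            if len(fails) >= threshold:
                alerts.append({"rule": "failed_burst_then_success", "user": user,
                               "ip": ev["ip"], "failures": len(fails), "time": ev["time"]})
    return alerts


def plan_remediation(alerts):
    """Map alerts to playbook actions (user -> sorted action list). Nothing is
    executed here; a real SOC would drive these through the admin API."""
    plan = defaultdict(set)
    for a in alerts:
        plan[a["user"]].update({"disable_account", "revoke_sessions"})
        if a["rule"] == "failed_burst_then_success":
            plan[a["user"]].add("block_ip:" + a["ip"])
    return {u: sorted(acts) for u, acts in plan.items()}


def analyse(events=SAMPLE_EVENTS):
    """Run both rules and return (alerts, remediation plan)."""
    alerts = device_code_from_new_location(events) + failed_burst_then_success(events)
    return alerts, plan_remediation(alerts)


if __name__ == "__main__":
    found, plan = analyse()
    for alert in found:
        print(alert)
    print(plan)
```

Carol’s device-code sign-in is left alone because it comes from a country she has already signed in from interactively; in practice a SOC would combine this with device, tenant and application context before auto-disabling anyone, since the device-code flow has legitimate uses on shared or headless devices.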

For Windows we would firstly recommend having next-gen Endpoint Detection and Response (EDR) in place – something like SentinelOne. SentinelOne is our tool of choice as it a) monitors for suspicious activity rather than relying only on signature-based detection (already knowing about a virus), b) uses very up-to-date threat intelligence, and c) provides ‘ransomware rollback’. Ransomware rollback is where SentinelOne constantly watches for files being encrypted and, if it sees a few files being encrypted one after the other, it shuts the process down, stopping any more files from being encrypted and stopping the ransomware from destructively spreading through your network.
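To show the behavioural idea behind ransomware rollback, here is an added toy model; it is not SentinelOne’s implementation or any vendor’s code. It scores each file write by the Shannon entropy of the old and new contents (ciphertext looks like random bytes and sits close to 8 bits per byte, whereas documents sit far lower), counts consecutive “plain content replaced by random-looking bytes” writes per process, stops the process once that streak reaches a limit, and keeps the pre-write copies so the affected files can be restored. The process IDs, file names, thresholds and the SHA-256 chain used as a stand-in for ciphertext are all constructed for this example.

```python
import hashlib
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0   # bits per byte; encrypted or compressed data sits near 8
STREAK_LIMIT = 3     # consecutive suspicious overwrites before the process is stopped


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RollbackGuard:
    """Watches file writes per process. A write that turns low-entropy content into
    high-entropy content is treated as a possible encryption; a streak of them from
    one process gets that process stopped, and the originals are kept for restore."""

    def __init__(self, streak_limit=STREAK_LIMIT, threshold=HIGH_ENTROPY):
        self.streak_limit = streak_limit
        self.threshold = threshold
        self.streak = defaultdict(int)            # pid -> consecutive suspicious writes
        self.originals = defaultdict(dict)        # pid -> {path: pre-write content}
        self.killed = set()

    def on_write(self, pid: int, path: str, old: bytes, new: bytes) -> str:
        """Return 'blocked', 'allow', 'suspicious' or 'kill' for this write."""
        if pid in self.killed:
            return "blocked"
        was_plain = shannon_entropy(old) < self.threshold
        now_random = shannon_entropy(new) >= self.threshold
        if was_plain and now_random:
            self.streak[pid] += 1
            self.originals[pid].setdefault(path, old)   # rollback copy
            if self.streak[pid] >= self.streak_limit:
                self.killed.add(pid)
                return "kill"
            return "suspicious"
        self.streak[pid] = 0                            # a benign write resets the streak
        return "allow"

    def restore(self, pid: int) -> dict:
        """Files (path -> original content) to put back after stopping `pid`."""
        return dict(self.originals.get(pid, {}))


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes from a SHA-256 chain: a stand-in for ciphertext."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def simulate():
    """Constructed scenario: one process edits a document normally, another rewrites
    document after document with ciphertext-like content. Returns (decisions, guard)."""
    guard = RollbackGuard()
    doc = b"Quarterly figures: revenue up 4%, costs flat.\n" * 50
    decisions = [guard.on_write(100, "Q1.docx", doc, doc + b"Reviewed by finance.\n")]
    for name in ["Q1.docx", "Q2.docx", "Q3.docx", "Q4.docx"]:
        decisions.append(guard.on_write(200, name, doc, pseudo_random_bytes(name, len(doc))))
    return decisions, guard


if __name__ == "__main__":
    outcome, g = simulate()
    print(outcome)
    print("restore after kill:", sorted(g.restore(200)))
```

Entropy alone is a coarse signal: zipping a folder or saving an already-compressed image also produces high-entropy writes, which is why real products correlate it with other behaviour (rename patterns, ransom-note drops, rate of writes across many directories) before acting. The model does show the point that matters here, though: the decision is taken on what the process does, not on whether its binary is already known.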

On top of good EDR, we also suggest having tailored Application and Access Control in place – something like ThreatLocker. A tool like this first builds a baseline of what is allowed in your company, working out which apps may be used. Employees are then blocked from downloading any apps outwith this sanctioned list of applications. To stop adversaries moving laterally through your environment or silently installing malware with elevated permissions, a tool like this can also remove standing admin rights and give users temporary admin access to specific applications for a short period. At the same time, such a tool keeps your applications patched and can make sure no unauthorised USB or other storage devices can be plugged into the machines.
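An added example to show the two mechanisms described here, an allowlist learned from a baseline and then enforced, plus time-boxed admin elevation for one user and one application; it is not ThreatLocker’s code and does not describe how that product works internally. Binaries are identified by SHA-256 hash; the sample binaries, the user names and the 15-minute elevation window are all constructed.

```python
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AppControl:
    """Toy application control policy: learn a baseline, then enforce it, with
    per-user, per-application admin elevation that expires on its own."""

    def __init__(self, elevation_minutes: int = 15):
        self.allowed = set()          # hashes of executables seen during learning
        self.learning = True
        self.elevations = {}          # (user, hash) -> expiry time
        self.elevation_window = timedelta(minutes=elevation_minutes)

    def observe(self, binary: bytes) -> None:
        """Learning mode: every executable seen running joins the baseline."""
        if self.learning:
            self.allowed.add(sha256(binary))

    def enforce(self) -> None:
        """Freeze the baseline; from now on anything outside it is blocked."""
        self.learning = False

    def check_exec(self, binary: bytes) -> str:
        """'allow' while learning or if the hash is in the baseline, else 'block'."""
        if self.learning:
            self.observe(binary)
            return "allow"
        return "allow" if sha256(binary) in self.allowed else "block"

    def grant_admin(self, user: str, binary: bytes, now: datetime) -> datetime:
        """Give `user` admin rights for this one application until now + window."""
        expiry = now + self.elevation_window
        self.elevations[(user, sha256(binary))] = expiry
        return expiry

    def runs_as_admin(self, user: str, binary: bytes, now: datetime) -> bool:
        """True only while an unexpired elevation exists for (user, this binary)."""
        expiry = self.elevations.get((user, sha256(binary)))
        return expiry is not None and now < expiry


# Constructed stand-ins for executable file contents.
OFFICE = b"MZ constructed sample: sanctioned office suite"
HELPDESK_TOOL = b"MZ constructed sample: sanctioned remote support tool"
UNKNOWN = b"MZ constructed sample: something an employee downloaded"


def demo():
    """Learning period, enforcement, then a blocked app and a time-boxed elevation."""
    ac = AppControl()
    ac.observe(OFFICE)
    ac.observe(HELPDESK_TOOL)
    ac.enforce()
    t0 = datetime(2025, 6, 1, 9, 0, 0)
    results = {
        "office": ac.check_exec(OFFICE),
        "unknown": ac.check_exec(UNKNOWN),
        "admin_before_grant": ac.runs_as_admin("alice", HELPDESK_TOOL, t0),
    }
    ac.grant_admin("alice", HELPDESK_TOOL, t0)
    results["admin_at_10min"] = ac.runs_as_admin("alice", HELPDESK_TOOL, t0 + timedelta(minutes=10))
    results["admin_at_20min"] = ac.runs_as_admin("alice", HELPDESK_TOOL, t0 + timedelta(minutes=20))
    results["admin_other_app"] = ac.runs_as_admin("alice", OFFICE, t0 + timedelta(minutes=5))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the elevation being tied to (user, application, expiry) rather than to the user alone is the “no standing admin rights” goal above: a stolen session or a living-off-the-land tool started under that user gets no lasting privilege, and nothing outside the baseline runs at all.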

The Business Impact of Doing it Right

Putting the above recommendations in place has big advantages for a business, including reduced risk, a stronger compliance posture, lower insurance premiums and greater peace of mind.

The overarching message here is that it’s not about blocking threats, it’s about keeping your business running, your data safe and your reputation intact. Just like at M&S, a breach could halt business operations, lose clients and trigger fines, but these protective controls can stop that happening.

How We Help

NovaBytes helps businesses with these cyber security controls every day, but it’s not one-size-fits-all: expert setup and ongoing tuning are key to establishing a good security posture.

Want to know how well your Microsoft environment would stand up to the threats above? Book a quick, no-pressure call with our team.
