Heads-up: test your tenant security before hackers attack your users, using Office 365 Threat Intelligence

Announced in late February 2018, Microsoft now lets you run security tests against your own tenant, such as phishing, brute force and password spray attacks. To use these tools you’ll need one user with an Enterprise E5 license.

In this way, you can test the security of your Office 365 tenant and evaluate how your users respond to a fake Office 365 sign-in page (phishing attack), or check that your users have set a complex password (brute force attack) rather than “password” or their birthdate.

Security is an important topic for an Office 365 tenant, and users should be aware of these threats: don’t hesitate to communicate about them within your organization, and do so often.

Many companies around me have had users give their password or IBAN bank account number to a third party pretending to be from the company (for example, using an email address at gogle.com instead of google.com).
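The look-alike domain trick mentioned above (gogle.com for google.com) can be caught on the defender's side before a user ever sees the mail. The following is an added example, not part of the original post: it normalises common character swaps and uses an edit distance with transpositions to flag sender domains that sit within a couple of edits of the organisation's own domains. The domain list, threshold and sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender domains that look like the organisation's own
# domains (e.g. "gogle.com", "g00gle.com", "googel.com" for "google.com").
# ORG_DOMAINS, HOMOGLYPH_PAIRS and MAX_DISTANCE are constructed assumptions.

ORG_DOMAINS = {"google.com", "contoso.com"}   # assumed legitimate domains
MAX_DISTANCE = 2                              # edits allowed before "lookalike"

# Character swaps that read the same at a glance (constructed subset).
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and
    transpose two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Lower-case the domain and undo the usual look-alike substitutions."""
    domain = domain.strip().lower().rstrip(".")
    for lookalike, real in HOMOGLYPH_PAIRS:
        domain = domain.replace(lookalike, real)
    return domain


def classify_sender(address: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in ORG_DOMAINS:
        return "internal"
    norm = normalise(domain)
    for org in ORG_DOMAINS:
        # Exact match after normalisation, an org domain embedded in a longer
        # name, or a domain within MAX_DISTANCE edits all count as look-alikes.
        if org in norm or edit_distance(norm, org) <= MAX_DISTANCE:
            return "lookalike"
    return "external"
```

A fixed threshold of 2 is generous for very short organisation domains; in practice, scale it with the domain length so that unrelated short names are not flagged.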

Let’s take a tour of these attack simulators.

Figure: Advanced threat management – Office 365 Admin Center

Prerequisite:

First, you need to activate MFA (multi-factor authentication) for at least one user. Jethro Seghers explained how to do so on YouTube.

1/2 Conduct a phishing attack on your Office 365 users

This attack simulation checks how many users will be tricked by a login page that looks like the Office 365 sign-in page, or by any other login page you would like to “phish” with. To run it, create a phishing attack campaign from the Threat Management / Attack simulator menu in your Office 365 admin center.

You will be invited to select the users you want to target for this campaign, up to 500 users.

Figure: Phishing attack simulator – Office 365 Admin Center

Once you have given the campaign a name, you can select a phishing attack template:


Once the setup is completed, the user will receive an email like this in their mailbox:

Figure: Create a phishing attack from a template – Office 365 Admin Center

The email links to a page that looks very much like the Office 365 sign-in page. If users enter their credentials, they land on a 404 page, and the administrator can review which users got PWNED!

Figure: Fake Office 365 login page

Review the users that got pwned:

Figure: Report of the attack campaign

2/2 Test a brute force attack

When you configure a brute force campaign, you are invited to select the target users, just as for the phishing campaign. Then you enter the passwords that the test will try on your behalf.

You can load a file containing many of the most commonly used passwords. You could generate such a list from this website, which lists the most common passwords in use.

Figure: Brute force campaign

Again, you can review the results of your campaign:

Figure: Results of brute force campaign

Conclusion

That is a good start for initiating vulnerability testing within your organization. I wonder how to perform a phishing attack on 200 000 users….

There is much more to cover about security for your Office 365 tenant, for example:

  • Using third-party tools to perform penetration tests
  • Code review (if you have a developer who creates custom code for your tenant).

Make sure you include security in your roadmap… It is as important as planning features.

Tests should be conducted often to keep your security from being compromised. What are the security best practices? Many more are covered in this article from goptg.com (Data Loss Prevention, etc.).

Securing your apps is like travel insurance: boring and useless until you need it….

So assess the risks and define actions against stolen passwords, phishing attacks, etc.
