The Latest Office 365 Security Vulnerability Highlights the Need for Defense in Depth

I’ve spent a lot of time lately looking at Office 365 security. The main reason is I’ve been working on my latest Pluralsight course, which coincidentally has been released this week.

Today as I’m looking for good security topics to write about, along comes the news of the latest Office 365 security vulnerability.

Dubbed “baseStriker” by the security company that discovered it, the vulnerability exists in how Office 365 ATP Safe Links interprets URLs in HTML messages. Email messages that use the HTML base tag to specify a base URL in the head of the document were found to bypass Safe Links.

The security researcher disclosed their discovery to Microsoft a week before their public blog post, and report that…

…we have only seen hackers using this vulnerability to send phishing attacks, but but it is also capable of distributing ransomware, malware and other malicious content.

By the time you’re reading this it’s possible that Microsoft has already plugged this hole in their product. I’m yet to see a public statement either way. I’m not sure we’ll see a direct response, because Microsoft doesn’t always discuss specifics. But I imagine a general statement will be released sometime soon.

If you have any immediate concerns, you can mitigate the potential attacks. Mail flow rules in Exchange Online can be configured to detect the presence of “<base href=” in email messages and act on them. I would caution you against outright blocking the emails for now. The HTML base tag is a legitimate tag, although probably not used a lot. A reasonable approach may be to quarantine the items. You could also prepend a message to the email warning users to be careful of clicking links in emails from unknown sources.

Other than that, what should we do? Throw out Office 365 entirely, as some have suggested?

Probably not. I had an oil leak in my car last year, but it got fixed. I didn’t need to throw out the entire car and buy a new one that might have the same problem anyway. The security researchers reported that other products also have the same flaw as Safe Links.

Let’s take the opportunity to have a discussion about how vulnerabilities like this reinforce how we should approach security in Office 365.

As I wrote in my last blog post, security concerns are one of the biggest barriers to cloud adoption. There are people with decision-making power who don’t trust the cloud at all. There are people who can see the benefits of the cloud, but can’t see how they can secure themselves in cloud.

There are two main reasons behind this:

• Misunderstanding of where the cloud vendor’s security responsibilities end, and where yours begin
• Trying to apply legacy IT security models to the cloud

The Shared Responsibility for Office 365 Security

Office 365 is software-as-a-service (SaaS). Like most SaaS, it operates with a shared responsibility for security.

Microsoft secures the Office 365 infrastructure from physical and network attacks. They’re good at it. They’re among the best in the world, in fact. Putting your infrastructure security in the hands of Microsoft is a good idea.

Microsoft also provide a range of security features and tools to customers (that’s you and I). We are responsible for applying those security features and tools to secure our organization.

The security of an organization is dependent on how well we’re able to identify the risks that apply to us. Then, how well we mitigate those risks with the available tools. Where Microsoft doesn’t provide a tool that addresses a particular risk, we can apply third party solutions (e.g. next-gen firewalls, secure web proxies) or human solutions (e.g. training, better processes) to fill those gaps.

Where we tend to run into trouble is by trying to apply legacy IT security models to Office 365.

The Modern Threat Landscape

Legacy IT security usually involves implementing:

• A perimeter firewall
• Email antivirus and anti-spam server or software
• Antivirus software on servers and workstations
• Monitoring of servers and logs

When we move to the cloud, those measures are no longer effective.

• The perimeter firewall doesn’t protect roaming users and mobile devices. It also doesn’t stand between attackers and your cloud services.
• Traditional email antivirus and anti-spam software fails to detect zero-day attacks.
• Signature-based antivirus software doesn’t detect sophisticated attacks and suspicious behaviour.
• Server and log monitoring often provides a fragmented view of the environment. Also there is often no shared intelligence between systems.

So what does a modern approach to IT security look like, now that we need to adopt the cloud in a secure way? Let’s consider the three pillars of IT security:

• Identities – user and admin accounts used to access and manage cloud services.
• Devices – servers, workstations, and mobile devices used to access applications and data.
• Information – the data itself, stored in the cloud.

To enable customers to secure those three pillars, Microsoft offers a range of security features in Office 365 and Azure Active Directory.

• Securing identities with multi-factor authentication, Privileged Identity Management, conditional access, and Azure Identity Protection.
• Securing devices with Office 365 ATP, Windows Defender ATP, and Azure ATP (which protects on-premises AD infrastructure).
• Securing information with Azure Information Protection, Data Loss Prevention, and Office Message Encryption.

And those are just some of what Microsoft provides in the way of security features. Windows 10 has further endpoint security features available through Windows Defender such as Exploit Guard. Windows Server has a wide range of security features also available. Group Policy has enabled us to apply secure configurations to our endpoints for years. Not to mention patching, end user education, and all the rest of what makes up a good security strategy.

All that exists today, ready for us to adopt and put in place to address security risks for our organization.

An important point to make here is that any single vulnerability doesn’t cause Office 365 to go from “secure” to “not secure”, because security is not an on/off switch. A flaw in Safe Links  would be a serious problem if Safe Links was the entirety of our security strategy. Which it should never be. A strategy of defense in depth is necessary to protect Office 365, or in any other security scenario.

An Example Attack – Fraudulent Invoices

Let’s walk through a hypothetical attack scenario. I use this scenario in my course to make the same point about defense in depth. I’ll simplify it a little here for the sake of time.

A financially motivated attacker is looking for companies that they can exploit through fraudulent transactions or extortion.

Reconnaissance of social networking sites like LinkedIn make it trivial to discover the names of key staff who are likely to be able to authorize financial transactions.

Attackers can use several methods to gain access to the accounts of those members of your staff. The might also target related staff, such as executive assistants. We know that phishing is a problem, as is the re-use of credentials. Patching is also a big problem for organizations. So it’s possible for an attacker to use a combination of those weaknesses to gain remote access to a user’s workstation.

From there the attacker is able to download more attack tools to the compromised machine. They can conduct further reconnaissance inside your network, and attempt privilege escalation. In the ATA Suspicious Activity Playbook from Microsoft, which you can use to test drive Azure ATP or Microsoft ATA, privilege escalation is demonstrated in detail. With elevated rights the attacker can reset passwords to gain access to any user’s account that they need.

Once the attacker has access to the network and one or more user accounts and mailboxes, they can discover the business process for handling invoices from suppliers. They can also discover opportunities to launch their attack, such as a key individual being absent from the office on vacation.

At the right time, the attacker can reset the key individual’s password, then use their mailbox to send a fraudulent invoice for payment. If a legitimate account can’t be used, the attacker could fall back on spoofing the email to appear to come from within the company or a lookalike domain.

If the accounts payable team processes the invoice and makes the payment, the attacker has been successful. The attacker also has persistent access to the network for further attacks.

Using Layered Defenses to Protect Office 365

There is no single solution to mitigate the attack described above. This is a failure of controls at many levels. You could not rely on a single Office 365 feature, such as Safe Links, to reduce the likelihood of that attack, or any other, being successful.

But, a layered defensive strategy using multiple security features and controls, stands a much better chance of preventing the attacker from succeeding.

• The initial phishing attack can me mitigated using Exchange Online Protection and Office 365 ATP. This goes beyond just Safe Links, which was the source of the reported vulnerability mentioned earlier in this blog post. An attacker’s email has to make it past every layer of EOP and ATP to successfully reach an inbox. It may also be removed from the inbox by ATP if it is later determined that it was malicious, potentially before the user has even read it.
• The credential re-use risk can be mitigated by Azure Identity Protection. When Microsoft becomes aware of a breach containing a re-used set of credentials, you can have Azure Identity Protection alert you and automatically force the user’s password to be reset.
• The use of compromised credentials by the attacker can be mitigated in several ways. Multi-factor authentication can prevent the credentials being used by anyone but the account owner. Azure Identity Protection can identify suspicious or risky login patterns, such as an attacker logging in from a remote country. Azure AD conditional access can enforce MFA and other conditions on logins, such as requiring all to be from trusted devices.
• If the attacker manages to gain remote access to a user’s computer, Windows Defender ATP can detect the suspicious behaviour of the attacker’s exploit tools, and alert you to the breach immediately. Immediate notification is a lot better than the average 100 days that attackers spend within a network before they are detected.
• If the attacker is performing reconnaissance of your network and attempting privilege escalation, Azure ATP can alert you to that suspicious activity immediately. Again, this is much better than a prolonged period of undetected activity.
• On the chance that the attacker still manages to work out who to send a fraudulent invoice to, the use of MFA and other identity protection measures mentioned earlier prevents them from directly exploiting a mailbox. That leaves them with email spoofing or impersonation as a vector, which can be mitigated with Office 365 ATP once again.
• The business process that deals with invoice payments can’t necessarily be protected with technology. This is a good example how secure business processes are also crucial. In this example, a payment process for new suppliers that involves multiple confirmations of the supplier’s details would likely mitigate the risk.
• Further attacks such as stealing data for extortion purposes can be mitigated if the data is protected with Azure Information Protection.

Effective Security is Hard, But Possible

All of those security measures I mentioned above need to be evaluated, tested, and deployed to be effective. Some of them require additional investment in licenses.

There’s no single button to push that will turn them all on. Some of the features work in isolation. Some of them are tightly integrated. All of them work together to secure your organization in Office 365.

Any one of them can fail, and the others still will be there to continue working against attackers.

You’re going to need stakeholder support for security initiatives, especially from those who make decisions about where IT budget is spent. Your end users will need training for the user experiences changes that some of these measures introduce. Your IT staff will need training in order to support users when a security feature impacts them in some way, and to respond correctly to security incidents.

And when new vulnerabilities arise, such as the Safe Links flaw or any other vulnerability that comes our way in future, you’ll adapt and respond, just like the attackers do.