Best Practices to Prevent Credential Theft and Account Takeover
In this, the second blog in our series on the top issues affecting your M365 service, we look at how you can protect yourself from having your credentials stolen or your accounts taken over.
As we've previously written about, Microsoft's M365 service has become the backbone of productivity for a huge variety of organisations across the UK, no matter how big or small. As a consequence of that scale of adoption, your M365 accounts, especially those with elevated privileges, have become prime targets for attackers to compromise.
Published reports, including from Microsoft themselves, provide many statistics that regrettably reveal that too many organisations using M365 have already been victims of these attacks.
Understanding the Threat of Credential Theft and Account Takeover
Credential theft occurs when attackers obtain your login details through various means, whilst account takeover is when they use that unauthorised access to take control of your M365 account. Once they have control of your account, and depending on the amount of privilege it has, it's not unusual for attackers to try the following:
- Access and exfiltrate sensitive information from your M365 service
- Use your account to discover and compromise other accounts
- Impersonate staff to facilitate financial fraud
- Infiltrate and deploy ransomware or other malware
- Launch attacks against your customers, suppliers and business partners
The consequences of any of these attacks can be devastating to your business, ranging from an ICO-reportable data breach to financial losses, operational disruption and significant reputational damage.
Essential Security Measures for Your M365 Environment
Implement Multi-Factor Authentication (MFA)
MFA remains one of the most powerful defences against account takeover, as it mandates an additional verification stage beyond your password. Published research indicates that more than 99% of account compromise attacks are stopped by MFA.
- Make MFA mandatory for all users, not just administrators
- Activate Security Defaults in your M365 service to mandate the enforcement of MFA for all administrator accounts
- Prioritise app-based authenticators from known companies (such as Microsoft, Google or Duo) rather than SMS, as they provide stronger protection
By implementing MFA across your organisation, you're adding an extra lock to your front door: even if a password has been compromised, the attacker still has another barrier to overcome. It's simple but extraordinarily effective.
Establish Robust Password Controls
While deploying MFA is critical, enforcing strong password practices remains your first line of defence:
- Enforce long passwords, 12 characters as a minimum and, if possible, no maximum
- Avoid making password rules too complex, as this encourages bad behaviours (such as writing passwords down or incrementing a number when changing them)
- Encourage users to use websites such as what3words to generate passwords
- Educate users not to reuse passwords across different services
- Consider implementing a password manager to help users maintain unique passwords
- Educate users to change their password if they think it may have been compromised or inadvertently shared
- Set automatic account lockout after several failed login attempts
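As an added example that is not part of the original post, the following Python applies the controls above to a password change and to a stream of failed sign-ins: a minimum length with no maximum, a check against a small constructed breached-password list, a check that the new password is not simply the old one with its number bumped (the bad behaviour the post warns about), and lockout after a threshold of failures. The threshold (5 attempts) and window (15 minutes) are assumed values; in M365 these controls are set in the service's own password and lockout settings rather than in code like this, so treat the block as a model of the rules, not as tenant configuration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 12                          # minimum from the post; deliberately no maximum
LOCKOUT_THRESHOLD = 5                    # assumed: failed attempts before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed: window for counting failures and lockout length

# Constructed stand-in for a breached-password feed; compared case-insensitively.
BREACHED = {"password1234", "welcome2024!", "companyname2024"}

# Splits a password into (prefix, last run of digits, suffix) so that "Summer2023!"
# and "Summer2024!" can be recognised as the same password with the number bumped.
_LAST_DIGIT_RUN = re.compile(r"^(.*?)(\d+)([^\d]*)$")


def is_incremented_reuse(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing number changed."""
    m_old, m_new = _LAST_DIGIT_RUN.match(old), _LAST_DIGIT_RUN.match(new)
    if not (m_old and m_new):
        return False
    same_shell = (m_old.group(1), m_old.group(3)) == (m_new.group(1), m_new.group(3))
    return same_shell and m_old.group(2) != m_new.group(2)


def check_password(candidate: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        failures.append("appears in breached-password list")
    if old is not None:
        if candidate == old:
            failures.append("same as previous password")
        elif is_incremented_reuse(old, candidate):
            failures.append("previous password with the number changed")
    return failures


class LockoutTracker:
    """Locks an account after LOCKOUT_THRESHOLD failures inside LOCKOUT_WINDOW."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[datetime]] = {}
        self._locked_until: Dict[str, datetime] = {}

    def record_failure(self, account: str, when: datetime) -> bool:
        """Record one failed sign-in; return True if the account is now locked."""
        recent = [t for t in self._failures.get(account, []) if when - t <= LOCKOUT_WINDOW]
        recent.append(when)
        self._failures[account] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self._locked_until[account] = when + LOCKOUT_WINDOW
            return True
        return False

    def is_locked(self, account: str, when: datetime) -> bool:
        """True while a lockout set by record_failure is still in force."""
        return when < self._locked_until.get(account, when)


if __name__ == "__main__":
    print(check_password("Summer2024!!", old="Summer2023!!"))
    tracker = LockoutTracker()
    start = datetime(2024, 5, 1, 9, 0)
    for minute in range(5):
        print(minute, tracker.record_failure("alice@contoso.example", start + timedelta(minutes=minute)))
```

The incremented-reuse check only compares the last run of digits, which is where users most often make the change; failures older than the window are discarded, so five slow failures spread over an hour do not lock the account, while five inside fifteen minutes do.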
By deploying strong and robust password practices for all your users, you're making it that bit harder for attackers to pick the lock in the first place.
Safeguard Administrator Accounts
Your admin accounts usually have elevated privileges and are very attractive targets for attackers, as once compromised they provide the keys to the entire castle:
- Create separate admin accounts for administrative tasks only (don’t use them to surf the web if possible and be extremely careful when opening emails)
- Ideally, use dedicated, highly secured devices for admin activities
- Deprovision admin accounts promptly when staff leave your organisation
- Regularly audit admin privileges to ensure they’re assigned only to those who genuinely need them
Administrator accounts are the equivalent of master keys to all your locks, so restricting who has access to them and how they can be used is crucial to protecting them.
Advanced Protection Strategies
Disable Legacy Authentication
Where possible, disable legacy authentication protocols (such as IMAP, POP3 and SMTP using basic authentication), which cannot support modern security features like MFA:
- Block legacy authentication entirely where possible
- If legacy protocols are required for specific applications, limit their use to only the accounts that need them and implement additional security measures such as Conditional Access policies or TLS encryption.
- Document all uses of legacy authentication protocols, assign an owner and review at least annually.
Implement Email Authentication Protocols
Configure modern email authentication to help prevent email spoofing and phishing attempts:
- Deploy SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance)
- Set DMARC policy to “quarantine” or “reject” to prevent unauthorised use of your domain
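As an added example (not part of the original post), the following Python checks published SPF and DMARC records against the advice above: it parses the DMARC tag list, flags a policy of none, a partial pct, a missing reporting address and a weak subdomain policy, and flags an SPF record that ends in a permissive qualifier or exceeds the ten DNS lookups RFC 7208 allows. The records are constructed samples standing in for real TXT lookups of your own domains; spf.protection.outlook.com is the include Microsoft publishes for Exchange Online, everything else is made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample DNS TXT records standing in for real lookups of your own
# domains. spf.protection.outlook.com is the SPF include Microsoft publishes for
# Exchange Online; the domains and addresses are made up for the example.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@strong.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": None,
    },
}

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 allows.
_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None unless it is a v=DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def spf_lookup_count(terms: List[str]) -> int:
    """Count lookup-costing terms, ignoring the +/-/~/? qualifier and any argument."""
    count = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in _LOOKUP_TERMS:
            count += 1
    return count


def evaluate_spf(record: Optional[str]) -> List[str]:
    """Findings for one SPF record; an empty list means nothing to fix."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends with '{last}': unauthorised senders are not rejected")
    elif last == "~all":
        findings.append("SPF ends with '~all' (softfail); '-all' is the strict setting")
    if spf_lookup_count(terms[1:]) > 10:
        findings.append("more than 10 DNS lookups: receivers will treat SPF as a permanent error")
    return findings


def evaluate_dmarc(record: Optional[str]) -> List[str]:
    """Findings for one DMARC record; an empty list means nothing to fix."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is '{policy or 'missing'}': spoofed mail is only reported, not blocked")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only part of failing mail receives the policy")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in ("quarantine", "reject"):
        findings.append(f"subdomain policy is '{subdomain_policy or 'missing'}': subdomains can still be spoofed")
    return findings


def assess_domain(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Combine the SPF and DMARC findings for one domain's records."""
    return {"spf": evaluate_spf(records.get("spf")), "dmarc": evaluate_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess_domain(records))
```

To run it against a live domain, replace the sample dictionary with the TXT records returned for the domain itself (SPF) and for the _dmarc subdomain (DMARC); the evaluation functions do not change. DKIM is not checked here because its records are per-selector and are only meaningful once you know which selectors your mail is signed with.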
Leverage Microsoft 365 Security Features
Utilise Microsoft’s built-in security capabilities where possible:
- Exchange Online Protection (EOP) is usually included in all M365 plans that offer Exchange Online and provides a very effective baseline set of defences
- Microsoft Defender for Office 365 is a paid-for service that offers advanced anti-phishing and anti-malware protection
- Use Safe Links and Safe Attachments to automatically scan for malicious content
- Implement Conditional Access policies to restrict access based on user, location, device, and risk factors
Education and Awareness
Regrettably, technology is never the whole solution, so you must continuously educate your staff and reinforce the training so that they recognise and respond to these constantly evolving threats:
Deliver Regular Security Training
- Conduct phishing simulations, either with the Microsoft Attack Simulator or one of the many specialist services available
- Create clear and simple procedures which enable your users to report suspicious activities
- Provide specific training on how to recognise BEC attempts and credential phishing
- Where possible, ensure training incorporates real-world examples relevant to your business
Foster a Security Culture
- Encourage staff to question unusual requests, especially those involving financial transactions, credential verification or privileged actions
- Create a blame-free environment where security concerns can be raised without fear. By celebrating security-conscious behaviours, you’ll help to create and reinforce positive habits
Detecting the Undetectable
Despite your best preventative efforts, some threats may still penetrate your defences, so detecting them as early as possible is your last line of defence:
Implement Continuous Monitoring
- Use Microsoft 365 Defender’s threat detection capabilities
- Set up alerts for suspicious login activities, particularly from unusual locations or devices
- Monitor for unusual mail flow rules or inbox configurations that could indicate compromise
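The monitoring points above, and the earlier advice to document which accounts still use legacy authentication, can be worked through on sign-in and audit data. The following Python is an added example, not code from the original post or from Microsoft: it builds a legacy-protocol inventory per account, flags successful sign-ins from a country outside a user's baseline or from two countries within a short window, and flags newly created inbox rules that forward mail outside the tenant, delete messages, target sensitive subjects or carry a blank name. The records are constructed samples in a simplified shape loosely modelled on Entra ID sign-in logs and Exchange audit events; the legacy app names, the baseline countries, the two-hour travel window and the sensitive-word list are all assumptions to tune for your own tenant.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample sign-in records in a simplified shape loosely modelled on
# Entra ID sign-in logs (user, time, country, clientAppUsed, success). Not real data.
SIGN_INS = [
    {"user": "alice@contoso.example", "time": "2024-05-01T08:05:00", "country": "GB", "app": "Browser", "success": True},
    {"user": "alice@contoso.example", "time": "2024-05-01T08:40:00", "country": "GB", "app": "Browser", "success": True},
    {"user": "alice@contoso.example", "time": "2024-05-01T09:10:00", "country": "NG", "app": "Browser", "success": True},
    {"user": "bob@contoso.example", "time": "2024-05-01T07:55:00", "country": "GB", "app": "IMAP4", "success": False},
    {"user": "bob@contoso.example", "time": "2024-05-01T07:56:00", "country": "GB", "app": "IMAP4", "success": True},
    {"user": "svc-scanner@contoso.example", "time": "2024-05-01T06:00:00", "country": "GB", "app": "Authenticated SMTP", "success": True},
]

# Constructed sample inbox-rule creation events (simplified from an Exchange audit record).
INBOX_RULES = [
    {"user": "alice@contoso.example", "name": "..", "forward_to": ["personal@mail.example"],
     "delete": False, "subject_words": ["invoice", "payment"]},
    {"user": "carol@contoso.example", "name": "Newsletters", "forward_to": [],
     "delete": False, "subject_words": ["newsletter"]},
    {"user": "dave@contoso.example", "name": "cleanup", "forward_to": [],
     "delete": True, "subject_words": ["password", "security alert"]},
]

# Assumed values: a subset of clientAppUsed names that indicate legacy (basic) auth,
# a per-user baseline of countries already seen, the travel window to flag, and the
# subject words that matter for fraud and credential-theft follow-up.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
KNOWN_COUNTRIES: Dict[str, Set[str]] = {
    "alice@contoso.example": {"GB"},
    "bob@contoso.example": {"GB"},
    "svc-scanner@contoso.example": {"GB"},
}
MAX_TRAVEL_HOURS = 2
INTERNAL_DOMAIN = "contoso.example"
SENSITIVE_WORDS = {"invoice", "payment", "password", "security alert", "bank"}


def legacy_auth_inventory(sign_ins: List[dict]) -> Dict[str, List[str]]:
    """Which accounts still sign in over legacy protocols: the list to own, justify and review."""
    inventory = defaultdict(set)
    for s in sign_ins:
        if s["success"] and s["app"] in LEGACY_APPS:
            inventory[s["user"]].add(s["app"])
    return {user: sorted(apps) for user, apps in inventory.items()}


def flag_sign_ins(sign_ins: List[dict], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag successful sign-ins from a country outside the user's baseline, and two
    different countries inside MAX_TRAVEL_HOURS (a crude impossible-travel check)."""
    alerts = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    for s in sorted(sign_ins, key=lambda r: r["time"]):
        if not s["success"]:
            continue
        when = datetime.fromisoformat(s["time"])
        if s["country"] not in baseline.get(s["user"], set()):
            alerts.append((s["user"], f"sign-in from new country {s['country']}"))
        prev = last_seen.get(s["user"])
        if prev and prev[1] != s["country"] and (when - prev[0]).total_seconds() <= MAX_TRAVEL_HOURS * 3600:
            alerts.append((s["user"], f"{prev[1]} then {s['country']} within {MAX_TRAVEL_HOURS}h"))
        last_seen[s["user"]] = (when, s["country"])
    return alerts


def flag_inbox_rules(rules: List[dict], internal_domain: str = INTERNAL_DOMAIN) -> List[Tuple[str, str, List[str]]]:
    """Flag rules that forward outside the tenant, delete mail, target sensitive
    subjects, or carry a blank or punctuation-only name."""
    alerts = []
    for r in rules:
        reasons = []
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + internal_domain)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        if r["delete"]:
            reasons.append("deletes messages")
        hits = [w for w in r["subject_words"] if w.lower() in SENSITIVE_WORDS]
        if hits:
            reasons.append("matches sensitive subjects: " + ", ".join(hits))
        if not r["name"].strip(". _-"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            alerts.append((r["user"], r["name"], reasons))
    return alerts


if __name__ == "__main__":
    print(legacy_auth_inventory(SIGN_INS))
    for alert in flag_sign_ins(SIGN_INS, KNOWN_COUNTRIES):
        print("SIGN-IN", alert)
    for alert in flag_inbox_rules(INBOX_RULES):
        print("INBOX RULE", alert)
```

On the sample data the inventory shows two accounts still on IMAP4 and Authenticated SMTP, Alice is flagged twice (a new country and a country change within the window), and two of the three inbox rules are flagged while the newsletter rule passes. In a real tenant the baseline should be built from several weeks of each user's history, and the inventory should feed the owner-and-review record the legacy authentication section asks for.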
Establish an Incident Response Plan
- Create a clearly documented incident response plan for handling suspected account compromises
- Assign specific roles and responsibilities within the incident response plan
- Include communication templates for internal and external stakeholders, and consider your regulatory requirements (informing the ICO, financial authorities, NHS England etc.)
- Practise your incident response plan regularly with tabletop exercises which include the entire incident response team
A Layered Approach to Microsoft 365 Security
Although we've covered a lot in this post, you've hopefully seen that preventing credential theft and account takeover against your M365 service requires a sensible, layered approach. By considering the practices outlined above, with a focus on deploying MFA, strong password policies and, where possible, continuous monitoring, you can significantly reduce your risk profile against this type of attack.
However, as these threats continue to evolve, so too must your strategies to resist, detect and counter them. Executing regular security assessments, staying informed about emerging threats, and fostering a security-first culture amongst all your staff will ensure your M365 service is protected as well as possible.
Much as we would all like a single technical solution to these problems, the strongest protection will always come from multiple layers of sensible defensive controls, all working in tandem.
By engaging with Somniac Security we can help you to secure your M365 service, leaving you safe in the knowledge that you won't suffer from these common attacks. Contact us at info@somniacsecurity.com today to help safeguard your business against tomorrow's challenges!