Outlook 365 is a cloud-based email service designed to meet an organization's needs for security, reliability and user productivity. Enterprises worldwide use it for its ease of use, seamless integration, mobile access and productivity features.
When you move your organization to a cloud service, you must be able to trust the provider with your most important, sensitive and confidential data. Microsoft has robust policies, controls and systems built into Outlook 365 to help keep your information safe, and its world-class security team covers the physical and network security of the email infrastructure. If you have migrated from an on-premises or hybrid Outlook deployment to cloud-based Outlook 365, congratulations. But while Outlook 365 offers a number of built-in data protection features, those features alone are usually not enough for the security posture a modern enterprise requires.
Let’s examine a recently discovered Outlook 365 vulnerability and how you can securely configure your Outlook setup to thwart this and similar future vulnerabilities.
Security researchers revealed an attack method that bypasses a security feature of Microsoft Outlook 365 that was designed to protect users from malware and phishing. Safe Links, part of Microsoft's Advanced Threat Protection (ATP) offering, works by replacing every URL in an incoming email with a Microsoft-owned wrapper URL. When a user clicks a link in the email, the browser first goes to the Microsoft-owned domain, which checks the original URL at click time. If Microsoft's scanners detect anything malicious, the user is shown a warning; if not, the user is redirected to the original destination.
The baseStriker attack gets a malicious link that Microsoft would ordinarily block past the filters by splitting the URL into two pieces of HTML: a base tag in the document head that carries the attacker's domain, and an ordinary hypertext reference (href) tag in the body that carries only a relative path. The recipient's browser joins the two when the link is clicked, but the email filter does not handle the base tag correctly: ATP performs its lookup on the base domain alone and ignores the path in the body, so the full URL is never assembled and tested, does not match the malicious-URL database, and the email is delivered. Safe Links also does not rewrite the link. Consequently the user receives the original, working malicious link and can click straight through to the phishing page.
In summary, this attack method may be the most severe security flaw in Outlook 365 since the service was created. Unlike other attacks that can be learned and blocked, this vulnerability lets attackers bypass Safe Links entirely, the very control meant to catch malicious URLs, and is the email equivalent of a virus that blinds the immune system. Even if the destination is already known to be malicious, Safe Links never sees the full URL and lets the message through. We have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content, potentially unleashing risks that its users have not been accustomed to on the platform.
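To make the mechanism concrete, here is an added example in Python; it is not code from the original article, from the researchers, or from Microsoft. It extracts anchors from a constructed baseStriker-style message body and checks their host against a tiny stand-in blocklist, once the naive way, ignoring the base tag, and once resolving the relative href against the base tag the way the recipient's browser will. The domain phish.example, the IP-free message text and the blocklist are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed baseStriker-style message body (not a real sample): the attacker's
# domain appears only in the <base> tag, and the anchor carries a relative path.
# "phish.example" is a placeholder under the reserved .example TLD.
BASESTRIKER_BODY = """
<html>
  <head><base href="http://phish.example/"></head>
  <body>
    <p>Your mailbox is almost full.</p>
    <a href="login/verify.html">Review storage</a>
  </body>
</html>
"""

# The same lure written the ordinary way, with an absolute URL in the anchor.
PLAIN_BODY = '<html><body><a href="http://phish.example/login/verify.html">Review storage</a></body></html>'

# Stand-in for the filter's malicious-domain database.
BLOCKLIST = {"phish.example"}


class LinkExtractor(HTMLParser):
    """Collect anchor hrefs; optionally resolve them against the document <base>."""

    def __init__(self, honor_base):
        super().__init__()
        self.honor_base = honor_base
        self.base = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # Browsers use only the first <base href>; later ones are ignored.
            if self.honor_base and self.base is None:
                self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            href = attrs["href"]
            if self.honor_base and self.base:
                # Resolve the relative href exactly as the recipient's browser will.
                href = urljoin(self.base, href)
            self.links.append(href)


def extract_links(body, honor_base):
    """Return the hrefs found in body; with honor_base=False relative paths stay relative."""
    parser = LinkExtractor(honor_base)
    parser.feed(body)
    return parser.links


def flagged_links(body, honor_base):
    """Return the links whose host is on BLOCKLIST.

    A relative href has no host at all, so a scanner that ignores <base> can
    never match it, which is exactly the gap baseStriker exploits.
    """
    hits = []
    for link in extract_links(body, honor_base):
        host = urlsplit(link).hostname
        if host and host.lower() in BLOCKLIST:
            hits.append(link)
    return hits


if __name__ == "__main__":
    print("naive scanner, baseStriker body:", flagged_links(BASESTRIKER_BODY, honor_base=False))
    print("base-aware scanner, baseStriker body:", flagged_links(BASESTRIKER_BODY, honor_base=True))
    print("naive scanner, plain body:", flagged_links(PLAIN_BODY, honor_base=False))
```

The naive pass returns nothing for the baseStriker body because the only href it sees is "login/verify.html", which has no host to look up; the base-aware pass resolves it to the full URL and flags it. A filter that rewrites links the way Safe Links does has the same obligation: it must wrap the resolved absolute URL, not the relative fragment, or the recipient is handed the original link untouched.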
Defense in Depth to Protect Outlook 365
There is no single control that mitigates the attack described above; it is an example of a failure of controls at several levels. You cannot rely on one Outlook 365 security feature, such as Safe Links, to reduce the likelihood that this attack, or any other, succeeds. A layered defense built from multiple Microsoft security features and controls stands a much better chance of stopping the attacker.
The initial phishing email can be mitigated with Microsoft EOP (Exchange Online Protection) and ATP. These go well beyond Safe Links, the feature the reported vulnerability affects: an attacker's email has to make it past every layer of EOP and ATP to reach a user's Inbox, and Zero-hour Auto Purge can remove it from the Inbox if it is later determined to be malicious, potentially before the user has even read it.
The risk of reused user credentials can be mitigated with Azure AD Identity Protection. When Microsoft becomes aware of a breach that exposes a reused set of credentials, Identity Protection can alert you and automatically force a password reset for the user. It can also identify suspicious sign-in patterns, such as an attacker logging in from a distant country. Identity Protection is only one way to limit the damage from compromised credentials. Another is enabling MFA (multi-factor authentication), so that a stolen password alone is not enough to sign in. Azure Active Directory conditional access can enforce MFA and other conditions on sign-ins, such as requiring that they originate from trusted (compliant or domain-joined) devices.
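Microsoft's own detection logic in Identity Protection is not public, but the "impossible travel" idea behind flagging a sign-in from a distant country is simple to show. The following is an added Python example, not code from the article or from Microsoft: it walks a constructed list of sign-in events that have already been geolocated and flags consecutive sign-ins by one user that would require travelling faster than a commercial flight. The user, the documentation-range IPs, the coordinates and the 1000 km/h threshold are all assumptions made for the illustration.

```python
import math
from datetime import datetime

# Constructed sign-in events for one fictitious user (not real telemetry).
# IPs are from documentation ranges; coordinates are approximate city centres,
# the kind of value a geo-IP lookup would attach to each event.
SIGNINS = [
    {"user": "alice@contoso.example", "ts": "2018-05-10T08:00:00", "ip": "203.0.113.10",
     "lat": 47.61, "lon": -122.33},   # Seattle, the user's usual location
    {"user": "alice@contoso.example", "ts": "2018-05-10T08:45:00", "ip": "198.51.100.7",
     "lat": 55.75, "lon": 37.62},     # Moscow, 45 minutes later
    {"user": "alice@contoso.example", "ts": "2018-05-10T19:00:00", "ip": "203.0.113.10",
     "lat": 47.61, "lon": -122.33},   # back in Seattle, about ten hours later
]

# Anything faster than a long-haul flight is treated as physically impossible
# (assumed threshold for this example).
MAX_SPEED_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per pair of consecutive sign-ins by the same user whose
    implied travel speed exceeds max_speed_kmh. Each finding records the user,
    the two source IPs, the distance and the implied speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            if hours <= 0:
                # Identical timestamps from two places are impossible unless it is the same place.
                speed = math.inf if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_speed_kmh:
                findings.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "distance_km": round(dist_km), "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SIGNINS):
        print(finding)
```

Only the Seattle-to-Moscow pair is flagged: roughly 8,400 km in 45 minutes. The return to Seattle ten hours later is within airline speed and passes, which is the behaviour you want so that genuine travellers are not drowned in alerts. In a real pipeline the events would come from the Azure AD sign-in log after geo-IP enrichment, and known VPN or proxy egress points, which produce exactly this pattern legitimately, would need an allow list.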
If the attacker manages to gain remote access to a user's computer, Windows Defender ATP can detect the behavior of the attacker's exploit tools and alert you to the breach immediately. If the attacker then performs reconnaissance of your network or attempts privilege escalation, Azure ATP can raise an alert on that activity. Even if the attacker works out whom to send a phishing email to, MFA and the other identity protections mentioned earlier prevent them from directly taking over a mailbox with stolen credentials. That leaves email spoofing or impersonation as a vector, which ATP's anti-phishing protection mitigates once again.
All of the security measures mentioned above must be evaluated, tested and deployed to be effective, and some of them require additional investment in licenses. There is no single button that turns them all on: some work in isolation and some are tightly integrated with other features, but together they secure your organization's Outlook 365 setup.
baseStriker is a perfect example of a very simple exploit with the potential to cause significant damage to your organization. As more organizations move further into cloud offerings, we will need to stay aware of the potential security risks and remain vigilant.
As you know, unlike MiFID II or other pan-European regulations, the General Data Protection Regulation (GDPR) reaches beyond the EU and affects businesses that formerly thought they were safely ensconced in the U.S. Some are still wondering whether they have to comply at all; I mean, shouldn't they be getting a letter in the mail or something? But then they hear about the rather large fines, up to EUR 20 million (roughly USD 24 million at May 2018 exchange rates), and all of a sudden the veil of willful ignorance must lift and they must ask: what about us?
What is GDPR and Why does it exist?
The short answer is public concern over privacy. The EU has long had more stringent rules than most jurisdictions on how companies may use personal data. In 1995 the EU enacted the Data Protection Directive, well before the Internet became the constant data marketplace it is today. The directive is consequently outdated and does not address the many ways in which data is collected, stored and transferred now. The European Parliament therefore adopted the GDPR in April 2016 to replace it. GDPR consists of 11 chapters and 99 articles setting out what businesses must do to protect the personal data and privacy of individuals in the EU (the regulation protects data subjects in the EU regardless of citizenship) when processing takes place in EU member states; it also regulates the transfer of personal data outside the EU. The regulation applies uniformly across all 28 EU member states, which means a company thankfully has just one standard to meet within the EU.
As noted above, foreign companies that collect data on people in the EU must also comply with GDPR. More specifically, if your company, wherever it is based, handles personal data of individuals in the EU's 28 member states in order to offer them goods or services or to monitor their behavior, it must comply with the regulation and is exposed to the fines above. If your company is in the clear, rejoice, but I still encourage you to keep reading, because it will prepare you for the moment your company does work with EU customer data. Most importantly, if your company is US based, every Facebook debacle inches the U.S. closer to stricter data privacy regulation of its own.
GDPR compliance will create new concerns and expectations for your security team because the regulation takes a wide view of what counts as personal data. Your company must protect data such as an individual's IP address or cookie identifiers at the same level as name, address and Social Security number. Like any regulation it is an inch deep and a mile wide, leaving much to interpretation. GDPR requires a company to implement "appropriate" technical and organisational measures to secure personal data (Article 32), but does not define what is appropriate. This ambiguity gives the national supervisory authorities that enforce GDPR a lot of leeway when assessing fines for data breaches and non-compliance.
What types of data does the GDPR protect?
How does GDPR define “data control”?
GDPR states that personal data can't be kept indefinitely. A company must erase it when the data subject withdraws consent, when a valid deletion request is received, or when the third-party agreement under which the data was processed comes to an end.
Which companies do GDPR affect?
The regulation affects any company that stores or processes personal information about individuals in the EU, even if it has no business presence within the EU. The specific criteria are below:
Come again? The last criterion effectively encompasses almost all companies with fewer than 250 employees, because it is interpreted as covering any company that processes, stores or exchanges data points on EU residents.
When does my company need to be in compliance?
By now you should have a good idea of whether your company must comply with GDPR. It must be compliant by May 25, 2018. That's this month!
Who within my company is responsible for compliance?
The GDPR regulation defines several roles that are responsible for ensuring compliance:
GDPR holds Data Processors liable for breaches and non-compliance. It is entirely possible that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault lies entirely with the processing partner. Yes, GDPR has just injected third-party risk into your data processing and storage strategies, and it ultimately changes how your company selects and works with third parties.
How does the GDPR affect my company and its third-party service providers?
The GDPR places direct obligations and liability on both the Data Controller (the company that decides why and how personal data is processed) and the Data Processor (a third party that processes data on the controller's behalf). In practice, a third-party Data Processor that is not GDPR compliant means your company isn't compliant either.
This means that all existing and new agreements with third-party Data Processors (e.g. cloud providers, SaaS vendors or payroll service providers) must explicitly set out data responsibilities within the GDPR structure, and must define data management and protection processes as well as data breach reporting.
GDPR has strict rules for reporting breaches:
What happens if my company isn’t in compliance with the GDPR?
GDPR allows for steep penalties of up to EUR 10 to 20 million or 2 to 4% of global annual revenue for non-compliance. If your company falls short on technical and organisational measures, the fine may be up to EUR 10 million or 2% of global revenue for the prior year, whichever is greater. If it breaches key provisions of the GDPR, such as the basic principles for processing, data subjects' rights, or transferring data to third parties without adequate data protection measures, the fine may be up to EUR 20 million or 4% of global annual revenue for the prior year, whichever is greater.
What should my company do to prepare for the GDPR?
You want to know what data on EU residents you store and process, and understand the risks around it. Your risk assessment must record the measures taken to mitigate those risks.
Your company may already have an incident response plan in place, but it must review and update it to ensure that it aligns with GDPR requirements. Data breach reporting is one of the trickiest areas of compliance: a personal data breach must be notified to the supervisory authority within 72 hours of becoming aware of it, and during that window your company will still be trying to establish the scope of the breach and the appropriate response. Given the required rapid response, it is best to have a preexisting relationship with law enforcement, or at least to know whom you would contact; in the U.S. that is typically the Federal Bureau of Investigation or the Secret Service.
GDPR doesn't clearly state whether the DPO must be a discrete position, so presumably your company can appoint someone as long as that person can oversee data protection without a conflict of interest. In practical terms this makes your IT manager or director, CTO or security manager poor choices for DPO, and a marketing manager is a conflict of interest too, while sensible options could be your head of finance, risk or legal. The DPO doesn't need to be someone within your company, so it may be easier to appoint a lawyer or an external expert. GDPR allows a DPO to serve multiple organizations, so even HLC could function in such a role.
When it comes to GDPR compliance, your legal or compliance departments can’t do it alone. Instead, any department or employee at your company with involvement in processing personal data must be involved and trained appropriately about the GDPR.
The ability to collect personal data and contact individuals is the lifeblood of the charity and not-for-profit sectors. Under GDPR, however, both must comply with the same rules as every other organization.
Smaller companies will be affected by GDPR too, some more significantly than others. If your company is small, it may not have the resources necessary to meet GDPR's requirements. HLC is available to provide advice and technical expertise to help you through the process and make the most of your internal resources.
GDPR isn't a simple checklist or a one-size-fits-all framework: it speaks in broad standards rather than specific rules, and requires your company to work out which measures achieve compliance. Those measures will vary from one company to another. GDPR is a comprehensive legal and regulatory framework that imposes complex initial requirements and ongoing duties on your company. Compliance is a marathon, not a sprint.