Ramp up security to mitigate Office 365 attacks

Public clouds tend to be more secure, but Office 365 has become a major target for attacks, which means internal IT security needs tightening

As businesses make greater use of Office 365 in the cloud, the Microsoft platform is likely to see increasing attacks from hackers. This means IT needs a multi-layered approach to security.

Speaking to Computer Weekly, Lastline’s director of threat intelligence, Andy Norton, described how securing email has always caused major problems for IT security administrators.

“Email is intolerant to aggressive security decisions, which means you may quarantine an important business file such as a purchase order or bank account transfer information, which all have legitimate uses, and if they are lost, the effect can cost companies a lot of money,” he said.

This means IT security professionals tend to strike a balance on email scanning to prevent false positives, where legitimate email messages are quarantined. In Norton’s experience, attackers can exploit the gaps in a security policy that arise when security professionals have to balance the needs of the business against a strong IT security stance.

“The old advice people were given, such as ringing to confirm the legitimacy of an email, is not good practice,” he said. In the past, IT security professionals looked at products that ran checks based on file attributes, such as blocking executable files. But this type of analysis can easily be mistaken.

The other problem is that while executable files may be quarantined, other scripting, like JavaScript, has legitimate uses. But these scripts can easily be used to download and execute malicious code from rogue websites.

Norton said that while it would make sense to block all forms of executable code in email, such as the way macros used to be disabled in Microsoft Office files, JavaScript does have legitimate uses in email messages. This means hackers can use the scripts as an attack vector by targeting email users with scripts that surreptitiously download malware.

Rather than attempt to scan emails using malware signatures to identify known attack vectors, Norton said: “We should not rely on static analysis anymore. We need to dynamically analyse files.”

Norton has written a short paper, Malscape snapshot: Malicious activity in the Office 365 cloud, describing the risks in Office 365, which warns that signature-based static malware analysis is not sufficient to protect users.

The document states: “For a threat to get through the extensive checks deployed by Office 365, it must deploy a multitude of deceptive techniques. Any anti-malware solution relying on signatures must make a choice: either they choose to cover an extended hash (leading to more false positives) or cover a smaller and more specific hash, which creates the risk of introducing false negatives.”

As Office 365 becomes more of a collaboration platform, it presents a bigger threat area for would-be attackers to target. Norton said: “People need to apply dynamic analysis on everything that comes into the environment and go through behavioural analysis before a file is considered safe.”

He recommends businesses adopt a defence-in-depth approach to IT security when using cloud services like Office 365.

“Sophisticated actors know Microsoft has a number of security controls in place, so they don’t send out malware campaigns that will get blocked,” he said. “In the enterprise, you tend to adopt a best-of-breed approach to security. This needs to continue in the cloud.”
