As one of the proud contributors to the Center for Internet Security (CIS) Microsoft 365 Foundation Benchmark, I wanted to raise awareness about the new version release by the Center for Internet Security (CIS) released on February 17th, and how it can help a company to have a secure baseline for their Microsoft 365 tenant.

The first CIS Microsoft 365 Foundation Benchmark was released back in December 2018. Version v1.4.0 has now been released and quoting from the guide, [1] “Provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS. This guide was tested against Microsoft 365, and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and Intune.”

This is a community-driven benchmark that collects input from contributors across different industry sectors and is based on a mutual consensus regarding the issues. This means discussing new and old recommendations at a biweekly meeting or in the online forum via tickets and discussions, proof reading and many more.

There are seven sections, namely:

1. Account/Authentication
2. Application Permissions
3. Data Management
4. Email Security/Exchange Online
5. Auditing
6. Storage
7. Mobile Device Management.

The sections are defined by four profiles that are based on licensing, security level and effect.

The document follows a nice structure similar to a penetration test report: title, applicability, description, rationale, impact, audit, remediation, default value and CIS control mapping.

Wherever it is possible for a recommendation to be checked in an automated way, the audit and remediation section will include instructions.

At the end of the document, there is a checklist summary table for helping to track each recommendation outcome.

Below I’ve shared 5 of the most common ways I’ve seen Microsoft 365 tenants compromised in real-world environments, as well as the corresponding CIS benchmarks that can help prevent these specific weaknesses. The attacks considered below are spamming, phishing, password attacks, malicious apps and data exfiltration.

Let’s see now if the foundation benchmark is effective in preventing these Top 5 attacks.

1. Spamming

“Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, for any prohibited purpose (especially the fraudulent purpose of phishing), or simply sending the same message over and over to the same user.” [4]

“Microsoft processes more than 400 billion emails each month and blocks 10 million spam and malicious email messages every minute to help protect our customers from malicious emails.” [3]

The CIS Benchmark has the following recommendations against spam:

• 2.4 Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
• 4.2 Ensure Exchange Online Spam Policies are set correctly
• 5.13 Ensure Microsoft Defender for Cloud Apps is Enabled
• 5.14 Ensure the report of users who have had their email privileges restricted due to spamming is reviewed

2. Phishing

“Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website.” [5]

“Microsoft Defender for Office 365 blocked more than 35.7 billion phishing and other malicious e-mails targeting enterprise and consumer customers, between January and December 2021.” [2]

The CIS Benchmark has the following recommendations against phishing:

• 2.3 Ensure Defender for Office Safe Links for Office Applications is Enabled
• 2.10 Ensure internal phishing protection for Forms is enabled
• 4.7 Ensure that an anti-phishing policy has been created
• 4.5 Ensure the Safe Links policy is enabled
• 5.12 Ensure the spoofed domains report is review weekly
• 5.13 Ensure Microsoft Defender for Cloud Apps is Enabled

3. Password Brute-Force and Password Spraying

These two types of password attacks differ in volume and order. Brute-forcing a given user’s password will generate a lot of “noise” as an attacker could try millions of passwords for one user from a wordlist before moving to a different user. Password spraying is a type of brute-force attack which tries a common password for all users and then not more than couple more, with delays between every new password try to avoid user lockouts.

“Microsoft (Azure Active Directory) detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords, between January and December 2021.” [2]

“Microsoft says MFA adoption remains low, only 22% among Azure AD enterprise customers” [6]

The CIS Benchmark has the following recommendations against brute-force and password spraying:

• 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
• 1.1.2 Ensure multifactor authentication is enabled for all users in all roles
• 1.1.5 Ensure that password protection is enabled for Active Directory
• 1.1.6 Enable Conditional Access policies to block legacy authentication
• 1.1.8 Enable Azure AD Identity Protection sign-in risk policies
• 1.1.9 Enable Azure AD Identity Protection user risk policies
• 1.1.7 Ensure that password hash sync is enabled for resiliency and leaked credential detection
• 1.1.10 Use Just In Time privileged access to Office 365 roles
• 5.3 Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly
• 5.13 Ensure Microsoft Defender for Cloud Apps is Enabled

4. Malicious Apps

“The Azure Active Directory (Azure AD) application gallery is a collection of software as a service (SaaS) applications that have been pre-integrated with Azure AD.” [5] These SaaS web applications can help automate tasks and extend the functionality of Microsoft 365 services, but there are also add-ons for on-premises Office 365 applications.

The CIS Benchmark has the following recommendations against malicious apps and add-ons:

• 2.1 Ensure third party integrated applications are not allowed
• 2.6 Ensure user consent to apps accessing company data on their behalf is not allowed
• 2.7 Ensure the admin consent workflow is enabled
• 2.8 Ensure users installing Outlook add-ins is not allowed
• 2.9 Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed
• 5.4 Ensure the Application Usage report is reviewed at least weekly
• 5.13 Ensure Microsoft Defender for Cloud Apps is Enabled

5. Data Exfiltration via Automatic Email Forwarding

Attackers often use built-in functionality to move data out from user mailboxes, and one of the most popular methods is automatic email forwarding rules.

The CIS Benchmark has the following recommendations against automatic email forwarding:

• 4.3 Ensure all forms of mail forwarding are blocked and/or disabled
• 4.4 Ensure mail transport rules do not whitelist specific domains
• 5.7 Ensure mail forwarding rules are reviewed at least weekly
• 5.13 Ensure Microsoft Defender for Cloud Apps is Enabled

As you have seen from this post, the newest CIS Microsoft 365 Foundation Benchmarks can not only identify weak points in your tenant’s security, but also offer powerful recommendations to introduce specific mitigations against the most high-impact threats to your Microsoft 365 environment.

[1] CIS Microsoft 365 Foundation Benchmark: https://www.cisecurity.org/benchmark/microsoft_365

[2] Microsoft Cyber-Signals: https://news.microsoft.com/wp-content/uploads/prod/sites/626/2022/02/Cyber-Signals-E-1.pdf

[3] Office 365 helps secure Microsoft from modern phishing campaigns: https://www.microsoft.com/en-us/insidetrack/office-365-helps-secure-microsoft-from-modern-phishing-campaigns

[4] Wikipedia Spamming: https://en.wikipedia.org/wiki/Spamming

[5] NCSC: Phishing attacks: defending your organisation: https://www.ncsc.gov.uk/guidance/phishing

[5] Overview of the Azure Active Directory application gallery: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/overview-application-gallery

[6] Azure AD MFA Adaption tweet: https://twitter.com/campuscodi/status/1489647070466170883