Addressing the many security vulnerabilities in the Microsoft 365 productivity suite requires baselines, recommendations, and security advice from a range of trusted, industry-leading sources.

Microsoft 365 (M365)—originally introduced as Office in 1990, rebranded as Office 365 in 2011 when the bundle moved to a cloud subscription model, and given its current name in 2020—is the leading productivity suite in the world today. It accounts for 48% of the global market, with 70% of Fortune 500 firms having licenses for M365. Companies worldwide have long relied on the traditional Office apps (Word, Excel, Outlook, and PowerPoint), but in recent years, they’ve come to also embrace the new collaboration tools of SharePoint, Teams, Exchange Online, and OneDrive to share documents, calendars, and ideas, and to work together in real time via chat, team workspaces, or audio/video conferencing. The pandemic led to an exponential expansion of these collaborative tools. From March to June 2020, Teams usage increased by 894%, and it more than doubled again, from 115 million active daily users in 2020 to 250 million in 2022.

Unfortunately, with the ubiquity of M365 within enterprises, it’s not surprising that it has become a prime target for attackers. Here are a few mind-boggling statistics about M365-related data breaches over the last couple of years.

• Eighty-five percent of organizations using Microsoft 365 have suffered email data breaches, and 6 in 10 ransomware attacks come via email.
• Organizations using Microsoft 365 are more likely to experience accidental email data leakage, with 26% reporting incidents caused by an employee sharing data in error via email, compared to just 14% of organizations without Microsoft 365.
• Forty-seven organizations exposed 38 million personal records due to a Power Apps misconfiguration.

Beyond the numbers, hackers are getting increasingly sophisticated. Recently, attackers targeting M365 users were able to craft specialized links that took users to their organization’s own email login page. After a user logged in, the link prompted them to install an innocuously named app that gave the attacker persistent, unfettered access to all of the user’s emails and files. That data was then interrogated to launch malware and phishing attacks against others. “Of those who got attacked, about 22% were successfully compromised,” said Ryan Kalember of Proofpoint. Considering all this distressing data on successful hacks and breaches, it is imperative to make this essential business suite as secure as it possibly can be.

To address these potentially devastating vulnerabilities, it is important to get recommendations and advice from trusted sources. Synopsys, one of the world’s leading application security testing providers with a highly regarded security consultancy, notes that although M365 is a business-critical application platform and a repository of confidential company data, it often is not afforded the level of security that it should be given. So it developed a service offering based on a proprietary framework that assesses risks, identifies deficiencies, recommends remediations, and develops metrics to track improvements, and then provides a roadmap for customers to follow to achieve a desired level of protection. There are several crucial elements in the Synopsys Microsoft 365 Security Assessment that should be considered by every organization serious about making M365 as secure as possible. The list of resources utilized and recommended to all organizations trying to secure M365 includes

• The Center for Internet Security Microsoft 365 Foundations benchmark
• The Cybersecurity and Infrastructure Security Agency Secure Cloud Business Applications recommendations
• Microsoft’s own M365 security tools and other best practices

CIS Microsoft 365 Foundations benchmark

The Center for Internet Security (CIS) is a nonprofit entity whose mission is to identify, develop, validate, promote, and sustain best practice solutions for cyberdefense. It draws on the expertise of cybersecurity and IT professionals in government, business, and academia from around the world. CIS Critical Security Controls (CSC) map to many established standards and regulatory frameworks including the NIST Cybersecurity Framework and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others. With more than 100 benchmarks that themselves map to the CSCs, each is a community-driven set of benchmarks that collect input from contributors across different industry sectors and is based on a mutual consensus regarding the issues, leading to broad input across many types of businesses.

First introduced in 2018 and now on version 1.5, the CIS Microsoft 365 Foundations benchmark was developed by the CIS together with Microsoft to provide guidance for establishing a secure baseline configuration for M365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture, but rather as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements, and tailor its environment accordingly. The CIS Microsoft 365 Foundations benchmark not only identifies weak points in an M365 tenant’s security, it also offers effective recommendations to implement specific mitigations against the most high-impact threats to the M365 environment. The benchmark is comprised of 60 recommendations for Exchange Online, SharePoint, OneDrive, Teams, Azure Active Directory, and Intune, but significantly, it is missing integration with some of Microsoft’s newest security tools as well as the useful automation tool, Power BI, illustrating that relying on a single guidance framework or set of benchmarks can leave some areas uncovered.

CISA Secure Cloud Business Applications project

The Cybersecurity and Infrastructure Security Agency (CISA) is the nation’s pre-eminent cyberdefense agency and is tasked with securing our nation’s networks and infrastructure from cyberthreats. CISA recently announced the launch of the Secure Cloud Business Applications (SCuBA) project to provide guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in the cloud through consistent, effective, modern, and manageable security configurations. Although SCuBA was developed specifically to be adopted by federal agencies, as with other standards like the NIST Cybersecurity Framework, virtually all the recommendations are applicable for securing civilian networks and assets, and they can be used as a model for all organizations, regardless of size, industry, or country of origin.

In October 2022, CISA published its Microsoft 365 SCuBA baselines and encouraged federal agencies to pilot and provide feedback, some of which has already been incorporated into the second preproduction version, v0.2, released January 2023. This ongoing feedback will help refine these security configuration baselines, and those utilizing SCuBA are encouraged to reassess the baselines with each new prerelease to take advantage of any new enhancements. In addition to the more than 300 individual recommendations across multiple security domains, CISA also offers a tool to help automate the task of auditing many of M365’s security settings to verify whether a M365 tenant’s configuration conforms to the policies described in the SCuBA standard. Although it is much more detailed and fine-grained than the CIS M365 benchmark, CISA’s SCuBA baselines are still under development, so it is advised to defer to CIS guidance if there is ever a conflict between the two baseline recommendations. However, given that they have already undergone a first round of feedback and refinements, CISA’s M365 SCuBA baselines are recommended as part of an organization’s comprehensive M365 security program.

Microsoft security tools and recommendations

In addition to using CIS and CISA baselines as excellent building blocks of a well-rounded M365 security program, the third cornerstone of the security foundation is Microsoft itself, which offers multiple tools, services, and best practice recommendations. It’s important to not rely solely on Microsoft, however—it is a best practice to look beyond the vendor for frank, honest, and independent advice when evaluating a product or service. A perfect illustration of this is that searching for “Microsoft 365 security vulnerabilities” in Google gives a different result that using Microsoft’s own Bing search engine. They both return relevant results, but there are differences, and those differences might be significant.

The first place to look for security recommendations is Microsoft’s Secure Score, a calculated measurement of an organization’s security posture—the higher the number, the more recommendations have been implemented. Following the Secure Score recommendations can protect organizations from threats by raising unknown vulnerabilities and reducing the attack surface. From a centralized dashboard in the M365 Defender portal, Secure Score helps organizations identify the current state of their security posture; improve their posture by providing discoverability, visibility, and guidance; compare their own score to benchmarks; and establish key performance indicators (KPIs). Many of Secure Score’s recommendations align with one or both of the aforementioned baselines. One nice feature is that it informs the user of how much impact an action will have on the score, making it easier to prioritize remediation efforts.

Next, Identity Score inside Azure Active Directory provides organizations with increased visibility and control over their security posture by identifying opportunities to improve identity and access management (IAM) in Azure AD. These opportunities are surfaced as recommendations, which are coupled with the guidance and workflows necessary to help security administrators implement each recommendation. The score helps organizations objectively measure their identity security posture, plan identity security improvements, and review the success of improvements. As with Secure Score, the impact that recommendations will have on the overall score assist in prioritization.

Finally, while this tool has been retired and much of what was in it is included in the tools already mentioned, it is worthwhile to review the recommendations in the Office 365 Security Assessment (this was released before the M365 name change). The O365 Security Assessment was a structured engagement developed by Microsoft to be conducted by security partners and that used an automated O365 Secure Score tool to evaluate and prioritize the security settings of an organization. The O365 Security Assessment offering was designed to help these partners create and present a customized, prioritized, and actionable roadmap for their customers based on the recommendations from the tool. Viewing those recommendations outside of the tool itself is illuminating even now. Also, in addition to these resources, it should be noted that Microsoft offers an incredibly wide-ranging amount of training, white papers, and other documentation to support the goal of enhancing an organization’s M365 security posture.

Future-proofing M365 security practices

While the resources outlined here are foundational for a strong M365 security program, they are not the only ones an organization should rely upon. Quite often, companies implement novel scenarios not necessarily covered in these guidelines, or a new threat emerges before there has been time to incorporate recommendations into these and other guidance documents, so relying solely on these authoritative sources is not enough. That’s where Synopsys comes in. Synopsys Software Integrity Group, a global leader in application security testing and security consulting, has taken the guesswork out of M365 security by preparing a service offering that incorporates the strongest elements of the CIS M365 Foundations benchmark, CISA’s SCuBA recommendations, and Microsoft’s own M365 security advice, and adds our own knowledge and best practices gained from years of working with clients from all sectors. This M365 Security Assessment was designed to help customers achieve the highest level of security assurance by working with Synopsys subject matter experts to identify strengths and weaknesses in an organization’s M65 security posture, and creating a roadmap to achieving optimal security.

Security leaders in an organization must stay current with the ever-changing threat and business landscape. Staying current also means that each new release of a guideline must be evaluated, and recommended changes implemented on regular basis. Additionally, making changes that new research indicates are necessary is prudent, even if the action is contrary to an existing recommendation. Examples of the need to re-evaluate the existing security posture include

• When significant changes are made to an environment, such as the implementation of a zero-trust architecture model that moves defenses from network-based perimeters to focus on users, assets, and resources
• Keeping track of the security community’s assessment of the impact of the integration of AI and Chat GPT into Word, Outlook, and other apps, and acting if research indicates there is a need to do so
• The release of new pubic-facing M365 or Azure products and services

Whether performing security updates in-house or utilizing a service like the Synopsys M365 Security Assessment, creating a foundation of security with trusted baselines and recommendations, combined with the ability to make documented, informed, and urgent updates in response to changing conditions, will lead to the most secure and dynamic posture for an organization’s Microsoft 365 environment.

Learn more about cloud security solutions