Both in dealing with Superfast IT clients and in consulting with other IT companies, we’ve noticed an increase in users being tricked by attackers into disclosing their Office 365 passwords.
The unsuspecting user receives an email which seems to be genuine, with a link to access an attachment. Upon clicking the link, the user is prompted to enter their Office 365 email address and password into a website which looks just like the real Office 365 portal. Providing these login credentials then gives the attacker access to the user’s mailbox and other Office 365 services.
We’ve seen that these attacks automatically send further similar malicious emails to everyone in the user’s contacts, which leads to further compromised accounts both inside and outside the organisation.
As well as the embarrassment and reputational damage caused by this type of attack (imagine your email system is used to attack customers and suppliers), there is a risk of this being a data breach requiring notification to the Information Commissioner’s Office under the General Data Protection Regulation. It can lead to a whole heap of hassle you can do without.
How to enable multi-factor authentication on your Office 365 mailbox
Our advice to protect against this type of attack is to use multi-factor authentication to provide additional access control for Office 365 accounts. With multi-factor authentication, both the account password and a continually changing code (from an app on the user’s phone) are needed to access the Office 365 account from new systems. Because the attacker won’t have access to the app, the attacker cannot compromise the account even if he tricks the user into disclosing their password.
The team at Superfast IT all use multi-factor authentication to secure login accounts, not just for Office 365 but for any system which supports it. We advise all clients to do the same, and we’re already in the process of implementing these controls for many of them.
Enabling multi-factor authentication for Office 365 requires the addition of the Microsoft Azure Multi-Factor Authentication option, which is around £1.05 per user per month at the time of writing.
To find out more about having multi-factor authentication set up for your Office 365 tenant, get in touch.