In recent times, attacks on Microsoft 365 accounts with enabled MFA have become more frequent and successful. Unfortunately, users often remain unaware that their accounts have been compromised.

Watch our short video on how the attack works, and what we’re doing to stop it.

Traditional Phishing Methods

Historically, attackers would create fake login screens to deceive users into entering their credentials. If MFA was enabled, this often thwarted the attack, as the second authentication step (like a mobile app or SMS code) acted as a barrier.

Microsoft reported that 99.9% of these identity-based attacks were thwarted by MFA, and started requiring it as part of their Security Defaults rollout, leading to widespread adoption among Microsoft 365 tenants.

Rise of New Attack Methods


Recently, open source tools like Evilginx have emerged, enabling attackers to steal authenticated session cookies. Attackers craft convincing phishing emails with fake login URLs that closely mimic legitimate sites. Unsuspecting users, seeing what appears to be a familiar login screen, enter their credentials and complete MFA, unknowingly handing over their session cookies to attackers.

With stolen session cookies, attackers gain full access to victims’ Microsoft 365 accounts, including emails, files, and sensitive company data. This access allows them to impersonate users effortlessly.

Current Countermeasures

Clarion – First Line of Defense


To combat evolving threats, our team employs Clarion, an open-source tool designed to detect phishing attempts. It warns users when they land on a suspicious login page, preventing them from entering their credentials.

24×7 Security Operations Center (SOC) Monitoring

Recognizing that 90% of attacks occur outside regular business hours, our SOC ensures immediate response and mitigation, even over weekends.

Enhanced Phishing Protection

Utilising advanced AI mail filtering tools, we intercept and prevent malicious emails from reaching users’ inboxes, minimizing the risk of phishing attacks.

Country-Based Restrictions

Previously, we were blocking a list of high-risk countries and enforcing MFA on all other login attempts. Moving from a high-risk country block list to an allow list model ensures that access attempts from unauthorized countries are automatically blocked, reducing exposure to external threats.
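As an added example (not code from the original article or from GCIT's tooling), the Python below applies the allow-list model from this section to sign-in records and also flags the session-cookie replay described above: a session first seen from an allowed country and then reused from a different country within a short window. The sample records, the sessionId field used to correlate sign-ins, and the allow list of AU and NZ are all constructed assumptions for the example.

```python
"""Evaluate Microsoft 365 sign-in records against a country allow list and
flag sessions reused from a second country, which is what replay of a
session cookie stolen through an Evilginx-style proxy looks like."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"AU", "NZ"}        # assumed allow list for the example
REPLAY_WINDOW = timedelta(hours=12)      # assumed window for "same session, new country"

# Constructed sample records, modelled loosely on the Microsoft Graph signIn
# resource; "sessionId" is an assumed field used here to correlate sign-ins.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-01T08:02:00Z", "sessionId": "s-1",
     "location": {"countryOrRegion": "AU"}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-05-01T08:17:00Z", "sessionId": "s-1",
     "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "createdDateTime": "2024-05-01T09:00:00Z", "sessionId": "s-2",
     "location": {"countryOrRegion": "AU"}},
])


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(signins_json):
    """Return (finding, user, detail) tuples for records that break the allow
    list or reuse a session from a country other than where it started."""
    findings = []
    sessions = defaultdict(list)
    for rec in json.loads(signins_json):
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in ALLOWED_COUNTRIES:
            findings.append(("country_not_allowed", rec["userPrincipalName"], country))
        sessions[rec["sessionId"]].append(rec)
    for sid, recs in sessions.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        first = recs[0]
        for later in recs[1:]:
            moved = later["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]
            elapsed = parse_time(later["createdDateTime"]) - parse_time(first["createdDateTime"])
            if moved and elapsed <= REPLAY_WINDOW:
                findings.append(("session_reused_from_new_country", first["userPrincipalName"], sid))
                break
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SIGNINS):
        print(finding)
```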

Stricter VPN Authentication

Implementing upgraded security measures for VPN access ensures that only authenticated and authorized users can connect, mitigating the risk of attackers using VPNs to bypass country restrictions.

Security Awareness Training

Regular online training sessions educate staff on identifying and avoiding phishing attempts, empowering them to be the first line of defense against cyber threats.

Ongoing Phishing Simulations

Regular phishing simulations test users’ ability to recognize and avoid phishing emails, reinforcing security awareness throughout the organization.

Advanced Security Options

For organisations requiring higher security standards, we offer passkey implementation, hardware key authentication and a zero-trust security model. Contact us to discuss tailored security solutions.

Conclusion

Protecting your Microsoft 365 environment against sophisticated attacks requires proactive measures and continuous adaptation to emerging threats. By implementing robust security strategies and educating your team, you can significantly reduce the risk of account breaches and data loss.

For more information on securing your Microsoft 365 environment, please contact us at 1300 369 111 or info@gcit.com.au.

8 ways to improve the security of your personal data - GCITS Gold Coast

In 2022 we are online more than ever before, and many services that were previously done in person, such as banking, booking appointments and paying bills, are now completed through websites or mobile applications. As a result, the risk of cyber-attack has never been higher.
In the circumstances surrounding the Medibank and Optus hacks, there is not a lot that current and previous Optus customers could have done to prevent the exposure of their personal data. However, some steps can be taken to minimise the risk of exposing confidential data.

1. Use Antivirus Software

An often-overlooked step, antivirus is an essential piece of software that can reduce malware attacks on your system. Once installed, you can let it run in the background, and it will automatically scan for and remove malware. Most antivirus products also offer several other features, including scanning removable devices such as USB drives, blocking spam websites and advertisements, and detecting spyware.

While paid third-party antivirus software such as Bitdefender and McAfee can achieve the best results, by activating and using the built-in Microsoft Security features you can still get a fundamental level of protection. For businesses, Microsoft 365 Defender is also a great choice to detect, manage and remove cyber security threats from your devices.

2. Protect your devices with strong passwords

It is good practice to password-protect your digital devices, including computers, tablets, and mobile devices, through strong, unique passwords. These devices can hold some of your most personal information as they now have access to everything from email accounts, social media accounts, banking apps, and an assortment of other information. If these devices fall into the wrong hands, a strong password will make it harder to access your device.

When creating your passwords, use a mix of symbols, numbers, and letters. Don’t use easy-to-guess passwords such as ‘123456’ or ‘password’ or include information such as your birthdate or home address. This may sound like common knowledge, but research suggests that there is still a worrying number of people using these easy-to-guess passwords. Make sure to use different passwords for different accounts. If you use the same password across multiple accounts and a hacker gains access to one account, it may compromise many others.

3. Set up Two-Factor Authentication on your Accounts

In addition to using strong passwords, two-factor authentication further improves your security. In a worst-case scenario, where your login details are compromised, a potential hacker will be blocked from accessing your data as they will still need to use an additional authentication method.

Many financial applications, online accounts and government logins now have two-factor authentication as standard or have the option to activate it. You can either get your authentication code via an app such as Google Authenticator, which creates time-based codes that renew every few seconds, gain a code via an email or get an SMS code directly to your mobile.

4. Learn to identify and avoid phishing scams

According to the ACCC (Australian Competition & Consumer Commission), phishing scams are ‘attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers’.

These scams often pose as legitimate businesses such as internet service providers, banks, or energy companies and try to gain your personal data by asking you to confirm your details or log in to your account, or by alerting you to ‘unauthorised or suspicious activity on your account’.

As a rule, it is a good idea to never open emails from people you don’t know, and don’t download email attachments without knowing what they are. Never give out personal information when contacted by a business, bank or other entity and make sure your email spam filters detect phishing attempts.

Phishing scams may also appear as fraudulent websites, disguised to look the same as a legitimate website such as a bank, government agency or online shop. These are designed to gain your information, such as credit card information, login details, and personal addresses. Before you enter any personal data onto a website, be sure to check that it is legitimate. Signs of a legitimate website are an SSL certificate, a padlock icon, a green bar, or HTTPS at the beginning of the URL. Never enter personal information into a website accessed via a suspicious link from an email, SMS or social media message.

5. Set up alerts through your bank

Fraud alerts can be set up through your online bank account so that you receive an email, text message or phone call if your bank suspects suspicious activity on your account.
Some banks, such as Commonwealth Bank, also allow you to temporarily lock a credit card if it has been lost, to stop unauthorised use of your account. These measures not only protect you against fraud but can save you money as well.

6. Follow the news to learn about data breaches.

As we have found in recent months, hackers don’t just target individuals. One of the ways your data can be compromised is when it is handled by a third party that becomes the target of a cyber-attack. As in the situation with Optus and Medibank, hackers will also try, and often succeed, in infiltrating businesses, government agencies, higher education institutions, health care facilities and any other organisations that gather personal or sensitive information.

When an organisation is subject to a data breach, it is legally required under the Privacy Act 1988 to notify affected individuals and the OAIC (Office of the Australian Information Commissioner). However, these situations can change rapidly, as seen with Medibank; initially, it was not known that personal medical history had been compromised, but as the story developed, it was revealed that all customer personal data had been compromised. This is an example of why it is essential to keep informed about data breaches that may affect you, so you can be prepared to update or change any personal information or passwords as soon as possible.

To see the latest alerts, you can follow the ACSC (Australian Cyber Security Centre) on Facebook and Twitter, check out their alerts page on the website and sign up for email alerts.

7. Keep your devices and software updated.

Hackers will often try to exploit flaws in software and operating systems. They are looking for vulnerabilities they can use to insert malicious code. Microsoft and Apple regularly update operating systems with security patches, closing these vulnerabilities as they are found. Keeping your operating system and software up to date reduces the ways a hacker can access your device. As a best practice, updates should be applied within two weeks of release, or within 48 hours if a security exploit exists.

8. Use the GDPR (General Data Protection Regulation) to your advantage.

Many companies operating outside of Australian borders or with customers within the European Union must follow the GDPR. As a result, you may be able to get international companies such as Apple and Microsoft to delete your personal data based on this compliance. Be prepared for rejection, however, as European Union laws do not apply to Australian citizens, and companies can deny your request on this basis.

Not all security breaches can be prevented but taking steps to avoid violations and cyber-attacks can reduce the chances of them occurring and better protect your personal data in the long run, potentially saving you from the stressful or costly consequences of a cyber-attack.


At GCIT, we are specialists in providing cyber security services to numerous businesses across Queensland and New South Wales. Our award-winning cybersecurity experts can take the stress out of IT security and make sure your data is secure.

Contact GCIT to find out how we can help your business protect against cyberattacks.

Improvements to Azure AD Identity Protection have launched, making it easier to identify and manage identity risks in your organization.

What is Azure Active Directory Identity Protection?

Azure AD Identity Protection uses machine learning to identify signs of suspicious activity or issues that might cause you to have a compromised identity in your organization. We can use Azure Identity Protection to configure policies that impose conditions on sign-ins or users that are deemed risky by Microsoft 365. We can also use it to manage, investigate and remediate risk alerts when a suspicious sign-in or user is detected.

Azure Identity Protection can generate alerts based on the following risk events:

  • Atypical travel
  • Anonymous IP
  • Unfamiliar sign-in properties
  • Malware-linked IP addresses
  • Leaked credentials
  • Azure AD Threat intelligence (activities that match known attack patterns)

The leaked credential alert is especially useful because it will let you know whether some of your users have credentials that are exposed on the dark web or in another breach. We use this in conjunction with the Have I Been Pwned API to alert our customers to compromised credentials.

Where can I find Azure Active Directory Identity Protection?

  1. Sign in to portal.azure.com
  2. Open Azure Active Directory
  3. Scroll down to Security on the left rail
  4. Open Identity Protection.

What’s new in Azure Active Directory Identity Protection?

Azure Identity Protection has been updated with new controls for managing, investigating and remediating issues with our identities.

We can use these improved controls to manage risk events in bulk, easily confirming a compromised user or dismissing alerts. These new controls are handy for larger organisations that generate many alerts each day.

For each alert, we can drill down and see more information on the user’s recent activities. We can see other user sign-ins and risk detections, as well as reset passwords, confirm compromise, block access and investigate further in Azure ATP. Choosing to investigate further opens up Cloud App Security, providing more insight into the user’s recent activities that contributed to the alert.

What license do I need for Azure Identity Protection?

Azure Identity Protection is included in the Azure AD Premium P2 license. Azure AD Premium P2 is available under the following licenses:

  • Azure Active Directory Premium P2 standalone SKU
  • Microsoft 365 E5
  • Office 365 E5
  • Enterprise Mobility Suite E5

You get some limited reporting on risky users, risky sign-ins and risk detections in Azure AD Premium P1, which is included in Microsoft 365 Business Premium.

Since Microsoft licensing can change, see here for up-to-date licensing requirements.