4 Reasons Why Microsoft Is Losing the War to Secure Office365 And How You Can Protect Yourself
Before I start, let me say that I have a ton of respect for Microsoft and for the security precautions they have built into the Office365 (O365) environment. I won’t critique their decisions or their tools. I would like to discuss the systemic reasons why they can’t win this war and why others can.
To start with the problem: let’s see what Microsoft has said about why they can’t totally secure Office365 from hackers, malware and ransomware. https://blogs.technet.microsoft.com/exovoice/2016/09/16/why-exchange-online-protection-didnt-blocked-this-virus-and-what-can-i-do/
In my mind, Microsoft is working hard to secure O365. They have thrown a ton of resources at the issue. So why can’t they win this war? It all boils down to four overriding factors.
1 – Microsoft is a victim of their own success.
According to Microsoft’s own reports, they are about to surpass 100 million users on the O365 environment. That is almost 100% growth from a year ago. When there are that many users on any system, there are bound to be issues. From Microsoft’s viewpoint, they can’t make security so tight that it restricts users unnecessarily. After all, how many of those 100,000,000 users will put up with two-factor verification on every log-on attempt, or 7-day password renewals, before they jump ship to a more convenient solution? And what is Microsoft’s acceptable level of infected accounts? Even if it is a tiny 0.001% of the total 100 million users, it is still a staggering 100,000 users.
However, the largest issue comes with being the big player in the market. For a monthly recurring fee, every hacker has a copy of the most up-to-date software. Gone are the days of servers hosting individualized local email systems. Hackers now have a system on which to test, refine and circumvent the basic security that is part of the Office suite. For example, Microsoft is proud of Advanced Threat Protection and of the fact that it monitors all inbound email. But it does not monitor outgoing or internal email. Every threat actor knows that and uses that fact to spread their malware through a network almost unchecked.
2 – It is an ugly world sometimes, you have to get dirty.
OK, OK… No one has ever accused Microsoft of having too much heart.
But the ugly truth is that the cyberwar has been heating up for the past decade. Winning a war takes getting your hands dirty. That is just something Microsoft has not been able to do. Infiltrating a hacker group takes time to build up your ‘street cred’ in those circles. It appears that is not something a white-hat, publicly traded company like Microsoft is willing to do. It isn’t in their DNA.
3 – Everyone is playing in the same sandbox
Similar to my first point, there is an upgraded sandboxing feature for Office. This is the same sandbox the hackers have access to.
A new zero-day threat is released into the wild that has already been tested against your sandbox, and your anti-virus isn’t enough. You will find that threat in your Office 365 inbox. Waiting…
Some of the most recent malware and phishing attempts are quite sophisticated even if they are not part of the weaponized NSA hacker tools that were released earlier in the year.
4 – Microsoft has to deliver 100% of the legitimate email all of the time
Amid all of the attacks across the internet, Microsoft has to be perfect in their defense, while hacker groups have the ability to try and try again until they uncover an exploit. The hacker community is focused in their attempts. They are bolstered by the triple whammy of state-sponsored hacking, the rise in SaaS and IaaS popularity, and the new monetization of information theft through the Dark Web, Bitcoin and other cryptocurrencies.
Every day these groups, like Fancy Bear, which is linked to Russia, and Lazarus, which is linked to North Korea, are probing and testing the boundaries of the defenses. The popularity of cloud-based SaaS like O365, Slack, Box, Salesforce, Dropbox and Google Gmail / GSuite, and their integration with one another, is another opening for hackers. Seemingly ‘worthless data’ now has value in the right hands (used for spear phishing), and there is a way of monetizing it through the dark web and cryptocurrencies like Bitcoin and at least two dozen others.
Conclusion:
The bad news:
Keeping one step ahead of the threat actors and their arsenal of botnets, DDoS attacks, malware, ransomware, spoofing and phishing tools is a constant game of cat and mouse. It appears that the best Microsoft can hope for with Office 365, and Google with GSuite / Gmail, is an uneasy truce in their war against the hacking community, but there is no sign of one on the horizon.
The good news:
There are solutions available that are customized to protect the O365 environment. These solutions deploy the best countermeasures available today, protecting data just as if it were stored on-premises. How do you protect SaaS data from spreading malware when SaaS is purposefully built to spread data automatically? Oh yes, and when you don’t own the system or the infrastructure?
If you would like to see a webinar on the topic, click here. If you have any questions or need assistance with this or any other threat vectors, please reach out to your Teneo engineering team.