SolarWinds fallout turns security eye to Microsoft Office 365

While SolarWinds has garnered much of the attention following disclosure of a sophisticated nation-state attack, companies are asking about the role of Microsoft Office 365 in the compromise. Larger questions persist about the overall security of one of the world's largest email and productivity applications.

Microsoft, by all accounts, has emerged as one of the key partners in the SolarWinds investigation, sharing critical updates and mitigation strategies to supply chain vendors and government agencies over the past two months.

At the same time however, Office 365 has been at or near the center of incidents ranging from points of compromise to the compromise of emails of government officials.

"I think what this Sunburst threat has really underlined for us or clarified for us once again is how significant a target the Office 365 environment is for adversaries and that while Microsoft is very determined to provide a robust and secure environment, there is some level of an intractable problem in terms of securing that environment continuously and successfully in isolation," Mimecast CEO Peter Bauer said in response to a question during the company's fiscal third-quarter conference call.

In January, Mimecast, a provider of email security, said the SolarWinds hackers breached the company by compromising a certificate that authenticated Mimecast Sync and Recover, Continuity Monitor and IEP Products to Microsoft 365 Exchange Services.

Malwarebytes also disclosed in mid-January that it was targeted by the same nation-state hackers that attacked SolarWinds, according to a blogpost by CEO Marcin Kleczynski.

The attackers breached Malwarebytes — which did not use SolarWinds Orion — by abusing applications with privileged access to Microsoft Office 365 and Azure environments, according to the post.

Microsoft in December contacted Malwarebytes about suspicious activity from a third-party application in the company's Microsoft Office 365 tenant that was consistent with techniques found in the SolarWinds attack, according to the post.

" ... we have confirmed several additional compromise techniques leveraged by the [SolarWinds] actor, including password spraying, spearphishing, use of webshell, through a web server and delegated credentials."

Microsoft

The question for many is whether Microsoft is falling short in terms of securing its products or whether Microsoft's broad share of the corporate email and operating system market makes it a ripe target for malevolent threat actors.

"Office 365's popularity and widespread adoption makes it a target for attackers," Joseph Blankenship, VP, research director, security & risk at Forrester Research. "Mostly these are attacks against individual users and organizations, attempting to steal authentication credentials and access systems."

Microsoft controls a large share of the enterprise email and authoring market, holding nearly 88% of the $18.2 billion market in 2019, according to Gartner.

Microsoft has been guarded about any open-ended discussion about SolarWinds, often citing the ongoing investigation into the attacks. However, the company has put out a number of security updates and blog posts, and last week released a Q&A that addressed some of the larger concerns about its role in the attacks.

The Microsoft Security Team said data hosted in Microsoft services, including emails, was a target of the Solorigate attacks but says the hackers got privileged access in some other way.

Microsoft denied it had been used as an initial entry point for the SolarWinds attackers.

"From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets," Microsoft security officials said in the post. "In our investigations and through collaboration with industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server and delegated credentials."

Third-party security

Some enterprise customers have added additional layers of security amid lingering concerns about built-in protection from Microsoft.

During a fourth quarter conference call with Wall Street analysts last week, Proofpoint CEO Gary Steele said the company won agreements with a number of major companies that were using Office 365 bundles but decided to "upgrade" their security capabilities to Proofpoint products.

The group included a Fortune 100 retailer that purchased a P1 bundle for 300,000 users, a Fortune 500 transportation company that bought protection and TAP for 85,000 users, as well as consumer foods and health company that bought other security protection from Proofpoint.

"I would say we have a pretty constant pace of customers moving off of Office 365 [security tools] once they have tried those security controls," Steele said in response to an analyst question during the call.

He said Proofpoint has been able to deliver a level of efficacy and visibility to customers to get them to upgrade to their product, and that trend has been ongoing for the past six months.

"While Microsoft has come a long way towards increasing security for their software and services, they are primarily a software company and not a dedicated security company," Jonathan Tanner, senior security researcher at Barracuda. "The security that they have added is for the benefit of their customers, but no security solution can be expected to block every attack, and especially not solutions which are included as part of the software being defended."

Microsoft would likely argue that customers are not properly configuring their environments, but Peter Firstbrook, research VP at Gartner, says the company's solutions have often led customers to seek additional help.

"I also think that Microsoft has been behind the best of breed solutions here in addressing the changing threat environment," he said in an interview.

Microsoft officials say they take the security needs of their customers very seriously and said that is why they provide an added layer of protection.

"The threat landscape is massively expanding in scope and sophistication," a Microsoft spokesperson said in an emailed statement. "Attackers don't think in silos; they are not targeting only endpoints or only mailboxes, they are looking at organizations as a whole to find their weak spots. These are often in the seams that exist between the protections of identities, mailboxes, cloud applications and endpoints."

A security problem or an education problem

Office 365 is a widely used and robust application for enterprise customers, and since the start of the pandemic its use has exploded exponentially as companies were forced to quickly reorganize their workers into remote work environments.

"We have a lot of data points over the last seven years that indicates that the core protections from Microsoft and even Google are good but where they fall down is the customized protection that your organization needs to protect against targeted business email compromise," Kevin O'Brien, co-founder and CEO of email security firm GreatHorn. "That is impersonation of executives, rapid search and remediation tools that allow an organization to say hey, we're being attacked and we [have to] go deal with it in real time."

Security has become an increasingly important part of what Microsoft offers to business customers. The company generated more than $10 billion in revenue from security last year, representing a 40% year-over-year increase, Vasu Jakkal, corporate VP, security, compliance and identity at Microsoft said in a blogpost.

More than 400,000 customers use Microsoft for their security. In addition, Defender for Office 365 blocked more than 30 billion email threats during 2020, according to the company.

Microsoft has a feature in development that would alert customers of suspected nation-state activity in Office 365. The company plans to release the feature this month, according to a security update.

Prior security warnings suggest that Microsoft's problem may be in educating its customers in how to properly configure security environments, thus allowing potential attackers to slip through the cracks. A 2020 warning from CISA suggested that customers were potentially failing to properly manage access privileges, multi-factor authentication and take preventative measures.

"It's a common refrain to single out Microsoft, but we have found that all traditional security solutions and email providers have limitations when it comes to protecting against email related supply chain attacks," Roman Tobe, strategist at Abnormal Security said. "Most notably, attacks from compromised third-party vendors attempting to initiate fraudulent financial transactions."

Large enterprises are finding that traditional solutions, which are able to stop known attacks using threat intelligence, are failing to protect their organizations from more cleverly disguised attacks, Tobe said.

Microsoft says that using best practices, including least privileged access, separating accounts for administrative and employee tasks and deploying strong authentication and advanced protection layers will help protect customers from these advanced threats.

"Protecting our customers is of the utmost importance and we believe the best way to do that is through a model of Zero Trust and assume breach mentality," the Microsoft spokesperson said. "Layered and coordinated defenses make the spread of an attack much more difficult by improving defenders ability to protect, detect and respond across domains to better prevent the spread of an attack."