Over the past decade, we’ve seen over 90% of our clients move from hosting on-premises email servers running Microsoft Exchange or Microsoft Small Business Server to hosting in the cloud, almost exclusively on the Microsoft 365 platform. In the hosted 365 email platform, administrators have the option to enable an additional layer of security: multi-factor authentication (MFA). This feature allows administrators to require two or more verification methods to authorize user login attempts and other transactions.
Since 365 account credentials are directly tied to so many resources, email and otherwise, they become a highly valuable target for attackers. As a result, if an attacker is able to obtain someone’s 365 credentials, they have gained at minimum the ability to read received emails and send outgoing messages as the compromised user, and at maximum, potentially have access to everything that compromised user can see or do on all corporate computing resources. If the compromised user has access to sensitive data, intellectual property, or Personally Identifiable Information, the bad guy does as well. Phishing attacks designed to steal credentials, known as credential harvesting, are on the rise. Relying on fake login sites, such as a counterfeit 365 login page, attackers are able to trick users into handing over usernames and passwords.
When MFA is employed, however, having just the username and password is not enough. Without that additional form of verification, the attacker cannot access the account. To quote a blog article from the Director of Identity Security at Microsoft, “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA”.
One of the major objections we’ve heard about MFA implementation is that it requires the use of an employee’s personal phone to receive the MFA prompt when using the Microsoft Authenticator app. However, one approach many clients have taken is to update their Acceptable Use Policy to state that if employees wish to access the company’s WiFi or services, they also have to install Microsoft Authenticator for company services. For those employees who don’t want to use the Microsoft Authenticator application on their personal devices, there are options available for using hardware-based tokens.
Clients with 365 accounts who do not currently leverage MFA are strongly encouraged to enable this added security feature. By leveraging MFA, we can put a plan into action and our clients can Keep Calm and Compute On.
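Before enabling MFA tenant-wide, administrators usually want to know which users have not yet registered a second factor. The following audit script is an added example and is not part of the original post; it uses the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) and assumes the signed-in administrator can consent to the two read-only scopes listed. The output file name `mfa-registration-report.csv` is an arbitrary choice.

```powershell
# Added example (not from the original post): list enabled Microsoft 365 users
# who have registered no authentication method beyond their password.
# Assumes: Install-Module Microsoft.Graph has been run, and the admin account
# can consent to the read-only scopes below.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Every user has a password method. The email method is only usable for
# self-service password reset, so neither counts as a second factor here.
$nonMfaTypes = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled |
                   Where-Object AccountEnabled) {

    # Each method object carries its concrete type in the @odata.type property,
    # e.g. microsoftAuthenticatorAuthenticationMethod, fido2AuthenticationMethod,
    # phoneAuthenticationMethod (SMS/voice), softwareOathAuthenticationMethod.
    $mfaTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Where-Object { $nonMfaTypes -notcontains $_ } |
        ForEach-Object { ($_ -replace '^#microsoft\.graph\.', '') -replace 'AuthenticationMethod$', '' } |
        Sort-Object -Unique

    [pscustomobject]@{
        User          = $user.UserPrincipalName
        MfaRegistered = [bool]$mfaTypes
        Methods       = $mfaTypes -join ', '
    }
}

# Users with no second factor are the accounts a credential-harvesting phish
# would fully compromise; these are the ones to enrol first.
$report | Where-Object { -not $_.MfaRegistered } | Sort-Object User | Format-Table -AutoSize

# Keep the full picture on disk to track rollout progress over time.
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Run the script periodically during rollout and compare the CSV exports; a shrinking list of unregistered users is the measurable sign that the Acceptable Use Policy change is taking effect. Note that registration is not the same as enforcement: a user who has registered Microsoft Authenticator is still only protected if a Conditional Access policy or Security Defaults actually requires MFA at sign-in.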