How to Protect Your Microsoft 365 Business Environment

A compromised email can cause severe damage for small businesses—from stolen data to lost revenue. Learn how 24/7 ITDR for Microsoft 365, DMARC, and security training can safeguard your business from cyberattacks. Stay protected.

Most business is now done in the cloud - so why shouldn't that be your top security priority?

For small businesses, a compromised email can lead to big problems, from losing sensitive information to damaging your reputation. Did you know that 61% of small businesses were the target of a cyberattack in 2021? That's a pretty alarming number!

That's where ITDR (Identity Threat Detection and Response) comes in, especially when it comes to protecting your Microsoft 365 environment. ITDR isn't a term that most businesses are familiar with, and that's ok. What's important is what it does: it watches your cloud accounts for signs that someone other than your employee is using them, and it gets that intruder out before your most valuable data is stolen. Think of it like a 24/7 security system that calls the police (Managed Nerds) the moment a thief breaks in, and then we come and kick them out before they can do additional harm.

Let's talk a bit more about what exactly can happen to your Microsoft 365 business account if a black-hat hacker gets their hands on it.

Business Email Compromise (BEC)

Black-hat hackers love to compromise your business email.

Business Email Compromise, or BEC for short, is a type of cyberattack in which attackers gain access to a business email account and use it to trick employees, customers, or partners into sending money or sensitive information. It's a sneaky and effective way for cybercriminals to cause a lot of damage.

BEC attacks often involve impersonating a trusted person within the company, like a CEO or a financial officer, to request urgent payments or confidential data. These attacks can be hard to spot because they look like legitimate emails from someone you know. Think of it as a very targeted form of phishing, with a twist: instead of a fake account, the attacker is using your real business account, so the message comes from the genuine mailbox, passes the recipient's sender checks, and can even be slipped into an existing conversation thread.

BEC is on the rise, and small businesses are particularly vulnerable because most don't have any protection in place. According to the FBI, BEC scams cost businesses over $1.8 billion in 2020 alone. The financial and reputational damage from these attacks can be devastating, especially for businesses that don't have cyber insurance coverage.

Case Studies on Business Email Compromise

Since BEC is becoming more common every day, it's likely you've either experienced it first-hand, or know someone who has. But here are some examples of what scammers did once they gained access.

Plymouth, Connecticut - $208,000 Stolen from the City

In this case, the criminals gained access to the email account of a legitimate vendor that provided services to the city. The vendor failed to detect the hack. From the compromised mailbox, the attackers sent the city multiple invoices on which they had replaced the vendor's payment information with their own account. The city did not verify the change in account details through any other channel, such as a phone call to the vendor at a number already on file, and paid the invoices in full.

What is still unknown is the liability of the vendor themselves, who failed to secure their systems. The city did manage to recover some of the money, but not all of it was recoverable. Who is on the hook for the rest of that money? It is still unclear whether the city will pursue a case against the vendor, but at least they did have a cyber insurance policy in place.

Orinda, California - $398,359.50 Stolen from a Silicon Valley Exec

Rana Robillard was ecstatic when she managed to secure a house, after duking it out with three other bidders. When her mortgage broker sent her directions to wire the payment, she didn't hesitate and sent the money as soon as possible. The email looked legitimate, and it came from her broker. Imagine her surprise when she got another request for payment, a day later.

As it turns out, the email was a fake. Robillard wired the money to the fraudsters, who immediately moved it through multiple accounts to make it harder to recover. It took five months to get the money back, and by then she had lost out on buying the home.

The mortgage company denied being hacked, but odds are that after hearing that story not a lot of folks are going to want to use them again. A denial also isn't the same as being in the clear: if they didn't have DMARC (with SPF and DKIM behind it) set to an enforcing policy, the attackers could have put the company's exact domain in the From address without ever touching its environment, and receiving mail servers would have had no instruction to reject it. Keep in mind that DMARC only covers your own domain; a message from a look-alike domain still relies on a person noticing the difference.

Elkin, NC - $793,000 Stolen from a Church

Elkin Valley Baptist Church was finally ready to begin building their brand-new sanctuary. They received an email from their builder with instructions on how to transfer the funds. Soon after, a nearly identical email arrived. When the church compared the two emails, it followed the wrong one and wired the payment to the scammers' account.

A week later, the builder reached out to the church because they hadn't paid the invoice yet. The money the church had spent 7 years raising had been transferred to scammers. The church ended up starting a GoFundMe to be able to afford the construction. The case is still under investigation by the FBI, so it's not known yet whether it was the church or the builder who had the email compromise.

Securing Microsoft 365

Email security means your business can stay in business.

The approach we normally recommend to businesses looking to avoid these worst-case scenarios consists of multiple layers. There isn't a one-stop solution for this problem, but you can shift the odds in your favor by implementing these security measures:

Cybersecurity Awareness Training with Simulated Phishing Attacks

We recommend monthly training modules on the latest phishing techniques scammers use to get your employees to click a link, wire money they shouldn't, or call a fake tech support number after a browser popup. That training should be reinforced by sending realistic simulated phishing emails, so you and your employees can put what you've learned into practice.

While there are a lot of solutions out there, we personally prefer Huntress Security Awareness Training, and that's what we offer to the small businesses we work with. This kind of training does not break the bank - we're talking about less than a cup of coffee here a month per employee - so it's a no-brainer for businesses of any size.

DMARC to Prevent Email Spoofing

We've written several articles about this in the past and even recorded a short video about DMARC. This is something that anyone with even a small amount of knowledge can set up: it's a DNS TXT record at _dmarc.yourdomain that builds on SPF and DKIM, so those two need to be in place and passing for your legitimate mail first. Start at p=none with a reporting address so you can see who is sending as your domain, then move to p=quarantine and finally p=reject once your own mail is aligned. Here are the instructions for Microsoft 365 as well as the instructions for Google Workspace.

We work with EasyDMARC to make it easier to configure, manage, and monitor our own and our clients' DMARC settings. There are a number of other solutions on the market too. If you're not sure whether your business email has DMARC set up, try our free Email Domain Scanner.
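To make the policy decision concrete, here is an added example (written for this article, not Managed Nerds' or EasyDMARC's code) that applies a domain's DMARC record the way a receiving mail server would, using constructed domains, records and messages modelled on the Orinda case above. The organizational-domain logic is simplified to the last two labels, which is an assumption; real receivers use the Public Suffix List.

```python
"""Evaluate a sender's DMARC policy the way a receiving mail server does.

Added example for this article, not Managed Nerds or EasyDMARC code. The
domains, DNS records and messages below are constructed for illustration,
and the organizational domain is simplified to the last two labels instead
of the Public Suffix List that real receivers use.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AuthResult:
    """What the receiver learned from SPF and DKIM for one message."""
    header_from: str         # domain in the From: header the recipient sees
    spf_domain: str | None   # envelope (MAIL FROM) domain if SPF passed, else None
    dkim_domain: str | None  # d= domain of a DKIM signature that verified, else None


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a _dmarc TXT record into tags, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + record)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str | None, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(auth: AuthResult, record: str | None) -> str:
    """Return 'pass', or the policy the receiver applies to a failing message
    ('none', 'quarantine', 'reject'); 'no-policy' if the domain publishes nothing."""
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    if aligned(auth.header_from, auth.spf_domain, tags["aspf"]) or aligned(
        auth.header_from, auth.dkim_domain, tags["adkim"]
    ):
        return "pass"
    is_org = org_domain(auth.header_from) == auth.header_from.lower()
    return tags["p"] if is_org else tags["sp"]


def assess_record(record: str | None) -> list[str]:
    """Findings a domain owner should fix before relying on DMARC."""
    if record is None:
        return ["no DMARC record: anyone can put this domain in a From: header"]
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only reports; forged mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you never learn who is forging the domain")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return findings


# Constructed scenario modelled on the Orinda case: a fraudster forges the
# broker's domain in the From: header but sends from a server they control.
BROKER = "example-mortgage.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-mortgage.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example-mortgage.com; adkim=s; aspf=s"

FORGED = AuthResult(header_from=BROKER, spf_domain="attacker.example", dkim_domain=None)
GENUINE = AuthResult(header_from=BROKER, spf_domain="mail.example-mortgage.com", dkim_domain=BROKER)
# A look-alike domain the attacker registered and configured correctly: DMARC
# on the real domain says nothing about it, so only a human can catch this one.
LOOKALIKE = AuthResult(header_from="example-mortgage-loans.com",
                       spf_domain="example-mortgage-loans.com", dkim_domain=None)

if __name__ == "__main__":
    for label, record in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        print(f"{label}: forged -> {dmarc_disposition(FORGED, record)}, "
              f"genuine -> {dmarc_disposition(GENUINE, record)}")
        print(f"  findings: {assess_record(record) or 'none'}")
    print("look-alike domain with its own p=none record ->",
          dmarc_disposition(LOOKALIKE, "v=DMARC1; p=none"))
```

Running it shows the point of the Orinda discussion: with the monitor-only record the forged message is delivered (disposition `none`), with the enforced record it is rejected, the broker's genuine mail passes either way because its DKIM signature aligns, and the look-alike domain passes its own policy, which is why DMARC is a layer rather than the whole answer.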

Higher Security Settings in Microsoft 365 Exchange

Microsoft 365 Business Premium has a good amount of email security built in to protect you from scams, but you have to turn the features on and tune them: the Defender for Office 365 anti-phishing policy (impersonation protection for your executives and your own domains, plus spoof intelligence), Safe Links and Safe Attachments, mailbox auditing so there is a trail when something goes wrong, and a block on users auto-forwarding mail to outside addresses. If you aren't using Business Premium and are instead on Basic or Standard, which only include the baseline Exchange Online Protection filtering, the upgrade is definitely worth it.

24/7 ITDR Protection for Microsoft 365

Sometimes attackers still get through your security measures. Even if you haven't typed your credentials into a fake Microsoft login portal, an attacker with malware on your computer can steal the session cookie from your browser and replay it from their own machine, and an adversary-in-the-middle phishing site that proxies the real login page can capture the same token the moment you finish signing in. Either way they end up inside an already-authenticated session, so multi-factor authentication, even when you have followed best practice and turned it on, is never prompted again. So, what's the best way to stay safe?

We use Huntress and their ITDR platform. It helps us provide 24/7 monitoring of our clients' environments and can detect and respond to session hijacking. There are other solutions out there too; the most important thing is that you have something in place to protect your business.
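Here is an added example of the kind of check an ITDR service runs (example code for this article, not Huntress's or Managed Nerds' own detection logic). It walks constructed sign-in events, modelled on Microsoft Entra ID sign-in logs with field names that are an assumption rather than the exact schema, and flags a session that jumps countries without a fresh MFA prompt, which is what a replayed cookie or token looks like in the logs.

```python
"""Flag a session token replayed from somewhere the user is not.

Added example for this article, not Huntress or Managed Nerds code. The
events below are constructed to resemble Microsoft Entra ID sign-in log
entries; the field names are an assumption, not the exact schema, and the
country is read from the record rather than looked up from the IP.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed sign-in events. alice completes MFA at the office, keeps
# working on the same session, and a few minutes later that session is
# used from another country with no fresh MFA prompt: the signature of a
# stolen browser cookie or refresh token being replayed.
SIGNIN_LOGS = [
    {"time": "2024-03-04T09:02:11Z", "user": "alice@example.com", "session_id": "s-7f1c",
     "ip": "203.0.113.10", "country": "US", "mfa_detail": "MFA completed in Azure AD"},
    {"time": "2024-03-04T09:40:30Z", "user": "alice@example.com", "session_id": "s-7f1c",
     "ip": "203.0.113.10", "country": "US",
     "mfa_detail": "MFA requirement satisfied by claim in the token"},
    {"time": "2024-03-04T09:47:05Z", "user": "alice@example.com", "session_id": "s-7f1c",
     "ip": "198.51.100.77", "country": "NG",
     "mfa_detail": "MFA requirement satisfied by claim in the token"},
    {"time": "2024-03-04T13:15:00Z", "user": "bob@example.com", "session_id": "s-22aa",
     "ip": "203.0.113.10", "country": "US", "mfa_detail": "MFA completed in Azure AD"},
]

TOKEN_REUSE = "satisfied by claim in the token"


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events: list[dict], window_minutes: int = 120) -> list[dict]:
    """Alert when one session is used from two countries within `window_minutes`
    and the later use rode on the existing token instead of answering a new MFA
    prompt. A password-only attacker would trip MFA; a token thief never sees it,
    so the 'satisfied by claim in the token' detail plus a location jump is the tell."""
    by_session: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for event in events:
        by_session[(event["user"], event["session_id"])].append(event)

    alerts = []
    for (user, session_id), session_events in by_session.items():
        session_events.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(session_events, session_events[1:]):
            moved = cur["country"] != prev["country"]
            reused_token = TOKEN_REUSE in cur["mfa_detail"]
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            if moved and reused_token and gap.total_seconds() <= window_minutes * 60:
                alerts.append({
                    "user": user,
                    "session_id": session_id,
                    "from": (prev["ip"], prev["country"]),
                    "to": (cur["ip"], cur["country"]),
                    "minutes_apart": int(gap.total_seconds() // 60),
                    "action": "revoke all refresh tokens and sessions, then reset the password",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SIGNIN_LOGS):
        print(f"{alert['user']} session {alert['session_id']} moved from "
              f"{alert['from']} to {alert['to']} in {alert['minutes_apart']} min; "
              f"{alert['action']}")
```

In a real tenant the events come from the Entra ID sign-in logs (the Microsoft Graph `auditLogs/signIns` endpoint or a SIEM export), and the response step in the alert maps to revoking the user's sessions through Graph (`revokeSignInSessions`, or the `Revoke-MgUserSignInSession` cmdlet in the Microsoft Graph PowerShell module) so the stolen token stops working, followed by a password reset and a look for new inbox rules the attacker may have left behind.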

Closing Thoughts

Keeping your business email secure is crucial as AI makes it even easier to create convincing phishing emails and fake login portals. We'd love to help you protect your business from email compromise if you don't have the security measures mentioned above in place. Don't delay, contact Managed Nerds today if you're worried about your business email security.