How do I secure my Office 365 or G-Suite email?

The threat landscape has shifted greatly this year as there has been a dramatic rise in email security attacks, resulting in loss of business data and direct theft of cash. These schemes have become more organized and sophisticated, resulting in the need for more aggressive policies and procedures to protect your company.  

The goal of this article is to make you aware of the seriousness of these attacks, then provide the 4 key basic steps you should put in place to protect your business email accounts.  

The recommendations are based on Core Vision’s experience in helping our clients protect their accounts and leverage best practices from the National Institute of Standards & Technology (NIST), Microsoft and other industry leaders.

What are email security threats?   

One of the key items to understand is that email attacks aren’t only targeted at business owners and managers, or those that have access to “important” data.  The attacks often aren’t targeted at your specific business but are scanning for vulnerabilities against any business account. 

The attacks are against any and every user as each account can be used to generate cash for the attackers.

Using sophisticated and automated software tools, attackers identify and leverage vulnerabilities like weak passwords, short passwords, published usernames, social media, and other online information to break into email accounts.  The attackers are full-time professionals and can be anywhere in the world – they just need internet access and the right tools.

Once the tools find a weakness and break into an account, the attackers are notified and can carry out many different schemes designed to inflict damage to your business and maximize the amount of cash they can generate.  

Examples of email security threats

Hacked email accounts

It doesn’t matter if an attacker breaks the password of the CEO or the janitor, as each is of equal value in terms of potential payoffs.  Once they access an email account, they can do any number of things:

○  Send an email from the valid employee account to all other employees with a ransomware link, often disguised as something of interest like the new benefits package, next company event flyer, new building evacuation policy, etc.

○  Scan the account for sent or received emails to identify the payroll company, then make what looks like a valid request from that users’ valid email to change their direct deposit account to a fraudulent one.

○  Scan sent emails to identify the HR contact, then spoof that contact and account to send an email to the payroll company using the HR person’s name and email signature to redirect the entire payroll to fraudulent accounts.

○  Send emails from the hacked account to specific clients, requesting new ACH payments to bogus bank accounts, sending ransomware or malware links, and other effective schemes as the email looks to be from someone they trust.

Phishing & spear-phishing attack

You’ve probably seen these emails as they appear to be from you or someone you know, but then realize the @domain doesn’t quite match or something else seems off.  The spear-phishing attacks target individuals in key positions, normally using social engineering from sites like LinkedIn or Facebook to make them more effective. 

These attacks are incredibly effective and circumvent even the best network security services because they prey on the weakest link in your organization — your people.  Recent examples of well-known spear-phishing attacks include the Pentagon data breach, and the breach of Hillary Clinton’s campaign emails, and thousands of others. 

Simple but very effective phishing techniques include:

○ Send impersonation emails to the CEO, CFO or accounting contacts with instructions for wire transfers to bogus accounts.

○ Send impersonation emails to other employees with ransomware links or other embedded malware.

○  Send impersonation emails that contain a pop-up that looks like your Microsoft or Google login screen, asking you to enter your credentials.

Again, these aren’t hypothetical scenarios but are actual attacks hitting our clients and every other business right now.

4 key steps to protect your business email accounts

How can you help protect your business email?   

Short of disconnecting from the Internet, there are 4 key basic steps that can help minimize the likelihood of these attacks.  Each of these is critically important, and they work together as a group – so don’t think you can just do one or two and still be safe.

1. Enable two-factor authentication (2FA)

This is especially important to protect Microsoft Office 365 and Google G-Suite accounts and is an included feature of both services – it just needs to be turned on and setup. 

2FA requires the use of a second level of authentication (i.e. text message, phone call, or authentication app) beyond just your normal password in order to access your account.  The authentication request is typically used when accessing your email through a web browser or portal and should be required for all users.

For desktop or mobile email applications such as Microsoft Outlook, Apple Mail, Mailbird and other email apps, these should be set up with a one-time application password that is set up with your 2FA settings.  This is a unique second password that is used in addition to your normal login credentials.  

The app password is entered once on a trusted device (e.g. desktop, laptop, cell phone), which keeps someone else from impersonating you through an unauthorized email application.  The time spent on setting this up will help thwart brute force password attacks from occurring.

2. Create longer, complex passwords 

Assuming that you require two-factor authentication for access to email portals, require application passwords for email clients, and require secure remote access to your network (e.g. VPN access), then you can make your passwords a bit more friendly – but longer – and stop changing them.

This recommendation follows current best practices from NIST, Microsoft, and other vendors.  The password breaking tools for shorter passwords have become very effective, so the additional length is key … as is the avoidance of common words.  Current tools can break a basic 8-character password on an unprotected account in less than five minutes.

Password Tip: In general, using an uncommon combination of words in a passphrase that the user can remember is better than a complex character combination (e.g. “nothing but tundra dogs” is better than “K1lltime2019”).  Studies have found that making passwords hard for users to remember actually makes them shorter and easier to break as they tend to be simple words with just a couple of special characters thrown in.

Eliminating the need to change the passwords will also reduce the user behavior of making simple changes from one password to the next (e.g. from “P@ssword2019” to “P@ssword2020”).  The recommendation is that you should only force a password change if there’s a reason to suspect an account may have been compromised … but your compliance or other policy requirements might still require scheduled changes.

At the current time, we recommend using Microsoft’s Group Policy feature to enforce a password length of 12 or more characters, and a change frequency of never.  Ideally, it will be a passphrase combination of 4 or more uncommon words, however, Microsoft Group Policy does not have enforcement for that yet (third party tools can be added for this). 

The other key is that this password and username should only be used for their business and email login, and not reused on websites and portals where they can be exposed through other data breaches.

These password recommendations are only applicable if you have two-factor authentication required for email accounts, as well as secure remote access to your network.  For further information on NIST’s 2019 federal government recommendations and info on best practices, see these links:

NIST Digital Identity Guidelines

Modern Password Guidelines from Pluralsight

3. Phishing and impersonation protection 

This requires a third-party service as it’s not built-in to either Microsoft or Google’s services.  This functionality is relatively new but has proven to be very effective at eliminating most phishing emails, specifically focusing on two areas:

Domain spoofing  

The service will block emails with key user names displayed, but incorrect domains – including those that are only a single letter off from the valid domain.  (e.g. cvits.com vs. cvitz.com)

Identity spoofing  

The service uses a list of limited names to filter and test an email for validity (e.g. John Smith is allowed, but J R Smith is not).  The service can block the filtered email or pass it through but mark it as potentially dangerous to warn the recipient.

We recommend and provide an email security service from AppRiver that provides this protection for about $2.25 per account per month.  Similar services are available from ProofPoint, Mimecast, Vade Secure and other vendors.

4. Email backup & data protection services 

When something does happen, having a consistent backup of your email accounts is the only way to recover them.  It’s often the only way to find records of compromised email account activity. 

Neither Microsoft or Google actually provides email backup as an option, so a third-party tool is needed to take regular copies of your accounts for quick restoration when needed.  We use and recommend Datto’s cloud backup service.

In addition to cloud-based backups for your email, having a consistent data protection service for your servers and other critical data sources is critical.  This service allows you to recover quickly from ransomware and other cyberattacks that enter via email or other compromised accounts. 

Additional steps to protect your business email accounts

As mentioned above, these 4 steps are really the initial baseline you need for securing your email accounts in order to prevent data loss and theft.  There are additional recommendations to consider for added security such as password managers, mobile device management, security awareness training, email encryption, and others … but these four are the basic ones to start with.

Need help or recommendations to secure your email?

Securing your business email may seem like a daunting task, but these basic steps can help reduce your exposure to the number one source for cyberattacks.  While they’re not fool-proof, they will help to greatly reduce the risk for your business and should be included as part of your overall security plan for your systems. 

If you’re ready to secure your email, or still have questions on what the best approach is for your business, feel free to reach out and we’ll be happy to provide you with recommendations.