Announced late february 2018, Microsoft facilitates security tests such as Phishing Attach, brut force and spray attacks. To use these tools you’ll need one user under Enterprise license E5.
In this way, you can test the security of your office 365 tenant and evaluate how your users will respond to a fake office 365 log-in page (phishing attack) or ensure your users have set a complex password (brute force attack) different than “password” or their birthdate.
Security is an important topic of an office 365 tenant, users shall be aware of those : don’t hesitate to communicate around those threats within your organization often.
Many companies around me got their users giving their password or IBAN Bank account to third party pretending they are from the company (example they use an email such as gogle.com instead of google.com).
Let’s have a tour of those attacks simulators
Prerequisite:
First, you need to activate the MFA (multi-factor authentication) for at least one user. Jethro Seghers explained how to do so via youtube.
1/2 Conduct a phishing attack on your office 365 users
This attack method aim is to check how many users will be tricked by a login page looking like Office 365 sign-in page or by any other login page you would like to “phish”. To achieve so : Create a phishing attack campaign from the Threat Management / Attack simulator menu in your office 365 admin menu.
You will be invited to select the users you want to target for this campaign.
Up to 500 users.
Once you have given a name you can select a phishing attack template :
Once the setup is completed, the user will get such email in his mailbox :
And a page that really looks like Office 365 sign-in page. If they key in their login, it will lead to a 404 page and the administrator review which users got POWNED !
Review user that got powned :
2/2 Test a brute force attack
When you configure a brute force campaign, you are invited to select the users as well as the phishing attack. Then you will enter the password that the test will enter for you.
You can load a file with a lot of most used password. You could generate a list of password to from this website, listing the most common password used.
Again you can review the results of your campaign
Conclusion
That is a good start to initiate some vulnerabilities tests within your organization. I wonder how to perform a phishing attack to 200 000 users….
There is much more to cover about security for your office 365 tenant, for example :
- Using third-party tools to perform penetration test
- Code review (if you have a developer that creates custom codes for your tenant).
Make sure you think about security in your roadmap… It is as important as planning features.
Tests shall be conducted often to prevent your security to be comprised. What are the security best practices ? Many more in this article from goptg.com (Data Loss Prevention etc).
Securing your apps is as a travel insurance, only boring and useless until you need it….
So assess the risks, define actions against those password being stolen, phishing attacks etc.