An email account takeover (ATO) is a cyber attack where criminals gain access to your email account or system. Access can be gained by social engineering, malware, credential stuffing, cross-site breaches or a multitude of other methods. This article serves as a guide to help administrators prepare for this type of cyber attack. If you have recently been attacked, please follow our guide How to Respond and Recover from an Email Account Takeover or contact our dedicated cyber security team immediately.
Recommended Prevention Tips
1. Enable Reporting
- Microsoft currently does NOT log all activity for Office 365 accounts. By default, most users' behavior and interactions with their email and account are never recorded. This is particularly advantageous to attackers, as they can compromise your account, perform all sorts of nefarious activity, and leave without a trace.
- We strongly recommend enabling auditing on your Office 365 account. It takes 30 seconds and prevents the potential headache of determining what happened after a cyber security incident. Log in as an administrator and follow Microsoft Support's guide to enable auditing.
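The following is an added example, not part of the original article: it turns on unified audit log ingestion from Exchange Online PowerShell and verifies the result. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Exchange Administrator or Global Administrator role; the user principal names are placeholders.

```powershell
# Added example (not from the original article): enable the Office 365
# unified audit log with Exchange Online PowerShell and confirm the setting.
# Assumes the ExchangeOnlineManagement module is installed and the account
# used holds the Exchange or Global Administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Check the current state before changing anything.
$before = Get-AdminAuditLogConfig
if ($before.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion is already enabled."
} else {
    # Start recording user and admin activity to the unified audit log.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion has been enabled."
}

# Verify the change. Events only begin to appear after ingestion has been
# running for a while, so a fresh tenant will show an empty log at first.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled, AdminAuditLogEnabled

# Sanity check once events are flowing: pull the last day of sign-in
# activity for one mailbox (placeholder user) to confirm the log is live.
$since = (Get-Date).AddDays(-1)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -UserIds user@contoso.example `
    -Operations UserLoggedIn `
    -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once per tenant; the setting is global, so it does not need to be repeated per mailbox. The final search is only meaningful after ingestion has had time to start, which is why the article recommends enabling auditing before an incident rather than during one.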
2. Communicate with All Staff
- It is recommended that you communicate with all your employees, informing them of the increased risk of phishing emails, the danger of clicking on anything suspicious, and the risks of entering employee credentials. We recommend including the following warnings:
  - Think before you click. Be careful opening attachments or links from people who you don't recognize.
  - Be careful with attachments or links from people you do recognize when they are unexpected, out of the ordinary, or inconsistent with that person's usual communications; confirm with the sender by a means other than email before opening them.
  - Pay attention to any links in emails. Hover your mouse over the link to see the actual destination; if it is something other than what you expect, don't click on it.
  - Notify the IT department of any suspicious emails, phone calls, or text messages.
- Let employees know that they will likely be targeted, and there is a good chance that a phishing email will come from someone they know and trust.
3. Security Awareness Training
- Provide security awareness training to teach employees how to recognize phishing emails and other types of social engineering attacks. In-person security awareness training while onboarding or annually can be effective, but we have found that mandated on-demand web-based training is the most effective tool to ensure that all users in your organization receive training.
- Consistent training reinforces the habit of staying alert and reporting anything that looks suspicious.
- Combining regular security awareness training with simulated phishing campaigns is also recommended. Consider conducting simulated phishing campaigns monthly at a minimum. Depending on the level of access and significance of the roles within your organization, you may conduct more frequent simulated phishing testing, such as on a weekly or bi-weekly basis.
4. Secure Office 365 Administrator Account
- Review the list of all current Office 365 administrators and determine whether their level of access is necessary and appropriate to complete their assigned duties. Revoke the access of any users who do not need it. If you initially deployed Office 365 with the assistance of a reseller and they no longer assist you in administering the console, revoke their delegated access.
- Create an emergency access Office 365 administrative account, also known as a "firecall ID" or "break glass" account. This account is dedicated to emergencies only, such as a breach or a critical MFA failure. It should be protected by a strong password that is documented in a password manager or digital vault. More information about emergency access accounts can be found in this Microsoft Support article.
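As an added example that is not part of the original article, the script below produces the administrator review the section calls for: every member of every Office 365 directory role, with the per-user MFA state of each user member so that privileged accounts lacking a second factor stand out. It assumes the MSOnline module is installed and that per-user MFA (rather than Conditional Access, whose state this property does not reflect) is how MFA is enforced; the role name "Company Administrator" is the MSOnline name for Global Administrator.

```powershell
# Added example (not from the original article): enumerate all Office 365
# administrator role members for review. Assumes the MSOnline module is
# installed and the connecting account is a Global Administrator.
Import-Module MSOnline
Connect-MsolService

$report = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Per-user MFA state exists only on user objects (not groups or
        # service principals) and stays empty when MFA is driven by
        # Conditional Access instead, so "NotEnforced" means "verify elsewhere".
        $mfa = ''
        if ($member.RoleMemberType -eq 'User') {
            $user = Get-MsolUser -ObjectId $member.ObjectId
            $mfa  = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
        }
        $mfaState = if ($mfa) { $mfa } else { 'NotEnforced' }

        [PSCustomObject]@{
            Role       = $role.Name
            Member     = $member.EmailAddress
            MemberType = $member.RoleMemberType
            PerUserMfa = $mfaState
        }
    }
}

# Full list, grouped so each admin's roles appear together for review.
$report | Sort-Object Member, Role | Format-Table -AutoSize

# Accounts needing immediate attention: Global Administrators without
# per-user MFA ("Company Administrator" is the MSOnline name for that role).
$report |
    Where-Object { $_.Role -eq 'Company Administrator' -and $_.PerUserMfa -eq 'NotEnforced' } |
    Format-Table Member, Role -AutoSize

# Keep a dated copy as evidence that the review took place.
$report | Export-Csv -Path ".\o365-admin-roles-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Delegated reseller access does not appear in this output because partner administrators are members of the partner's tenant, not yours; that relationship is reviewed and revoked from the admin center, as the section describes.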
5. Use A Strong & Unique Password
- Attackers do not need to phish for your credentials if they already have them from another site that has recently been breached. Ensure that you are not recycling or reusing credentials from any other sites or accounts.
- Use a strong and unique password for your Office 365 account. If you have not changed your password recently, it is recommended to change it now. For additional guidance see our team's blog post on NIST recommended password policies and updates.
6. Enable Multifactor Authentication
- We strongly recommend enabling MFA on all privileged accounts (those with administrative access) and for all executive team members. We also recommend enabling MFA for all publicly visible accounts; an email address listed on the company's website or on LinkedIn constitutes public visibility.
- When a privileged user or executive does fall for a phishing email and provides credentials, the attacker will not be able to access the account without the other factor of authentication (app-based authenticator, SMS code, phone call, etc.).
7. Disable Auto-Forwarding
- We have observed that once cyber criminals gain access to an account, they will usually set up an auto-forwarding rule to siphon copies of all incoming and outgoing emails to an account controlled by the criminal.
- While there are some legitimate reasons where a company may wish to allow auto-forwarding of business email to a non-business email account, most of the time, the best course of action is to simply disable email auto-forwarding functionality for additional security.
- Our team has created a blog post with detailed instructions on how to disable auto-forwarding by default.
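The block below is an added example and not the instructions from the blog post referenced above. It disables automatic forwarding to external domains for the whole tenant, then hunts for forwarding that is already in place at the mailbox level and in inbox rules, and, where auditing is enabled as described in section 1, shows who created or changed such rules. It assumes the ExchangeOnlineManagement module and an Exchange Administrator account; the UPN is a placeholder.

```powershell
# Added example (not from the original article): block auto-forwarding to
# external domains tenant-wide, then find forwarding that already exists.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Stop Exchange Online from honoring automatic forwards to external
#    domains. "Default" is the built-in remote domain covering every domain
#    not listed explicitly; create separate remote domains for exceptions.
Set-RemoteDomain Default -AutoForwardEnabled $false
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled -AutoSize

# 2. Mailbox-level forwarding (set by an admin or via Outlook on the web).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                 DeliverToMailboxAndForward -AutoSize

# 3. Inbox rules that forward or redirect. Rule names are attacker-chosen
#    and often innocuous, so match on the action, not the name.
$suspect = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspect | Format-Table -AutoSize

# 4. With auditing enabled (section 1), show who created or changed such
#    rules in the last 30 days, including the client IP of that session.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 1000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 calls Get-InboxRule once per mailbox, so on a large tenant it takes a while; run it as a scheduled job and compare the output against the previous run so that newly created forwarding rules are what you review, not the whole list each time.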
8. Enable Office 365 Advanced Threat Protection Features
- Microsoft has recently released new security features as part of their Office 365 Advanced Threat Protection licensing (included in all E5 licenses and also available as an add-on for certain subscriptions). These features are very powerful and help prevent your users from falling victim to a phishing attack.
- We recommend enabling Safe Attachments and Safe Links at the minimum. More information about ATP features can be found on Microsoft's website.
9. Incident Response
If you do experience an account takeover (ATO), you can immediately follow our detailed article on How to Respond and Recover from an Email Account Takeover.
Let our cybersecurity team know immediately of the breach and we can also provide further assistance to remediate the threat.