Vulnerability Assessment
Secure your Office 365 tenant
Our vulnerability assessment of your Office 365 tenant highlighted some potential issues with your current Office 365 configuration. Rest assured, you’ve done nothing wrong. Microsoft’s default configuration often does not align with security best practices: Microsoft serves many types of customer, so no single default configuration can fit all of them.
What to do about your vulnerability report
Consult the following explanations to understand what the vulnerabilities in your report mean, and learn which recommended Office Protect setting protects you against them.
Here’s a quick breakdown of how to interpret the guide below:
Severity: Error
Dangerous files are allowed as attachments
Currently, attachments with any file extension are allowed to reach your users, which is a sure-fire way to expose them to dangerous files. Blocking known bad file extensions is not perfect, but it reduces your risk.
Recommendation
Block "Bad" File Extension Attachments
This will block known-bad file extensions as email attachments
Severity: Error
International spam is not blocked
Nothing can prevent all spam, but you can reduce the amount by blocking international sources. Presently, your tenant does not reject emails based on country and/or language.
Recommendation
Block Top Spamming Countries
Automatically block all emails from a pre-determined list of spam-friendly countries
Severity: Error
All meetings and calendars are available publicly
All of your users' calendar information is publicly available. Attackers can use this information to build more convincing attacks, such as phishing, against your organization.
Recommendation
Do Not Allow Calendar Details Sharing
This will prevent users from sharing the full details of their calendar with external users
Selected setting: Authenticated Only
Severity: Error
Anyone can install 3rd party applications in your tenant
Third-party applications should only be installed by tenant administrators after a thorough vetting process. Currently, regular users can install third-party apps.
Recommendation
Do Not Allow Third-Party Integrated Applications
This will prevent your users from granting third-party apps permissions on their O365 data
Severity: Error
Emails can be silently sent outside the organization
The ability to automatically forward all email outside the organization should be limited and monitored. It is the most common attack vector on businesses. Your tenant has no rule in place to block the creation of such forwarding rules.
Recommendation
Enable Client Rules Forwarding Block
This will create a rule preventing auto-forward from your tenant to external organizations
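An added example (not code from the Office Protect report) showing how an administrator can audit the forwarding paths this finding refers to with Exchange Online PowerShell; it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not part of the Office Protect report: audit the forwarding
# paths behind the finding above with Exchange Online PowerShell
# (ExchangeOnlineManagement module). Assumes an existing Connect-ExchangeOnline
# session held by an Exchange administrator.

# Accepted domains are treated as internal; any other domain is external.
$internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })

function Test-ExternalTarget([string]$target) {
    # Rule targets stringify as '"Name" [SMTP:user@domain]'; pull the domain.
    if ($target -match '@([\w.-]+)') { return ($internal -notcontains $Matches[1]) }
    return $false
}

# 1. Mailbox-level forwarding (set by an admin or via Outlook on the web).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. User-created inbox rules that forward or redirect to an external address.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = @($targets | Where-Object { Test-ExternalTarget "$_" })
            if ($external.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $_.Name
                    Targets = ($external -join '; ')
                }
            }
        }
}

# 3. Tenant-wide controls that stop auto-forwarding regardless of user rules.
Get-RemoteDomain Default | Select-Object DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Remediation (uncomment after reviewing the output above):
# Set-RemoteDomain Default -AutoForwardEnabled $false
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Sections 1 and 2 list where mail is already leaving the tenant; section 3 shows the tenant-wide switches that make new forwarding rules ineffective even if a user creates one.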
Severity: Error
Not all admin accounts have 2-factor authentication (2FA)
Adding a second authentication factor is the most impactful security improvement you can make, as 82% of attacks start with a compromised administrator account. Not all of your administrator accounts are protected by 2FA.
Extending 2-factor authentication to all users will greatly reduce the chance of a damaging break-in. Not all users in your tenant are protected by 2FA.
Recommendation
Enable Multi-Factor Authentication
Enable Multi-Factor Authentication for admins or all users
Selected setting: Apply to All Admins
Severity: Warning
Users can execute scripts on their email account
Attackers commonly use PowerShell to do a lot of damage to Exchange accounts quickly. Normal users generally do not use PowerShell, so disabling it for them is a good idea in most cases. Currently, your users can use PowerShell to execute scripts against Exchange.
Recommendation
Exchange Scripting (PowerShell) Access
Disabling the ability to run PowerShell commands against Exchange limits the possible damage from a break-in
Selected setting: Remove from Non-Admin
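An added example (not Office Protect's code) of the "Remove from Non-Admin" check done by hand: it lists users who can still open remote PowerShell against Exchange Online and, optionally, revokes it. It assumes a Connect-ExchangeOnline session and that "admin" means membership of the Organization Management role group.

```powershell
# Added example, not Office Protect's code: list non-admin users who can still
# run remote PowerShell against Exchange Online, and optionally revoke it.
# Assumes an existing Connect-ExchangeOnline session. "Admin" is assumed to mean
# membership of the Organization Management role group; extend $adminGroups
# with any other role groups you consider administrative.

$adminGroups = @('Organization Management')

# Collect the primary SMTP addresses of role-group members. Nested groups are
# returned as recipients too and simply will not match a user mailbox.
$admins = foreach ($g in $adminGroups) {
    Get-RoleGroupMember -Identity $g | ForEach-Object { "$($_.PrimarySmtpAddress)" }
}

# RemotePowerShellEnabled is the per-user switch this finding refers to.
$exposed = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        $_.RemotePowerShellEnabled -and
        ($admins -notcontains "$($_.WindowsEmailAddress)")
    }

# Review this list before changing anything.
$exposed | Select-Object DisplayName, UserPrincipalName, RemotePowerShellEnabled

# Remediation: uncomment to remove Exchange PowerShell access from those users.
# $exposed | ForEach-Object { Set-User -Identity $_.UserPrincipalName -RemotePowerShellEnabled $false }
```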
Severity: Warning
CEO-scam phishing emails would not be flagged
You are not protected from phishing emails pretending to come from an employee of your organization. This is a very common attack method today.
Recommendation
Flag Phishing Emails using Tenant Domain or Staff Name
External emails using one of the tenant's employee names or its domain will be flagged
Severity: Warning
International spam is not limited
Nothing can prevent all spam, but you can reduce the amount by limiting the languages you accept. Presently, your tenant does not reject emails based on country and/or language.
Recommendation
Only Allow Emails in Specific Languages
Reduce spam and illegitimate emails by limiting the email languages you accept
Severity: Warning
You will not be contacted if your tenant starts spamming
Microsoft can warn you if one of your users starts spamming the world, but this has not been set up yet.
Recommendation
Set Outbound Spam Notifications
A notification will be sent to the email account set here if one of the organization's accounts is flagged for sending spam
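An added example (not Office Protect's code) that reads the Exchange Online Protection policies behind the dangerous-attachment, international-spam (country and language) and outbound-spam-notification findings in this report and lists the cmdlets that harden each; it assumes a Connect-ExchangeOnline session, and the "Default" policy names, country/language codes and admin@example.com are placeholders.

```powershell
# Added example, not Office Protect's code: read the Exchange Online Protection
# policies behind the dangerous-attachment, international-spam and outbound-spam
# findings in this report, then the hardening cmdlets for each. Assumes a
# Connect-ExchangeOnline session; "Default" policy names, the country/language
# codes and admin@example.com are placeholders to replace with your own values.

function Show-ReportPolicies {
    # Dangerous attachments: the common attachment filter in the malware policy.
    Get-MalwareFilterPolicy |
        Select-Object Name, EnableFileFilter, @{n='FileTypes'; e={ $_.FileTypes -join ',' }}

    # International spam: country (region) and language block lists.
    Get-HostedContentFilterPolicy |
        Select-Object Name, EnableRegionBlockList, @{n='Regions'; e={ $_.RegionBlockList -join ',' }},
                      EnableLanguageBlockList, @{n='Languages'; e={ $_.LanguageBlockList -join ',' }}

    # Outbound spam: who is notified when one of your accounts is flagged.
    Get-HostedOutboundSpamFilterPolicy |
        Select-Object Name, NotifyOutboundSpam, @{n='Recipients'; e={ $_.NotifyOutboundSpamRecipients -join ',' }}
}

Show-ReportPolicies

# Remediation (uncomment after review). The content filter policy exposes only
# a language block list, so "only allow specific languages" is expressed by
# blocking the languages you do not accept.
# Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
# Set-HostedContentFilterPolicy -Identity Default -EnableRegionBlockList $true -RegionBlockList @('XX','YY')
# Set-HostedContentFilterPolicy -Identity Default -EnableLanguageBlockList $true -LanguageBlockList @('xx','yy')
# Set-HostedOutboundSpamFilterPolicy -Identity Default -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients 'admin@example.com'
```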
Quick Start Guide
Follow this guide to identify the security settings you can improve. Then access the Office Protect application to easily perform the adjustments.
Access Office Protect
Open the Office Protect application, or go directly to Office Protect’s website: https://app.office-protect.com
In either case, use your Cumulus credentials to log in.
Visit Settings Page
Visit Office Protect's settings page (called the “Set” page) by clicking on the “Set” link in the left-hand side menu.
Select Security Profile
Click on the “Select Profile” drop-down menu to display profile options, then click on any profile.
Choose Security Setup
Our suggested profile is the one called “Recommended Best Practices”, although you may want to select another one depending on your own needs. You can then review its settings in the grid below the menu.
Save Changes
Once you’ve made all your desired changes, click “Save and Apply”. Office Protect will then apply your settings to your Office 365 tenant.
Create Custom Profile
Note that Office Protect lets you create custom security profiles. If you have a specific use case that needs particular settings, go back to the Security Setup step and select “Custom Profile” from the profile selection drop-down menu. Then go through all the settings and adjust each one as needed. Click “Save and Apply” to finalize your changes. You’ll be able to reuse this custom profile for any tenant whose needs match these settings.