AV Software Giant Strengthens Microsoft Exchange Online Security Posture

Background

This is a leading global innovator and developer of audio, imaging and voice technologies serving the cinema, television, broadcast, and entertainment industries worldwide. It has a market cap of $7B and employs +2,200 people in more than 20 countries.

It uses Exchange Online as its primary vehicle for business communication and wanted to assess its security posture to make sure that it has the requisite resilience against the emerging cyberrisks and threats.

Challenges

The company recognised that there is a constant security threat towards a critical infrastructure like email and wanted to thoroughly review its current posture sooner than later. In fact, there are reports which say that

• 80% of Organizations fall victim to an email security breach within a span of an year
• 75% of Cybersecurity threats arrive through email
• 48% of Organizations lack confidence in the effectiveness of their email security protections

Given the high vulnerability of email system, the organisation wanted to undertake a holistic review of the governance for Exchange including but not limited to

• Analysis of all mailboxes
• Privacy settings
• Compliance status
• Assessment of all sensitive data stored
• Data retention and archival
• Encryption policies
• DLP policies
• Users and Group settings
• Monitoring and control activities

Solution

Netwoven undertook an in-depth assessment of the current Exchange Online operations and infrastructure against Microsoft best practices and conducted a workshop with the findings and recommendations for improving the security posture for Microsoft Exchange workload. The project was completed in 2 months.

Assessment Items

The following key items were reviewed.

• Microsoft Secure Score Recommendation
• Mailbox Summary
• MFA Status
• Legacy Authentication Protocol
• Mailbox Retention Policy
• Mail Flow Rules
• Connection Filters
  • IP Allow / Block List
  • Tenant Allow/Block List
  • Anti-spam policies
  • International Spam Filter policy
  • Secure Email Gateway
  • Accepted Domains
  • Used TLS encryptions for all connectors
• AntiMalware Filter
  • Anti-phishing policies
  • Anti-Spoofing protection
  • Email Authentication (SPF, DKIM, and DMARC)
  • Spoof sender / Spoof Intelligence Insight
• Policy Rules
  • Data Loss Prevention (DLP) policy
  • Auto apply Sensitivity Labels
  • Client-side labeling
  • Service-side labeling
  • External Identity MailTip
  • First contact safety tip
  • User impersonate safety tip
  • Domain impersonation safety tip
  • User impersonate unusual characters safety tip
  • Unauthenticated senders symbol (?) for spoof
  • Show "via" tag
  • External Tagging on the external emails
  • Mail Quarantine & Release policy
  • Preset Security Policies
  • Zero-hour auto purge (ZAP)
  • SPF record: hard fail
  • Internal/External message limit
  • Daily message limit
  • Block auto-forwarded messages
  • Audit log retention policy
  • Message Approval for Sensitive External mails
• Content Filtering
  • Spam Confidence Level (SCL)
  • Safe Link
  • Safe Attachment
• Access Protection
  • Conditional Access policy
  • Disable login in Shared Mailbox
• Mailbox Data protection
  • Manage Calendar Details Sharing
  • Enable Client Rules Forwarding Block
  • Allow Mailbox Delegation only when authorized
  • Do not override FROM address enforcement
  • Use S/MIME (Secure/Multipurpose Internet Mail Extensions)
• Settings
  • Email Backup
  • Email Encryption
  • Secure email
  • Integrated apps - Report Mail
• Privileged Access
  • Just-in-time (JIT) access control
  • Reduce Global Administrators
  • Exchange Administrators
• Alerts
  • Alert policies
  • NON-DELIVERED Report to Admin (External Users)
• Monitoring
  • Inactive Mailbox
  • Attack Simulation Training
  • Mailbox Permissions

Assessment Findings and Recommendations

Netwoven provided detailed recommendation for each one of the above as a part of the final assessment report. Here are some of the highlights.

1. Microsoft Secure Score - Microsoft Secure Score for this tenant was found to be 42.77%. The following recommendations were made.
   • Not to share calendar information with “Anonymous” and “Any Domains”. Specify any specific domain if required.
   • Restrict additional storage providers in Outlook on the web.
   • Enable the Customer lockbox feature so that Microsoft Can’t access your content to do service operations without your approval.
2. MFA Status - Presently, MFA is being managed by third party IDP. Hence, it is not enabled in Entra Portal. It was recommended that MFA can be migrated to Entra for cost savings and seamless integration with Microsoft ecosystem.
3. Legacy Authentication Protocol - About 8 Applications are using legacy authentication protocol. The recommendation was to disable legacy authentications after configuring the application with Modern authentication.
4. Anti-Spoofing Protection - Only one default Anti-phishing policies was found in the tenant. Only 10 domains out of 46 have been signed with DKIM keys. There were 756 entries on Spoof Intelligence Insight for the last 7 days, but no records was found in Spoofed Senders list. The following recommendations were made.
   • Configure the Anti-phishing policy to its highest possible protection.
   • Enable this feature for all the custom domains to sign messages with DKIM signature while that custom domain is used for sending emails.
   • Allow or block known top domains from the Spoofed Senders list.
5. Data Loss Prevention (DLP) Policies - No DLP policies related to Exchange email was found. The recommendations was to configure DLP policies for sensitive information found within emails.
6. Auto Application of Sensitivity Labels - No Auto Labelling policy was configured in this tenant. It was strongly recommended to configure Client-side and Server-side labelling.
7. Email Encryption - Email encryption in Exchange Online is a security measure that transforms readable plain text into scrambled cipher text. Only an authorized recipient can decode and consume the information. No active mail flow rules for email encryption was implemented. Netwoven recommended configuring the email encryption policies in Microsoft Purview.

Likewise, detailed recommendations were made for each relevant entity to improve the security of the present Exchange Online operation. The items were categorized as high, medium and low such that implementations can be undertaken in a phased manner. This project also led to an overall security assessment of the tenant for establishing the security readiness towards deployment of M365 copilot, going forward. An workshop was conducted with relevant stakeholders to decide on the action plan out of the recommendations made.

Benefits

The result of this assessment helped the organization to tighten the security posture of Exchange Online in more ways than one. It not only identified the present gaps and the remediation steps but also prompted the organization to evaluate future steps for improving its overall operation, productivity, and security by utilizing Microsoft Copilot and other tools optimizing its investment in Microsoft Technology. The major business benefits perceived are:

• Tenant’s email security vulnerability was properly assessed, and reliability of Exchange operation was greatly enhanced.
• Recommendations helped a better adoption of the technology improving business resilience.
• Foundation was laid towards a more secure and more productive business operations in near future.