Protecting our clients through automated security intelligence
Microsoft 365 adoption since the start of the pandemic has increased dramatically, improving remote working capabilities for Small & Medium businesses (SMBs) that are often supported by managed IT services providers (MSPs) like BlueDot.
To protect these remote workers, MSPs have partnered with security companies like Fortinet, Sophos, Barracuda, and others to detect and block phishing attempts, ransomware attacks, and remote takeover vulnerabilities. They should also be enforcing multi-factor authentication, or MFA, for their tenants. MFA is an additional authentication measure, typically a six-digit number sent to a mobile phone or accessed through an app, or a push notification verifying access.
While MFA helps prevent unauthorized access by someone who has a user’s credentials, hacker toolkits are making it easier to bypass this measure and gain access to a user’s Microsoft 365 account. So how do we continue to secure our customer environments when threat actors have so many tools available to them to bypass these measures?
New statistics released by Microsoft show that just 22% of Azure Active Directory identities utilize “strong” authentication in the form of MFA.
While we continue to improve prevention techniques, we need to also focus more on early detection of breaches. We need to be aware that, ultimately, someone will give up their credentials through a phishing email or other vector and expose valuable or sensitive information outside of their organization or be victimized by ransomware.
Recognizing the inevitability of unauthorized access to client tenants, BlueDot is partnering with Trawl AI to detect unauthorized access to user accounts, and intelligently detect anomalous activity by authorized users that may indicate they are a threat to their company.
While beta-testing the Microsoft 365 protection service from Trawl AI, we were able to detect unauthorized access through several methods, but we were also able to better serve our clients during this time of the Great Resignation by providing reports on activity of employees on their notice period in highly competitive industries or those with access to sensitive company information.
Our first detection came last fall when we received notification that a mailbox rule was created that directed all incoming email to the RSS folder. An executive of a company was the victim of a phishing attack, and the attacker created the rule so they could send out emails and inbound messages wouldn’t give away that his contacts were being spammed from his account. We were able to react quickly, logging out all users and blocking logins until we could analyze what was accessed.
The second notification we received was a bit different. It indicated a change in SharePoint anonymous link usage. It was different because it didn’t indicate that a user at our client had been exploited, but instead a user at a company our client does business with. We believe that someone at another company that had received a link to access non-sensitive files had a hacker access their email and find links, likely sharing them throughout their community, leading to a significant increase in link usage which triggered an alert through the Trawl AI platform.
The third notification came recently and was yet another successful phishing attempt. It was early on a Sunday morning, and we received a text saying there were anomalous logins to the account of a company director. Looking at the data, there were three consecutive successful logins from three different countries in less than two minutes, so we immediately logged out all sessions and blocked logins until we could determine if any data was accessed and re-secure the account.
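The third detection above reduces to a rule that can be run over sign-in records: several successful sign-ins for one account from different countries inside a short window. The following is an added example, not BlueDot's or Trawl AI's code; the record fields, accounts, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; the fields are simplified assumptions, not a real log schema.
SAMPLE_SIGNINS = [
    {"user": "director@example.com", "time": "2022-03-04T14:02:00", "country": "US", "success": True},
    {"user": "director@example.com", "time": "2022-03-06T06:01:05", "country": "BR", "success": True},
    {"user": "director@example.com", "time": "2022-03-06T06:01:50", "country": "DE", "success": True},
    {"user": "director@example.com", "time": "2022-03-06T06:02:40", "country": "SG", "success": True},
    {"user": "staff@example.com", "time": "2022-03-06T09:00:00", "country": "US", "success": True},
    {"user": "staff@example.com", "time": "2022-03-06T09:00:30", "country": "CA", "success": False},
    {"user": "staff@example.com", "time": "2022-03-06T09:01:00", "country": "US", "success": True},
]


def find_multi_country_bursts(events, window=timedelta(minutes=2), min_countries=3):
    """Return (user, first_time, last_time, countries) for every burst of successful
    sign-ins that reaches min_countries distinct countries within window."""
    by_user = defaultdict(list)
    for event in events:
        if event["success"]:  # a failed attempt does not show account access
            by_user[event["user"]].append(
                (datetime.fromisoformat(event["time"]), event["country"]))
    alerts = []
    for user, signins in by_user.items():
        recent = deque()  # successful sign-ins still inside the sliding window
        for when, country in sorted(signins):
            recent.append((when, country))
            while when - recent[0][0] > window:
                recent.popleft()
            countries = {c for _, c in recent}
            if len(countries) >= min_countries:
                alerts.append((user, recent[0][0], when, sorted(countries)))
                recent.clear()  # report each burst once
    return alerts


if __name__ == "__main__":
    for user, start, end, countries in find_multi_country_bursts(SAMPLE_SIGNINS):
        print(f"ALERT {user}: {', '.join(countries)} between {start} and {end}")
```

Legitimate VPN or mobile-carrier egress can also change a user's apparent country, so the window and country thresholds need tuning against normal traffic before they drive automated responses.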
Using an intelligent, early detection service like Trawl AI allows BlueDot to better serve our clients by providing additional cybersecurity protection through early detection of anomalous sign-ins, suspicious admin activity, and changes in user activity. For more information, reach out to us today.