Office 365 - A Cautionary Tale

If you have Microsoft Office365 or are thinking about switching to it, this is a sort of public service message written for you!


Quick Takeaways:

  • Office 365 is complex. You’ll need an experienced administrator to get it configured properly.
  • Expect hiccups… it requires “tuning” to get working for your specific way of working.
  • There will be a learning curve… especially if you are leveraging the web access version and especially if you are used to working with Outlook from several years back.
  • Regardless of the technical partner, all Office 365 is hosted by Microsoft.
  • Office 365 has security issues… be sure to protect your access with “two-factor authentication”.

The Story…

I received an interesting Email today from an individual we’ll call Rob for simplicity.

Subject: “Action Required: Complete Docusign”

Here’s what the message said:

Rob used Dropbox to share some document with you. Click REVIEW DOCUMENT to access the documents or click

Download

Please kindly let us know if you have any questions
Kind Regards

Rob
Generic Insurance
“Generic Tagline”
Ph: 800-555-1212
Cell: 800-555-1212
www.generic.com

Sent from my iPhone

I wasn’t expecting a message from Rob, so I manually checked the message headers and it indeed was sent by Rob.

(The headers contain “technical” routing information as well as the path that an Email has followed to get to you.) Here’s a great quick tutorial on Message Headers:


TIP: If you think someone is sending you spam, you can leverage this clever tool by Google to validate the message header: https://toolbox.googleapps.com/apps/messageheader

In this case, the header validated. But the body seemed off… particularly the links. I replied to Rob to see if his Email account was being spoofed or if his account had been hacked.
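As an added illustration (not part of the original post), here is a small Python triage script that reproduces the reasoning above on a constructed message: the authentication results pass, yet the links point outside the sender's domain, which is the signature of a compromised account rather than a spoofed one. Every address, host and IP in the sample is made up.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message in the story; all values are made up.
SAMPLE = """\
Received: from mail-example.outbound.protection.outlook.com (203.0.113.10) by mx.example.net
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=generic.com; dkim=pass header.d=generic.com; dmarc=pass action=none header.from=generic.com
From: Rob <rob@generic.com>
To: John <john@example.net>
Subject: Action Required: Complete Docusign
Content-Type: text/html; charset=utf-8

<p>Rob used Dropbox to share some document with you.</p>
<a href="http://files-review.example/login">REVIEW DOCUMENT</a>
<a href="http://files-review.example/dl">Download</a>
"""

class LinkCollector(HTMLParser):
    """Collects every href found in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def auth_results(msg):
    """Map spf/dkim/dmarc to their result in the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw):
    """Combine header authentication with link-domain analysis into a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = auth_results(msg)
    authenticated = all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    sender_domain = msg["From"].addresses[0].domain.lower()
    collector = LinkCollector()
    collector.feed(msg.get_content())
    hosts = [urlparse(u).hostname for u in collector.links]
    off_domain = sorted({h for h in hosts if h and not h.endswith(sender_domain)})
    if authenticated and off_domain:
        verdict = "compromised-account"  # real sender infrastructure, foreign links
    elif not authenticated:
        verdict = "spoofed-or-unverified"
    else:
        verdict = "no-link-indicators"
    return {"authenticated": authenticated, "sender_domain": sender_domain,
            "off_domain_link_hosts": off_domain, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```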

Rob replied…

They are investment files I shared, I wanted you to have a look.

Rob
Generic Insurance
“Generic Tagline”
Ph: 800-555-1212
Cell: 800-555-1212
www.generic.com

Sent from my iPhone

Really? Rob would NEVER send me this kind of message. I realized he was hacked and in a MAJOR way. Someone was responding to me from WITHIN his account!

Out of concern for his company’s reputation, I reached out directly to Rob by creating a new Email and sending it straight to him. (He moved to Office365 from our Email servers so this was the only action I could take on his behalf.)

The REAL Rob wrote back…

John,

I was hacked and Microsoft is working on my account as I type this. Thanks for informing me! They think they have stopped it.

Of course, while I was on the phone with Microsoft the hacker texted me twice and called me! I’m calling Verizon now to report him and block the number.

Rob

Talk about a scary hacking scenario.

Imagine having your Email accounts so thoroughly hacked that someone could reply from within your environment pretending to be you… it sent shivers up my spine.

The ramifications to Rob’s company as a result of this Email hack are serious.

  • Was the hacker able to see other Email messages? (Probably)
  • Was client data exposed? (Possibly)
  • How about sensitive passwords and other information? Did the hacker see those? (Likely)
  • Should Rob publicly notify clients he was hacked and that they should take actions to protect themselves? (Probably)
  • Could this impact Rob’s E&O rates? (Likely)

Here’s the thing… I know Rob. He had a decent password.

How could this happen? Rob didn’t have 2-factor authentication, and he clicked on a message he shouldn’t have, which gave the attacker a way to bypass his account password…

…So the hacker broke into Rob’s Office365 Email account and did some serious damage in spite of his strong password.

And while Microsoft’s response to fix this is laudable, the incident demonstrates the potential security weakness of the Office365 platform in its default setting.

And the kicker is OTHER Office 365 users are being hacked in exactly the same way. We’ve seen it across multiple domains that have decided to leverage Office 365 managed by their local techs. Inexperienced admins are implementing Office365 without two-factor authentication.

So, if you decide to roll out Office 365, be prepared to pay for added tech support costs to ensure the environment is properly configured… they will happen.

(Our Office 365 Option is a managed service. While a little more of an investment than Microsoft’s standard fare, it comes backed with full support and a direct line to Microsoft should technical issues arise.)

Office 365 has a place. And we may eventually see this become the only option available from Microsoft in the future…

That said, we think most clients will be well served by continuing with our Enterprise Class and Hosted Exchange products, as they have tight security controls and are much easier for folks to administer. Meanwhile, Microsoft Office apps are quite affordable over at Amazon.com…


So what if you have ALREADY moved over to Office365? You can take actions to make your Office 365 implementation more secure.

We highly recommend you implement “two-factor” authentication for accessing your Office365 environment.

You can learn more about implementing two-factor security for Office365 by clicking here.

This will make it substantially more difficult for a hacker to gain entry into your account.

If you are unsure how to accomplish this or simply lack the Admin access, be sure to instruct your techs to implement two-factor security right away.

Meanwhile, if you are looking for rock-solid Enterprise-class Email without the complexity, reach out to us today! We offer a wide array of managed Email solutions designed to help small businesses get business done without the complexity of worrying about Email service management.
