Announced late february 2018, Microsoft facilitates security tests such as Phishing Attach, brut force and spray attacks. To use these tools you’ll need one user under Enterprise license E5.

In this way, you can test the security of your office 365 tenant and evaluate how your users will respond to a fake office 365 log-in page (phishing attack) or ensure your users have set a complex password (brute force attack) different than “password” or their birthdate.

Security is an important topic of an office 365 and users shall be aware of those, don’t hesitate to communicate around those threat within your organization.

I know many companies around me that have users giving their password or IBAN Bank account to fake email looking like their company name (example they see an email asking for a password from gogle.com instead of google.com).

Let’s have a tour of those attacks simulators

Advanced threat management – Office 365 Admin Center

Prerequisite: 

First, you need to activate the MFA (multi-factor authentication) for at least one user. Jethro Seghers explained how to do so via youtube.

1/2 Conduct a phishing attack on your office 365 users

This attack method aim is to check how many users will be tricked by a login page looking like Office 365 sign-in page or any other login page you would like to “phish”. To achieve so : Create a phishing attack campaign from the Threat Management / Attack simulator menu in your office 365 admin menu.

You will be invited to select the users you want to target for this campaign.

Up to 500 users.

Phishing attach simulator – Office 365 Admin Center

Once you have given a name you can select a phishing attack template :

Compose email

Once the setup is completed, the user will get such email in his mailbox :

Create a phishing attack from a template – Office 365 Admin Center

And a page that really looks like Office 365 sign-in page. If they key in their login, it will lead to a 404 page and the administrator review which users got POWNED !

Fake Office 365 login page

Report of the attack campaign

2/2 Test a brute force attack

When you configure a brute force campaign, you are invited to select the users as well as the phishing attack. Then you will enter the password that the test will enter for you.

You can load a file with a lot of most used password. You could generate a list of password to from this website, listing the most common password used.

Brute force campaign

Again you can review the results of your campaign

Results of brute force campaign

Conclusion

That is a good start to initiate some vulnerabilities tests within your organization. I wonder how to perform a phishing attack to 200 000 users….

There is much more to cover about security for your office 365 tenant, for example :

• Using third-party tools to perform penetration test
• Code review (if you have a developer that creates custom codes for your tenant).

Make sure you think about security in your roadmap… It is as important as planning features.

Tests shall be conducted often to prevent your security to be comprised. What are the security best practices ? Many more in this article from goptg.com (Data Loss Prevention etc).

Securing your apps is as a travel insurance, only boring and useless until you need it….

So assess the risks, define actions against those password being stolen, phishing attacks etc.

Reference:
Angama, J. (2018). Heads-up, test your tenant security before hackers attack your users using Office 365 Threat Intelligence. [online] Jeff ANGAMA OFFICE 365 NOTES. Available at: https://jeffangama.wordpress.com/2018/04/16/tenant-security-attack-office365-office-365-threat-intelligence/ [Accessed 23 Apr. 2018].