In this way, you can test the security of your Office 365 tenant and evaluate how your users respond to a fake Office 365 log-in page (phishing attack), or check that your users have set a complex password (brute force attack) rather than “password” or their birthdate.
Security is an important topic for any Office 365 tenant, and users should be aware of these threats. Don’t hesitate to communicate about them within your organization.
I know many companies around me that have users giving their password or IBAN bank account to fake emails looking like their company name (for example, they see an email asking for a password from instead of ).
Let’s take a tour of these attack simulators.
1/2 Conduct a phishing attack on your Office 365 users
The aim of this attack method is to check how many users will be tricked by a login page that looks like the Office 365 sign-in page, or any other login page you would like to “phish”. To do so, create a phishing attack campaign from the Threat Management / Attack simulator menu in your Office 365 admin menu.
You will be invited to select the users you want to target for this campaign, up to 500 users.
Once you have given the campaign a name, you can select a phishing attack template:
Once the setup is completed, the user will receive an email like this in their mailbox:
And a page that really looks like the Office 365 sign-in page. If they key in their login, it will lead to a 404 page and the administrator can review which users got POWNED!
Review the users that got powned:
2/2 Test a brute force attack
When you configure a brute force campaign, you are invited to select the users, as with the phishing attack. Then you enter the password that the test will try for you.
You can load a file containing many of the most commonly used passwords. You could generate a list of passwords from this website, which lists the most common passwords used.
Again, you can review the results of your campaign.
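A defender-side counterpart to the brute force test, as an added example that is not part of the original post: a Python check that flags a password which a common-password list or a birthdate guess would find. The word list, the substitution table and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample; in practice load the same common-password file
# that you upload to the brute force campaign.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Map frequent character substitutions back to letters (an assumed, minimal set).
SUBSTITUTIONS = str.maketrans("@4031$5", "aaoeiss")

DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")


def contains_date(password):
    """True if a 6- or 8-digit run parses as a plausible calendar date."""
    for run in re.findall(r"\d+", password):
        for fmt in DATE_FORMATS:
            # 4-digit-year formats only apply to 8-digit runs, 2-digit-year to 6.
            if len(run) != (8 if "%Y" in fmt else 6):
                continue
            try:
                if 1900 <= datetime.strptime(run, fmt).year <= 2099:
                    return True
            except ValueError:
                pass  # not a valid date in this layout, try the next one
    return False


def weak_password_reason(password):
    """Return why a guessing attack would find this password, or None."""
    lowered = password.lower()
    # Drop trailing digits and symbols: "welcome2024!" -> "welcome".
    stem = re.sub(r"[\W\d_]+$", "", lowered)
    candidates = {lowered, stem,
                  lowered.translate(SUBSTITUTIONS), stem.translate(SUBSTITUTIONS)}
    if candidates & COMMON_PASSWORDS:
        return "common password"
    if contains_date(password):
        return "contains a date"
    return None


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("P@ssw0rd1!", "Welcome2024!", "Jean01021990", "t7#Kq!vz92Lm"):
        print(pw, "->", weak_password_reason(pw))
```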
That is a good start for initiating some vulnerability tests within your organization. I wonder how to perform a phishing attack on 200 000 users…
There is much more to cover about security for your Office 365 tenant, for example:
- Using third-party tools to perform penetration tests
- Code review (if you have a developer who creates custom code for your tenant).
Make sure you think about security in your roadmap… It is as important as planning features.
Tests should be conducted often to prevent your security from being compromised. What are the security best practices? Many more are in this article from goptg.com (Data Loss Prevention etc.).
Securing your apps is like travel insurance: it only seems boring and useless until you need it…
So assess the risks and define actions against stolen passwords, phishing attacks, etc.
Angama, J. (2018). Heads-up, test your tenant security before hackers attack your users using Office 365 Threat Intelligence. [online] Jeff ANGAMA OFFICE 365 NOTES. Available at: https://jeffangama.wordpress.com/2018/04/16/tenant-security-attack-office365-office-365-threat-intelligence/ [Accessed 23 Apr. 2018].