The trade-offs in Microsoft 365’s native security

Securing the enterprise’s largest attack surface

Inadvertently, the technologies we adopt to improve efficiencies within our organization can often have the same effect on malicious actors trying to gain access.

Business productivity and collaboration suites like Microsoft 365 and Google Workspace provide great examples of this trade-off. These suites bundle a wide variety of applications designed to be easy to access, use, and move data between. The same properties create a large attack surface, make lateral movement easy, and give any attacker who finds a way in broad, illicit access to data.

The more widely these suites are adopted, the more incentive attackers have to find and exploit weaknesses in them. Microsoft 365, which boasts roughly twice as many customers as competing offerings according to a recent Okta survey, is a particularly high-value target.

This is not a reason to avoid using Microsoft 365. Microsoft invests heavily in security and offers native security as part of the 365 suite. Rather, Microsoft’s popularity — and accompanying risk — is a reason to supplement the suite with additional security services as suggested in its shared responsibility model. Doing so will strengthen your organization’s security posture against both isolated Microsoft vulnerabilities and more systemic weaknesses.

What are the most important first steps? And how can organizations take these steps without compromising the efficiency Microsoft 365 brought them in the first place?

Step 1: Improve phishing protection

The vast majority of cyberattacks start with phishing — over 90%, according to recent research.

To prevent phishing, Microsoft 365 uses native email scanning to filter out malicious messages. Data shows that this service will not stop every attack. Cloudflare found that in 2020, Microsoft 365 email users had over 900,000 phishing emails slip through native security. Of these overlooked emails, roughly 50% involved a recently created domain and another 15% included a malicious URL.

Additionally, Microsoft email — like most cloud email providers — is vulnerable to other kinds of attacks:

In keeping with Microsoft’s ‘shared responsibility’ philosophy, additional layers of protection may be required to prevent attacks. Important places to start are:

  • Email link isolation: To protect users from malicious links that either slip through the cracks or replace benign ones after the fact. Microsoft offers general browser isolation as a plug-in, but running isolation locally is memory-intensive and can slow the user experience. Instead, consider a more robust service — which runs in the cloud, doesn’t use traffic-heavy screen-streaming, and prevents users from taking potentially dangerous actions like entering login information into non-approved sites.

  • Advanced cloud email security: This incorporates sentiment analysis, sender trust graphs, automated blocking, and other tools which can be calibrated to catch malicious emails Microsoft 365 is known to miss.

Step 2: Improve malware scanning

Preventing phishing is an important security step, but it’s far from the only one. Other attack types are used to install malware onto endpoint devices and integral network infrastructure. This can occur via email, on malicious websites that automatically trigger downloads, or by other methods.

Microsoft 365’s main anti-malware service is called Defender; on Windows endpoints this is Microsoft Defender Antivirus, installed on the device itself. Microsoft Defender Application Guard can also help by opening untrusted websites in an isolated, hardware-virtualized browser container, keeping malicious sites and any malware they deliver sandboxed. It is built into Microsoft Edge and reaches other browsers only through a plug-in.

In keeping with Microsoft’s broader commitment to security, Defender is no slouch when it comes to malware detection. However, some studies have found that its detection rates lag behind those of similar products. In addition, certain elements of its functionality create potential gaps:

  • The service allows users to exclude locations on their systems from malware scanning. This is common practice for applications that use non-standard code, but every exclusion is a blind spot. In addition, security researchers found that in certain versions of Windows the list of excluded locations was stored in a registry key readable by any local user. An attacker with even unprivileged local access could therefore see exactly which locations to drop malware into to avoid detection.

  • Defender’s browser protection (SmartScreen reputation checks on URLs and downloads) is built into Microsoft Edge only. Microsoft provides an extension for other browsers, but if users do not install it, for whatever reason, those browsers become weak links.
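An added example, not code from the article or from Microsoft, for the exclusion gap described above: a PowerShell audit that lists every Defender exclusion on an endpoint and then checks whether the registry key holding path exclusions grants read access to broad local groups, which is the weakness the researchers reported. The registry path and the set of groups treated as ‘broad’ are this example’s assumptions. Run it in an elevated session on the endpoint being reviewed.

```powershell
# Added example (not from the article, Cloudflare or Microsoft): audit Microsoft
# Defender Antivirus exclusions on a Windows endpoint and check whether the key
# that persists path exclusions is readable by ordinary users.

# 1. Enumerate every configured exclusion. Each path, extension or process here
#    is skipped by real-time and scheduled scans, so each one needs an owner and
#    a justification.
$prefs = Get-MpPreference
$exclusions = [ordered]@{
    Path      = @($prefs.ExclusionPath)
    Extension = @($prefs.ExclusionExtension)
    Process   = @($prefs.ExclusionProcess)
}
$inventory = foreach ($kind in $exclusions.Keys) {
    foreach ($entry in $exclusions[$kind]) {
        if ($entry) { [pscustomobject]@{ Kind = $kind; Exclusion = $entry } }
    }
}
if ($inventory) { $inventory | Format-Table -AutoSize }
else            { Write-Host 'No Defender exclusions are configured.' }

# 2. Check who can read the key where path exclusions are stored (assumed
#    location). Only administrators and SYSTEM should be able to read it; an
#    Allow entry for a broad group means any local account can enumerate the
#    scanner's blind spots.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
$broadGroups = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
$queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues

if (Test-Path $key) {
    $acl   = Get-Acl -Path $key
    $leaky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broadGroups -and
        (([int]$_.RegistryRights) -band $queryValues) -ne 0   # FullControl (-1) also matches
    }
    if ($leaky) {
        Write-Warning 'Path exclusions are readable by non-administrators:'
        $leaky | Select-Object IdentityReference, RegistryRights, IsInherited | Format-Table -AutoSize
    } else {
        Write-Host 'Exclusion key ACL grants no read access to broad local groups.'
    }
} else {
    Write-Host 'No path-exclusion key present (no path exclusions have been set).'
}
```

Part 1 answers “what is Defender not looking at?”; part 2 answers “who else can find that out?”. A finding in part 2 on a current, patched build is worth escalating, because it usually means a deployment tool or script has loosened the key’s ACL rather than a missing Microsoft fix.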

Regarding Application Guard, the same plug-in challenge applies and local browser isolation often causes poor device performance, which could result in the user simply turning it off.

To bolster these protections, organizations should consider several practices:

  • Supplementary endpoint protection: Informed by the best available threat intelligence, with rulesets and blocklists that users cannot easily disable.

  • Multi-factor authentication (MFA): Requires more than a username/password combination to access applications. Other authentication ‘factors’ include hardware security keys and one-time codes sent to the user’s phone. MFA stops a password that malware has stolen from unlocking corporate applications on its own. It is not a complete answer to malware, however: an attacker who controls an endpoint can steal the session tokens issued after a successful MFA login, and one-time codes can be relayed by a phishing site in real time. Prefer phishing-resistant factors such as FIDO2 security keys, and treat MFA as one layer alongside endpoint protection rather than a substitute for it.

  • Email link isolation: As mentioned previously, isolated web activity should run in the cloud, easily work with any browser, and use modern technology to avoid breaking sites.

Step 3: Prevent privilege escalation

Even with strong email and malware protections in place, organizations should be prepared for attackers to gain some form of access to their Microsoft 365 instance. Such preparation is a central principle of modern security, often summed up by the Zero Trust maxim of “never trust, always verify” for every request, wherever in the network it originates.

Microsoft 365 offers several services for managing what access and permissions users have. However, in recent years, privilege escalation has been the most common form of Microsoft 365 vulnerability, according to BeyondTrust research. In these incidents, attackers gain access to a user account and expand the variety of systems and settings it can access, facilitating lateral movement, credential theft, and the compromise of targeted applications.

One important step towards prevention is organizational: removing admin rights from as many users as possible. An overburdened IT department might be tempted to grant users excessive access to improve efficiency and reduce support tickets. As helpful as that can seem in the short term, giving users only the access they need (least privilege) is another core principle of modern security. Nor is it necessarily a trade-off against efficiency: the aforementioned BeyondTrust report found that removing admin rights could also reduce support tickets more broadly, noting that “computers just work better when you don’t have privileges to break them.”
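An added example, not code from the article, Cloudflare or Microsoft, for the step just described: a PowerShell inventory of standing administrative privilege on both sides of the shared-responsibility line. Part A lists local administrators on the endpoint (the rights the BeyondTrust quote refers to); Part B lists who holds high-impact Microsoft 365 directory roles, using the Microsoft Graph PowerShell SDK. The SDK being installed, the Graph scopes requested, and the choice of roles treated as high-impact are this example’s assumptions.

```powershell
# Added example (not from the article, Cloudflare or Microsoft): inventory
# standing admin rights so that unjustified ones can be removed.
#
# Part A runs locally (Windows 10/11, Server 2016+). Part B assumes the
# Microsoft.Graph module is installed and the signed-in account may read
# directory roles.

# ---- Part A: who is a local administrator on this endpoint? ----
# Every principal here can install software, disable security tooling and
# change Defender exclusions. Nested domain or cloud groups are a common way
# admin rights quietly spread to whole departments.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object @{ n = 'Principal'; e = { $_.Name } },
                  @{ n = 'Class';     e = { $_.ObjectClass } },
                  @{ n = 'Source';    e = { $_.PrincipalSource } }
$localAdmins | Format-Table -AutoSize

# ---- Part B: who holds high-impact directory roles in the tenant? ----
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Get-MgDirectoryRole returns only roles activated in the tenant, which is
# exactly the set that can currently be exercised.
$roleHolders = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties
        # Users carry a UPN; groups and service principals only a display name.
        $name = $props['userPrincipalName']
        if (-not $name) { $name = $props['displayName'] }
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $name
            Type   = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
    }
}

# Roles with the broadest blast radius (assumed list). Membership should be
# minimal and, where licensing allows, time-bound via Privileged Identity
# Management instead of permanent.
$highImpact = @(
    'Global Administrator', 'Privileged Role Administrator',
    'Exchange Administrator', 'SharePoint Administrator',
    'Security Administrator', 'Application Administrator'
)

$flagged = $roleHolders | Where-Object { $highImpact -contains $_.Role }
$flagged | Sort-Object Role, Member | Format-Table -AutoSize

# Head count per role: more than a handful of Global Administrators is the
# first thing to question in the review.
$flagged | Group-Object Role |
    Select-Object @{ n = 'Role'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Run Part A across a sample of endpoints (for example through your management tooling) and Part B once per tenant; the two lists together are the starting point for the removal conversation, and repeating them on a schedule shows whether rights creep back.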

Organizations may also consider cloud access security broker (CASB) systems, which enable visibility and control into how users access cloud services like Microsoft 365 — including which files and data those users share. Microsoft does offer a native CASB service. But organizations may wish to select a third-party CASB that is built into a broader Zero Trust platform, allowing for integrations with other Zero Trust services and applying a separate body of threat intelligence to their security posture.

Minimizing the effects on efficiency

Organizations often adopt Microsoft 365 to improve overall team productivity and technological efficiency. As such, those organizations may well wonder whether the aforementioned recommendations will add onerous steps to their users’ workday, slow down their Internet usage, or prevent them from using some applications altogether.

Relying solely on Microsoft’s centralized native security may seem like the most efficient approach. But the right supplementary services will close lingering gaps without hurting efficiency. Organizations should look for security services offering:

Together, these qualities give organizations and their employees flexibility, strong network performance, and significantly ease the process of security modernization.

The road forward

Cloudflare offers many of the aforementioned security capabilities as part of its broader Zero Trust security services, including cloud email security, email link isolation, a cloud access security broker, and integrations with MFA providers.

But, as discussed, supplementing Microsoft 365’s native security also requires a laser focus on preserving efficiency. Cloudflare is uniquely architected to deliver this efficiency, thanks to:

  • A highly interconnected network that sits within milliseconds of about 95% of Internet users, ensuring that workforces anywhere retain fast, direct access to Microsoft servers.

  • A homogeneous network fabric in which every security service can run anywhere, ensuring that traffic passing through Cloudflare doesn’t suffer from added latency.

  • A strong partnership with Microsoft, which ensures Cloudflare security services integrate seamlessly with Microsoft 365 tools.

Learn more about Cloudflare Zero Trust to explore how our unique architecture makes security and business efficiency go hand-in-hand.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Microsoft and Microsoft 365 are trademarks of the Microsoft group of companies.

Key takeaways

After reading this article you will be able to understand:

  • Microsoft 365’s native security protections

  • Microsoft’s shared responsibility model

  • Strategies for supplementing Microsoft 365’s security foundation without compromising employee efficiency

Related resources

Dive deeper into this topic.

Learn more about implementing Zero Trust security for all kinds of cloud services in, A Roadmap to Zero Trust Architecture.
