Companies that use Office 365 as a cloud solution can run into security problems if they have booked the ‘wrong’ license plan. Microsoft retains audit log data for a different period (90 days or one year) depending on the subscription, and that becomes a real problem when an attack on Office 365 is only noticed late.
For many IT decision-makers, the cloud is currently the panacea: have the IT infrastructure provided by a third party, and then you ‘only have to worry about the software that runs in the cloud’. Microsoft offers cloud solutions with Azure and Office 365, and its sales team never tires of praising the many great advantages.
Careful what you subscribe to
Microsoft’s customers can choose between several subscription plans for Office 365. There are Office 365 E3 and Microsoft 365 E3 plans, and there are Office 365 E5 and Microsoft 365 E5 subscriptions. At first glance you might only notice the price difference. But the choice of subscription has interesting implications that I came across in the following German tweet in connection with Microsoft Office.
— Datenschutz Aktuell (@DSAgentur) March 3, 2020
It says: Microsoft Office Cloud: IT security is a licensing issue. In the linked article, the German site Datenschutz Aktuell discusses the fact that IT security depends on the chosen Office 365 plan.
The Problem: Security incident in Office 365
Security incidents in which an Office 365 account is compromised by attackers, for example via spear phishing, happen all the time. The attackers use a fake login page, often hosted on a hijacked server, to phish the credentials of an Azure or Microsoft 365 account.
The user’s first logon attempt is recorded by the attackers and rejected with a fake error message. The user then re-enters the credentials, and the attackers can verify them by comparing the two entries. If the phishing attempt succeeds, the attacker can, depending on the account, pull contact data or search and read the victim’s Office 365 mail. In addition, the Exchange Online account and Outlook can be misused to send mail in the victim’s name. With Azure accounts, even more abuse is possible. And if the accounts are tied to an on-premises Active Directory, so that the same credentials are valid there, attackers may also be able to move around the corporate network.
Audits based on log files become impossible
Now we come to the core problem: if an Office 365 account has been compromised, security experts have to find out when this happened, how it happened and which data was accessed. Forensic analysts do this by looking at the log files of the systems involved. So far so good.
And this is where cloud users run into serious trouble. Microsoft offers a unified audit log in Office 365. Once auditing is enabled, the log can be searched for mailbox usage, user logins, administrative activities and so on, which is exactly what a forensics expert needs to handle a security incident. The crux of the matter, however, is that the retention period of these log records depends on the Office 365 plan:
- 90 days for Office 365 E3 and Microsoft 365 E3 plans
- 365 days for Office 365 E5 and Microsoft 365 E5 plans
If you are now hit by a security incident and have an E3 plan for Office 365 or Microsoft 365, you really need to hurry. If the compromise happened more than three months before it is discovered (and it frequently does), the cloud audit log holds no data for the account any more, and the hack can no longer be reconstructed via this channel. Two caveats for practitioners: the retention clock only matters if auditing was enabled before the incident, since nothing is recorded otherwise; and the retention period is a cloud-side limit, so the only way to keep the evidence longer on an E3 plan is to export the audit log regularly to storage you control.
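As an added example (it is not code from the original article, from Datenschutz Aktuell or from Microsoft), the following PowerShell script does what an E3 customer has to do before the 90 days run out: it checks that unified audit logging is switched on, pulls the audit records for one user across the whole retention window of the plan, saves the raw records to a local file that the cloud retention cannot delete, and runs a first triage on sign-in IPs and inbox-rule changes. It assumes the ExchangeOnlineManagement module is installed, the signed-in admin holds an audit-log role, and the investigated user is the placeholder alice@contoso.example; the 90/365-day values are the plan retention periods named above.

```powershell
# Added example, not code from the original article or from Microsoft.
# Exports the unified audit log for one user over the plan's retention window
# and writes the raw records to a local file that outlives the 90-day (E3) or
# 365-day (E5) cloud retention.
# Assumptions (placeholders, not from the article): ExchangeOnlineManagement
# module installed, admin holds the "View-Only Audit Logs" role, investigated
# user is alice@contoso.example.
param(
    [string]$UserId        = 'alice@contoso.example',   # placeholder UPN
    [int]   $RetentionDays = 90,                         # 90 = E3 plans, 365 = E5 plans
    [string]$OutFile       = '.\audit-export.jsonl'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Retention is irrelevant if ingestion was never switched on: then nothing was recorded.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is off. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# Oldest searchable point for this plan; anything earlier is gone on the cloud side.
$end   = Get-Date
$start = $end.AddDays(-$RetentionDays)
Write-Host "Searchable window for a $RetentionDays-day plan: $start .. $end"

# Operations worth keeping for a phished mailbox: sign-ins, mailbox logons and
# the inbox-rule / delegation changes attackers use for persistence.
$ops = 'UserLoggedIn','UserLoginFailed','MailboxLogin',
       'New-InboxRule','Set-InboxRule','UpdateInboxRules',
       'Add-MailboxPermission','Set-Mailbox'

function Get-AuditSlice {
    # One call returns at most 5000 records, so page with a session id
    # (ReturnLargeSet) until the service returns an empty page.
    param([datetime]$From, [datetime]$To)
    $session = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $From -EndDate $To -UserIds $UserId `
                    -Operations $ops -ResultSize 5000 `
                    -SessionId $session -SessionCommand ReturnLargeSet
        if ($page) { $page }
    } while ($page)
}

# Walk the window in 30-day slices so no single paged session grows too large.
$records = @()
$cursor  = $start
while ($cursor -lt $end) {
    $sliceEnd = $cursor.AddDays(30)
    if ($sliceEnd -gt $end) { $sliceEnd = $end }
    $records += @(Get-AuditSlice -From $cursor -To $sliceEnd)
    $cursor = $sliceEnd
}

# AuditData is the JSON payload of each record; one record per line is easy to
# re-import into a SIEM later. This file is the copy that outlives the plan's retention.
$records | ForEach-Object { $_.AuditData } | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "$($records.Count) records written to $OutFile"

# First triage on the exported data: which client IPs signed in, and were any
# inbox rules created or changed (a classic sign of a phished mailbox).
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$events | Where-Object { $_.Operation -in 'UserLoggedIn','UserLoginFailed' } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$events | Where-Object { $_.Operation -in 'New-InboxRule','Set-InboxRule','UpdateInboxRules' } |
    Format-Table CreationTime, Operation, ClientIP -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

On an E3 tenant, run this (or an equivalent export for all users) on a schedule shorter than 90 days, e.g. monthly, so that a rolling copy of the evidence exists before the cloud side drops it. Note that a paged ReturnLargeSet session is capped at 50,000 results by the service, which is why the script slices the window instead of issuing one large query.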
Anyone who is affected by this problem or interested in the details should read the German-language article here. While writing this article I remembered my German article Sicherheitsinfos (25.2.2020). There, in the section Microsoft Office 365 patzt beim Schutz vor Emotet, I had outlined that most Office 365 versions ignore Group Policy defaults when switching from a local Office installation to Office 365, without reporting this.
This episode shows me once again that moving to the cloud hangs a ‘sword of Damocles’ over every IT professional. The idea that managers can save on staff and skills by ‘outsourcing to a cloud provider’ turns out to be a fata morgana that lasts right up to the first incident and can then quickly end in disaster. The many security incidents of recent times, including data in the cloud, speak for themselves – or what do you think?