It’s Monday morning and your inbox is full. You grab a fresh cup of coffee and begin to work your way through them. About halfway through your inbox, you find a Microsoft email telling you a message can’t be transcribed. further, the email provides a phone number and a message length with a link to the message. You click on the link and the Microsoft Office 365 portal displays, where you enter your 365 credentials without 2FA or SSO.
Unfortunately, the email that looked like an Office 365 message was part of a phishing attack. Cybercriminals have become proficient in creating emails that mimic Office 365. They even use Microsoft logos for authenticity. Then, these emails ask the end-user to click on a link that directs the user to what appears to be the Microsoft Office 365 portal. The portal is a phishing site that captures your 365 credentials the moment they are entered.
In the world of cybercrime, phishing has been around for a long time. Remember the emails from Nigeria? Today’s hackers are more sophisticated. Indeed, they can mimic a legitimate sender such as FedEx or Amazon with enough skill that it is hard to tell that the email isn’t authentic.
According to a 2109 report on phishing, 25% of phishing emails bypassed Office 365 security. That means Office is only 75% effective in identifying and blocking phishing attacks. Of the phishing attacks, about 40% were attempting to steal credentials, and 50% were deploying malware. If you’re counting on Microsoft’s security to stop phishing emails, you’ll be wrong 25% of the time.
Two Factor Authentication (2FA)
What can you do to prevent a successful phishing attack? In the case of Office 365, enable the 2FA option. Once 2FA is enabled, two forms of authentication are needed to access Office. Microsoft uses a one-time code as the second form of authentication, but 2FA can include biometrics, physical security keys, or SMS and email authentication. If more than two identifying pieces of data are required, the solution is a multi-factor authentication process (MFA) and not a 2FA.
After 2FA is in place, Office will require your username and password. It will then send a one-time code to your phone or email address. The code is entered as the second form of authentication. Generating a different code at sign-on makes it difficult for hackers to steal your Office credentials. Microsoft is only one of many companies to use 2FA to reduce the odds of a credential compromise.
Single Sign-On (SSO)
Single sign-on (SSO) allows the user to enter a digital identity that is used across multiple domains. In a work environment, you only log on once to access multiple applications. When you use your Google or Facebook credentials to log on to a social media site, you are using SSO. Behind the scenes, the social media site is asking Google or Facebook for authentication based on your Google or Facebook credentials.
Although SSO makes it easier for users to manage and remember their credentials, the single sign-on is really about security. When you log into an application, you provide hackers with another opportunity to capture your credentials. Thus, the fewer times your digital identity is exposed, the lower the chances of being hacked.
If you are like most people, you have more password than you can remember, or you use the same password for everything. Neither option works. First, if you have too many passwords, you are always resetting them. Second, if you use the same password for everything, you’re a hacker’s best friend.
You can use applications to store your passwords, so you don’t have to remember or reset them, but what about the one-time codes of 2FA?
The Myki Password Manager and Authenticator simplifies the process of 2FA. Myki holds the 2FA tokens and enters them alongside your username and password. This solution creates securely stored information on a Myki-enabled device. PC Magazine recognized Myki as its Editor’s Choice for Password Managers in 2019. That’s why we use Myki as part of our Managed IT Services. Contact us to learn more about our Managed Services.