It’s on the evening news, in your social media, in nearly every vendor presentation you attend, and the theme of most large IT conferences – security. And the security threats to M365 have never been larger. Luckily, Hornetsecurity’s Cyber Security Report 2024 is now out and contains cutting-edge research on the most critical M365 security.

In this article, we’ll look at the main takeaways and cyber risk management steps you should implement in your tenant to combat email threats and reduce your chances of ending up on front page news (for the wrong reasons).

If you’re in a large corporation with supportive executives and a clear mandate to improve your cyber resilience, you probably know exactly what steps you need to take. For the rest of us, whether you’re in a large or small business, the huge wave of security advice for the cyber threat landscape can be hard to surf (apologies for the Aussie reference). What do you do first? What’s going to give you the most resilience against cybersecurity threats?

Here are the four major takeaways from the Cyber Security Report 2024.

Email threats – still the primary vector

Let’s start by looking at different types of email security threats. Regular spam entices you to buy something, and then there’s phishing. This type of attack relies on social engineering to trick the user into clicking on a link, entering their username and password into a fake login page, or opening an attachment they shouldn’t. Variants include smishing in SMS/text messages, vishing in voice messages or calls, and spear phishing, a specially crafted, targeted email threat that lures specifically for particular recipients.

Another type of email security threat, which poses a significant risk to businesses, is Business Email Compromise (BEC), which also relies on social engineering to trick users, but here, the criminal is inserting themselves into a legitimate email conversation thread and (for example) at the right time, sends an email advising that a bank account number has changed for the upcoming transaction, of course leading to the criminal’s bank account. 

Spoofing is often a part of these attacks where the email looks like it’s coming from a trusted or known sender, but there are slight changes to domain names or sender display names that’ll fool a casual observer. Overall estimates (criminals don’t submit financial reports) say that BEC losses worldwide are actually outstripping ransomware costs.

The final category of email threats is malware delivery, either directly as an attachment or tricking the user into clicking a link to download the malware, often leading to system compromise.

Here’s an example of an email threat malware attack, covered in depth in the Cyber Security Report 2024.

A Growing Industry

The days of a group of hackers performing every step of a compromise are long gone. Today, the cybercriminal marketplace has evolved into specialization, where each group completes a single step and then sells that to the highest bidder. So, you don’t write your own access tools; someone else does, and you buy it from them (or rent, and they take a cut from your “earnings”). You also procure a ransomware kit from someone else. 

Perhaps you buy access to a victim organization from an Initial Access Broker (IAB). In this gig economy of criminality, you don’t get the whole pie for yourself, but the overall efficiency is improved because everyone is focused on their link in the chain. And the barrier to entry is lowered considerably, inviting more players into this burgeoning “industry” of data breaches.

Also, with the move to “big game” ransomware attacks where payouts in millions of dollars aren’t unheard of, expect the criminals to do their homework on sites such as LinkedIn and ZoomInfo – they’ll know exactly what you can afford to pay once they spring their trap. And they’ll focus on targets most likely to pay, such as hospitals and critical infrastructure, whose function in society will increase the pressure to pay. Some are even state-sponsored ransomware attacks, which are generally harder to defend against.

IABs has a few different ways to gain access to your organization. They might buy credentials from a data breach and try matching emails/passwords against your Microsoft 365 tenant; it’s no secret that most users re-use their “favorite” password across personal and business accounts. Your best protection here is MFA – preferably a phishing-resistant flavor such as FIDO2 key or Windows Hello for Business. Also, block commonly used passwords using Password Protection in Azure AD / Active Directory.

But as the report reveals, the preferred way of compromising patient zero is through Phishing. Nearly 5% of all emails in our data (25 billion emails over the year) are classified as malicious, and 40% of attacks involving emails are phishing. Send a specially crafted email to the user with an enticing attachment or an important-looking link in the email itself, and wait for the users to do your work for you. Once they enter the credentials on a fake Microsoft 365 login page (this is why you should customize backgrounds and logos so that users are more likely to stop and think when the login page doesn’t look familiar) or open the malware-laden attachment, it usually only takes minutes before the criminals use the access.

By now, it should be obvious that you need a strong and easy-to-use email hygiene solution to keep your organization and your sensitive data safe from cybersecurity threats such as 365 Total Protection. But technology alone isn’t enough to combat email threats; you need to improve your “human firewalls” by training your users, another conclusion we made in the Cyber Security Report 2023. 

The combination of well-trained people, secure processes (call to check with the person in the other company whenever a bank account number is altered, for example), and technology creates a cyber-resilient business. You can’t combat many cyber threats individually, but you can increase your organization’s overall security defenses by combining people, processes, and technology.

We also found that brand impersonation is very common in email threats. Users are much more likely to fall for a phishing attack if the email looks legitimate, with all the right logos and text. Cyber security vulnerabilities aren’t just about technical flaws; they’re just as much about psychology and creating the right approach and culture to manage cyber risk.

Beyond Email Threats

A growing attack vector is phishing and other cybersecurity threats spreading beyond emails. The mantra for years (in the Microsoft world) has been to move internal and external collaboration into Microsoft Teams. We see attacks increasing, particularly as it’s getting easier to collaborate with users outside your business in Teams.

Speaking of Teams, we also noted that the desktop app itself has some security implications as it runs as an Electron app and recommends that users stick with the web version instead, as all of the modern security enhancements in browsers protect you.

A worrying trend is the shortening of exploit timelines. The gap between a cyber security vulnerability being publicly disclosed and attacks against your users and system has shortened considerably in the last few years. This increases the pressure on already strained security teams to prioritize the right systems to patch based on the level of cyber risk in your particular context. A hospital or a school will have different systems and priorities compared to a critical infrastructure provider, which will affect their security posture.

Another interesting finding in the report was the impression some IT staff have that “if it’s in the cloud, it’s secure.” Nearly 25% of staff were either unsure or thought that Microsoft 365 was immune to ransomware attacks, which it’s not. In the shared responsibility model from Microsoft (and any other cloud provider), you are responsible for your data, endpoints, and identity governance as part of your overall cyber risk management. A good backup solution for Microsoft 365 (including Teams data) is a must to protect against data loss and ransomware.

A Strong Defense

There are several layers in protecting against email security threats. For any email system, ensure that your Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) DNS records are in place and correct. Collectively, these records help your email hygiene solutions to spot incoming spam and filter out phishing scams and spoofed email threats.

A good email hygiene solution should integrate seamlessly with Exchange Online. For any email threat that does slip through, frequent and easy-to-digest user awareness training and simulated phishing attacks increase the resiliency of your end users against falling for the threat actor’s tricks.

Finally, if an email threat gets through these layers and starts a compromise or attack, a good backup solution for all your critical data gives you a way to recover, should it be necessary.

Read the Full Report

In this article, we’ve only scratched the surface of the Cyber Security Report 2024 and what you should do about email security threats to increase your security posture. The full report goes deep into the statistics cyber risk, and also covers other predictions and advice for time-poor IT and security staff. Enjoy reading it!

The post Email Threats Have Never Been Bigger – 4 Key Cyber Security Report Findings appeared first on Altaro DOJO | Microsoft 365.

When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in Outlook’s Deleted Items folder, but how can you recover what has undergone “permanent” deletion? This article reviews how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Deleted Email Recovery in Microsoft And Office 365

Email Recovery for Outlook in Exchange Online through Microsoft and Office can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover? First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think! In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. How you recover an email and how long you must do so depends on the email’s delete status and the applicable retention policy. Let’s walk through the following graphic and talk about how email gets from one state to another, the default policies, how to recover deleted emails in each state, and a few tips along the way.

Items vs. Email

Outlook is all about email, yet it also has tasks, contacts, calendar events, and other types of information. For example, just like email, you can delete calendar entries and may be called on to recover them. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, referring to “items” rather than limiting the discussion to just email is common.

Policy

Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email

When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted emails? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done! If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message: If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!

If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically. Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below.   As a result, it’s a good idea to search the Archives Inbox if it is present when searching for older messages. Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window: If enabled, Outlook empties the Deleted Items when closed. The deleted email then moves to the ‘soft-delete’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email

The next stage in the process is Soft-Deleted. Soft-deleted emails are in the Deleted-Items folder but is still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted. You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account, and you could get charged for overages.

How items become soft-deleted

There are three ways to soft-delete mail or other Outlook items.

1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete.’
2. Pressing Shift + Delete on an email in your Outlook Inbox will bring up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes will remove the email from the Deleted-Items folder but only perform a soft delete. You can still recover the item if you do so within the 14-day retention period.

3. The final way items can be soft-deleted is by using Outlook policies or rules. By default, no policies will automatically remove mail from the Deleted-Items folder in Outlook. However, users can create rules that ‘permanently’ (soft-delete) email. If you’re troubleshooting missing emails, have the user check for such rules, as shown below. You can click Rules on the Home menu and examine any created rules in the Rules Wizard below.

Note that the caution is a bit misleading as the rule’s action will soft-delete the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail

You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for “Recover items recently removed from this folder“ at the top of the mail column or the “Recover Deleted Items from Server” action on the Home menu bar. Clicking on the recover items link opens the Recover Deleted Items window. Click on the items you want to recover or Select All, and click OK. NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox. If the email you’re looking for is not listed, it could have moved to the next stage: ‘Hard-Deleted.’ While users can recover soft-deleted emails, Administrators can also recover soft-deleted emails on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Also, Microsoft has created two PowerShell commands that are very useful in this process for those who would rather script the tasks. You can search and restore soft-deleted emails using the Get-RecoverableItems and Restore-RecoverableItems cmdlets.

Hard-Deleted Email

The next stage for deletion is ‘Hard Delete.’ Technically, items are hard-deleted when items are moved from the Recoverable folder to the Purges folder in Exchange Online. Administrators can still recover items in the folder with the recovery period set by policy which ranges from 14 (the default) to 30 (the maximum). You can extend the retention beyond 30 days by placing legal or litigation hold on the item or mailbox.

How items become Hard-Deleted

There are two ways content becomes hard-deleted.

1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del results in a soft delete, not a hard delete.)

Recovering Hard-Deleted Mail

Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email. Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:

1. Assign the required permissions
2. Search the Inbox for the missing email
3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
4. Export the results to a PST file.
5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder.

Last Chance Recovery

Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?

Outlook does allow a user to export an email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export” as shown below. You can specify what you want to export and even protect the file with a password. While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a possible backup and recovery solution.

Alternative Strategies

After reading this, you may be thinking, “Isn’t there an easier way?” A service like Altaro Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover mail from a month ago can be a lifesaver.

Before We Go

As you can see, it’s become abundantly clear that having a robust recovery strategy is not just an option but a necessity. Below are compelling arguments to illustrate why a well-structured recovery strategy is pivotal in the realm of email management in Microsoft 365:

• Unexpected Deletions are Inevitable: Accidental deletions are more common than one might think. Whether it’s the CEO or a new intern, anyone can mistakenly delete crucial emails. A recovery strategy ensures these accidents don’t turn into crises.

• Compliance with Legal and Regulatory Requirements: Many industries are governed by stringent laws and regulations that mandate the retention of electronic communications, including emails, for specific periods. Having a recovery strategy in place ensures compliance with these legal obligations, thus avoiding potential legal ramifications and hefty fines.

• Protecting Against Malicious Activities: Cyber threats are increasingly sophisticated, with emails often being the main target of malicious actors. An effective recovery strategy can be the difference between quickly restoring lost data and suffering prolonged downtime or permanent data loss.

• Mitigating the Impact of Technical Failures: Technical glitches, system crashes, or server issues can lead to loss of email data. A recovery strategy ensures that you have backups and processes in place to restore lost emails, thereby minimizing operational disruptions.

• Maintaining Business Continuity: Emails are often the lifeline of business communications. Loss of access to important emails can halt decision-making processes and project workflows. A sound recovery strategy maintains business continuity, ensuring that email data is always accessible, even in the event of accidental or malicious deletions.

• Safeguarding Intellectual Property and Sensitive Information: Emails often contain proprietary information, trade secrets, and sensitive data. Loss of such emails not only affects business operations but can also lead to competitive disadvantages and breaches of confidentiality. A robust recovery strategy protects this vital information.

• Ease of Administration and Time Efficiency: Time is of the essence in business. A recovery strategy streamlines retrieving deleted emails, saving valuable administrative time and effort that might otherwise be spent navigating complex recovery processes.
• Cost-Effectiveness in the Long Run: While setting up a recovery strategy might seem like an upfront investment, it is cost-effective in the long run. It mitigates the risks of losing crucial business information, spending on legal battles due to non-compliance, or losing business due to operational delays.

• Reinforcing User Confidence: Knowing there is a safety net for email recovery enhances user confidence in using the email system. Users are more likely to utilize the system effectively and without fear of irreversible mistakes.

• Adaptability to Organizational Changes: As your organization evolves, so do your communication needs and practices. A flexible recovery strategy can adapt to these changes, ensuring that email recovery processes remain efficient and relevant.

The importance of a well-considered recovery strategy for Microsoft 365 cannot be overstated. It’s a critical component of modern business practices, ensuring your organization’s email communications remain resilient, compliant, and efficient. Remember, it’s not just about recovering a lost email; it’s about preserving the integrity and continuity of your entire business operation.

Summary

Users can recover most deleted emails without administrator intervention. Often, deleted emails simply sit in the deleted folder until manually cleared. When that occurs, email enters the ‘soft-deleted stage’ and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, the email should be considered uncoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. Using a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup, is always a great idea.

The post How to Recover Deleted Emails in Microsoft 365 appeared first on Altaro DOJO | Microsoft 365.

Spurned on by the onset of the global pandemic, since the beginning of 2020, organizations worldwide have been aggressively migrating to cloud Software-as-a-Service (SaaS) offerings. As a result, the business workforce is now more hybrid than ever before. The modern distributed workforce is often comprised of employees from all over the world. This article

Microsoft 365, together with Microsoft Teams, has become wildly popular among businesses. As organizations look for modern productivity, communication, and collaboration, Microsoft Teams has many great features that allow enterprises to empower remote workers with the tools needed.

What is Microsoft Teams?

Microsoft Teams is a communication and collaboration app that allows distributed team members to stay organized, have conversations, and share resources in a single location. It has become wildly popular with businesses, especially since the onset of the global pandemic. Microsoft has touted the platform has surpassed 250 million monthly active users.

Microsoft Teams has over 250 million monthly active users

In Teams, users can see an easy listing of all the teams they are a part of, along with the various channels found in each team. Channels can be built based on topic, department, or other purpose needed by team members. In channels, team members can have conversations, hold meetings, and share files.

Microsoft Teams enables collaboration and productivity

You can think about Microsoft Teams as the central location for communication and collaboration for team members. It allows organizations to consolidate many smaller applications used for bits and pieces of functionality and consolidate these with the functionality provided by Teams. These capabilities may include:

• Chat

• Voice calls

• Video conferencing

• File sharing

• Shared calendars

• Internal Wikis

• Others

Even with the app consolidation and streamlined collaboration and communication platform provided by Microsoft Teams, organizations may begin to find it challenging to manage and control the use of Teams across their organization. As a result, businesses need to have a plan to enforce Teams governance and security

What is Teams Governance and Why is it Important?

A tremendously important requirement for businesses today is governance. With today’s compliance and security requirements, organizations must have a standardized way of ensuring their processes and procedures align with the business’s overall objectives. This structured or formal framework is known as IT governance.

With IT governance in place, companies can meet business goals and legal obligations and mitigate risks associated with security concerns. Without governance measures in place, the opposite is true. As a result, businesses open themselves up to compliance issues, data leak risks, and other major security concerns.

Microsoft Teams is a robust collaboration and communication platform that allows businesses to move into the modern era of cloud-centric productivity applications. However, with Teams, governance issues can quickly arise. As businesses begin using Microsoft Teams, several questions need to be considered, including:

• Who can create Teams?

• Who is allowed to invite people to become part of a Microsoft Team?

• Do you allow external users to connect with internal users?

• How do you avoid Microsoft Teams sprawl?

• How are “stale” Teams and channels controlled?

• How is data retained?

• How do you audit Teams content and provide reporting?

• How do you provide security guardrails around end-user activities in Microsoft Teams?

As you can tell by the questions listed above, businesses must think about the management and technical details of Teams day-to-day operations and how Teams activities and data align with the established overall governance policies decided upon by the business.

When Microsoft Teams governance is not in place, several challenges and issues can develop quickly. What are some of these?

• Informal processes emerge – With little or no governance in place, informal processes and procedures may emerge that may not be consistent or align with governance objectives decided upon by the business.

• Slow adoption – With additional challenges as a result of poor implementation of Microsoft Teams due to little or no governance, end-users in the organization may be slow to adopt Teams, causing issues with collaboration, communication, and overall productivity.

• Exaggerated IT tickets – Governance helps to make sure processes and procedures are carried out in a particular way. When these guardrails are not in place, IT tickets often show a dramatic uptick.

• Shadow IT issues – A lack of governance usually leads to lax security policies and protections in place. It can lead to shadow IT development in the organization where end-users are using and integrating unsanctioned solutions into the cloud SaaS environment.

• Inconsistent processes between departments – Inconsistent policies, processes, and workflows can develop between departments, exacerbating confusion, inconsistency, and overall direction.

• Compliance issues – A lack of governance when using Microsoft Teams can lead to compliance issues, which can lead to serious fines and other penalties.

Microsoft Teams Security Configurations

In terms of security, Microsoft has designed Teams focusing on security. Many built-in mechanisms help to ensure Teams is trustworthy by design and by default. What security components has Microsoft built into Teams? It provides the following security protection by default:

1. Strong PKI features – Microsoft has designed Teams with strong PKI features. It is built on top of the PKI infrastructure found in Windows Server. It includes key data exchange over TLS connections.
2. Denial-of-service protection – Attackers can carry out denial-of-service attacks on networks as a scheme for extortion. Teams helps to mitigate denial-of-service attacks using Azure DDOS network protection and client access throttling with AI-backed intelligence.
3. Eavesdropping protection – With Teams mutual TLS server communication architecture and TLS from clients to the service, it is extremely difficult for attackers to carry out an eavesdropping attack.
4. Identity spoofing protection – Microsoft Teams encrypts all traffic using TLS. This encryption helps to prevent an attacker from performing IP address spoofing on a specific connection. In addition, the certificate authentication used by Teams also makes it difficult to spoof the address of the domain name system (DNS) server.
5. Protection against man-in-the-middle attacks – Teams use SRTP to encrypt media streams in Microsoft Teams. After cryptographic keys are negotiated between two endpoints, then secure communication begins.
6. Real-time Transport Protocol (RTP) replay attack protection – Teams’ SRTP-enabled secure signaling protects transmissions from replay attacks.
7. Spim protection – Teams protect against instant messaging SPAM by providing the ability to block messages from senders as well as disable federation from partner connections with Teams.
8. Protection against viruses and worms – Teams work in harmony with standard client security best practices such as virus scanning and next-generation endpoint protection, leveraging AI-based threat intelligence.

Let’s take a look at Microsoft Teams security configurations that help to minimize cybersecurity threats to your business-critical data. The core of Microsoft Teams security revolves around key areas of the architecture:

1. Azure Active Directory
2. TLS and MTLS security protocols
3. Encryption
4. User and client authentication
5. Customer ownership of security

1. Azure Active Directory

Microsoft Teams uses Azure Active Directory (Azure AD) as the identity source for user accounts and authorization. Azure AD stores the account information and policy assignments used by Microsoft 365 and Office 365. In addition, Azure Active Directory enables security filtering and other solutions to be identity-based.

2. TLS and MTLS security protocols

Microsoft Teams secure communication is built on top of both TLS (Transport Layer Security) and MTLS (Mutual Transport Layer Security) protocols. These protocols provide encrypted communications and endpoint authentication on the Internet. These two security protocols are used to establish secure, trusted communication between end-users and Microsoft Teams services.

TLS handles user authentication to connect to Teams servers. The client requests a valid certificate from the Teams server. Upon verifying the certificate is valid, the client uses the public key in the certificate to encrypt the symmetric encryption keys to be used for communication. Then, the valid certificate owner (Teams) uses the private key of the certificate (only known to Teams) to decrypt the communication.

Microsoft Teams server-to-server communication relies on MTLS. All communication between servers relies on the exchange of security certificates between the servers. The certificates prove the identity of each server in the communication. Both of these security protocols are essential in preventing eavesdropping and man-in-the-middle attacks.

3. Encryption

Encryption is a vital security layer to protect the contents of your data. Encryption ensures the information contained in business-critical data is unreadable to unauthorized users. Microsoft Teams uses multiple layers of encryption to secure your data. Microsoft Teams data is encrypted in transit and at rest in Microsoft data centers.

Microsoft also uses TLS and SRTP to encrypt all data in transit between users’ devices and Microsoft data centers and between data centers.

We mentioned the MTLS encryption in server-to-server communications. Media, such as call flows, are encrypted using Secure RTP (SRTP). It provides confidentiality, authentication, and replay attack protection for RTP traffic. To protect against man-in-the-middle attacks, Teams uses a 20-digit security code from SHA-256 thumbprints of the callers’ and callees’ endpoint call certificates.

4. User and client authentication

Going back to Azure AD, trusted users are users who have credentials validated using Azure Active Directory in Microsoft 365 or Office 365. Authentication provisions the user credentials to a trusted server or service. Microsoft uses a specific implementation of OAuth 2.0 for client-to-server communications called Modern Authentication (MA).

User and client authentication is carried out using Azure AD and OAuth. Clients’ requests to the server are authenticated and then authorized using Azure AD and OAuth 2.0 (MA). Only users with valid credentials are trusted and pass through the same process that scrutinizes native users.

5. Customer ownership of security

Microsoft cloud SaaS services, like other hyper-scale cloud service providers, operate on a shared responsibility model. It means that you, as the customer, are ultimately responsible for your data and its security. Note the published shared responsibility model from Microsoft regarding the various levels of responsibility for cloud data:

Microsoft shared responsibility model

As shown in the infographic above, the customer always retains the responsibility for information and data, devices (mobile and PCs), and accounts and identities. This underscores the importance of enforcing strong cybersecurity hygiene for end-users, accounts, and devices used to access Microsoft Teams and other Microsoft cloud infrastructure.

Even with the built-in cybersecurity layers in Microsoft Teams, as mentioned above, there must be additional “people and processes” security protections in place. Organizations must do their due diligence to ensure users receive the appropriate security training and decide how to secure end-user devices that access Microsoft Teams.

This ownership of information and data also means organizations must take data backups of their Microsoft Teams data into their own hands and ensure they have a way to recover from data loss.

Microsoft Teams Security Issues

Along with governance issues commonly encountered with Microsoft Teams, security is a critical area that must be given attention when deploying Microsoft Teams. Teams allow end-users to easily collaborate, share data, communicate, and even connect with users who may exist outside the organization. Today, data is arguably the most valuable possession of businesses and must be closely protected.

The consequences can be disastrous if an organization’s precious digital assets fall into the wrong hands. Malicious threat actors continually seek ways to compromise organizational data through ransomware, data leaks, and other malicious activities.

As a result, business leaders and other key stakeholders must ensure any solution, including Microsoft Teams, is properly secured and has the necessary policies to protect their data from any number of threats. What top security threats are important to consider with Microsoft Teams?

1. Guest users
2. Access from unmanaged devices or untrusted locations
3. Malware
4. Data leak
5. No backups

Take note of these other Microsoft 365 security questions answered: Your Office/Microsoft 365 Security Questions Answered (altaro.com)

1. Guest users

Following the standard capabilities of the cloud SaaS operating model, Microsoft Teams allows end-users to easily collaborate with others, even users who are external to the organization, guest users. For example, users may find it helpful to add external users such as vendors, customers, contractors, or others who may request access to documents, file resources, chat threads, or Teams channels to communicate directly with those needed in various conversations.

While adding external users to the environment may benefit effective communication, data security must take precedence. As part of the business’s governance policies, administrators can either enable or disable guest access, preventing guests outside the organization from accessing.

2. Access from unmanaged devices or untrusted locations

One aspect of cloud SaaS applications that provide flexibility and ease of access is using any device to access the sanctioned business environment. Some organizations may even allow employees to use “bring your own” (BYO) devices to access Microsoft Teams.

Again, this is a decision that the business must make. However, allowing access from unmanaged devices or untrusted locations can lead to elevated security risks and increased threats resulting from potentially suspect devices with existing security vulnerabilities, malware, or other concerns.

3. Malware

The recent attacks on Colonial Pipeline and JBS, a meat processing supplier, help to illustrate just how damaging a ransomware attack can be to an organization. In addition, ransomware attacks that target critical services lead to real-world fallout with disrupted services and other consequences. In the case of the Colonial Pipeline attack, it led to weeks of fuel shortages in the Eastern seaboard of the United States.

Modern ransomware is becoming more “cloud-aware,” targeting cloud OAuth permissions with malicious applications integrated into cloud SaaS services, including Microsoft Teams. Ransomware today also uses the threat of data leak and data encryption to extort money from organizations.

Administrators must ensure proper security in their cloud SaaS environments, including Microsoft Teams, to help minimize the risk of a ransomware attack. Additionally, controlling third-party applications and other integrations is necessary.

4. Data leak

Data leaks can be extremely devastating to businesses. A data leak event can cost companies millions of dollars and lead to many intangible costs and damages such as lost customer confidence and damaged business reputation. In addition, a data leak can quickly happen if end-users can share data easily with those outside the organization, such as guest users.

As noted above, data leak threats are commonly used as threat tactics to force organizations to pay the ransom demanded when they fall victim to a ransomware attack. Disabling external sharing and introducing protections against ransomware and OAuth abuse can help to minimize this threat.

5. No backups

Data protection, consisting of backups, is considered one of the most basic forms of security. Unfortunately, many businesses assume their data is automatically backed up when located in the cloud. While cloud service providers do have basic mechanisms to provide limited rollbacks, these do not cover all forms of data loss.

Ransomware and accidental data deletion are two of the most common risks to data loss in the enterprise today. Therefore, using a third-party backup solution to back up your Microsoft Teams data is extremely important. Using a third-party solution allows for meeting the best practices outlined in the 3-2-1 backup best practice rule, with multiple data copies, offsite storage, and other features.

What is Teams sprawl and why does it happen?

One of the advantages of using Microsoft Teams to empower users is they have the freedom to collaborate and communicate with fellow teammates and others, which nurtures a natural workflow of creativity and productivity. However, when users are given the freedom to use Teams without any policies or other guardrails, users can create many different Teams on-demand and without supervision.

It reminds us of the explosion of virtualized environments where new virtual machines could be provisioned with reckless abandon. For example, in the early stages of virtualized environments, organizations might have hundreds of VMs provisioned, with little or no purpose, management, or security protections in place.

The same basic challenge exists with Microsoft Teams without the proper protections in place. Teams sprawl can happen due to the following reasons:

• Multiple teams are created in the POC and testing phase – All too often, deployments of solutions such as Microsoft Teams transition from POC and testing into production without any real organization or forethought. This leads to disjointed, confusing, and unnecessary Teams and channels.

• Multiple teams can be created on the same subject, topic, or project – A common culprit behind Teams sprawl is multiple teams created on the same topics and themes. It causes many issues and blurs consistent, clear communication within Teams.

• Lack of end-user training – When users are not properly trained on how to use Teams, sprawl can certainly begin to occur as users create many unnecessary Teams and channels.

• Rushed deployment of Microsoft Teams – A rushed deployment of Teams leads to a lack of forethought, organization, governance, and training to help provide the boundaries needed to ensure Teams is deployed effectively and aligns with governance decisions agreed upon by the business.

How can Organizations Manage the Naming of Teams

Microsoft has introduced Microsoft 365 groups naming policies (requires AAD Premium P1/M365 E3) to help organizations control the naming conventions used in Microsoft Teams. It allows enforcing a consistent naming strategy for groups created by users in your organization for services like Microsoft Teams, SharePoint, Planner, Yammer, etc.

Microsoft 365 groups naming policy allows enforcing the following features:

• Prefix-Suffix naming – You can define prefixes or suffixes based on fixed strings or user attributes for the user creating the groups

• Custom Blocked Words – Define a set of blocked words that are blocked in the group names. For example, blocking redundant words like “team” in a Microsoft Teams group can be beneficial.

Read more about Microsoft 365 groups naming policies here: Microsoft 365 groups naming policy | Microsoft Docs

Controlling File Storage Locations for Microsoft Teams

Microsoft Teams data resides in the region associated with your Microsoft 365 or Office 365 organization. Administrators can see which region stores Teams data in the Microsoft 365 admin center > Settings > Organization profile > Data location.

Viewing Microsoft Teams data locations

Organizations can also leverage retention policies (requires Office 365E3+) and labels from Microsoft 365 to effectively manage how information is retained to meet the organization’s internal policies, regulations, or legal requirements. Teams support retention policies for chat and channel messages. Administrators can proactively decide whether to retain data, delete it, or retain it for a specific period. Learn more about Microsoft Teams retention policies here: Manage retention policies for Microsoft Teams – Microsoft Teams | Microsoft Docs

Secure Internal Microsoft Teams Collaboration

One of the benefits of using Microsoft Teams is the ability to communicate and collaborate with team members. This includes sharing sensitive information with only those who should have access to it. When it comes to internal sharing with Microsoft Teams, organizations must define the right level of protection for each project.

Microsoft recommends three levels of protection for sharing:

• Baseline – Includes public and private teams and restricts sharing to “Site Owners.”

• Sensitive – This team is “private.” Only members can find the team, and only owners can add new members. Sensitivity labels are used to set policies around guest sharing and unmanaged device access.

• Highly sensitive – This is recommended for organizations that need to comply with government regulations or protect trade secrets or highly sensitive data. It blocks access from unmanaged devices and uses sensitivity labels to encrypt files.

Learn how to limit sharing within Microsoft 365 Teams here: Limit sharing in Microsoft 365 | Microsoft Docs

Secure External Microsoft Teams Collaboration

The external Microsoft Teams collaboration capabilities allow collaborating with partners, vendors, customers, and others without an account in your directory. You can share entire teams, sites, or just individual files and folders. Sharing in Microsoft 365 is governed at its highest level by the B2B external collaboration settings in Azure Active Directory.

Guest sharing must be enabled in Azure AD before guests can be added to shared content existing in your organization.

Setting external collaboration settings in Azure AD

Teams also has a master on/off setting for guest access and other settings to control what guests can do in a team.

Controlling guest access in Microsoft Teams

Since Microsoft Teams is built on top of SharePoint Online, you can control and secure external collaboration using the SharePoint organization sharing settings. These settings determine what settings are available for individual sites. For instance, you can allow file and folder sharing with unauthenticated users. You can also specify if guests need to authenticate.

Controlling external sharing in SharePoint Online

Administrators can also limit or prevent sharing SharePoint or OneDrive files or folders with people outside the organization. This is accomplished by turning off guest sharing for the entire organization or an individual site.

Controlling external sharing in Microsoft Teams sites

You can learn more about how to collaborate with guests in a team here: Collaborate with guests in a team | Microsoft Docs.

How to Govern Communications in Microsoft Teams

Microsoft Teams contains several controls that help to govern communications. These include messaging and meeting settings. Note the following:

• Messaging – Control which chats and channel messaging features are available to users using messaging policies. Different policies can be created and assigned to different users and groups. Administrators can also control who can start new posts and reply to posts in a Microsoft Teams channel. View the manage messaging policies in Teams link here: Manage messaging policies in Teams – Microsoft Teams | Microsoft Docs

• Meetings – Administrators can control the features available to Teams meeting participants. These features include scheduling, content sharing, participants, and audio/video policies. Anonymous joins can also be controlled by policy. Teams: Manage meeting policies – Microsoft Teams | Microsoft Docs

• Communication compliance – Organizations can scrutinize communications for sensitive information, offensive language, and any information related to compliance concerns. Using communication compliance requires M365 E5, E3+Compliance/Insider Risk add-ons or Office365 E5 licensing. Administrators can monitor chat, email, and Yammer messages and generate alerts. These can be used to respond to messages with policy matches quickly.

How to Manage Microsoft Teams Lifecycles

It is essential to understand the teams, channels, and other related resources in Microsoft Teams are created to serve a purpose. Once a project or purpose has finished its lifecycle, the associated Microsoft Team will also reach the end of its lifecycle. The following lifecycle stages are associated with the teams created.

• Beginning – The team is created, and the goals associated with the team are defined. In this phase, the channels that relate to the collaboration project are configured.

• Middle – The channel hierarchy continues to evolve along with the team members.

• End – In this phase, the team’s work has run its course, and the team, channels, and potentially various other resources are no longer needed. As part of the housekeeping of Microsoft Teams, it is good to initially archive and then delete Teams that are no longer needed.

How to Manage Private Channels in Microsoft Teams

Private channels are used to limit collaboration to only certain team members or if you want to provide the means to communicate between a group of people assigned to a project without creating an entirely new team. By default, only a team owner or team member can create a private channel. Guests do not have this ability.

Like other aspects of Microsoft Teams, private channels need to be managed. As an admin, you can control whether members can create private channels in specific teams. You can also create a private channel on behalf of a team member.

Administrators may require getting all messages and replies posted in a private channel for auditing purposes. In addition, it may be necessary to perform eDiscovery or legal hold on files in a private channel. You may also need to list and update the roles of owners and members in a private channel.

In these and more scenarios, the Graph API is a robust tool that allows administrators to query and find information regarding private channels that help to manage these.

Set whether team members can create private channels:

PATCH /teams/<team_id>

{“memberSettings”:

{

“allowCreatePrivateChannels”: false

}

}

Get private channel messages:

GET /teams/{id}/channels/{id}/messages

GET /teams/{id}/channels/{id}/messages/{id}/replies/{id}

Get a list of private channel IDs:

GET https://graph.microsoft.com/beta/teams/<group_id>/channels?$filter=membershipType eq ‘private’

Review of Microsoft Teams Governance and Security FAQs

• How can I govern Teams sprawl in my organization? – By putting governance policies in place, training end-users, and using technical, policy-based controls in Microsoft Teams to control how teams are created.
• How can I manage the naming of Teams? – Use Microsoft 365 groups naming policies to control prefix, suffix, and blocked words.
• How can I control file storage locations for Teams? Monitor and audit data region localities and leverage retention policies to control data for legal, regulatory, and other means.
• How can I secure internal collaboration in Teams? – Use the three levels of protection in Microsoft Teams, including Baseline, Sensitive, and Highly sensitive protection. It includes using security labels, file encryption, and controlling guest access.
• How can I secure external collaboration in Teams? Control guest access from Azure Active Directory, Teams, and SharePoint Online. Admins can also enable or prevent sharing of files and folders with guests outside the organization.
• How can I govern communications in Teams? – Use messaging and meeting policies and monitor communications for specific types of flagged content.
• How do I manage the lifecycle of Teams? The lifecycle of teams follows the lifecycle of the project or collaboration. Once this is over, administrators can end the associated team, channels, and other resources.
• How do I manage private channels in Teams? Administrators can easily manage private channels using the Graph API.

Final Thoughts

Microsoft Teams is a robust communication and collaboration platform that allows organizations to communicate and empower remote workers effectively. However, for the security and safety of their data, businesses must give due attention to governance and security considerations.

Governance is a vital aspect of operating Microsoft Teams as it helps to ensure the user activities, processes, and workflows align with what has been decided upon by the business. It can also help prevent Teams “sprawl” as users have guardrails that help ensure they are using Teams in a way that aligns with the business.

Cybersecurity concerns have never been more paramount than today. With large-scale ransomware attacks affecting businesses worldwide, companies must develop effective security strategies to protect their data. Microsoft Teams has been engineered with security built into the core of the product. However, customers must also take responsibility for their data as part of the shared responsibility model. It requires more than the default settings enabled in the Microsoft Teams environment.

Businesses must decide on how data can be shared, both internally and externally. In addition, how governance is applied, how do they manage lifecycle operations, channels, and many other aspects of their Teams environment.

The post How to Secure Teams | Teams Governance & Security Explained appeared first on Altaro DOJO | Microsoft 365.