Email has become one of the most exposed gateways into our enterprises. It is used to get end users to click links that exploit vulnerabilities in their operating system or browser, to trick users into handing over information by pretending to be someone in their own organization, and to trick users into entering their credentials for banking or other essential systems. Let me explain:
Users are being tricked into providing their Office 365 credentials via phishing emails that pretend to be from Microsoft. Once a user hands over these credentials, the bad guys do several things. First, they log in to the mailbox through the Outlook Web App and set up a forward from the account to an address they control. To continue the exploit, they then use the account to send emails to the victim's contacts. In effect, they are spending the victim's social capital (the trust those contacts have in the victim) to further their agenda. They can be quite sophisticated, reading the mailbox and profiling the victim's relationships with each contact so that the emails they craft look legitimate. Even after the victim changes the password, the attacker keeps receiving a copy of every message delivered to the mailbox until the forward is removed from the account.
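The forward left behind after a compromise is the thing most often missed during cleanup, so here is an audit an Exchange administrator can run across the whole tenant. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement PowerShell module is installed, that the account you connect with holds an Exchange administrator role, and that the addresses and rule name shown are placeholders you replace with your own.

```powershell
# Added example (not from the original post): find every mailbox-level forward and every
# inbox rule that forwards, redirects or deletes mail, which is what a phished account
# typically ends up with. Assumes the ExchangeOnlineManagement module and an admin role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin UPN

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding configured on the mailbox itself (what a user sets under Options in OWA,
#    or what an attacker with the password sets in the same place).
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward or redirect, or that delete. Attackers frequently pair a
#    forward with a delete so the victim never sees the copies or the replies that come back.
#    A delete-only rule can be legitimate, so review the list rather than acting on it blindly.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName }},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Cleanup once a compromise is confirmed: clear the mailbox forward and remove the rule
#    by the name the audit printed. Do this in addition to resetting the password.
# Set-Mailbox -Identity victim@contoso.example -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
# Remove-InboxRule -Mailbox victim@contoso.example -Identity "Rule name from the audit"
```

Run the audit on a schedule rather than only after an incident: a forward to an external address that nobody in your organization recognizes is one of the clearest signals you have that a mailbox has been taken over, and it shows up whether or not the attacker ever sent a single email from it.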
How to Protect Yourself
In this post, I will describe one of several things users should do to protect themselves from email attacks: two-factor authentication. This particular measure is excellent at keeping the bad guys out of the Outlook Web App even when they already have your credentials.
Two-factor authentication is a techie term that is pretty easy to understand. Basically, the "two factors" are 1.) something you know and 2.) something you have. For example, when you log in or authenticate at a website, you provide something you know (e.g., a password) and you use something you have (e.g., your cell phone) to supply the second piece of the authentication. The premise is that the bad guys are highly unlikely to hold both of these items: a phishing email can capture your password, but it cannot capture your phone. Unlikely is not impossible, though. A code sent by text message or read out over a phone call can still be relayed by an attacker who is phishing you in real time, which is one reason to prefer the Authenticator app where you can.
It's often said that "increased security means decreased convenience." This can be true, so we decided to implement two-factor authentication internally and see how inconvenient it was. Overall, it has been quite simple and easy to use. When it's first enabled, users are prompted to provide some details (e.g., a cell phone or desk phone number) and whether they would like to use the Microsoft Authenticator app for iOS or Android as an option. The next time users log in to Outlook, or any Office application on their Mac or PC, they are prompted to log in again, and at the login screen they are prompted for a second verification code. That's it. After authenticating, the client appears to save this and you are not prompted again and again to log in. I found the same to be true for Outlook on iOS. I did not notice any prompting from the built-in Mail app on iOS.
You must be using at least the Office 365 Business or Enterprise licenses, together with Office 2016 or 2013 on Windows or the latest version of Office for Mac, if you do not want to provide an app password. See my note at the end of this article for my explanation of app passwords.
Begin by explaining to your end users why this is essential in this day and age, and assure them that the minor inconvenience is well worth it. The first step in any IT project is to make sure the users are aware of what the benefit will be to them and why the project is happening. Don't just flip the switch.
Next, the Office 365 admin will need to log in to the Admin Portal and enable two-factor authentication. This can be done for individual users, so you can roll it out slowly if necessary or do some testing on yourself first.
Under the Active Users section, select a user and on the right side properties you will see an option under More Settings to Manage multi-factor authentication.
Following this link will take you to a page where you can enable multi-factor authentication for one or more users. Before editing the users, I recommend reviewing the settings under the Service Settings section. This is where you can define exactly what a user can use for authentication.
After making your selections, return to the Users section and select one of your users. Click Enable.
You'll notice a link at the bottom that says, "If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup." What I found streamlines the process is to send the user this URL so they can set up the options they'll use for authentication. So, send this first before proceeding. They will then be prompted with a page that looks something like this.
They will follow the Set it up now link and begin the process of registering their authentication methods.
There may be an easier way, but I haven't discovered it. What we did was send this link once, the user authenticated, and then we had them follow the link a second time, at which point they were able to add all the options they wanted to use for authentication. Another thing we noticed: you will want to update their Office 365 user account with the correct office phone number if you'd like to make that an option.
This is also the location where the user can configure the Authenticator App.
After they complete this information, you can return to the admin portal and click Enable for multi-factor authentication.
You will receive confirmation that it has been enabled. That concludes enabling multi-factor authentication. At this point the user needs to re-authenticate the applications they are using. The simplest approach for us was to close all Office applications and reopen them. The user was prompted to provide credentials and then provided the second factor. We found that it has not requested re-authentication since.
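The portal steps above are per-user switches, and once you move past a handful of pilot users they are faster to flip from a script. The following is an added example, not code from the original post; it uses the MSOnline PowerShell module (the module of the per-user MFA portal the post describes, since deprecated by Microsoft in favour of Microsoft Graph), assumes Install-Module MSOnline has been run and that you connect as a Global Administrator, and the user principal names are placeholders.

```powershell
# Added example (not from the original post): enable, disable and report on per-user MFA
# with the MSOnline module. Assumes the module is installed and a Global Administrator signs in.
Connect-MsolService

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"      # apply to every application, not a single relying party
    $req.State = "Enabled"       # "Enabled" prompts the user to register at next sign-in;
                                 # "Enforced" additionally requires app passwords in legacy clients
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Disable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # An empty requirements array turns per-user MFA back off (the portal's Disable link)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Roll out to a pilot group first, as the post recommends, rather than the whole tenant.
$pilot = @("alice@contoso.example", "bob@contoso.example")   # placeholder UPNs
$pilot | ForEach-Object { Enable-PerUserMfa -UserPrincipalName $_ }

# Report: MFA state per user plus the second factors each has registered, so you can spot
# accounts that were enabled but never finished setup at https://aka.ms/MFASetup.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{Name = 'MfaState'; Expression = {
            if ($_.StrongAuthenticationRequirements) { $_.StrongAuthenticationRequirements[0].State } else { 'Disabled' } }},
        @{Name = 'Methods';  Expression = {
            ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ',' }},
        @{Name = 'Default';  Expression = {
            ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType }} |
    Sort-Object MfaState, UserPrincipalName |
    Format-Table -AutoSize
```

A user who shows as Enabled with an empty Methods column has not completed registration and will be stopped at the next browser sign-in, which is exactly the situation the post avoids by sending the setup link first. Check that column before you flip anyone to Enforced.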
As I researched this process, I found numerous mentions of app passwords but not much of a non-techie explanation of how they work and why one would need them. So, I thought I would try to explain it here. The most recent releases of Office are built to understand two-factor authentication automatically: they can show a dialog box and prompt for that second authentication factor. Older applications and other apps like Mac Mail don't have this capability. This is where app passwords come into use. You generate an app password and use it instead of your normal password when logging in from that application. Keep in mind that an app password lets the application skip the second factor entirely, so treat each one like a password: generate it per application, never share it, and revoke it when the application is retired. I will cover this in more detail in another blog post.