Conditional Access: The key to cyber success

Published On: October 25th, 2023 | Categories: Blog

For cyber attackers today, it’s more lucrative than ever to gain access to your email. The unfortunate news for your dealership is that cloud-based email, such as Microsoft 365, is far easier to break into than the dealership’s computers. Employee inboxes are often rife with sensitive information and financial fraud opportunities pertaining to the employees themselves, the company, your customers, and even trusted partners and vendors, all of which can be exploited. This sort of attack is called a Business Email Compromise (BEC). Once an attacker has access to an inbox, it is very hard to eradicate them before the damage is done. A far better action plan is to block them before they can get in. A key component used to block them in Microsoft 365 is called Conditional Access (CA). In short, CA lets organizations using Microsoft email attach conditions to user sign-ins, tied to your security systems, to safeguard against potential hackers. When those conditions are not met, the login is denied.


Preventing attackers from gaining initial access

To evade tracking, hackers typically operate on a complex infrastructure of servers based in different countries. This makes it tougher for the FBI, other law enforcement agencies, and security vendors to trace an attack and take down individual operations. When an employee engages with a phishing email, for example by following a link to a lookalike Office 365 sign-in page, they end up interacting with this attack infrastructure. The hacker already had the sign-in name of their target (i.e. the e-mail address); interacting with these pages can give them the password as well, and if Multi-Factor Authentication (MFA) is enabled and the user approves the prompt, they can also capture the authentication approval that Microsoft issues for a successful sign-in. This approval, called a “session token”, can then be used to freely access mailboxes and cloud apps.

To block these attacks from succeeding, Proton can create a CA policy that blocks all sign-ins from outside of the U.S. When the attacker uses their overseas infrastructure to attempt a login, Microsoft sees the user’s sign-in attempt coming from outside of the U.S. and denies it.

Safeguarding against back doors from compromised accounts

Another way attackers try to pry their way in is by registering new MFA devices for the account they have compromised. If successful, it becomes far harder to cut off their access, because they can now directly answer any new MFA challenges during sign-in. Fixing this situation is labor- and time-intensive because it can be difficult for the IT/security team to determine which MFA method is the legitimate one. The solution often lies in working with each compromised user to manually determine the correct device.

To prevent attackers from finding their way into the network via their own MFA authentication methods, Proton can create a policy that only allows registration of new MFA methods from a group of trusted IP address ranges matching those used by your dealership. This means that if you want to set up a new way to answer an MFA challenge, for example from a new phone or for a new employee, that device would have to be on the dealership’s network for the initial registration (after that, it can be used remotely). Attackers typically are not on the network; they are often in foreign countries. Such a policy would make it much harder for attackers to retain access to a mailbox.

CA policies provide several control points, including permission levels, groups of users, locations, and the applications being accessed. If your company needs even stricter access rules, these policies allow us to align different types of sign-ins with different rules. For an employee in the office signing into Outlook, an MFA token could be set up to last 30 days. In riskier situations, like accessing email from a cell phone, we could ensure that any successful MFA challenge results in a token that is limited to one day, or perhaps even to a single session.
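The three policies described above (block sign-ins from outside the U.S., allow MFA registration only from the dealership’s trusted IP ranges, and vary the token lifetime by sign-in context), modelled as a small evaluator over constructed sign-in events. This is added illustrative code, not Proton’s tooling and not the Microsoft Graph policy schema; the trusted ranges, user name and the 1-day lifetime for mobile or remote sign-ins are assumptions, and it mirrors one real property of CA: every applicable policy applies, and a block from any of them wins.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder for the dealership's trusted egress ranges (TEST-NET-3 documentation space).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    country: str  # geolocation of the source IP (ISO 3166 alpha-2)
    client: str   # "desktop" or "mobile"
    register_mfa: bool = False  # True when the request is to add a new MFA method

def on_trusted_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_RANGES)

# Each policy returns None when it does not apply, else (action, session_days, reason).
def block_outside_us(s: SignIn):
    return ("block", 0, "sign-in from outside the U.S.") if s.country != "US" else None

def mfa_registration_on_network_only(s: SignIn):
    if s.register_mfa and not on_trusted_network(s.ip):
        return ("block", 0, "MFA registration attempted off the dealership network")
    return None

def session_lifetime(s: SignIn):
    # Assumption: office desktop gets a 30-day token; mobile or remote gets a 1-day token.
    if s.client == "desktop" and on_trusted_network(s.ip):
        return ("grant", 30, "office desktop: 30-day token")
    return ("grant", 1, "mobile or remote: 1-day token")

POLICIES = [block_outside_us, mfa_registration_on_network_only, session_lifetime]

def evaluate(s: SignIn) -> tuple:
    """All applicable policies apply together: any block wins; otherwise the shortest lifetime wins."""
    hits = [r for r in (p(s) for p in POLICIES) if r is not None]
    blocks = [reason for action, _, reason in hits if action == "block"]
    if blocks:
        return ("block", 0, blocks)
    return ("grant", min(days for _, days, _ in hits), [reason for _, _, reason in hits])

# Constructed sample sign-ins (TEST-NET addresses, no real users).
SAMPLE = [
    SignIn("jane@dealer.example", "203.0.113.10", "US", "desktop"),
    SignIn("jane@dealer.example", "198.51.100.7", "US", "mobile"),
    SignIn("jane@dealer.example", "198.51.100.7", "US", "desktop", register_mfa=True),
    SignIn("jane@dealer.example", "192.0.2.44", "DE", "desktop", register_mfa=True),
]
if __name__ == "__main__":
    for s in SAMPLE:
        print(s.ip, s.country, s.client, s.register_mfa, "->", evaluate(s))
```

The last sample trips both block policies at once, which is the situation the text describes: an overseas attacker who has phished a password and now tries to enrol their own MFA device.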

How do you enable the use of Conditional Access policies?

Conditional Access is bundled into Microsoft’s Entra Premium licensing, at both the P1 and P2 license levels. Various licensing plans include Premium licensing. Proton can help you identify the plan that is right for you based on your use cases and the number of employees in your organization.
