Pentesting Microsoft Office 365

IT security is a game of cat and mouse. Bad actors are continuously developing new methods for disrupting systems and CTOs, CIOs, and their teams are working just as fast to protect their infrastructure from these attacks. One of the most effective methods of protection is pentesting.

What is Pentesting?

Pentesting is the colloquial term for penetration tests. The singular goal of these tests is to assess a computer system’s security. The CIO or CTO authorizes the IT team to simulate an attack on the organization’s computer system. The results of the tests allow leadership to pinpoint the system’s vulnerabilities and strengths. This then contributes to a much more comprehensive risk assessment that helps the IT department to make the necessary investments that prevent future attacks.

Why is Pentesting Important?

The most obvious benefit of penetration testing was already mentioned—it identifies the strengths and weaknesses of a system. But the advantages of using pentesting as an IT tool go deeper and further than this. The following takes a look at a few of the reasons that CISOs and other IT leaders need to prioritize it.

1. Maintaining Brand Reputation

There is no substitute for a strong reputation. When consumers trust a business, sales will continue to grow, workforce loyalty will increase, and a strong industry partnership will be born. It often takes years and significant resources to build up this type of reputation and, unfortunately, it can be destroyed in a fraction of that time. When a customer, vendor, and employee data is put into jeopardy, it can take years to right the wrong. Pentesting can help companies avoid this.

2. Reducing IT Expenses

IT is consuming a larger and larger portion of every company’s budget. And while there is no way to avoid many of these expenses, there are a few that can be prevented. Application performance disruption and security faults are known to cause financial losses. Pentesting helps companies to evade IT infrastructure invasions and the costs that come with them.

3. Complying With Regulations

Every company in every sector of the economy must answer to regulators. While the difficulty of compliance varies depending on the industry, complete data security is standard. However, complete data security is also challenging. Pentesting helps to address the challenge and avoid regulatory fines and penalties.

4. Assessing IT Investments

It can be tough to accurately review security investments—to identify whether they are delivering or there are still gaps that need to be addressed. Pentesting provides a bird’s-eye view of the current state of security, allowing CTOs and CIOs to find all possible breach points. It will also test out every existing security process and system, helping leadership see if those investments are working, how they can be bolstered, and by exactly how much IT investment needs to be increased.

5. Minimizing Downtime

There are few business issues that can cause more detriment than downtime. When systems are down it prevents the workforce from executing task, as well as preventing consumers from engaging with the business. Both of these can cause financial losses in a number of ways. Pentesting can detect issues that would cause downtime proactively, giving the company the ability to address the vulnerability before an attack can take advantage of it.

6. Addressing Vulnerabilities

Most CIOs and CTOs will choose to run a vulnerability scan alongside a penetration test. This can add significant value and insight by prioritizing the biggest risks and helping to guide security strategy—resources are put where they are most needed and all of the necessary patches can be applied.

7. Stakeholder Protection

Companies have a responsibility to their employees, customers, and business partners. If they want the trust of all of these individuals and entities they must protect their private information. Pentesting empowers organizations to take the necessary actions that secure this data, boosting trust across the board.

8. Security Threat Oversight

Just as with every other business process and system, IT executives need to have comprehensive oversight. This allows them to detect security threats and defend their applications, endpoints, and networks from any internal or external attempts to circumvent security controls. Pentesting provides this by confirming potential threats and enabling the IT team to arrange remediation.

What to Know Before Pentesting Office 365

Woman studying the results of pentesting

Before attempting a penetration test, the IT team needs to understand how this process will interact with Office 365. With Microsoft Cloud, there are rules of engagement for penetration testing.

The biggest requirement is that organizations must notify Microsoft before they do any pentesting on most Microsoft Cloud Services. The only exception to this rule is Microsoft Azure resources. If Microsoft does not receive proper notification, they may interpret the activity as abuse and suspend the tenant. Additionally, if any damage is done to the Microsoft Cloud or to other tenants’ data, the business will be held responsible.

The main reason for this is that multiple tenants often share the same Microsoft infrastructure. Therefore, before a penetration test can take place, Microsoft and the tenant need to work together to ensure that only the tenant’s assets are being tested and other customers will not be disrupted.

Customers are also required to:

  • Report any security flaws in the Microsoft Cloud that they identify during their testing within 24 hours.
  • Refrain from disclosing any discovered Microsoft Cloud vulnerabilities to anyone other than Microsoft until Microsoft has addressed the issue.
  • Avoid prohibited activities that put other Microsoft Cloud tenants and the Microsoft Cloud at risk.

It is important to note that, as previously mentioned, tenants are not required to notify Microsoft about planned penetration testing on Microsoft Azure assets. However, there is an optional notification form that provides documentation for IT teams’ records and allows Microsoft to collect metrics that improve the Azure platform’s performance.

Internal Pentesting Tools

Microsoft understands the value of pentesting, which can be seen by the fact that they offer their own tools for the procedure. Most of these tools are contained in Microsoft’s Attack Simulator—a function of the Office 365 Threat Intelligence feature. The function allows organizations to put their system through various attack scenarios, including:

1. Display Name Spear-Phishing Attack Simulator

A spear-phishing attach is a socially engineered attack that has a specific target, whether an individual or an organization. The idea behind it is to develop trust by using a display name and source address that are nearly identical to an employee’s. The email or message then looks authentic, as if it originated internally. When trust is established and the individual or group of individuals open the message, the attacker gains access to their credentials, putting company systems at risk of being accessed by malicious actors.

Microsoft allows Office 365 global administrators, who also meet a handful of other requirements, to simulate this type of spear-phishing attack. The tools enable the IT department to craft their own rich HTML editor, work with the HTML source, or use a pre-designed template for the email itself. The tool then takes users through the process of everything from specifying the target recipients to configuring the phishing email’s details to sending the message.

Here is a demo of the simulator in action.

2. Password Spray Attack Simulator

This common attack is used by bad actors who have gained access to a list of system users. They can test a single, commonly used password on the list of user IDs. If the password works with any of the IDs, they gain access to the system. This attack is easy to run and difficult to detect.

The Attack Simulator has a tool that global administrators can use to identify how successful this type of attack would be. This simulated attack is one of the easiest to run. Administrators simply need to choose the group of target users and specify the commonly used password (i.e. Password01 or Summer2019). They can then run the simulation and see which users need to increase their password security.

3. Brute-Force Password Attack

The brute-force password attack is similar to the password spray attack. The main difference is that the attack is focused on a single user—multiple passwords are attempted on a single account until the correct one is found.

To simulate this attack, global administrators must simply choose the target recipient and upload a text file full of potential passwords. All of the passwords are then attempted and the IT team can see if any single user is at risk of this type of attack.

Kali Linux for Azure

This tool is not part of the Threat Intelligence feature, but it is easy to use within Azure. For IT teams that are willing to move one step beyond the built-in tools, Kali Linux is a strong option. It is a Debian-based Linux distribution that offers security auditing and penetration testing. If provides hundreds of tools for IT security testing, research, forensics, and more. It is customizable, free, open-source, fully supported, and much more. In short, it is a one-stop shop for pentesting. Check out our blog and demo video on how to use Kali Linux in Azure,

Learn More About Pentesting Office 365

Comprehensive IT security is growing tougher by the day. For this reason, businesses need to form strong partnerships that help them bolster their security. Agile IT wrote the book on Zero Trust Architecture in Microsoft 365. If you are serious about securing your cloud, Request a quote**:**

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon

Don’t want to wait for us to get back to you?