Critical Security Settings for Email and Files


Summary

Critical security settings for email and files are configurations and protocols that help protect sensitive information from unauthorized access, phishing, and ransomware attacks. These settings include authentication tools and access controls that ensure only approved users and systems can send, receive, or view your data.

  • Enable authentication protocols: Set up SPF, DKIM, and DMARC on your domain to stop spoofed emails and phishing attempts while improving delivery to legitimate inboxes.
  • Limit account privileges: Regularly review and restrict administrative and service account access, making sure each user and system only has the permissions they need.
  • Monitor and update regularly: Continuously check your security settings, rotate passwords, and update software to close vulnerabilities that attackers could exploit.
Summarized by AI based on LinkedIn member posts
  • Supro Ghose

    CIO | CISO | Cybersecurity & Risk Leader | Federal & Financial Services | Cloud & AI Security | NIST CSF/RMF | Board Reporting | Digital Transformation | GenAI Governance | Banking & Regulatory Ops

    14,658 followers

    Office of the Comptroller of the Currency (OCC) suffered a recent cloud email breach that highlighted critical vulnerabilities in email security and access management that have broader implications for all federally regulated institutions.

    Summary of the OCC Breach
    An attacker gained unauthorized access to a privileged administrative email account within the Microsoft environment. The breach went undetected for 8 months, during which sensitive government communications were silently exfiltrated. More than 150K email messages were compromised, affecting around 100 officials. The incident exposed critical shortcomings in access control enforcement, monitoring, and response protocols.

    Key Failures Identified
    1. Overprivileged Access – An administrative account with wide mailbox visibility was compromised, facilitating prolonged data exfiltration.
    2. Delayed Detection – Anomalous behavior went unnoticed for months, raising concerns about the efficacy of real-time monitoring and alerting.
    3. Stale and Unlocked Service Accounts – There were no policies in place for password rotation, inactivity lockout, or login attempt lockout for service accounts, making them vulnerable to brute-force or credential stuffing attacks.
    4. Unaddressed Internal Warnings – Known risks flagged in prior audits related to email and access security had not been remediated in time.
    5. Insufficient Conditional Access Policy Enforcement – The compromised account, linked to Azure, bypassed MFA and geo restrictions due to a poorly enforced conditional access framework. VPN usage further masked malicious activity.

    Lessons learned:
    1. Enforce Microsoft Conditional Access Policies – Ensure all accounts, including service accounts, are subject to robust Conditional Access, MFA, and geo-restrictions.
    2. Tighten Access Control – Limit and monitor privileges of administrative and service accounts; apply just-in-time access models.
    3. Audit and Harden Service Accounts – Eliminate hardcoded credentials, enforce regular password rotation, enable account lockouts after failed login attempts, and set inactivity thresholds.
    4. Strengthen Detection – Invest in behavioral analytics, adaptive authentication, and cloud-native threat detection tools.
    5. Review and Limit Privileges – Conduct a review of privileged accounts and implement RBAC and JIT access where possible.
    6. Ensure compliance with secure baseline configurations like those in DHS CISA BOD 25-01 - Secure Cloud Baseline [SCuBA] (stated in OCC response).

    The OCC breach is a cautionary tale—reactive controls alone are insufficient in today’s environment. Proactive hardening of identity, access, and cloud email infrastructure must be a top priority. https://lnkd.in/ef_4DQ3V

  • Gina Yacone

    CISO (Advisory, vCISO) | Cybersecurity Women of the Year 2024 | Cybersecurity Women of the World (Top 20) 2024 | Keynote, Moderator & Speaker | Investor | Board Advisor | Board Member

    52,307 followers

    🚨 Cybersecurity Alert: Medusa Ransomware Threatens Critical Sectors 🚨

    The FBI and CISA have issued a joint advisory about the Medusa ransomware, a sophisticated Ransomware-as-a-Service (RaaS) variant active since 2021; however, just this year (2025) it has compromised over 300 victims across sectors like healthcare, education, and technology.

    Key Insights:
    ▪️ Double Extortion Tactics: Medusa not only encrypts data but also threatens to publicly release it if ransoms aren’t paid.
    ▪️ Phishing and Exploited Vulnerabilities: The ransomware spreads through phishing campaigns and exploits unpatched software vulnerabilities, emphasizing the need for vigilant cybersecurity practices.

    Recommended Actions:
    1️⃣ Implement Multi-Factor Authentication (MFA): Especially for email services like Gmail and Outlook, MFA adds a critical layer of security.
    2️⃣ Regular Software Updates: Ensure all operating systems, software, and firmware are up-to-date to mitigate potential vulnerabilities.
    3️⃣ Network Segmentation: Divide networks to restrict lateral movement, limiting the spread of potential ransomware attacks.
    4️⃣ Data Backup: Maintain offline backups of critical data to ensure recovery without yielding to ransom demands.
    5️⃣ Enhanced Email Security Controls: Implement strong filters, DMARC, DKIM, and SPF to prevent phishing emails from reaching users. Also, there are some amazing AI email tools that are combating zero days in this space through modeling.
    6️⃣ Follow best practice, duh, like training! 🤪

    Organizations are urged to review the detailed advisory and implement these mitigations to reduce the risk and impact of Medusa ransomware incidents. Stay vigilant and proactive in safeguarding your digital assets. 🛡️

    #CyberSecurity #Ransomware #Medusa #FBI #CISA #DataProtection #CyberAwareness https://lnkd.in/d2cCv-38

  • Kenneth van Surksum

    We provide MSPs and customers with secure Microsoft 365 baselines for use in automation tooling | Secure at Work | Microsoft MVP Intune & Identity and Access

    7,981 followers

    🚀 New Article: From SPF to DANE: Securing Microsoft 365 Email Communications 🚀

    Enhancing the security of your organization's communication channels is more critical than ever. In our latest article, we dive deep into advanced technologies like IPv6, DNSSEC, STARTTLS, DANE, and RPKI to secure Microsoft 365 email environments, specifically focusing on Exchange Online functionality. 📧🔒

    🔹 Why Use SPF, DKIM, and DMARC Together?
    SPF, DKIM, and DMARC form the foundation of email authentication, preventing spoofing and phishing attempts. Learn how these protocols work together to ensure only legitimate messages reach their destination. ✅

    🔹 Advanced Security Protocols Overview
    IPv6: Vastly larger address space and improved security.
    DNSSEC: Protects against DNS spoofing with cryptographic signatures.
    STARTTLS: Encrypts email transmissions to protect sensitive data.
    DANE: Adds an extra layer of trust by binding SSL/TLS certificates to DNSSEC.
    RPKI: Secures internet routing to prevent route hijacking.

    🔹 Step-by-Step Instructions for Inbound SMTP DANE
    From verifying prerequisites to testing configurations, we provide a comprehensive guide to enhance your email security. 🛡️

    After implementing these measures, we achieved a 100% score on our security tests! 🎉 Read the full article to learn how you can protect your email communications and improve deliverability. 📖🔍 https://lnkd.in/dBiH_6Yb

    #EmailSecurity #Microsoft365 #ExchangeOnline #CyberSecurity Secure At Work

  • Amine El Gzouli

    Amazon Security | Sr. Security and Compliance Specialist | Helping Professionals Navigate Information Security, Privacy, and AI Regulations with Practical Insights

    5,136 followers

    "Funny to see all DORA emails coming in via email from domains with a DMARC record on p=none."

    That's what a security professional in my network commented the other day on one of my DORA posts. Totally agree: SPF, DKIM, and DMARC are critical for email security and compliance. Let’s break it down:

    ↳ Email authentication isn't just nice to have, it’s a must. Without it, you're exposed to three major threats:
    1. Phishing: Threat actors spoof your domain to trick your customers.
    2. Business Email Compromise (BEC): Fake CEO emails still land without enforcement.
    3. Brand impersonation: Attackers hijack your domain’s reputation to deliver malware.

    ↳ SPF (Sender Policy Framework)
    Tells receiving servers which IP addresses are authorized to send emails for your domain. Simple DNS TXT record. But it fails when emails get forwarded.

    ↳ DKIM (DomainKeys Identified Mail)
    Adds a cryptographic signature to your emails. If the content is altered, even slightly, the signature fails. Bonus: it survives forwarding.

    ↳ DMARC (Domain-based Message Authentication, Reporting and Conformance)
    The enforcer. Tells mail servers what to do when SPF and DKIM checks fail and whether they align with the domain in the visible “From” address.

    ↳ A proper DMARC record looks like this:
    v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; fo=1; sp=reject
    This record tells the world:
    – Reject unauthorized emails
    – Use strict alignment
    – Send reports so you can monitor and adjust

    ↳ Together, SPF, DKIM, and DMARC create layered protection:
    – SPF checks the sender.
    – DKIM checks the content.
    – DMARC checks the identity and applies policy.

    ↳ Recommended DMARC rollout strategy:
    1. Start with p=none to monitor.
    2. Fix issues based on reports.
    3. Move to p=quarantine.
    4. Enforce with p=reject.
    5. Apply sp=reject to subdomains.
    6. Rotate DKIM keys at least annually.
    7. Review DMARC reports weekly.

    ↳ How does this support DORA compliance?
    DORA requires you to manage ICT risks, prevent phishing attacks, detect unauthorized use of communication channels, and ensure continuity. Email authentication checks all those boxes. It reduces risk exposure and proves to regulators you're actively protecting your digital perimeter.

    💡 Before buying expensive email security tools, implement SPF, DKIM, and DMARC. They’re open, proven, and free. Yet most domains still don’t enforce them.

    👇 Have you already enforced DMARC at p=reject? Or are you still monitoring?

    ♻️ Repost to protect someone’s inbox.
    🔔 Follow Amine El Gzouli for more practical security insights.
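A small checker, added here as an example and not part of the post above, that parses a DMARC TXT record and reports the weaknesses the post describes: p=none monitor-only policies, relaxed alignment, a missing subdomain policy, and no rua address for the weekly report review. The two sample records are constructed for illustration and example.com is a placeholder domain.

```python
import re

# Sample records, constructed here for illustration (not from the post).
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; fo=1; sp=reject"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; ...') into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must be present and must be DMARC1 (RFC 7489).
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing or wrong v= tag")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings that weaken enforcement; an empty list means fully enforced."""
    t = parse_dmarc(record)
    findings = []
    policy = t.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: intermediate step, move to p=reject")
    elif policy != "reject":
        findings.append(f"p={policy}: unrecognised policy value")
    # Subdomain policy inherits p when sp is absent.
    sub_policy = t.get("sp", policy)
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    # Relaxed alignment (the default) accepts any subdomain of the From: domain.
    for tag in ("adkim", "aspf"):
        if t.get(tag, "r") != "s":
            findings.append(f"{tag}={t.get(tag, 'r')}: relaxed alignment")
    # Without a valid rua there are no aggregate reports to review weekly.
    uris = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    if not uris or not all(re.match(r"^mailto:\S+@\S+$", u, re.I) for u in uris):
        findings.append("rua missing or malformed: no aggregate reports will arrive")
    return findings
```

Run `assess_dmarc(ENFORCED)` to get an empty list and `assess_dmarc(MONITOR_ONLY)` to see the four gaps a monitor-only record leaves open.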
