Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

DHS Highlights Common Security Oversights by Office 365 Customers

As organizations migrate to Microsoft Office 365 and other cloud services, many fail to use proper configurations that ensure good security practices, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns. 

As organizations migrate to Microsoft Office 365 and other cloud services, many fail to use proper configurations that ensure good security practices, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns. 

Improperly configured cloud services create risks and vulnerabilities and the root cause of this issue is often the use of third-party firms to migrate to cloud, which resulted in a mix of configurations that lowered the organizations’ security posture. 

In addition, CISA says, most of the organizations that used a third-party did not have a dedicated IT security team to focus on their security in the cloud. Combined, these oversights have led to user and mailbox compromises and vulnerabilities.

According to CISA, customers who used third-parties to migrate email services to Office 365 did not have multi-factor authentication enabled by default for administrator accounts, had mailbox auditing disabled and password sync enabled, and allowed for the use of legacy protocols that did not support authentication. 

Although Azure Active Directory (AD) Global Administrators have the highest level of administrator privileges at the tenant level in an Office 365 environment, multi-factor authentication (MFA) is not enabled by default for these accounts, CISA points out.

There is a policy available, but it needs to be explicitly enabled to turn on MFA for these accounts, which are exposed to the Internet because they are based in the cloud. Failing to secure them could allow an attacker to maintain persistence as a customer migrates users to O365.

Mailbox auditing, which logs the actions of mailbox owners, delegates, and administrators, was not enabled by default in Office 365 prior to January 2019 and customers had to explicitly enable it.

Unified audit log, which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services is not enabled by default in Office 365 environments. Admins must enable the unified audit log in the Security and Compliance Center. 

Another issue is the syncing of passwords between Azure AD identities and on-premises AD identities, which could result in the Azure AD password for an admin account being overwritten with that for an on-premises account with the same username. Thus, an attacker could move laterally to the cloud. 

While Microsoft disabled the option to match certain administrator accounts as of October 2018, organizations might still have administrator account on which they performed matching prior to the change, and synced identities that may be have been compromised prior to migration, CISA says. 

Another issue is the existence of Exchange Online authentication protocols that lack support for modern authentication methods with MFA features, including Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). 

Older email clients that use such protocols do not support modern authentication, but are a business necessity for some organizations. Thus, with legacy protocols not disabled, email accounts remain exposed to the Internet with only the username and password as the primary authentication method. 

To mitigate the issue, an organization should inventory users who still require legacy email clients and legacy email protocols and use Azure AD Conditional Access policies to reduce the number of such users, thus effectively reducing the attack surface.  

Organizations recommend that admins implement multi-factor authentication, enable unified audit logging in the Security and Compliance Center and mailbox auditing for each user, ensure Azure AD password sync is planned for and configured correctly, and disable legacy email protocols, if not required.

Related: Office 365, Outlook Credentials Most Targeted by Phishing Kits

Related: Phishers Use Zero-Width Spaces to Bypass Office 365 Protections

Related: Hackers Bypass MFA on Cloud Accounts via IMAP Protocol

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...

Endpoint Security

Red Hat announced on Tuesday the general availability of a malware detection service for Red Hat Enterprise Linux (RHEL) systems.