In our blog last week, we highlighted the growing popularity of the Office 365 platform and then outlined the top five attack vectors against the service. Hopefully that’s made you aware of the main ways in which attackers look to exploit Office 365 accounts.
Today, we go a step further to explore in depth another key reason Office 365 accounts get hacked. Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) highlighted several misconfigurations in Office 365 implementations that directly impact the security posture of organisations that adopted O365 as their default email provider. These misconfigurations weaken security posture because they result in the disabling of mailbox auditing, unified audit logs and multi-factor authentication on admin accounts, and in the enabling of password syncing.
So, let’s now take a look at some examples of configuration vulnerabilities:
Multi-factor authentication for administrator accounts not enabled by default
Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts. This can lead to a scenario wherein a persistent attacker, who has gained access to a user account on the cloud environment, can successfully execute phishing, password spraying, ransomware or other attacks.
Mailbox auditing disabled
O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. This service had not been enabled by Microsoft Office 365 prior to January 2019. This means that customers who procured O365 prior to this date have to explicitly enable auditing of the mailbox. Additionally, the unified audit log – which contains events from O365 services such as Exchange Online, OneDrive, Azure AD and SharePoint Online – is disabled by default. The result is that unless this setting is changed, organisations have no logs available to investigate should a security incident occur.
Password sync enabled: Azure Active Directory
Microsoft Azure Active Directory (AD) has an option for “Password Sync”. If this is enabled, the existing on-premises password overwrites the password in Azure AD. So, if the on-premises password is compromised, the attacker will be able to move laterally within the environment once the sync occurs.
As of October 2018, Microsoft disabled the capability to match administrative accounts. However, admin accounts created prior to this are still vulnerable. Also, regular accounts are not protected by this feature which means they are also vulnerable once syncing takes place.
Authentication unsupported by legacy protocols
Azure AD is the authentication method that is used by Office 365 to authenticate with Exchange Online (EO) for email services. A number of authentication protocols used by EO do not support modern authentication methods such as MFA. These include POP3, IMAP and SMTP, legacy protocols that are used with older email clients that do not support modern authentication.
Luckily, there are a number of actions you can take to keep your organization protected when migrating to O365. These include:
- Use multi-factor authentication as this is the best mitigation technique to use to protect against credential theft for O365 users.
- Enable unified audit logging in the Security and Compliance Centre.
- Enable mailbox auditing for each user.
- Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
- Disable legacy email protocols, if not required, or limit their use to specific users.
In addition to these steps, we would recommend implementing the following measures as expertly advised by Microsoft’s John Lambert:
- Implement a process for detection and approval of new Azure apps.
- Regularly review Forwarding Rules enabled across all mailboxes, and implement company-wide policy addressing Auto-Forwarding of emails.
- Identify and disable ‘Open’ mailboxes (Default: Allow Anyone), and implement “No Access by Default” on new mailboxes.
- Monitor access to Azure/Exchange/O365 Administrative Users/Interfaces.
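A read-only audit of the items above that are visible through Exchange Online PowerShell (audit logging, mailbox auditing, legacy protocols and forwarding), as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and the signed-in account may run these Get-* cmdlets; the variable names are illustrative.

```powershell
# Added example (not from the original post): read-only checks, no settings are changed.
# Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in, works with MFA

# Unified audit log ingestion: should be True.
$unifiedAudit = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# Organisation-wide mailbox auditing: AuditDisabled should be False.
$orgAuditDisabled = (Get-OrganizationConfig).AuditDisabled

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailboxes where per-mailbox auditing is not enabled.
$noAudit = @($mailboxes | Where-Object { -not $_.AuditEnabled })

# Mailboxes that still accept POP3 or IMAP connections.
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled })

# Authenticated SMTP submission at organisation level: True means it is disabled.
$smtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Mailbox-level forwarding configured on the mailbox itself.
$forwarding = @($mailboxes | Where-Object {
    $_.ForwardingSmtpAddress -or $_.ForwardingAddress })

# Inbox rules that forward or redirect mail (slow on large tenants).
$fwdRules = @(foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, Name, ForwardTo, RedirectTo
})

[pscustomobject]@{
    UnifiedAuditLogEnabled   = $unifiedAudit
    OrgMailboxAuditDisabled  = $orgAuditDisabled
    MailboxesWithoutAuditing = $noAudit.Count
    MailboxesWithPopOrImap   = $legacy.Count
    SmtpClientAuthDisabled   = $smtpAuthDisabled
    MailboxesForwarding      = $forwarding.Count
    InboxRulesForwarding     = $fwdRules.Count
} | Format-List

$fwdRules | Format-Table -AutoSize          # review each rule against forwarding policy
Disconnect-ExchangeOnline -Confirm:$false
```

MFA status for Global Administrators and Azure AD password sync settings are not exposed by these Exchange cmdlets and need to be reviewed separately in Azure AD.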
By taking note of the common Microsoft Office 365 misconfigurations, and following the ways to remedy them outlined above, you’ll be able to ensure that your organization stands to gain all the benefits this leading cloud-based email platform has to offer – without the security risks!
 “Office 365 Attacks”, prepared by @JohnLaTw (John Lambert), PPTX dated 5th May 2019