Have you recently migrated to Microsoft Office 365 for your company email services? US-CERT and CISA recently released Analysis Report (AR19-133A) Microsoft Office 365 Security Observations that described several security flaws or weaknesses inherent in the default deployment of O365.
Here are the findings of that report. The good news is that these are shortcomings with the default, out-of-box experience. These issues can be corrected through configuration. For more detail, please refer to the original report.
- Administrator accounts do not have multi-factor authentication enabled by default. If the admin account password is compromised, the entire email operation is open to attack or exploit.
- Mailbox auditing is disabled by default.
- Azure Active Directory password sync is enabled by default.
- Azure AD does not support multi-factor authentication.
One of the common exploits being waged against Office365 accounts are account hijacking, also known as business email compromise attacks. Under this scenario, and attacker uses email addresses and passwords purchased from a Dark Web list broker, or acquired through the use of phishing emails and other credential stealing exploits.
Once the email account is under the control of a cyber-criminal, it can be used as a reconnaissance tool. Not just your incoming and outgoing emails are crutinized, but your contact list, calendar, and other corporate tools such as your Sharepoint site can be accessed. From there it is a short trip to compromising other email accounts, or accessing shared resources on a server.
The solutions recommended by US-CERT are:
- Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
- Enable unified audit logging in the Security and Compliance Center.
- Enable mailbox auditing for each user.
- Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
- Disable legacy email protocols, if not required, or limit their use to specific users.
Other cybersecurity practices that can help include:
- Monitor inbox rules and look for suspicious logins. Logins from distant or unfamiliar IP addresses is one way to know that an email account has been compromised. This can lead to unusual forwarding rules designed to sent mail to the attacker, even after the password is changed.
- Train employees to recognize phishing attacks and other unusual inbox activity and report it to IT or management.
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com