Have you recently migrated to Microsoft Office 365 for your company email services? US-CERT and CISA recently released Analysis Report AR19-133A, "Microsoft Office 365 Security Observations", which describes several security weaknesses inherent in the default deployment of O365.
Here are the findings of that report. The good news is that these are shortcomings with the default, out-of-box experience. These issues can be corrected through configuration. For more detail, please refer to the original report.
- Administrator accounts do not have multi-factor authentication enabled by default. If the admin account password is compromised, the entire email operation is open to attack or exploit.
- Mailbox auditing is disabled by default.
- Azure Active Directory password sync is enabled by default.
- Azure AD does not support multi-factor authentication.
One of the common attacks waged against Office 365 accounts is account hijacking, also known as business email compromise. In this scenario, an attacker uses email addresses and passwords purchased from a Dark Web list broker, or acquired through phishing emails and other credential-stealing techniques.
Once the email account is under the control of a cyber-criminal, it can be used as a reconnaissance tool. Not only are your incoming and outgoing emails scrutinized, but your contact list, calendar, and other corporate tools such as your SharePoint site can be accessed. From there it is a short trip to compromising other email accounts or accessing shared resources on a server.
The solutions recommended by US-CERT are:
- Use multi-factor authentication. This is the best mitigation available to protect O365 users against credential theft.
- Enable unified audit logging in the Security and Compliance Center.
- Enable mailbox auditing for each user.
- Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
- Disable legacy email protocols, if not required, or limit their use to specific users.
Other cybersecurity practices that can help include:
- Monitor inbox rules and look for suspicious logins. Logins from distant or unfamiliar IP addresses are one way to know that an email account has been compromised. A compromised account often carries unusual forwarding rules designed to send mail to the attacker, and those rules keep working even after the password is changed.
- Train employees to recognize phishing attacks and other unusual inbox activity and report it to IT or management.
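As an added example (not from the CISA report or this post), the Exchange Online PowerShell steps that implement the auditing, legacy-protocol and inbox-rule items above; the administrator account name and the seven-day lookback are placeholders, and the ExchangeOnlineManagement module must be installed.

```powershell
# Added example, not part of the CISA report. Requires the ExchangeOnlineManagement
# module and an account with Exchange administrator rights.
# "auditor@example.com" and the 7-day window are placeholder values.
Connect-ExchangeOnline -UserPrincipalName auditor@example.com

# 1. Unified audit logging (Security & Compliance Center) plus per-mailbox auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true

# 2. Disable legacy protocols that cannot enforce MFA (POP3, IMAP, SMTP AUTH) for all users.
#    Re-enable per mailbox only where a documented business need exists.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# 3. Hunt for inbox rules that forward, redirect or silently delete mail: the
#    persistence mechanism described above, which survives a password reset.
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspicious | Format-Table -AutoSize

# 4. Who created or changed inbox rules recently, and from which client IP.
#    Only returns data once the unified audit log from step 1 is populated.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $d.CreationTime
            User      = $d.UserId
            ClientIP  = $d.ClientIP
            Operation = $d.Operation
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Review the rules and client IPs from steps 3 and 4 against what each user actually set up; a forwarding rule to an external address that the user does not recognise is the signal to reset credentials, remove the rule and revoke active sessions.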