The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a set of guidelines and best practices to help organizations migrate to Microsoft Office 365 and avoid introducing vulnerabilities that could make it easier for cybercriminals to conduct attacks and gain access to Office 365 accounts.
There has been a major increase in the number of organizations that have transitioned to cloud-based infrastructure for their email services in recent years, with Office 365 the number one choice. Many companies choose to use third-party service providers to manage those migrations.
CISA has warned organizations and third-party service providers that they need to be aware of the risks that can accompany the migration of email services to the cloud and advised them to perform checks to make sure that the cloud services have not been misconfigured. CISA analyzed many Office 365 installations and found a range of misconfigurations that reduced the organization’s security posture.
In many cases, organizations did not have a dedicated IT security team that was focused on cloud security and these misconfigurations have not been identified. As a result of the misconfigurations, there have been user and mailbox compromises and vulnerabilities have been introduced which could easily be exploited by threat actors.
The most common vulnerabilities that were introduced related to the failure to implement MFA, enable mailbox auditing and log creation, password sync enabling, and the use of legacy protocols that do not support MFA.
One of the biggest vulnerabilities is the failure to implement multi-factor authentication on administrator accounts, which are not enabled by default. CISA notes that Azure Active Directory (AD) Global Administrators have the highest level of privileges at the tenant level, yet MFA was is often not enabled on those accounts. Since these accounts are based in the cloud, they are exposed to Internet access. The failure to secure these accounts could give an attacker persistence as users are migrated to Office 365.
Prior to January 2019, Microsoft did not enable mailbox auditing by default. Without mailbox auditing enabled, logs are not created detailing the actions that mailbox owners, delegates, and admins perform. Customers who implemented O365 prior to January 2019 need to explicitly enable mailbox auditing for each user and enable unified audit logging in the Security and Compliance Center. Email archiving is recommended.
Prior to migrating users to Office 365, organizations should ensure that Azure AD password sync is configured correctly. Misconfiguration could allow an attacker who has compromised an on-premises Azure AD identity prior to migration to move laterally to the cloud.
Azure AD is used by O365 to authenticate with Exchange Online, which provides email services. Several legacy protocols do not support modern authentication methods with MFA features, such as POP3, IMAP, and SMTP. If older email clients are required for business purposes, they will only be secured with a username and password which can leave them vulnerable to phishing attacks. Legacy email protocols should be disabled if they are not required and their use should be limited, where possible, to specific users.
In addition to ensuring that the above vulnerabilities have been corrected, Office 365 users should follow the best practices provided by Microsoft for implementing security capabilities to protect Office 365 environments and reduce the potential for account compromises.