Office 365 third-party risks and configuration guidance

Office 365 third-party risks

A new CISA report highlights risks organizations face when moving email to the cloud, along with the configuration weaknesses its analysts observed in the field.

More organizations are relying on third-party companies to help them move to cloud services such as Microsoft’s popular Office 365 (O365) email service.

The Cybersecurity and Infrastructure Security Agency (CISA) published an Analysis Report that highlights the third-party risks that can lead to configuration vulnerabilities.

The report is based on multiple engagements since October 2018 with customers who had used third-party partners to migrate email services to O365.

CISA also provided solid guidelines and recommendations to mitigate or prevent misconfigurations of O365.

According to CISA, organizations using third parties “had a mix of configurations that lowered their overall security posture.” Most of these organizations also lacked a dedicated IT cloud security team, which contributed to a lack of oversight and likely resulted in “mailbox compromises and vulnerabilities.”

O365 Vulnerability highlights

The four O365 vulnerability examples highlighted in the report are:

  • Multi-factor authentication (MFA) for administrator accounts not enabled by default
  • Mailbox auditing disabled
  • Password sync enabled
  • Legacy authentication protocols still enabled (these do not support modern authentication or MFA).

CISA recommends organizations enable MFA on admin and user accounts to help protect against credential theft; administrator accounts should be the first priority, since a compromised admin account exposes every mailbox in the tenant. Organizations should also enable unified audit logging in the Security & Compliance Center, as well as mailbox auditing for each user, so that mailbox access, rule changes and message deletions are recorded and can be investigated after a compromise.
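The following PowerShell is an added example, not code from the CISA report or from this article. It turns on the unified audit log if it is off, enables auditing on every user mailbox that still has it disabled, and then lists Global Administrator accounts with no MFA method registered. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds Exchange administrator and directory read permissions; the 180-day audit retention value is an assumption, not a CISA figure.

```powershell
# Added example (not from the CISA report or the article).
# Assumes: ExchangeOnlineManagement + Microsoft.Graph modules installed,
# operator has Exchange admin rights and the Graph scopes requested below.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Unified audit log (what the Security & Compliance Center searches).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing. Newer tenants have it on by default at the org level
#    (AuditDisabled = $false); older tenants may still need per-mailbox flags.
Write-Host "Org-level mailbox auditing disabled:" (Get-OrganizationConfig).AuditDisabled
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        # 180 days of retention is an assumed value; adjust to your policy.
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00"
    }

# 3. Global Administrators with no second factor registered.
#    Any registered method other than the password counts as MFA here.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    $upn = $member.AdditionalProperties.userPrincipalName
    if (-not $upn) { continue }   # skip groups / service principals holding the role
    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id |
        ForEach-Object { $_.AdditionalProperties.'@odata.type' }
    $hasMfa = [bool]($methods | Where-Object { $strongMethods -contains $_ })
    [pscustomobject]@{ Admin = $upn; MfaRegistered = $hasMfa }
}
```

Run the audit-log and mailbox steps first; the admin report at the end is the list to chase, and any account showing MfaRegistered = False should either get MFA enrolled or lose the Global Administrator role. Registration alone does not enforce MFA; a Conditional Access policy requiring MFA for administrators is still needed to make it mandatory.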

Also, organizations should make sure Azure AD Connect password synchronization (i.e., the on-premises account password hash overwrites the password in Azure AD) is properly planned and configured before migrating users to O365. Otherwise, a compromise of an on-premises AD account gives the attacker a valid cloud credential as soon as the next sync runs, allowing lateral movement from the local network into O365.

CISA also recommends that organizations disable legacy email protocols where they are not required, such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP) and authenticated Simple Mail Transfer Protocol (SMTP AUTH).

Legacy protocols authenticate with only a username and password and cannot enforce MFA, so a stolen or guessed password alone is enough to read a mailbox; they are also a common target for password-spraying. Organizations can use Azure AD Conditional Access policies to block legacy authentication for everyone except the small set of users who still need it, and then work to reduce that set to zero.
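As an added example (not from the CISA report or the article), the PowerShell below inventories mailboxes that still accept POP3, IMAP or SMTP AUTH, disables those protocols, and creates a report-only Conditional Access policy that blocks legacy authentication for all users except members of an exception group. The group name "Legacy-Auth-Exception" and the policy name are assumptions; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and the operator holds Exchange administrator and Conditional Access administrator rights.

```powershell
# Added example (not from the CISA report or the article).
# Assumes: ExchangeOnlineManagement + Microsoft.Graph modules, Exchange admin
# and Conditional Access admin rights, and an existing Azure AD group named
# "Legacy-Auth-Exception" (hypothetical name) for users who still need POP/IMAP/SMTP.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. Inventory: mailboxes with at least one legacy protocol still usable.
#    SmtpClientAuthenticationDisabled on a mailbox is $null when it inherits
#    the tenant-wide TransportConfig value, so resolve the effective setting.
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
$exposed = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $smtpDisabled = if ($null -eq $_.SmtpClientAuthenticationDisabled) {
        $orgSmtpAuthDisabled
    } else {
        $_.SmtpClientAuthenticationDisabled
    }
    $_.PopEnabled -or $_.ImapEnabled -or (-not $smtpDisabled)
}
$exposed | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 2. Remediate: POP3/IMAP off per mailbox, SMTP AUTH off tenant-wide.
#    Re-enable per mailbox only for accounts with a documented need.
$exposed | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# New mailboxes inherit the mailbox plan, so turn the protocols off there too.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 3. Conditional Access: block legacy authentication clients.
#    clientAppTypes "other" = basic-auth clients (POP/IMAP/SMTP/older Office),
#    "exchangeActiveSync" = EAS. Start in report-only mode and switch
#    state to "enabled" after reviewing the sign-in logs for false positives.
$exceptionGroup = Get-MgGroup -Filter "displayName eq 'Legacy-Auth-Exception'"
$policy = @{
    displayName   = "Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($exceptionGroup.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The inventory step is worth running on its own first: shared mailboxes, scanners and line-of-business scripts that submit mail over SMTP AUTH will show up here, and those are the accounts that belong in the exception group (or, better, migrated to OAuth-capable clients) before the policy is switched from report-only to enforced.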

In summary, these guidelines can greatly help organizations reduce the attack surface of their O365 services and better protect sensitive data stored in the cloud.