Microsoft Office 365: Change these settings or risk getting hacked, warns US govt

Don't forget these configurations when moving to Office 365 in the cloud, says Department of Homeland Security's CISA.
Written by Liam Tung, Contributing Writer on

Cyberattackers aren't showing any sign of letting up on malware and phishing attacks, but fortunately there are some steps even thinly resourced organizations can take to minimize the chances of a security breach.  

Last week, Microsoft's security team recommended that employees with administrative access should use an always-up-to-date device that's dedicated to administrative tasks. It also urged organizations to move away from passwords and enforce multi-factor authentication (MFA) for users. 

This week, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has posted its advice for organizations using Microsoft Office 365 – particularly if they've relied on a third-party contractor to implement it for them when migrating from on-premises to the cloud.


CISA's advice is based on findings that many organizations it's engaged with since October 2018 have their "overall security posture" lowered by how third-party providers configure security settings when deploying Office 365 in the cloud. 

Moreover, many of these organizations lack a dedicated IT security team that focuses on security in the cloud. 

"These security oversights have led to user and mailbox compromises and vulnerabilities," CISA cautioned. 

The first vulnerability is that administrator accounts have not had multi-factor authentication (MFA) enabled from the get-go. This security feature is the best defense against phishing, but in Azure AD a global administrator needs to explicitly enable a 'Conditional Access' policy to enforce MFA.

The danger of not enabling MFA at the outset is that the administrator account could be used to compromise user accounts during the migration to Office 365 in the cloud.

"These accounts are exposed to internet access because they are based in the cloud. If not immediately secured, these cloud-based accounts could allow an attacker to maintain persistence as a customer migrates users to Office 365," CISA explains. 

Third-party implementers seem to have a tendency not to enable mailbox auditing for their customers. As CISA notes, until very recently O365 mailbox auditing was not enabled by default. 

The feature logs actions taken by mailbox owners, delegates, and administrators and provides information that could be valuable during a post-incident forensics investigation. Customers who bought Office 365 before 2019 had to explicitly enable mailbox auditing. 

Microsoft announced in December that Exchange mailbox auditing for Office 365 commercial users would be enabled by default due to customer demand. It was officially enabled in March this year. 

Microsoft has enabled it by default for Microsoft 365 organizations since January 2019. Before that, admins needed to manually enable auditing for every user mailbox in an organization, whereas now this happens when a new mailbox is created. 

However, CISA notes that Office 365 doesn't currently enable a unified audit log by default, which would provide logs or events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other Office 365 services. Admins must enable this in the Security and Compliance Center before queries can be run, CISA notes. 
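One way an administrator could check and correct the two logging settings described above, as an added example that is not part of the article or CISA's guidance. It uses Exchange Online PowerShell (the ExchangeOnlineManagement module) and assumes an Exchange admin role; the admin UPN is a placeholder.

```powershell
# Added example, not from the article or CISA. Requires:
#   Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Unified audit log: nothing can be queried until ingestion is on.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing. When the tenant-wide default is on (AuditDisabled = $false)
#    every mailbox is audited regardless of its own flag. Tenants set up before
#    the 2019 change may still have the default off, in which case each
#    mailbox's AuditEnabled flag is what counts, so fix those individually.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is not on by default for this tenant."
    $unaudited = Get-Mailbox -ResultSize Unlimited `
        -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        Where-Object { -not $_.AuditEnabled }
    foreach ($mbx in $unaudited) {
        Write-Output "Enabling mailbox auditing for $($mbx.UserPrincipalName)"
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
    }
}

# 3. Sanity check: pull a few recent Exchange events from the unified log.
#    Newly enabled logging can take hours before events start to appear.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```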

The third vulnerability is having password sync enabled. This is again a potential problem when migrating from an on-premises environment to Office 365, where Azure Active Directory (AD) in the cloud is matched with on-premises Active Directory identities.

"One of the authentication options for Azure AD is 'Password Sync'. If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs," CISA explains. 

Microsoft disabled on-premises-to-cloud AD matching for administrator accounts in October 2018. However, CISA notes that some organizations could have performed administrator account matching before that, allowing them to sync identities that were compromised prior to the migration.


Finally, CISA has a warning about some authentication protocols supported by Exchange Online that don't support MFA, which include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP).

CISA accepts that organizations may, out of business necessity, need to use older email clients that keep these protocols enabled. However, accounts that have these legacy protocols enabled are left exposed on the internet without the additional protection of MFA.

"Legacy protocols are used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level," CISA says. 

"However, should an organization require older email clients as a business necessity, these protocols will not be disabled. This leaves email accounts exposed to the internet with only the username and password as the primary authentication method." 
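An example of the tenant-level and user-level controls CISA refers to, added here and not taken from the article or CISA: it blocks basic authentication for POP3, IMAP and SMTP AUTH by default, carves out a reviewed exception for the mailboxes that still need an older client, and switches the protocols off for everyone else. It assumes Exchange Online PowerShell and an Exchange admin role; all names and addresses are placeholders.

```powershell
# Added example, not from the article or CISA. Requires ExchangeOnlineManagement.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Report first: which mailboxes still have the legacy protocols switched on?
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# Tenant level: an authentication policy created with no Allow* switches blocks
# basic auth for every protocol; make it the default for all users.
if (-not (Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Exception: a policy that permits basic auth for IMAP only, assigned to the
# specific users with a business need. Keep this list short and reviewed.
if (-not (Get-AuthenticationPolicy -Identity "Allow IMAP Only" -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name "Allow IMAP Only" -AllowBasicAuthImap | Out-Null
}
$exceptions = @("scanner-mailbox@contoso.example")   # placeholder exception list
foreach ($upn in $exceptions) {
    Set-User -Identity $upn -AuthenticationPolicy "Allow IMAP Only"
}

# User level: for everyone else, disable the protocols outright so a leaked
# password alone is not enough even if a policy is later misapplied.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $exceptions -notcontains $_.PrimarySmtpAddress.ToString() } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled $true
    }

Disconnect-ExchangeOnline -Confirm:$false
```

Authentication policy changes can take up to a day to apply to existing sessions; the per-mailbox protocol switches take effect sooner.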

CISA's final words on migrating from on-premises to the cloud are to use MFA, as it is the best option to protect against Office 365 credential theft; to enable unified audit logging; to enable mailbox auditing for all users; to configure Azure AD password sync correctly before migrating users; and to disable legacy email protocols, or limit their use to specific users as required.
