DHS Highlights Common Security Oversights by Office 365 Customers

As organizations migrate to Microsoft Office 365 and other cloud services, many fail to apply configurations that follow good security practices, the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns.


Improperly configured cloud services create risks and vulnerabilities. CISA found that the root cause was often the use of third-party firms to carry out the migration, which resulted in a mix of configurations that lowered the organizations' security posture.


In addition, CISA says, most of the organizations that used a third party did not have a dedicated IT security team focused on their security in the cloud. Combined, these oversights have led to user and mailbox compromises and vulnerabilities.


According to CISA, customers who used third parties to migrate email services to Office 365 did not have multi-factor authentication enabled by default for administrator accounts, had mailbox auditing disabled and password sync enabled, and allowed the use of legacy email protocols such as POP3, IMAP and SMTP, which do not support modern authentication and therefore cannot be protected by MFA.


Although Azure Active Directory (AD) Global Administrators have the highest level of administrator privileges at the tenant level in an Office 365 environment, multi-factor authentication (MFA) is not enabled by default for these accounts, CISA points out.


A baseline policy is available to require MFA for these accounts, but it has to be explicitly enabled. Because the accounts live in the cloud they are reachable from the Internet, and failing to secure them could allow an attacker to maintain persistence as a customer migrates users to O365.
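A practitioner would verify the four settings CISA calls out rather than take them on faith. The following PowerShell script is an added example, not code from the CISA alert, from this article or from Microsoft. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that the caller holds Global Administrator; the policy name 'Block Legacy Auth' is a placeholder. It audits by default and only changes Exchange Online settings when run with -Remediate; the MFA and directory-sync findings are report-only, since enabling MFA or moving administrators to cloud-only accounts is a decision rather than a toggle.

```powershell
<#
  Added example, not code from the CISA alert, the article or Microsoft.
  Audits an Office 365 tenant for the misconfigurations CISA lists (admin MFA,
  mailbox auditing, synced admin accounts, legacy protocols) and, with -Remediate,
  fixes the Exchange Online settings. Assumes the MSOnline and
  ExchangeOnlineManagement modules and a Global Administrator session.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$LegacyAuthPolicyName = 'Block Legacy Auth'   # hypothetical name, choose your own
)

Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

# 1. Global Administrators without MFA. MSOnline names the role "Company Administrator".
#    Caveat: StrongAuthenticationRequirements reflects per-user MFA only. MFA required
#    through Conditional Access (the baseline policy CISA refers to) is not visible here,
#    so an empty list is necessary but not sufficient.
$gaRole = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }

$noMfa = @($admins | Where-Object {
    $_.StrongAuthenticationRequirements.State -notin @('Enabled', 'Enforced')
})
Write-Host "Global Administrators without per-user MFA: $($noMfa.Count)"
$noMfa | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

# 2. Global Administrators synchronized from on-premises AD. A synced account carries an
#    ImmutableId; with password sync, compromising the on-premises identity also yields
#    the cloud admin. Keeping privileged roles on cloud-only accounts avoids that path.
$synced = @($admins | Where-Object { $_.ImmutableId })
Write-Host "Global Administrators synced from on-premises AD: $($synced.Count)"
$synced | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

# 3. Mailbox auditing: the tenant-wide default (AuditDisabled switches off the on-by-default
#    behaviour) and the per-mailbox AuditEnabled flag.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Tenant-wide mailbox auditing default is disabled'
    if ($Remediate) { Set-OrganizationConfig -AuditDisabled $false }
}
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled })
Write-Host "Mailboxes with AuditEnabled = false: $($unaudited.Count)"
if ($Remediate) { $unaudited | Set-Mailbox -AuditEnabled $true }

# 4. Legacy protocols. POP3 and IMAP only speak basic authentication, which MFA cannot
#    protect, so a phished password alone reads the mailbox. Disable them per mailbox, then
#    block basic authentication tenant-wide: a new authentication policy denies basic auth
#    for every protocol unless one of its AllowBasicAuth* switches is set.
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled })
Write-Host "Mailboxes with POP3 or IMAP enabled: $($legacy.Count)"
if ($Remediate) { $legacy | Set-CASMailbox -PopEnabled $false -ImapEnabled $false }

if (-not (Get-AuthenticationPolicy -Identity $LegacyAuthPolicyName -ErrorAction SilentlyContinue)) {
    Write-Warning "No authentication policy '$LegacyAuthPolicyName' blocking basic auth"
    if ($Remediate) {
        New-AuthenticationPolicy -Name $LegacyAuthPolicyName | Out-Null
        Set-OrganizationConfig -DefaultAuthenticationPolicy $LegacyAuthPolicyName
    }
}
elseif (-not $org.DefaultAuthenticationPolicy) {
    Write-Warning "'$LegacyAuthPolicyName' exists but no default authentication policy is set"
    if ($Remediate) { Set-OrganizationConfig -DefaultAuthenticationPolicy $LegacyAuthPolicyName }
}
```

Run it once without -Remediate to see the findings, review the lists of administrators by hand, and only then run it again with -Remediate. Two caveats: per-user MFA state is the only thing MSOnline can report, so confirm Conditional Access separately before trusting an empty first list, and the MSOnline module has since been superseded by Microsoft Graph PowerShell, so the role and user lookups will need porting in tenants where it is no longer available.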


Mailbox auditing, which logs the actions of mailbox owners, delegates, and administrators, was not enabled by default in Office 365 prior to January 2019 and customers had to explicitly enabl ..