Advisory Overview
The United States Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing security risks in Office 365 deployments and ways to mitigate them. CISA notes that these risks are amplified by the rapid move to work-from-home. Its recommendations include multi-factor authentication (MFA), role-based access control, alerting, security monitoring, and disabling legacy authentication protocols. A link to the full alert is included in the recommendations section below.
Technical detail and additional information
What is the threat?
With the rapid and often messy transition of workforces into teleworking environments, security configurations are bound to be overlooked. To address at least part of this, the United States Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing configuration settings in Microsoft Office 365 that improve an organization's security posture. The alert is largely a retread of a similar alert from May 2019; however, current circumstances make its recommendations more relevant than ever, and CISA has added several new mitigations aimed at weaknesses introduced by misconfiguration.
Why is this noteworthy?
While the original version of this alert was released in May 2019, it is significantly more relevant now than it was at that time. Weaknesses caused by misconfiguration or by skipped security practices are a very real consequence of the hasty deployment of teleworking applications. Many organizations have valid operational concerns stemming from this crisis, but security best practices are in danger of being overlooked because of time constraints or gaps in the knowledge of the people configuring the systems. Office 365 in particular has many settings that can be configured to improve your security posture, and many of them are relatively easy to change. The CISA alert covers such mitigations, namely enabling multi-factor authentication (MFA) for both administrators and users, proper role-based access control, enabling alerts for suspicious activity, enabling audit logging, disabling legacy authentication protocols, and more.
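As an added example (this is not code from the SKOUT advisory or from the CISA alert itself), the following PowerShell script checks a tenant against four of the recommendations named above: MFA on Global Administrator accounts, unified audit logging, mailbox auditing, and legacy (basic) authentication. It only reports findings unless run with `-Remediate`. Assumptions: the MSOnline and ExchangeOnlineManagement modules are installed, the operator's account has rights to read (and, with `-Remediate`, change) these settings, the tenant enforces MFA per user rather than through Conditional Access, and the policy name "Block Basic Auth" is a placeholder.

```powershell
# Added example: read-only audit of an Office 365 tenant against CISA's
# MFA, audit-logging and legacy-authentication recommendations.
# Assumes the MSOnline and ExchangeOnlineManagement modules are installed.
# Usage:  .\Audit-O365.ps1            (report only)
#         .\Audit-O365.ps1 -Remediate (also apply the fixes)
param(
    [switch]$Remediate
)

Connect-MsolService        # Azure AD (MSOnline), interactive sign-in
Connect-ExchangeOnline     # Exchange Online V2 module, interactive sign-in

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Global Administrators without per-user MFA enforced.
#    NOTE: MFA enforced by Conditional Access does not appear in
#    StrongAuthenticationRequirements; verify those policies separately.
$gaRole = Get-MsolRole -RoleName "Company Administrator"   # MSOnline name for Global Administrator
$admins = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }
foreach ($a in $admins) {
    $u = Get-MsolUser -ObjectId $a.ObjectId
    if (-not $u.StrongAuthenticationRequirements -or $u.StrongAuthenticationRequirements.Count -eq 0) {
        $findings.Add("Global admin without per-user MFA: $($u.UserPrincipalName)")
    }
}
if (@($admins).Count -gt 5) {
    $findings.Add("$(@($admins).Count) Global Administrators; keep this role to a minimum")
}

# 2. Unified audit log ingestion (needed for Security & Compliance alerts and search).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is disabled")
    if ($Remediate) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 3. Mailbox auditing at the organization level.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    $findings.Add("Mailbox auditing is disabled at the organization level")
    if ($Remediate) { Set-OrganizationConfig -AuditDisabled $false }
}

# 4a. Legacy protocols still enabled on individual mailboxes.
#     SmtpClientAuthenticationDisabled is $null when the mailbox inherits the
#     org setting, so only an explicit $false is reported per mailbox.
$legacy = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
}
foreach ($m in $legacy) {
    $findings.Add("Legacy protocol enabled for $($m.PrimarySmtpAddress): POP=$($m.PopEnabled) IMAP=$($m.ImapEnabled)")
    if ($Remediate) {
        Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled $true
    }
}

# 4b. Tenant-wide SMTP AUTH and a default authentication policy blocking basic auth.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    $findings.Add("SMTP AUTH is enabled tenant-wide")
    if ($Remediate) { Set-TransportConfig -SmtpClientAuthenticationDisabled $true }
}
if (-not $orgCfg.DefaultAuthenticationPolicy) {
    $findings.Add("No default authentication policy: basic authentication is not blocked tenant-wide")
    if ($Remediate) {
        $policyName = "Block Basic Auth"   # placeholder name
        # A policy created with no Allow* switches blocks basic auth for every protocol.
        if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
            New-AuthenticationPolicy -Name $policyName | Out-Null
        }
        Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
    }
}

if ($findings.Count -eq 0) { "No findings against the checked CISA recommendations." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without `-Remediate` first and review the findings; disabling POP, IMAP and SMTP AUTH will break any scanner, multifunction printer or line-of-business application that still authenticates with a password, so inventory those before applying the change.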
What is the exposure or risk?
The likelihood of an Office 365 account being compromised is high: every account is reachable from the internet, and one protected only by a password is exposed to phishing and password guessing. There are many paths an attacker can take after compromising an account, and most begin with an attempt to move laterally and compromise other users who may hold higher privilege. An attacker who can impersonate the compromised user and send what appears to be trusted communication to other users within the organization can spread and escalate privilege. They can also simply read privileged information in messages the account has sent or received, or impersonate the user to obtain more. Beyond the internal threat, a compromised account is also a threat to any organization or individual it is regularly in contact with: the attacker may impersonate the user to initiate fraudulent transactions, change payment details, or request information that would normally be confidential. The impact of a compromise can therefore reach far beyond your own walls.
What are the recommendations?
The many mitigation practices that CISA recommends are detailed in the alert that they have released, which can be found below:
SKOUT also offers Office 365 Security Monitoring and Email Protection to help further mitigate these risks.
References:
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.