Organizations have been rapidly adopting cloud technologies and implementing organizational cloud strategies. Increasingly, these organizations are using third-party services to migrate their email services to Office 365 and other cloud services. Unfortunately, many companies that utilized a third-party for their cloud migration find themselves with configurations that reduced their security posture.
If you’ve moved to Office 365, make sure these settings are configured for security:
The Cybersecurity and Infrastructure Security Agency (CISA) has identified the configurations that leave O365 users vulnerable. Don’t let these easily fixable security oversights result in mailbox compromise for your users.
Enable mailbox auditing
O365 mailbox auditing logs activities performed by mailbox owners, delegates, and administrators. Before January 2019, Microsoft had not enabled auditing by default . If you purchased O365 before this date, you have to explicitly enable mailbox auditing.
Enable unified audit logs
At present, Office 365 does not enable unified audit logs by default. A unified audit log maintains activities from Exchange Online, SharePoint Online, OneDrive, Azure Active Directory, Microsoft Teams, and more. To allow queries to run, your administrator must enable unified audit logs in the Security and Compliance Center.
Enable Multi-factor Authentication (a must for administrators)
Azure Active Directory (AD) Global Administrators have the highest level of privileges in your O365 environment. These are the first accounts that get created so that administrators can start configuring their tenant and migrate users. By default, multi-factor authentication is disabled on these accounts. It is critical to secure these accounts with MFA. These accounts are exposed to the internet — because they are based in the cloud — and if not immediately secured, could allow an attacker to maintain presence during the migration
In some scenarios, it’s possible for an attacker who has gained on-premise admin access to move laterally to the O365 admin portal by creating an on-premise account that matches the O365 admin account name and performing a password sync. This would overwrite the password that exists in O365 with the one from the on-premise account, thus allowing the attacker to take control of the O365 tenant.
With end of life (EOL)/O365, modern authentication methods allow logins with MFA to complete as they should, however, legacy login methods will not support MFA and allow the user to bypass it altogether. The issue is that these protocols are still widely used, so business need to mitigate the use with Conditional Access policies, which limits who has use of those protocols. This should ideally be restricted to specific users or service accounts requiring those protocols.
You’ve invested time and money in your O365 migration, invest a few minutes to make sure your Office 365 configuration is secure. If you would like more information on vulnerability management, reach out to us and one of experts will get back to you.