A new analysis report by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) highlights a number of the prevalent risks and vulnerabilities related to switching from on-premises to cloud-based mail services like Microsoft Office 365. The report gives best practices for managing those risks and avoiding user and mailbox problems.
A lot of healthcare companies now understand the advantages of using cloud-based email services; however, they do not have the in-house expertise to deal with the migrations. Many used third-party service providers to move their email services to Office 365. CISA remarks that the use of third parties to handle Office 365 migrations has coincided with an increase in security incidents.
In the last 6 months, CISA talked with customers who used third-party service providers for their migrations and uncovered different Office 365 configurations that weakened the organization’s security settings, making them more prone to phishing and other cyberattacks.
CISA says that most of those companies have no dedicated IT security team focused on cloud security. Consequently, vulnerabilities went undetected. In certain instances, the organization encountered mailbox compromises due to the risks and vulnerabilities created during Office 365 migrations.
Based on the AR19-133A analysis report, the most common vulnerabilities identified could easily cause data breaches. These include:
- Not implementing multifactor authentication for Azure Active Directory (AD) Global Administrators – Although these accounts have the maximum level of privileges at the tenant level, MFA is not enabled on them by default.
- No mailbox auditing – No mailbox auditing means there is no log of actions done by mailbox owners, administrators and delegates. This will impede investigations of mailbox activity and probable data breaches. Clients who used Office 365 before 2019 must enable mailbox auditing.
- Permitted password syncing – This setting allows the password in Azure AD to be overwritten by the password from on-premises AD. This means that if a mailbox was compromised before migration to Office 365 and a sync occurs, an attacker can move laterally into the cloud.
- Authentication not supported by legacy protocols – Office 365 employs Azure AD for authentication with Exchange Online; however, a number of protocols (e.g. POP3, SMTP and IMAP) used to authenticate with Exchange Online are not compatible with modern authentication mechanisms like MFA. Without MFA, accounts are protected only by a password, which greatly increases their exposure to attacks.
CISA recommends a number of best practices that would make sure migrating to Office 365 doesn’t reduce an organization’s security.
- Employ multi-factor authentication to protect against credential theft through phishing attacks
- Configure audit logging in the Security and Compliance Center
- Activate mailbox auditing for each user
- Ensure Azure AD is correctly configured before migrating to Office 365
- Disable legacy email protocols or limit to specified users
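The following PowerShell script is an added example, not part of the CISA report, that checks a tenant for three of the misconfigurations listed above (Global Administrators without per-user MFA, mailboxes with auditing off, and mailboxes still accepting POP3/IMAP) and stages the corresponding fixes from the recommendations. It assumes an existing Exchange Online session (Connect-ExchangeOnline) and MSOnline session (Connect-MsolService); the remediation lines carry -WhatIf so nothing changes until it is removed.

```powershell
# Added audit script (assumption: Exchange Online and MSOnline sessions are already open).

# 1. Global Administrators without per-user MFA.
#    "Company Administrator" is the MSOnline name for the Global Administrator role.
#    Caveat: StrongAuthenticationRequirements only reflects per-user MFA; MFA enforced
#    through Conditional Access policies will not show up here.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$gaWithoutMfa = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
Write-Host "Global Administrators without per-user MFA:"
$gaWithoutMfa | Select-Object UserPrincipalName, DisplayName

# 2. Whether on-premises password hash sync is enabled (the setting CISA flags
#    because a pre-migration on-premises compromise then follows the user into the cloud).
$company = Get-MsolCompanyInformation
Write-Host "Directory sync enabled: $($company.DirectorySynchronizationEnabled)"
Write-Host "Password sync enabled:  $($company.PasswordSynchronizationEnabled)"

# 3. Mailboxes with auditing switched off (common for tenants created before 2019).
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
Write-Host "Mailboxes without auditing: $($unaudited.Count)"
$unaudited | Select-Object UserPrincipalName
# Enable auditing per mailbox and make sure it is not disabled tenant-wide.
$unaudited | Set-Mailbox -AuditEnabled $true -WhatIf
Set-OrganizationConfig -AuditDisabled $false -WhatIf

# 4. Mailboxes that still accept the legacy POP3/IMAP protocols, which cannot
#    carry MFA; disable them unless a user has a documented need.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
Write-Host "Mailboxes with POP3/IMAP enabled: $($legacy.Count)"
$legacy | Select-Object Identity, PopEnabled, ImapEnabled
$legacy | Set-CASMailbox -PopEnabled $false -ImapEnabled $false -WhatIf
```

Audit logging in the Security and Compliance Center (the second recommendation) is a tenant-level switch that is enabled separately, so it is not covered by this script.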