13 May 2019 Report from Department of Homeland Security Regarding Microsoft Office 365 Vulnerabilities
On May 13, 2019, a report on “Microsoft Office 365 Security Observations” was released by the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA). (See https://www.us-cert.gov/ncas/analysis-reports/AR19-133A.) The report found several configuration issues that lowered the security posture of organizations who recently moved to Office 365. It also provides recommendations to reduce the additional attack surfaces exposed by moving to the M365 Cloud. Customers who have deployed CoreView have largely avoided these issues.
CISA Says O365 Customers Should Beware of these Common Configuration Issues
Working with U.S. organizations who have recently deployed M365 since October 2018, CISA found the following common issues:
- Multi-factor authentication for administrator accounts not enabled
- Mailbox auditing not enabled
- Password synch enabled between non-identical on-premises Active Directory and Azure Active Directory accounts
- Legacy email protocols enabled (primarily POP3 and IMAP)
CoreView Addresses All These Issues With its CoreSuite for Microsoft Office 365 platform
CoreView works by collecting all available information from the Microsoft M365 platform, including audit logs, application-specific APIs such as Exchange Web Services, and all Azure Active Directory information. This data is stored in an Azure subscription in MongoDB; and action-enabled, which gives our customers very specific advantages for the configuration issues, above:
Item 1 – The data collection and administrative actions are proxied via our customer’s service account, which is securely stored in Azure Key Vault Service. CoreView Operators sign in with their Azure AD credentials, including MFA, and need no administrative access to the O365 Admin Center at all. We also have action-enabled reports which show the exact administrative access and whether the admin has MFA – alert on this configuration as well!
Item 2 – CoreView enables not just mailbox auditing in Exchange Online, but auditing for all the major M365 workloads, including Azure AD, PowerBI, SharePoint, OneDrive, etc. And CoreView data retention is for one year by default for all workloads. You might not want to go through the process yourself; the Microsoft configuration is complex.
Item 3 – The scenario is complex, but in general, enterprise customers who have on-premises AD should leverage Azure AD Sync and SAML token services such as ADFS or OKTA for single sign-on. Password sync was able to be spoofed until just recently. But, a critical hole still exists in most organization’s auditing, when a user creates documents, then leaves the organization, and their Azure AD account is eventually deleted. This changes the Access Control List on documents to the Azure AD Immutable ID – basically a SID, or serial number. There is no way to trace this information back to an actual user, unless you recorded the UPN + the ObjectGUID from AD + the SourceAnchor in Azure AD Synch over a long-enough period…..whew! Don’t worry – CoreView took care of that too. Remember, we have *everything* for a year or more. See a great article by Joe Palarchio here.
Item 4 – Disable legacy protocols like POP3 and IMAP4 for Exchange, if not in use. These are additional attack vectors that hackers against your Office 365 tenant. Many legacy clients that use POP3 and IMAP4 supported “plain” authentication, for example – and even anonymous logins. That is a much longer topic, but CoreView reports on how users are connecting to Exchange, and allows you to make administrative changes in bulk. Hint – You can also use this report for license optimization – more on that soon, too 🙂
CoreView is a MUST-HAVE for enterprises to secure the Microsoft Office 365 platform. CoreView’s ability to create action-enabled reports that span the retention requirements for compliance and security response is unique in the industry. Request a trial, go beyond SIEM tools, and see why Gartner created a new category for CoreView’s capabilities: “SaaS Management Platform“, or SMP.
Other resources referenced by CISA:
-  Azure AD baseline protection
-  Mailbox auditing enabled by default
-  Unified audit log
-  Soft matching administrator accounts
-  Block Office 365 Legacy Email Authentication Protocols
-  Microsoft security best practices for Office 365