The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security has released security guidance for organizations that may have rushed Office 365 deployments to support remote work during the coronavirus pandemic.
CISA reports that it continues to see organizations not following security best practices when operating Office 365. It is concerned that rushed deployments can leave significant security oversights that attackers could exploit.
“In recent weeks, organizations have been forced to change their collaboration methods to support a full ‘work from home’ workforce,” CISA notes in the new alert.
“O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.”
The new CISA advice is similar to an alert it issued last year after contractors deployed O365 with weak security settings. The document includes links to related Microsoft best-practice documents on securing Azure AD and Office 365 authentication.
First, organizations need to enable Azure Active Directory (AD) multi-factor authentication (MFA) for Global Administrator accounts in Office 365.
This account is used to create additional accounts and holds the highest privileges in the tenant, equivalent to a domain administrator in an on-premises AD environment. MFA is not enabled for this account by default, so administrators must turn it on themselves.
CISA notes that Microsoft's security defaults, launched in January, help organizations protect their accounts to the same level at which Microsoft protects its own user accounts against threats such as password spraying and phishing.
The feature lets administrators enforce MFA. Earlier this year Microsoft reported that 99.9% of compromised accounts did not use MFA and that only 11% of businesses had enabled it.
“If not immediately secured, an attacker can compromise these cloud-based [admin] accounts and maintain persistence as a customer migrates users to O365,” CISA warned.
CISA says the Global Administrator account should be used only when it is “completely necessary”, and that administrative functions should be delegated using role-based access control.
“Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning of overly permissive privileges to legitimate administrators. Practicing the principle of ‘least privilege’ can greatly reduce the impact if an administrator account is compromised,” CISA notes.
CISA recommends that admins enable the Centralized Audit Log in the Security and Compliance Center to support incident investigations. Events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and Office 365 are included in the audit log.
The agency also recommends that MFA be required for all users, even those without elevated privileges. Admins should also disable legacy protocols such as Post Office Protocol (POP3), IMAP, and Simple Mail Transfer Protocol (SMTP), which do not support MFA.
However, CISA acknowledges that these protocols cannot be disabled if an older email client requires them. In that case it advises organizations to keep an inventory of such users and to limit access to these protocols to only those who need an older email application.
“Taking this step will greatly reduce an organization’s attack surface,” CISA says.
Finally, CISA suggests that the Microsoft Secure Score tool be used to measure an organization's Office 365 security posture, and that the Centralized Audit Log be integrated with a SIEM tool.
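As an added illustration, not part of the CISA alert or of Microsoft's documentation, the following report-only PowerShell script checks the three settings the alert calls out: Global Administrators without per-user MFA, mailboxes that still accept POP3, IMAP or SMTP AUTH, and whether audit log ingestion is enabled. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that the signed-in account can read directory roles and Exchange Online configuration.

```powershell
# Added example: report-only audit of the O365 settings the CISA alert calls out.
# Assumes the MSOnline and ExchangeOnlineManagement modules are installed.
Import-Module MSOnline
Import-Module ExchangeOnlineManagement
Connect-MsolService
Connect-ExchangeOnline

# 1. Global Administrators without per-user MFA enforced.
# Caveat: StrongAuthenticationRequirements reflects per-user MFA only. Admins covered by
# Conditional Access or security defaults show as empty here and need a separate check.
$gaRole = Get-MsolRole -RoleName "Company Administrator"   # MSOnline name for Global Administrator
$admins = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }
foreach ($admin in $admins) {
    $user  = Get-MsolUser -UserPrincipalName $admin.EmailAddress
    $state = $user.StrongAuthenticationRequirements.State   # "Enabled", "Enforced" or empty
    if (-not $state) {
        Write-Warning "Global Admin without per-user MFA: $($user.UserPrincipalName)"
    }
}

# 2. Mailboxes that still accept legacy protocols, which cannot enforce MFA.
# A mailbox SMTP AUTH value of $null means "inherit the org-wide setting", so resolve it.
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $smtpDisabled = if ($null -eq $_.SmtpClientAuthenticationDisabled) { $orgSmtpAuthDisabled }
                        else { $_.SmtpClientAuthenticationDisabled }
        $_.PopEnabled -or $_.ImapEnabled -or (-not $smtpDisabled)
    } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize
# Per the alert, keep this list to the users who genuinely need an older client. For any
# other mailbox the remediation (not run here) is:
#   Set-CASMailbox -Identity user@example.com -PopEnabled $false -ImapEnabled $false `
#       -SmtpClientAuthenticationDisabled $true

# 3. Audit log ingestion must be on before events can be searched or forwarded to a SIEM.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Audit log ingestion is disabled. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}
```

Review the mailbox list with the owners before changing anything, since the MSOnline per-user MFA view and the Exchange Online settings each cover only part of the picture.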