The Cybersecurity and Infrastructure Security Agency (CISA) issued a set of best practices designed to help organizations mitigate the risks and vulnerabilities associated with migrating their email services to Microsoft Office 365.

CISA's AR19-133A analysis report was published after it was discovered that a number of misconfigurations lowered the overall security of organizations which adopted Microsoft Office 365 as their default email provider.

CISA built up the list of Office 365 best practices after conducting "several engagements with customers who have used third-party partners to migrate their email services to O365" since October 2018.

The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts). In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.

The U.S. Department of Homeland Security's agency decided to publish this advisory after observing that the number of organizations which have decided to migrate their email services to Microsoft's cloud-based Office 365 solution has increased drastically during the last few years.

Following this mass exodus to cloud-based email management, CISA also saw a boost in the "use of third-party companies that move organizations to the cloud" which, in turn, also led to a growing number of security incidents stemming from risks and vulnerabilities deriving from Office 365 migrations.

CISA provides the following examples of Microsoft Office 365 configuration vulnerabilities in its AR19-133A analysis report:

• Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts.

• Mailbox auditing disabled: O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in O365 prior to January 2019. Customers who procured their O365 environment before 2019 had to explicitly enable mailbox auditing.

• Password sync enabled: Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365. If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs.

• Authentication unsupported by legacy protocols: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of protocols associated with Exchange Online authentication that do not support modern authentication methods with MFA features. Disabling these legacy protocols where they are not required will greatly reduce the attack surface for organizations.

As a conclusion to the report, CISA advises all organizations to make sure that the infrastructure assets are protected against attackers who could take advantage of misconfigured Office 365 installations during service migrations and afterward.

CISA lists the following best practices and mitigations that should be implemented by all Office 365 administrators:

• Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.

• Enable unified audit logging in the Security and Compliance Center.

• Enable mailbox auditing for each user.

• Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.

• Disable legacy email protocols, if not required, or limit their use to specific users.
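The five items above map onto a handful of Exchange Online and Azure AD settings that can be checked from PowerShell. The following script is an added example, not part of the CISA report or this article: it reports on each item read-only and shows the corresponding remediation cmdlet commented out, so nothing changes until an administrator chooses to apply it. It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that the signed-in account can read Exchange Online configuration and Azure AD role membership.

```powershell
# Added example (not from the CISA report or the article): posture check for
# the AR19-133A items. Reports only; remediation lines are commented out.
Import-Module ExchangeOnlineManagement
Import-Module MSOnline

Connect-ExchangeOnline      # interactive sign-in to Exchange Online
Connect-MsolService         # same account, for Azure AD role membership

$findings = @()

# 1. Unified audit log must be ingesting events for the Security & Compliance Center.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit log ingestion is DISABLED"
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: the tenant-level switch plus the per-mailbox flag
#    (tenants created before January 2019 may still have it off).
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings += "Mailbox auditing is disabled at the organization level"
    # Set-OrganizationConfig -AuditDisabled $false
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        $findings += "Mailbox auditing off: $($_.UserPrincipalName)"
        # Set-Mailbox -Identity $_.Identity -AuditEnabled $true
    }

# 3. Legacy protocols (POP3, IMAP, SMTP AUTH) still enabled on mailboxes.
#    These cannot be protected by MFA, so each one is an exposure to report.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    ForEach-Object {
        $findings += "Legacy protocol enabled: $($_.PrimarySmtpAddress) POP=$($_.PopEnabled) IMAP=$($_.ImapEnabled) SMTPAuthDisabled=$($_.SmtpClientAuthenticationDisabled)"
        # Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
    }

# 4. Global Administrators without a per-user MFA requirement. The Azure AD
#    role name for Global Administrator is "Company Administrator". This only
#    sees per-user MFA; MFA enforced through Conditional Access is not visible here.
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId
        if (-not $user.StrongAuthenticationRequirements) {
            $findings += "Global Administrator without per-user MFA: $($user.UserPrincipalName)"
        }
    }

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

Password sync (the fourth item in CISA's list) is a design decision made before Azure AD Connect is installed rather than a setting to toggle afterwards, so the script does not cover it; the point of the check above is to produce a list that a team without dedicated cloud security staff can work through before and after a migration.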

On top of the mitigations listed by CISA, MinervaLabs' malware researcher Omri Segev Moyal also shared with BleepingComputer an easy way to stay protected against phishing attacks which target Microsoft Office 365 users with the help of phishing landing pages hosted on Microsoft's Azure Blob Storage.

Moyal provided the following procedure for creating Office 365 rules designed to block phishing attacks which abuse Azure Blob Storage to look legitimate:

Browse to Office365 Exchange Admin Center.

Go to Mail Flow > Rules, then click on the '+' sign and create a new rule.

At the New Rule section do as described in the image below.

Administrators can create rules designed to alert Office 365 users when received e-mails contain links to Azure Blob Storage windows.net domains seeing that, in a lot of cases, this might be a sign of a potential phishing e-mail.

To do that, Office 365 admins have to go through the steps described above for creating Office 365 rules and, as part of the last step, customize the rule as shown in the screenshot below:
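The same mail flow rules can be created from the ExchangeOnlineManagement module instead of the Exchange Admin Center. The block below is an added example and is not the rule from Moyal's screenshots: the regular expression for Azure Blob Storage links is my assumption about what the screenshots configured (public Blob Storage URLs use the *.blob.core.windows.net domain), the rule names are placeholders, and the incident report address is a constructed example. It creates both variants described above, one that warns recipients and one that blocks.

```powershell
# Added example (not the article's screenshots): mail flow rules for external
# mail that links to Azure Blob Storage, created with ExchangeOnlineManagement.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Assumed pattern: an http(s) link to any Blob Storage account hostname.
$blobPattern = 'https?://[a-z0-9]+\.blob\.core\.windows\.net/'

# Rule 1 (alert): tag the subject and prepend a banner, but still deliver.
New-TransportRule -Name "Warn: external mail with Azure Blob link" `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $blobPattern `
    -PrependSubject "[Caution: Azure Blob link] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:red'>This external message links to Azure Blob Storage, which is often used to host phishing pages. Verify the sender before following the link.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Priority 0

# Rule 2 (block): same trigger, but hold the message in quarantine and send an
# incident report to the security mailbox (placeholder address). Created in
# Audit mode so it only reports matches; switch to Enforce once the reports
# show an acceptable false-positive rate for legitimate Blob-hosted content.
New-TransportRule -Name "Block: external mail with Azure Blob link" `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $blobPattern `
    -Quarantine $true `
    -GenerateIncidentReport "secops@example.com" `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -SetAuditSeverity High `
    -Mode Audit `
    -Priority 1

# Confirm both rules exist and which mode each is in.
Get-TransportRule | Where-Object { $_.Name -like "*Azure Blob link*" } |
    Format-Table Name, Mode, Priority, State
```

Scoping both rules to external senders keeps internal links to the organization's own storage accounts from being tagged; if the organization legitimately receives Blob-hosted documents from partners, an exception on the sender domain (the `-ExceptIfSenderDomainIs` parameter) is the usual way to keep the block rule usable.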

A report from Barracuda Networks' research team showed in early May that Office 365 accounts are targeted by and compromised in account takeover (ATO) attacks, with cybercriminals later using them for a wide variety of nefarious purposes ranging from spear-phishing and malvertising campaigns to BEC attacks.

To compromise their targets' accounts via ATO attacks, the crooks use a combination of "brand impersonation, social engineering, and phishing," as well as "leveraged usernames and passwords acquired in previous data breaches."

Had Office 365 administrators followed the best practices described above, most if not all of the accounts compromised as part of the ATO attack campaign discovered by Barracuda Networks would have resisted infiltration attempts from cybercriminals.

Microsoft is also periodically adding to the security capabilities of Office 365 as shown by the addition of more control over encrypted emails shared outside an organization, as well as protection against malicious macros by extending Antimalware Scan Interface (AMSI) to Office 365 client applications.

An extensive list of security best practices for Office 365 is also provided on Microsoft's documentation website, which should "minimize the potential of a data breach or a compromised account."