“The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts),” said CISA. “In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.” According to CISA, one of the largest configuration vulnerabilities is lack of multi-factor authentication for admin accounts. In some cases, attackers manage to access an Azure AD Global Admin account, which is used as the first step in cloud migration. MFA isn’t enabled on these by default, so an attacker with access could maintain persistence even after the solution is deployed.
Mail Auditing and Legacy Protocols
Some third-party vendors also fail to set up mail auditing. As this wasn’t’ enabled by default until this year, older customers would have had to enable it manually. As you’d expect, this could cause major issues down the line, and is compacted by the lack of a unified audit log, which also isn’t on by default. CISA says it’s also found instances where password sync is enabled. Due to conflicts with Azure AD and legacy accounts, this can become an attack vector. Finally, some organizations do not realize that authentication is not supported by legacy email protocols like IMAP and SMTP. A setting in Azure overrides this and greatly increases the attack surface. The findings are based on findings from a number of organizations since October 2018. Generally, it’s recommended that companies have a dedicated cloud security team where possible. “CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets through defending against attacks related to their O365 transition, and securing their O365 service,” said the agency.