DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations


The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premises mail services to cloud-based services such as Microsoft Office 365. The report details best practices to adopt to manage risks and prevent user and mailbox compromises.

Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents.

Over the past 6 months, CISA has had several engagements with customers who used third-party service providers to manage their migrations. In those engagements, CISA discovered a range of Office 365 configurations that lowered the organizations’ security posture and left them vulnerable to phishing and other cyberattacks.

CISA notes that the majority of those organizations didn’t have a dedicated IT security team that was focused on cloud security and, as a result, vulnerabilities went unnoticed. In some cases, the organization experienced mailbox compromises as a result of the risks and vulnerabilities introduced during Office 365 migrations.

According to the AR19-133A analysis report, some of the most common vulnerabilities identified that could easily lead to data breaches are:

The failure to implement multifactor authentication for Azure Active Directory (AD) Global Administrators. Despite these accounts having the highest level of privileges at the tenant level, MFA is not enabled by default.

Disabled mailbox auditing – The failure to implement mailbox auditing means actions taken by mailbox owners, delegates, and administrators will not be logged. This will hamper investigations into mailbox activity and potential data breaches. Customers who implemented Office 365 prior to 2019 are required to explicitly enable mailbox auditing.

Enabled password syncing – With this setting enabled, the password from on-premises AD overwrites the password in Azure AD, which means that if a mailbox was compromised prior to migration to Office 365, when the sync occurs, an attacker would be able to move laterally to the cloud.

Authentication not supported by legacy protocols – Office 365 uses Azure AD for authentication with Exchange Online; however, several protocols (e.g. POP3, IMAP, and SMTP) used for authentication with Exchange Online do not support modern authentication mechanisms such as MFA. Without MFA, accounts will only be secured by a password, which will greatly increase the attack surface.

CISA suggests several best practices to adopt to ensure that migrating to Office 365 does not result in the lowering of an organization’s security posture:

  • Implement multi-factor authentication – It is the best mitigation technique to protect against credential theft via phishing attacks
  • Ensure audit logging is configured in the Security and Compliance Center
  • Ensure mailbox auditing is activated for each user
  • Ensure Azure AD is correctly configured prior to migrating users to Office 365
  • Ensure legacy email protocols are disabled or are limited to specific users
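
The mailbox auditing and legacy protocol items above can be checked per user. The following PowerShell is an added example, not part of the CISA report or this article; it evaluates objects shaped like the output of the Exchange Online `Get-Mailbox` and `Get-CASMailbox` cmdlets, using constructed sample data and a hypothetical allow-list. It covers POP3 and IMAP only, not SMTP or MFA.

```powershell
# Added example: offline evaluation of mailbox settings named in the report.
function Get-MailboxRiskFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,     # shaped like Get-Mailbox output
        [Parameter(Mandatory)] [object[]] $CasMailbox,  # shaped like Get-CASMailbox output
        [string[]] $LegacyAllowList = @()               # users approved to keep POP3/IMAP
    )

    # Index client-access settings by address so each mailbox is looked up once.
    $casByUser = @{}
    foreach ($cas in $CasMailbox) { $casByUser[[string]$cas.PrimarySmtpAddress] = $cas }

    foreach ($mbx in $Mailbox) {
        $user     = [string]$mbx.PrimarySmtpAddress
        $cas      = $casByUser[$user]
        $findings = @()

        if (-not $mbx.AuditEnabled) { $findings += 'MailboxAuditingDisabled' }

        if ($null -eq $cas) {
            $findings += 'NoClientAccessRecord'      # cannot confirm protocol state
        } elseif ($LegacyAllowList -notcontains $user) {
            if ($cas.PopEnabled)  { $findings += 'Pop3Enabled' }
            if ($cas.ImapEnabled) { $findings += 'ImapEnabled' }
        }

        # Emit one row per mailbox that has at least one finding.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ User = $user; Findings = $findings -join ', ' }
        }
    }
}

# Constructed sample data, not taken from any real tenant.
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.org';   AuditEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.org';     AuditEnabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.org'; AuditEnabled = $true }
)
$sampleCas = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.org';   PopEnabled = $false; ImapEnabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.org';     PopEnabled = $true;  ImapEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.org'; PopEnabled = $false; ImapEnabled = $true }
)

# scanner@example.org is a hypothetical account that is allowed to keep IMAP.
Get-MailboxRiskFinding -Mailbox $sampleMailboxes -CasMailbox $sampleCas `
    -LegacyAllowList 'scanner@example.org' | Format-Table -AutoSize
```

To run the same check against a tenant, connect with `Connect-ExchangeOnline` and pass `Get-Mailbox -ResultSize Unlimited` and `Get-CASMailbox -ResultSize Unlimited` in place of the sample arrays.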

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.