Security considerations — Cloud E-mail

An increasing number of organisations are migrating to cloud-based email systems (Office 365 and Gmail), a decision driven by a range of technical and operational advantages. These solutions offer a significant level of security and protection; however, certain risks remain that should be mitigated through the implementation of specific technical countermeasures.
In this post we address several aspects we consider particularly important for hardening these systems, together with countermeasures that help prevent cyber attacks, reduce the adversary’s attack surface, and record the activities performed by threat actors during a compromise.
Technical Countermeasures
The use of default configurations on these systems can negatively impact an organisation’s defensive posture against cyber attacks.
Specifically, the following countermeasures should be applied:
- Enable multi-factor authentication (mandatory for administrators)
- Disable legacy protocols (POP3, IMAP and SMTP)
- Customise anti-malware and anti-phishing settings
- Enable mailbox auditing (disabled by default on Office 365)
- Security assessments of password sync (O365)
We consider all the listed aspects strategic, as they represent vulnerabilities actively exploited by multiple threat actors.
Technical Details
Below is a detailed description of the vulnerabilities and countermeasures that can be adopted:
- Multi-factor authentication: multi-factor authentication adds an additional step to the authentication process. The recommended approach is to enable it for all users.
Where this is not feasible, we recommend enabling multi-factor authentication for platform administrators, who hold the highest level of privileges at the tenant level.
Multi-factor authentication (MFA) is not enabled by default for these accounts: the global administrator must explicitly enable the policy to activate MFA.
- Use of legacy protocols: several email authentication protocols that are active by default are now considered obsolete. These protocols include POP3 (Post Office Protocol), IMAP (Internet Message Access Protocol) and SMTP (Simple Mail Transfer Protocol); they are used by older email clients that do not support modern authentication. This leaves email accounts exposed to the Internet with only username and password as the authentication method, exposing the organisation to brute-force attacks that are not easily monitored. Disabling legacy protocols significantly reduces the attack surface. Our Cybersecurity Advisory practice has observed multiple credential-stuffing campaigns (T1110.004) targeting organisations with legacy authentication enabled.
Legacy protocols can be disabled at the tenant level or at the user level.
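The following Exchange Online PowerShell script is an added example, not part of the original post, showing both ways of disabling legacy protocols described above: a tenant-wide authentication policy plus SMTP AUTH switch-off, then per-mailbox POP3/IMAP switch-off, followed by a verification query. The policy name and the scanner mailbox address are assumptions made for the example; the cmdlets are from the ExchangeOnlineManagement module and need Exchange administrator rights.

```powershell
# Added example (not from the original post): disable legacy e-mail protocols
# in Exchange Online at tenant and per-user level, then list any mailbox that
# still has them enabled. Requires the ExchangeOnlineManagement module and an
# account with Exchange administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- Tenant level ----------------------------------------------------------
# 1. Block Basic authentication for every protocol with an authentication
#    policy. A policy created without any -AllowBasicAuth* switch blocks
#    Basic auth for all protocols it covers; it is then made the default.
$policyName = 'Block Legacy Authentication'   # assumed name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Disable authenticated SMTP submission (SMTP AUTH) for the whole tenant.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# --- User level ------------------------------------------------------------
# Turn off POP3 and IMAP on every mailbox. The per-mailbox SMTP AUTH value is
# left unset so the tenant-wide setting above applies.
Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CASMailbox -Identity $_.UserPrincipalName -PopEnabled $false -ImapEnabled $false
}

# Narrow exception for one device mailbox that can only do Basic auth
# (assumed: a network scanner). Keep such exceptions few and reviewed.
Set-CASMailbox -Identity 'scanner@example.com' -SmtpClientAuthenticationDisabled $false

# --- Verification ----------------------------------------------------------
# Anything still exposed shows up here; an empty result is the goal.
Get-EXOCASMailbox -ResultSize Unlimited -Properties PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Run the verification query on its own first, before any change, to inventory which mailboxes and devices still depend on Basic authentication; the exception list then becomes a known, reviewable set rather than a surprise after the cut-over.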
- Anti-malware and anti-phishing settings: in both O365 and GSuite environments it is possible to customise the security settings that govern how potentially malicious email is identified, handled and delivered. Use appropriate policies to prevent such messages from reaching the end user, and enable notifications that let users report false positives.
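For the O365 side, the script below is an added example (not from the original post) of moving the default protection policies away from their vendor defaults: quarantine instead of delivery for phish and high-confidence spam, attachment type filtering and zero-hour auto purge for malware, spoof and mailbox intelligence for impersonation, and end-user notifications so recipients can review and report false positives. Policy identities are the tenant defaults. The mailbox-intelligence parameters assume a Defender for Office 365 licence, and `EnableEndUserSpamNotifications` is assumed to still be accepted in your tenant (newer tenants handle notifications through quarantine policies); confirm parameter names with `Get-Help <cmdlet> -Parameter *` before applying.

```powershell
# Added example (not from the original post): tighten the default Exchange
# Online Protection policies. Requires ExchangeOnlineManagement and Exchange
# administrator rights. Actions below are choices for the example, not the
# only valid hardening baseline.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Anti-malware: block common executable attachment types (assumed list) and
# enable zero-hour auto purge (ZAP) for malware found after delivery.
Set-MalwareFilterPolicy -Identity 'Default' `
    -EnableFileFilter $true `
    -FileTypes 'exe','scr','js','vbs','hta','bat','cmd','ps1','jar' `
    -ZapEnabled $true

# Anti-spam / phish verdict actions: quarantine rather than deliver, and send
# the end-user notification so users can release genuine false positives.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidencePhishAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -SpamAction MoveToJmf `
    -BulkThreshold 6 `
    -EnableEndUserSpamNotifications $true   # assumed still available in this tenant

# Anti-phishing: spoof intelligence with quarantine on authentication failure,
# mailbox intelligence for impersonation (Defender for Office 365), and
# user-facing safety tips.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Review: dump the effective verdict actions so the change can be recorded
# and compared against the tenant again later.
Get-HostedContentFilterPolicy -Identity 'Default' |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  HighConfidencePhishAction, BulkThreshold, EnableEndUserSpamNotifications
```

Apply the same settings to any custom policies in the tenant as well; the `Default` policy only governs recipients not matched by a higher-priority custom policy.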
- Mailbox Auditing (O365): O365 mailbox auditing records the operations performed by mailbox owners, delegates and administrators. Prior to January 2019, Microsoft did not enable this control by default.
Customers who purchased their O365 environment before 2019 must explicitly enable mailbox auditing.
For more recent environments, the unified audit log may not be enabled. The unified audit log contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI and other O365 services.
Enable the unified audit log in the Security and Compliance Centre.
- Password Sync Assessments (O365 pre-2018): Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365. It can either create Azure AD identities from on-premises identities or match existing Azure AD identities with on-premises AD identities. The on-premises identities become the authoritative identities in the cloud. For a match, certain attributes of the on-premises AD identity must correspond to those of the Azure AD identity; once matched, the Azure AD identity is marked as managed on-premises. Consequently, an on-premises AD account created with the same username as an Azure AD administrator can be matched to that administrator’s identity.
One of the authentication options for Azure AD is “password synchronisation”. If this option is enabled, the on-premises password overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, a malicious actor could move laterally into the cloud from the moment of synchronisation.
Note: Microsoft disabled the ability to match certain administrator accounts starting in October 2018. However, organisations may have performed administrator account matching before Microsoft disabled this feature, thus synchronising identities that may have been compromised prior to migration. Additionally, normal user accounts are not protected by the disabling of this feature.
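The assessment script below is an added example, not part of the original post, and serves the two preceding items together: it checks and enables the unified audit log and mailbox auditing (the Mailbox Auditing item), and then lists members of privileged Azure AD roles whose identity is managed on-premises, which is the population exposed by the password-synchronisation scenario just described. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, Exchange administrator rights, Graph directory-read consent, and the role list shown (an assumption; extend it to the roles your tenant treats as privileged).

```powershell
# Added example (not from the original post): assess mailbox auditing, the
# unified audit log, and privileged accounts synchronised from on-premises AD.
# Requires ExchangeOnlineManagement and Microsoft.Graph; the caller needs
# Exchange admin rights and Graph directory-read scopes.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Directory.Read.All', 'RoleManagement.Read.Directory'

# --- Unified audit log (the Security and Compliance Centre switch) ----------
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# --- Mailbox auditing, organisation-wide (pre-2019 tenants may have it off) -
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at organisation level; enabling.'
    Set-OrganizationConfig -AuditDisabled $false
}

# --- Mailbox auditing, per mailbox ------------------------------------------
Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Warning "Auditing disabled on $($_.UserPrincipalName); enabling."
        Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true
    }

# --- Privileged accounts managed on-premises ----------------------------------
# For these accounts an on-premises compromise reaches the cloud at the next
# password synchronisation, so each one should be justified or converted to a
# cloud-only identity.
$privilegedRoles = @('Global Administrator', 'Exchange Administrator',
                     'Privileged Role Administrator')   # assumed scope
$findings = foreach ($roleName in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }   # role never activated in this tenant
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Non-user members (groups, service principals) fail the user lookup
        # and are skipped.
        $user = Get-MgUser -UserId $member.Id `
                    -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId `
                    -ErrorAction SilentlyContinue
        if ($user -and $user.OnPremisesSyncEnabled) {
            [pscustomobject]@{
                Role              = $roleName
                UserPrincipalName = $user.UserPrincipalName
                ImmutableId       = $user.OnPremisesImmutableId
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No privileged role member is managed on-premises.' }
```

Keep the output of the last section with the migration records: an administrator that appears here with an `ImmutableId` was matched to an on-premises account, and the question to answer is whether that on-premises account was trustworthy at the time of matching, not only whether it is today.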
Cloud email platforms require deliberate hardening beyond vendor defaults to resist credential-based intrusion and lateral movement techniques.