02 September 2020

Microsoft 365 email auto-forwarding data breach

By Christian Bolton

Don't let Microsoft 365 email auto-forwarding cause a data breach

Don’t let the 365 email default configuration bite you in the arse

We’ve been working with a customer recently to manage the GDPR reporting requirements for some significant personal data breaches from an end user’s Microsoft 365 account – their account had been compromised and all their emails auto-forwarded to an external domain. What makes it worse is that they can’t tell when it was compromised so the scope of the breach is really difficult to define.

As you can imagine, a whole bunch of recommendations have come out of the investigation but there are a couple of technical ones on the Microsoft 365 configuration that are really quite simple and I think other people may benefit from.

1. Disable email auto-forwarding for the organization in Microsoft 365

By default, Microsoft 365 users can setup an auto-forward rule on their own mailbox to copy emails to another email address using Outlook webmail.

By default, users can setup email auto-forwarding on their own Microsoft 365 account

On a compromised account, this enables a threat actor to get a copy of every email without having to login to the user’s account. Once it’s been setup password resets don’t change anything.

As an administrator you can check to see if any emails have been auto-forwarded to external addresses by checking the Office 365 Security & Compliance Dashboard: protection.office.com/mailflow/dashboard

How do I check to see if emails have been auto-forwarded in Microsoft 365.

If they have, you can drill-through to see details of the domains forwarded to and the forwarding email addresses.

Thankfully, it’s pretty straight forward to disable auto-forwarding to outside your organization and the simplest method is to disable it in the Exchange admin center.

Disable the automatic forwarding email reply type in the Exchange admin center

You can be more granular with what you disable using email flow rules but a blanket disable will be easier to manage if your business requirements can support it. Exchange admin center: admin.exchange.microsoft.com/#/remotedomains

How can I disable email auto-forwarding on Microsoft 365.

2. Turn on audit log search

The unified audit log in Microsoft 365 is awesome but isn’t enabled by default. Do yourself a favour and enable auditing before you need to go back and find out exactly when something happened. For E5 license holders audit logs are retained for 12 months, for all other licenses it’s 90 days. You can hand-craft specific audits if you need to but start with the default and just click the button.
Microsoft 365 unified audit log: protection.office.com/unifiedauditlog

How do I turn on Audit log search in Microsoft 365.

Turn off audit log search on or off in Microsoft 365

How to turn audit log search on or off: docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide

3. Set-up multi-factor authentication for Azure Active Directory

This won’t be news for most of you but if you’ve never gotten around to it don’t wait any longer. Better still, if your tenant was created before 22nd October 2019 enable ‘Security Defaults’ in the Azure portal to enforce MFA and block legacy authentication protocols.

How to set up multi-factor authentication

Set up multi-factor authentication: docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

‘Security Defaults’ in Azure Active Directory

What are ‘Security Defaults’?: docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

I hope that helps someone avoid having to manage a difficult and costly personal data breach but if you ever find yourself in need of help with your legal obligations as a result, we provide an outsourced Data Protection Officer service that can support you.

Leave a Comment

Your email address will not be published. Required fields are marked *