According to a new report by the West Australian Office of the Auditor General (OAG), a number of vulnerabilities were found in how some state entities manage their Microsoft 365 environments.
“The audit found weaknesses in governance, identity and access management, information protection, logging and monitoring, and threat protection controls. These weaknesses heighten the risk of cyber incidents, data breaches and operational disruptions,” the OAG said.
While a number of vulnerabilities were uncovered, the OAG highlighted vulnerabilities that led to the two cases above.
In the case of the data breach, an audited entity emailed the personal and sensitive data of roughly 32 people, children included, to a third-party service provider, which stored it in Dropbox. The OAG said the entity had no data loss prevention (DLP) controls in place and had not assessed the security of the third party.
The lack of DLP controls is a trend highlighted by the OAG, which said that while entities did have DLP policies, they were not widely implemented enough across different Microsoft 365 applications.
“Entities had DLP policies but they were not applied to OneDrive, SharePoint, Power Platform, Exchange and Teams. Additionally, where policies were implemented, they did not protect all sensitive data types,” the OAG said.
In the case of the $71,000 theft, a threat actor sent a phishing email to a senior officer of an entity and gained access to the officer's Microsoft 365 account, which was protected only by weak multifactor authentication (MFA).
The incident remained undetected for a month, during which the entity ignored indicators of suspicious activity.
During that time, the threat actor registered their own MFA method, created email forwarding rules to hide the account's email traffic from the officer, and studied the officer's email history to craft convincing social engineering before sending the fraudulent invoice for the funds.
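The chain the OAG describes (a new MFA method registered, then an inbox rule that forwards the mailbox owner's mail and deletes the copies) leaves a trail in the Microsoft 365 unified audit log, which is what the month of ignored indicators amounts to. The following is an added example, not code from the OAG report or from Microsoft: it runs a simple correlation over constructed audit records whose field layout is simplified from real exports, using the operation names Exchange Online and Entra ID emit for inbox-rule creation and MFA registration; the 48-hour window and the sample mailboxes are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Microsoft 365 unified audit log
# exports with field names simplified. Not data from the OAG report.
SAMPLE_LOG = """
{"CreationTime": "2024-03-04T02:10:00", "Operation": "UserLoggedIn", "UserId": "officer@example.gov.au", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-03-04T02:14:00", "Operation": "User registered security info", "UserId": "officer@example.gov.au", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-03-04T02:31:00", "Operation": "New-InboxRule", "UserId": "officer@example.gov.au", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "billing@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-03-04T09:00:00", "Operation": "New-InboxRule", "UserId": "clerk@example.gov.au", "ClientIP": "198.51.100.20", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
"""

FORWARDING = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}  # rule actions that send mail elsewhere
MFA_REGISTRATION = {"User registered security info"}               # a new MFA method was added to the account
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def parse_log(text):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def classify_rule(record):
    """Reasons an inbox-rule event resembles the tradecraft in the OAG case; empty list if benign."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    if FORWARDING & set(params):
        reasons.append("forwards mail outside the mailbox")
    # Deleting or filing away the forwarded copies keeps the traffic hidden from the owner;
    # MoveToFolder on its own (the clerk's newsletter filter) is routine mailbox hygiene.
    if params.get("DeleteMessage") == "True" or ("MoveToFolder" in params and reasons):
        reasons.append("hides matching messages from the owner")
    return reasons

def detect(records, window=timedelta(hours=48)):
    """Flag suspicious inbox rules; escalate when the same user registered a new MFA method shortly before."""
    ts = lambda r: datetime.fromisoformat(r["CreationTime"])
    mfa_by_user = {}
    for r in records:
        if r["Operation"] in MFA_REGISTRATION:
            mfa_by_user.setdefault(r["UserId"], []).append(ts(r))
    findings = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        reasons = classify_rule(r)
        if not reasons:
            continue
        if any(timedelta(0) <= ts(r) - m <= window for m in mfa_by_user.get(r["UserId"], [])):
            reasons.append("new MFA method registered shortly before this rule")
        findings.append({"user": r["UserId"], "time": r["CreationTime"], "ip": r["ClientIP"], "reasons": reasons})
    return findings
```

On the sample, only the officer's rule is reported, with all three reasons; the clerk's folder rule is not.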
The OAG said the vulnerabilities lay in ineffective customised security settings, a failure to block high-risk users and sign-ins, and a lack of effective email protections.
“Entities did not apply appropriate controls to prevent the impersonation of sensitive users and partner domains, for example through email spoofing,” the OAG said.
“They also did not implement effective controls that would allow third-party email servers to identify and report fake or suspicious emails claiming to be from the entities. This increases the likelihood of successful impersonation, data breaches and financial loss.”
Additionally, Western Australia's Auditor General, Caroline Spencer, emphasised that managing Microsoft 365 properly is critical to protecting government assets and data.
“Effective management of M365 security is critical for protecting sensitive government data and maintaining uninterrupted delivery of essential public services amid evolving cyber security threats,” Spencer said.