
Cybersecurity · Credibility 40/100 · 4 min read

Cybersecurity Briefing — CISA dissects Microsoft 365 tenant compromises

CISA’s AA20-120A alert warns that rushed Microsoft 365 migrations are leaving global admin accounts, audit logs, and alerting disabled, giving adversaries easy footholds during the COVID-19 telework surge.

Executive briefing: CISA’s refreshed Microsoft Office 365 Security Recommendations documents how rushed telework migrations left entire tenants exposed: Global Administrator accounts still use single-factor logins, directory roles were never scoped, and audit logging was never turned on. The alert gives operators a short checklist to lock down their collaboration stack before threat actors exploit the same misconfigurations CISA keeps seeing in incident response engagements.

Immediate containment priorities

  • Force MFA on every privileged identity. Global Administrator accounts do not get MFA by default, so enforce it on every account holding the role (phishing-resistant methods such as FIDO2 keys where you can), keep those accounts out of day-to-day work, and retire any shared or generic admin credential. The alert’s warning is explicit: an unsecured cloud admin account lets an attacker maintain persistence for the entire migration.
  • Rebuild directory roles with least privilege. Follow CISA’s reminder to replace “all powerful” Global Administrator assignments with targeted roles (Exchange Administrator, SharePoint Administrator, Teams Administrator) so a compromised help-desk credential cannot reconfigure the whole tenant.
  • Kill legacy authentication. Disable Basic authentication for POP3, IMAP, SMTP AUTH and any other legacy protocol: these endpoints cannot enforce MFA, so a password obtained by spraying stays replayable against them even after MFA is turned on. Block them tenant-wide with an Exchange Online authentication policy or a Conditional Access policy rather than relying on per-mailbox settings that a migration can silently re-enable.
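The three containment items above, as one added PowerShell example written for this briefing (it is not code from CISA or Microsoft). It enumerates Global Administrator holders through Microsoft Graph and classifies each one’s registered second factor, then blocks Basic authentication in Exchange Online. The policy name, the module set and the assumption that the operator already holds Global Administrator are choices of this example.

```powershell
# Added example (editor's, not from CISA AA20-120A). Assumes the Microsoft.Graph
# and ExchangeOnlineManagement modules are installed and the operator is a
# Global Administrator (required for Set-OrganizationConfig / Set-TransportConfig).

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module ExchangeOnlineManagement

# --- 1. Global Administrators and their registered second factors ------------
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'UserAuthenticationMethod.Read.All',
                        'User.Read.All' -NoWelcome

# Get-MgDirectoryRole lists activated roles; Global Administrator is always active.
$gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'

# Graph method types that count as "something you have". FIDO2 and Windows Hello
# for Business are phishing-resistant; the others stop password replay but not MFA phishing.
$phishingResistant = @('#microsoft.graph.fido2AuthenticationMethod',
                       '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$otherMfa          = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                       '#microsoft.graph.softwareOathAuthenticationMethod',
                       '#microsoft.graph.phoneAuthenticationMethod')

$report = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    # Role members can be users, groups or service principals; only users carry auth methods.
    $kind = $m.AdditionalProperties['@odata.type']
    if ($kind -ne '#microsoft.graph.user') {
        [pscustomobject]@{ Principal = $m.Id; Kind = $kind; MfaState = 'review: non-user member' }
        continue
    }
    $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $state = if ($types | Where-Object { $_ -in $phishingResistant }) { 'phishing-resistant' }
             elseif ($types | Where-Object { $_ -in $otherMfa })      { 'mfa (not phishing-resistant)' }
             else                                                       { 'PASSWORD ONLY' }
    [pscustomobject]@{
        Principal = $m.AdditionalProperties['userPrincipalName']
        Kind      = 'user'
        MfaState  = $state
    }
}
$report | Format-Table -AutoSize

# --- 2. Block Basic authentication tenant-wide in Exchange Online -------------
Connect-ExchangeOnline -ShowBanner:$false

# A new authentication policy blocks Basic auth for every protocol unless an
# -AllowBasicAuth* switch is passed, so creating it with no switches is the lockdown.
$policyName = 'Block Basic Auth'   # policy name is an assumption of this example
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Belt and braces: switch off POP/IMAP wherever they are still on, and SMTP AUTH
# at the tenant level, so a sprayed password has no Basic-auth endpoint left to hit.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# The default policy reaches existing sessions within about 24 hours. For admins
# flagged as password-only, do not wait: invalidate their refresh tokens now.
foreach ($upn in ($report | Where-Object MfaState -eq 'PASSWORD ONLY').Principal) {
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}
```

Run the Graph half first and read the table before touching Exchange: any row marked PASSWORD ONLY is the account CISA’s quoted warning is about, and a non-user member of the role (a group or app) is worth a review of its own, because a group-held role inherits whatever the group’s membership process allows.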

Telemetry and detection coverage

  • Enable mailbox and Unified Audit logs. CISA continues to see tenants with logging disabled, so confirm Unified Audit Logging is enabled, verify mailbox auditing is on for every mailbox with no bypass associations, check that retention covers your investigation window, and stream the data to your SIEM.
  • Automate anomaly alerts. Use the Microsoft 365 Security & Compliance Center alert policies to raise notifications for sign-ins from suspicious source IPs, unusual volumes of sent mail, and inbox-rule creation or modification, and route them to the security operations queue rather than a shared admin mailbox.
  • Segment admin workstations. Require conditional access and compliant devices for every privileged session so that cloud-based admin tokens cannot be harvested from unmanaged laptops.
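The two telemetry items above, as an added PowerShell example written for this briefing (not code from CISA or Microsoft). It first verifies the audit sources that every later detection depends on, then hunts the last week of the Unified Audit Log for inbox rules that forward, redirect or delete mail, the mailbox persistence CISA’s incident responders keep finding. The seven-day window, the CSV path and the reliance on the ExchangeOnlineManagement module are assumptions of the example.

```powershell
# Added example (editor's, not from CISA AA20-120A). Assumes the
# ExchangeOnlineManagement module and an account holding the Audit Logs role
# (Global Administrator also works).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Is anything being recorded at all? -----------------------------------
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Mailbox auditing: tenant default on, and no mailbox quietly excluded via a bypass
# association (a setting an intruder with admin rights can flip on a target mailbox).
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
            Where-Object AuditBypassEnabled
if ($bypassed) {
    Write-Warning "Audit bypass is set on: $($bypassed.Name -join ', ')"
}

# --- 2. Hunt inbox-rule changes that move mail out of the owner's sight -------
# Parameter names as logged for New-InboxRule / Set-InboxRule.
$suspiciousActions = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage'

$since  = (Get-Date).AddDays(-7)     # window is an assumption; size it to your retention
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
              -Operations 'New-InboxRule', 'Set-InboxRule' -ResultSize 5000
# 5000 is the per-call cap; for larger windows page with -SessionId/-SessionCommand.
# Rules created from Outlook desktop land as 'UpdateInboxRules' with a different
# record shape and are not parsed here.

$findings = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json        # AuditData is a JSON string per record
    # Cmdlet parameters are logged as Name/Value pairs; keep the ones that exfiltrate or hide.
    $hits = $d.Parameters | Where-Object { $_.Name -in $suspiciousActions }
    if ($hits) {
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId          # who ran the cmdlet (may be an admin, not the owner)
            Object    = $d.ObjectId        # logged identity of the rule that was created/changed
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Actions   = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

$findings | Sort-Object When | Format-Table -AutoSize
# Hand the result to the SOC queue, not an admin mailbox; path is an assumption.
$findings | Export-Csv -NoTypeInformation -Path '.\inbox-rule-findings.csv'
```

Treat a ForwardTo or RedirectTo value outside your own domains, or any DeleteMessage rule created by an account other than the mailbox owner, as an incident rather than a finding to triage later: both are the classic post-compromise steps that the audit-disabled tenants in CISA’s engagements could not see.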

Source excerpts

Primary — persistent misconfigurations: “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.”

CISA — AA20-120A

Primary — protect Global Administrators: “Multi-factor authentication (MFA) is not enabled by default for these accounts… If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.”

CISA — AA20-120A