Decrypt LOL

Security Concerns Raised Over Microsoft Entra Feature


Quick take - Microsoft 365's "Shared Booking Pages" feature (part of Microsoft Bookings) lets end users create a booking page that is backed by a fully functional account in Microsoft Entra ID and a hidden mailbox. Security researchers warn that this opens the door to account compromise, impersonation, and unauthorized account creation, and recommend proactive measures to reduce the exposure.

Fast Facts

  • The "Shared Booking Pages" feature of Microsoft Bookings, enabled by default for licensed Microsoft 365 users, raises security concerns, particularly around account compromise and impersonation.
  • An attacker with access to any Microsoft 365 account can use the feature to create a mailbox whose address mirrors a high-profile individual, facilitating phishing and financial fraud.
  • Dormant accounts belonging to former employees can be hijacked to create Booking pages, letting attackers intercept inbound mail and reset passwords for external services.
  • Creating a shared Booking page generates a working Entra ID account without administrative permissions, so attackers can forge identities that correspond to legitimate users and increase the risk of social engineering.
  • Recommended mitigations: audit Shared Booking pages with Exchange Online PowerShell, restrict end-user creation, monitor Entra ID account activity, review mailbox permissions, and tie high-value email addresses to administrator-controlled accounts.

Security Concerns Arising from Shared Booking Pages

The "Shared Booking Pages" feature of Microsoft Bookings allows end users to create a booking page that is backed by its own account in Microsoft Entra ID and its own mailbox, with no administrator involvement. Security researchers have identified several ways this behaviour can be abused by malicious actors.

Account Compromise and Impersonation

One of the primary concerns is account compromise and impersonation. Shared Booking Pages are automatically enabled for users holding the appropriate Microsoft 365 licenses, so any compromised account in the tenant can create one. An attacker who gains access to a Microsoft 365 account can use a Booking page to impersonate a high-profile individual, such as the CEO: the page's mailbox receives an internal email address derived from the page's display name, which can closely mimic (or exactly mirror) a legitimate address. That address can then be used for phishing aimed at redirecting funds or extracting sensitive information.

Exploitation of Dormant Accounts

Another risk involves the exploitation of dormant accounts. An attacker who hijacks a dormant account belonging to a former employee can create a Booking page that reuses that person's name and email address. The page's mailbox then receives inbound mail addressed to the former employee, including password-reset messages from external services, allowing the attacker to take over further accounts.

Unauthorized Account Creation

Unauthorized account creation is a further identified weakness. Creating a shared Booking page generates a fully functional account in Entra ID without requiring administrative permissions. The account adopts the display name of the Booking page, and its email address is formed by removing the spaces from that name, so a page named "Jane Doe" yields an address beginning janedoe@. This allows an attacker to forge identities that correspond to legitimate users, increasing the risk of social engineering attacks.

Mailbox Access and Delegation

Mailbox access and delegation present further security challenges. The mailbox linked to a Booking page is operational: it can send and receive email, and it can automatically forward incoming messages to the page creator. An attacker could use this to impersonate a senior executive and reroute payments. In addition, each shared Booking page creates a hidden, fully functional mailbox that consumes no Microsoft 365 license and does not appear in the Exchange Admin Center mailbox list, making these mailboxes difficult to detect and manage.

Mitigation Strategies

To mitigate these risks, experts recommend several proactive measures:

  • Audit Shared Booking Pages: Use Exchange Online PowerShell to enumerate the hidden Booking mailboxes, since they are not visible in the Exchange Admin Center, and remove any created without proper oversight.
  • Restrict End-User Creation: Disable the ability for end users to create Shared Booking Pages, or disable Bookings tenant-wide if it is not needed, to limit exposure.
  • Monitor Account Activity: Regularly review Entra ID for unexpected account creations, which may indicate that a compromised or dormant account is being used to create Booking pages.
  • Review Mailbox Permissions: Periodically review and revoke unnecessary permissions and forwarding rules on Booking mailboxes.
  • Secure High-Value Email Addresses: Associate critical addresses (executives, finance, support aliases) with administrator-controlled accounts so that they cannot be claimed by a Booking page.
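The following Exchange Online PowerShell script is an added example, not code from the original article or its source, showing how the first four recommendations above can be carried out in one pass: it checks whether end users may create Booking mailboxes, enumerates the hidden Booking mailboxes (Exchange represents them as the SchedulingMailbox recipient type), flags any whose display name collides with a real user or a protected name (the address is derived from the display name with spaces removed), and lists forwarding and delegation on each. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and a placeholder high-value name list that you would replace with your own.

```powershell
# Added example (not from the original article): audit Shared Booking Pages in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the caller holds an
# Exchange administrator role. The $highValue list is an illustrative placeholder.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide switch, and whether each OWA policy lets end users create Booking mailboxes.
$org = Get-OrganizationConfig
Write-Host "Bookings enabled tenant-wide: $($org.BookingsEnabled)"
Get-OwaMailboxPolicy | Select-Object Name, BookingsMailboxCreationEnabled | Format-Table -AutoSize

# 2. Enumerate every Booking mailbox. These are hidden from the admin center mailbox list
#    and from address lists, so enumerate them by recipient type rather than by browsing.
$bookings = Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited `
    -Properties WhenCreated, ForwardingSmtpAddress, DeliverToMailboxAndForward, HiddenFromAddressListsEnabled
$bookings | Select-Object DisplayName, PrimarySmtpAddress, WhenCreated,
    ForwardingSmtpAddress, DeliverToMailboxAndForward, HiddenFromAddressListsEnabled | Format-Table -AutoSize

# 3. Impersonation check: a Booking page's address is its display name without spaces,
#    so compare each page's display name against real user mailboxes and protected names.
$userNames = @{}
Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { $userNames[$_.DisplayName.ToLowerInvariant()] = $_.PrimarySmtpAddress }
$highValue = @('Jane Doe', 'Accounts Payable')   # assumed placeholder: executives, finance aliases, etc.
foreach ($b in $bookings) {
    $key = $b.DisplayName.ToLowerInvariant()
    if ($userNames.ContainsKey($key) -or ($highValue -contains $b.DisplayName)) {
        Write-Warning ("Booking mailbox {0} mirrors '{1}' (created {2}); possible impersonation" -f `
            $b.PrimarySmtpAddress, $b.DisplayName, $b.WhenCreated)
    }
}

# 4. Delegation review: who holds Full Access or Send As on each Booking mailbox.
foreach ($b in $bookings) {
    Get-EXOMailboxPermission -Identity $b.PrimarySmtpAddress |
        Where-Object { $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object Identity, User, AccessRights
    Get-EXORecipientPermission -Identity $b.PrimarySmtpAddress |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        Select-Object Identity, Trustee, AccessRights
}

# 5. Remediation (uncomment to apply): block end-user creation per OWA policy, or disable
#    Bookings for the whole tenant if it is not a business requirement.
# Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false
# Set-OrganizationConfig -BookingsEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

The warnings from step 3 are the items to triage first: a Booking mailbox whose display name matches an existing user or a finance or executive alias, especially one with ForwardingSmtpAddress set, matches the impersonation and payment-rerouting scenario described above. Run the script on a schedule so that newly created pages surface within the same window as the Entra ID account-creation monitoring the article recommends.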

The discussion emphasizes the need for rigorous security configuration and continuous monitoring within Microsoft 365 environments to guard against the risks described above.

Original Source: Read the Full Article Here
