
Security Risks in Microsoft Entra Account Creation Process
Quick take - The article outlines potential security risks associated with end users creating accounts in Microsoft Entra through Shared Booking pages, including unauthorized account creation, mailbox access exploitation, and email address hijacking, while recommending measures to mitigate these vulnerabilities.
Fast Facts
- End users creating accounts in Microsoft Entra via Booking pages poses significant security risks, including unauthorized account creation and impersonation of legitimate users.
- Attackers can exploit operational mailboxes linked to Booking pages to impersonate high-ranking individuals, potentially leading to financial losses for organizations.
- Email address hijacking is a concern, as attackers can create Booking pages using former employees’ email addresses, facilitating unauthorized access and activities.
- Shared Booking Pages create hidden, functional mailboxes that do not consume Microsoft 365 licenses, complicating security measures and detection.
- Experts recommend disabling Shared Bookings if not in use, auditing for hidden mailboxes, monitoring account creation activity, and securing high-value email addresses to mitigate risks.
Security Risks Identified in Microsoft Entra Account Creation for End Users
Allowing end users to create accounts in Entra through features such as Microsoft Bookings has been identified as a potential security risk. This feature presents several vulnerabilities that could be exploited by malicious actors.
Unauthorized Account Creation and Mailbox Access
One significant risk is unauthorized account creation. When a shared Booking page is created, it automatically generates a fully functional account in Entra without requiring administrative permissions. The display name of this account matches the Booking page name, and the email address is generated by removing spaces. This process makes it easier for attackers to impersonate legitimate users.
Another concern is mailbox access and delegation. The mailbox associated with a Booking page is operational, allowing it to send and receive emails. Attackers could exploit this capability to impersonate high-ranking individuals and redirect payments, potentially resulting in financial loss for organizations.
Email Address Hijacking and Hidden Mailboxes
Email address hijacking is also a potential threat. Attackers can create Booking pages using the email addresses of former employees, enabling them to receive inbound mail and facilitating activities such as password resets for external services or domain ownership verification. Additionally, the creation of shared Booking pages results in the establishment of hidden, fully functional mailboxes. These mailboxes do not consume a Microsoft 365 license and operate like standard Exchange Online mailboxes but remain undetected in the Exchange Admin Center, complicating security measures further.
Recommendations for Mitigation
Microsoft Bookings includes a feature for creating “Shared Booking Pages,” which is enabled by default for users with the appropriate Microsoft 365 license. Adversaries who have compromised a Microsoft 365 account can exploit this feature. In business email compromise scenarios, attackers use the identity of a compromised user to communicate for financial gain. If Shared Booking Pages are active, attackers could create convincing impersonations, such as mimicking a CEO’s email address, potentially evading impersonation filters.
To mitigate these risks, experts recommend several steps:
- Disabling Shared Bookings if the feature is not in use to minimize security risks.
- Auditing Shared Booking pages using Exchange Online PowerShell to identify any hidden mailboxes.
- Regularly monitoring Entra accounts for unusual account creation activity.
- Restricting access to Shared Bookings and disabling end-user creation unless absolutely necessary.
- Regularly reviewing and revoking unnecessary mailbox permissions to tighten security.
- Securing high-value email addresses by associating them with administrator-controlled accounts to prevent unauthorized access.
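The following script is an added example that turns the recommendations above into a repeatable audit; it is not code from the summarized article or from Microsoft. It assumes the ExchangeOnlineManagement module with an administrator session already opened via Connect-ExchangeOnline, that the tenant still uses the default OWA policy name (OwaMailboxPolicy-Default), and a constructed watchlist of protected names and a placeholder domain that you would replace with your own. Shared Booking pages are backed by mailboxes of RecipientTypeDetails SchedulingMailbox, which is what the audit enumerates; the address derivation (page name with spaces removed) follows the article's description.

```powershell
# Added example: audit and optionally harden Shared Booking pages in Exchange Online.
# Assumes: ExchangeOnlineManagement module, Connect-ExchangeOnline already run as an admin.
# Read-only by default; the hardening section runs only with -Apply.
param(
    [switch]$Apply,                                                # change settings instead of only reporting
    [int]$RecentDays = 30,                                         # flag Booking mailboxes created in this window
    [string]$Domain = 'contoso.example',                           # placeholder tenant domain, replace with yours
    [string[]]$ProtectedNames = @('CEO', 'CFO', 'Accounts Payable') # constructed watchlist of high-value names
)

# 1. Tenant-level Bookings posture.
$org = Get-OrganizationConfig
[pscustomobject]@{
    BookingsEnabled                    = $org.BookingsEnabled
    BookingsMembershipApprovalRequired = $org.BookingsMembershipApprovalRequired
} | Format-List

# 2. Enumerate the hidden mailboxes behind Shared Booking pages. They are
#    SchedulingMailbox recipients and do not appear with regular user mailboxes.
$bookingMailboxes = @(Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited)
"Found $($bookingMailboxes.Count) Booking mailbox(es)."

$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($mbx in $bookingMailboxes) {
    $alias = ($mbx.PrimarySmtpAddress.ToString() -split '@')[0]
    # A page named "Accounts Payable" yields accountspayable@<domain>, so compare the
    # local part against the watchlist with spaces stripped.
    $collides = $ProtectedNames | Where-Object { ($_ -replace '\s', '') -ieq $alias }
    [pscustomobject]@{
        DisplayName  = $mbx.DisplayName
        Address      = $mbx.PrimarySmtpAddress
        WhenCreated  = $mbx.WhenCreated
        RecentlyMade = $mbx.WhenCreated -gt $cutoff   # recent creations deserve a closer look
        ProtectedHit = [bool]$collides                # page address shadows a protected name
    }
    # Explicit (non-inherited) full-access delegations on the Booking mailbox.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, User, AccessRights
    # SendAs grants, which are what an impersonation attempt would rely on.
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, Trustee, AccessRights
}

# 3. Confirm each protected address already resolves to an admin-controlled recipient,
#    so that no Booking page (or anything else) can claim it later.
foreach ($name in $ProtectedNames) {
    $address = ($name -replace '\s', '') + '@' + $Domain
    $owner = Get-Recipient -Identity $address -ErrorAction SilentlyContinue
    if ($null -eq $owner) {
        "UNCLAIMED: $address has no recipient; reserve it with an admin-controlled object."
    } elseif ($owner.RecipientTypeDetails -eq 'SchedulingMailbox') {
        "WARNING: $address is owned by a Booking mailbox ($($owner.DisplayName))."
    } else {
        "OK: $address -> $($owner.RecipientTypeDetails) $($owner.DisplayName)"
    }
}

# 4. Hardening, applied only when explicitly requested.
if ($Apply) {
    # Stop end users from creating Booking mailboxes through the default OWA policy.
    Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false
    # Require administrator approval before staff can be added to a Booking page.
    Set-OrganizationConfig -BookingsMembershipApprovalRequired $true
    # If Bookings is not used at all, disable the feature tenant-wide instead:
    # Set-OrganizationConfig -BookingsEnabled $false
}
```

Run it without -Apply first and review the three outputs (posture, per-mailbox findings with delegations, and the protected-address check) before enabling the hardening step; if the tenant uses custom OWA mailbox policies, repeat the Set-OwaMailboxPolicy call for each policy assigned to users.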
The article highlights the critical need for rigorous security configurations and ongoing monitoring within Microsoft 365 environments to protect against these vulnerabilities.