Third-Party Vulnerability Assessment of Microsoft Office 365 - 2020
Published: September
© 2019 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document
does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This document
is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement.
Document Location: https://aka.ms/O365PenTest20
Document Feedback: cxprad@microsoft.com
Introduction
Microsoft hired NCC Group to conduct a vulnerability and security assessment of Microsoft Office
365. This report provides information and insights into the findings of that assessment, which was
performed between 30/03/2020 and 30/04/2020.
Microsoft requested that NCC Group perform a security assessment of Microsoft Office 365 to identify
security vulnerabilities that could compromise Microsoft cloud services and impact our customers'
data.
The assessment did not identify any security vulnerabilities which should cause concern. No methods
of obtaining data that belong to a different tenant or methods to directly target a Microsoft Office
365 user were found. All findings of the assessment were of medium or low severity, with the low
severity issues being related to information leakage, and minor server misconfigurations.
Scope
The security assessment involved:
Test Methodologies
The primary areas of concern in web application security are authentication bypass, injection, account
traversal, privilege escalation, and data extraction.
The assessment was conducted to cover all the Open Web Application Security Project (OWASP) Top
10 web application security risks and other relevant targeted vectors. The OWASP tests performed
(following the categories of the OWASP Top 10 2013 edition) included:
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
Assessment
Overall, Microsoft Office 365 was found to be implementing strong security controls, including the use
of anti-Cross-Site Request Forgery (CSRF) tokens and robust input validation, protecting against directory
traversal, SQL injection attacks, and malicious file uploads. While no direct, immediately exploitable
issues were identified, some of the identified issues could, in combination with user interaction or
other weaknesses, provide methods of gaining unauthorized access to Microsoft Office 365 user accounts
and organizational data.
Severity Ratings
The following severity ratings categorize each vulnerability. This rating represents the worst theoretical
outcome if a vulnerability was exploited, although the severity rating does not indicate the likelihood
of that outcome. The severity ratings are described in the following table.
Severity Rating  Definition
Critical         A vulnerability in the service where data access is uninhibited, or the service itself
                 can be impacted. For example, self-propagating malware, and unavoidable common use
                 scenarios where code execution occurs without warnings or prompts. This could mean
                 browsing a web page or opening email.
Important        A vulnerability whose exploitation could result in a compromise of the confidentiality,
                 integrity, or availability of user data, or of the integrity or availability of
                 processing resources.
Moderate         Impact of the vulnerability is mitigated to a significant degree by factors such as
                 authentication requirements or applicability only to non-default configurations.
Low              Impact of the vulnerability is comprehensively mitigated by the characteristics of the
                 affected component.
Table 1 - Severity ratings used in assessment report
The following table summarizes the number of issues identified and their severity ratings.
Table 2 - Findings from the 2020 vulnerability assessment of Microsoft Office 365
Of the 9 Moderate issues noted in the assessment, 4 are by design: the use of unencrypted
connections, anonymous organization and employee enumeration, OneDrive and SharePoint Server-Side
Request Forgery, and uploaded file types not being restricted. All are discussed below.
Response: The typical way to exploit a weakness like this is phishing. Microsoft recommends that
organizations use administrative accounts solely to administer the Tenant. Administrative accounts
should never be used for standard user operations such as email.
Response: The token which is sent by the component to the destination is not able to be used to
access content in SPO. This issue doesn’t have significant security impact.
Moderate: Microsoft Office 365 Apps Excluded from SSO Logout (Fixed)
Finding: When the logout function is invoked from within a Microsoft Office 365 application, the
authentication server attempts to log the user out of all other Microsoft Office 365 applications.
However, parts of the OneDrive admin application and Office Web App did not fully sign the user out.
Response: These issues are of primary concern in a kiosk environment where multiple users share the
same machine. We have deprecated the OneDrive administrator component. General guidance is to
never perform administrative duties from a shared/kiosk device. Office Web App is being signed out
when you sign out of Office.
Response: This issue depends on a user ignoring at least two warnings. There is also a warning to
the user upon download of the file. If Excel files in your organization do not depend on
Dynamic Data Exchange (DDE), and you consider this attack vector to be a concern, we recommend
that you disable DDE as outlined in Microsoft Security Advisory ADV170021. With the mitigations in
place this is a low risk.
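As an added example (not part of the original report), the following PowerShell applies the Excel DDE hardening that ADV170021 describes by setting the per-user registry values under the Excel Security key, then reports whether each value is at the hardened setting. The value names and the Office version path (16.0 for Office 2016 and Microsoft 365 Apps) are those listed in the advisory; confirm them against ADV170021 for your Office build before deploying, and roll the values out through Group Policy or Intune rather than per-machine scripts where possible.

```powershell
# Added example: apply and verify the Excel DDE mitigations from ADV170021 for the current user.
# Assumes Office 16.0 (Office 2016 / Microsoft 365 Apps); adjust $OfficeVersion for other builds.
$OfficeVersion    = '16.0'
$ExcelSecurityKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"

# Value names as listed in ADV170021 (verify against the advisory for your build):
#   DisableDDEServerLookup = 1 -> Excel will not look up running DDE server applications
#   DisableDDEServerLaunch = 1 -> Excel will not launch a DDE server application
#   WorkbookLinkWarnings   = 2 -> older mitigation: do not update workbook links automatically
$Desired = @{
    DisableDDEServerLookup = 1
    DisableDDEServerLaunch = 1
    WorkbookLinkWarnings   = 2
}

if (-not (Test-Path $ExcelSecurityKey)) {
    New-Item -Path $ExcelSecurityKey -Force | Out-Null
}

foreach ($name in $Desired.Keys) {
    New-ItemProperty -Path $ExcelSecurityKey -Name $name -PropertyType DWord `
        -Value $Desired[$name] -Force | Out-Null
}

# Verification: report any value that is missing or not at the hardened setting.
$current = Get-ItemProperty -Path $ExcelSecurityKey
foreach ($name in $Desired.Keys) {
    $actual = $current.$name
    $state  = if ($actual -eq $Desired[$name]) { 'OK' } else { 'NOT HARDENED' }
    '{0,-24} expected={1} actual={2} {3}' -f $name, $Desired[$name], $actual, $state
}
```

The verification loop is the part worth keeping in a baseline check: a Trust Center change by the user, or a later Office update, can silently reset these values, so re-running the check is cheaper than trusting the original deployment.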
Response: This is by design. Microsoft's STS needs to tell a client which organizational STS (for
example, the customer's AD FS) it must sign in with in order to complete the sign-in request; that is
the purpose of the realm discovery process, so the endpoint necessarily reveals whether a domain is
federated and where its STS is. To mitigate concerns, customers can deploy an Extranet Lockout Policy
and firewall/throttling policies, where required.
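The Extranet Lockout Policy mentioned above, as an added example that is not part of the original report: the AD FS cmdlets below first show the current state and then enable extranet lockout so that password-spray and lockout attempts arriving through the Web Application Proxy are stopped at AD FS. The threshold and window values are illustrative; set the threshold below the Active Directory account lockout threshold so that AD FS blocks the attacker before the domain account itself is locked, and run this on an AD FS server as an AD FS administrator.

```powershell
# Added example: enable AD FS Extranet Lockout (not the report's own configuration).
# Assumes AD FS 2012 R2 or later; threshold/window values are illustrative and must be tuned
# below the AD account lockout threshold of the forest.

# Before: inspect the current state. EnableExtranetLockout is $false by default.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow

# After: 10 failed extranet attempts within a 30-minute window block further extranet attempts
# for that account until the window expires; intranet sign-ins are not affected.
# ExtranetLockoutRequirePDC $false keeps enforcement working if the PDC emulator is unreachable.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
                   -ExtranetLockoutRequirePDC $false

# Verify the change actually took effect.
$p = Get-AdfsProperties
if (-not $p.EnableExtranetLockout) { throw 'Extranet lockout is still disabled' }
'Extranet lockout enabled: threshold={0} window={1}' -f $p.ExtranetLockoutThreshold, $p.ExtranetObservationWindow
```

Extranet lockout limits the damage from credential guessing that the realm discovery endpoint makes easier to target; it does not hide the realm information itself, which is why the report treats that disclosure as by design.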
Finding: It is possible to anonymously enumerate e-mail addresses, names, job titles, and current
online status for known SIP addresses in Skype for Business, if an open external communications
policy is configured.
Response: If this is perceived to be a security risk, customers can change their Skype for Business
external communications setting to Only On for Allowed Domains.
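The "Only On for Allowed Domains" setting referred to above can also be applied from PowerShell. The following is an added example (not the report's own instructions) using the Skype for Business Online / Teams PowerShell cmdlets; the partner domain names are placeholders, and it assumes a session authenticated as a Skype for Business or global administrator.

```powershell
# Added example: restrict Skype for Business Online external communications to an allow list,
# the PowerShell equivalent of "Only On for Allowed Domains" in the admin center.
# Domain names are placeholders; requires an authenticated Skype for Business Online session.

# Before: an open external communications policy typically shows AllowFederatedUsers=$true with
# AllowedDomains set to AllowAllKnownDomains, which is what permits anonymous presence, name and
# title lookups for any known SIP address from any federated domain.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# After: keep federation on, but only with explicitly listed partner domains,
# and turn off federation with public IM providers.
$partnerDomains = @('partner-a.example', 'partner-b.example')
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList -AllowPublicUsers $false

# Verify: only the listed domains should remain.
(Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain | Select-Object Domain
```

An allow list reduces the enumeration surface to the listed partners; it does not prevent a user in one of those partner domains from performing the same lookups, so the list should be kept short and reviewed periodically.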
Response: Each service has its own risk tolerance depending on its usage scenarios. Exchange Online,
which receives a lot of content from unknown sources, has a very stringent approach. SharePoint
Online, which doesn’t have the same external exposure, is still scanning the content but won’t block
on upload but on download. Yammer connected groups store information in SharePoint and use the
SharePoint engine for identifying potential malware. Make sure that anti-malware protection is up-to-
date on devices accessing information according to best practices.
Response: This is a repeat finding that was also noted in the assessments from 2018 and 2019. Our
plans to permanently fix this vulnerability are part of a much larger architectural change within the
Yammer service that is still in progress. We have identified issues with support of legacy clients that
prevent us from turning this off completely. Again, the severity of this vulnerability is mitigated by the
fact that sensitive POST requests to Yammer require a suitable Authorization header to be present.
Response: Session timeouts can be configured via conditional access. The default session timeouts for
Microsoft 365 Services can be found here.
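As an added example, not taken from the report, the following Microsoft Graph PowerShell creates a Conditional Access policy that enforces a sign-in frequency and disables persistent browser sessions, which is the mechanism the response above refers to. The group ID is a placeholder, the policy is created in report-only mode so its effect can be checked in the sign-in logs before enforcement, and it assumes the Microsoft.Graph module with the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example: Conditional Access policy enforcing re-authentication every 8 hours and
# non-persistent browser sessions (not the report's own configuration).
# Placeholder group ID; requires Microsoft.Graph and Policy.ReadWrite.ConditionalAccess consent.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Require re-authentication every 8 hours (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after validation
    conditions  = @{
        users          = @{ includeGroups = @('00000000-0000-0000-0000-000000000000') } # placeholder
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        # Sign-in frequency: force a fresh interactive sign-in after 8 hours.
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 8 }
        # Persistent browser 'never': no "stay signed in" cookies, sessions end with the browser.
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Verify the policy exists with the intended session controls.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'Require re-authentication*' |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequencyHours'; e = { $_.SessionControls.SignInFrequency.Value } },
        @{ n = 'PersistentBrowser';    e = { $_.SessionControls.PersistentBrowser.Mode } }
```

Shorter sign-in frequencies and non-persistent sessions are the controls most relevant to the shared-device and kiosk scenario described earlier in this report, since they bound how long a session left behind on such a device remains usable.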
Summary
Microsoft hired NCC Group to conduct a security assessment of Microsoft Office 365, which was
performed between 30/03/2020 and 30/04/2020. The assessment did not identify any security issues
which should cause concern. No methods of obtaining data belonging to a different Microsoft Office
365 tenant or directly targeting a Microsoft Office 365 user were found. Most of the Medium severity
issues are already fixed or noted as by-design. The remaining Medium and Low severity issues are
being triaged and resolved as part of our software development lifecycle.