
Third-Party Vulnerability Assessment of Microsoft Office 365 - 2020

Published: September

This document provides details on third-party penetration testing performed against Microsoft Office 365 by independent testers, NCC Group.

© 2019 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document
does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This document
is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement.
Document Location: https://aka.ms/O365PenTest20
Document Feedback: cxprad@microsoft.com

Introduction
Microsoft hired NCC Group to conduct a vulnerability and security assessment of Microsoft Office
365. This report provides information and insights into the findings of that assessment, which was
performed between 30/03/2020 and 30/04/2020.

Microsoft requested that NCC Group perform a security assessment of Microsoft Office 365 to identify
security vulnerabilities that could compromise Microsoft cloud services and impact our customers'
data.

The assessment did not identify any security vulnerabilities that should cause concern. No methods
of obtaining data that belongs to a different tenant, or methods to directly target a Microsoft Office
365 user, were found. All findings of the assessment were of medium or low severity, with the low
severity issues relating to information leakage and minor server misconfigurations.

Scope
The security assessment involved:

- Deploying Active Directory Federation Services (ADFS) per Microsoft's guidelines
- Deploying multiple trial Microsoft Office 365 subscriptions to assess for:
  o Residual data from existing customers; and
  o Any ability to access data from other customers.
- Performing security assessments of the sign-up and account management functionality that supports Microsoft Office 365
- Performing multiple security assessments by Council of Registered Ethical Security Testers consultants against numerous services to determine the overall security of Microsoft Office 365, including:
  o Microsoft Exchange Online
  o Microsoft SharePoint Online
  o Microsoft OneDrive for Business
  o Microsoft Skype for Business
  o Microsoft Office Professional Plus
  o Microsoft Exchange Online Archiving
  o Microsoft Office Web Apps
  o Yammer Enterprise
  o Microsoft Teams
  o Microsoft OneDrive

Test Methodologies
The primary areas of concern in web application security are authentication bypass, injection, account
traversal, privilege escalation, and data extraction.

The assessment was conducted to cover all the Open Web Application Security Project (OWASP) Top
10 web application security risks and other relevant targeted vectors. The OWASP tests performed
included:

- A1: Injection
- A2: Broken Authentication and Session Management
- A3: Cross-Site Scripting (XSS)
- A4: Insecure Direct Object References
- A5: Security Misconfiguration
- A6: Sensitive Data Exposure
- A7: Missing Function Level Access Control
- A8: Cross-Site Request Forgery (CSRF)
- A9: Using Components with Known Vulnerabilities
- A10: Unvalidated Redirects and Forwards

Assessment
Overall, Microsoft Office 365 was found to implement strong security controls, including the use
of anti-Cross-Site Request Forgery (CSRF) tokens and robust input validation that protects against directory
traversal, SQL injection attacks, and malicious file uploads. While no direct, immediately exploitable
weaknesses were identified, some of the identified issues could provide methods of gaining
unauthorized access to Microsoft Office 365 user accounts and organizational data.

Severity Ratings
The following severity ratings categorize each vulnerability. This rating represents the worst theoretical
outcome if a vulnerability were exploited, although the severity rating does not indicate the likelihood
of that outcome. The severity ratings are described in the following table.

Severity Rating | Definition
Critical        | A vulnerability in the service where data access is uninhibited, or the service itself can be impacted. For example, self-propagating malware, and unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing a web page or opening email.
Important       | A vulnerability whose exploitation could result in a compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.
Moderate        | Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.
Low             | Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component.

Table 1 - Severity ratings used in assessment report

The following table summarizes the number of issues identified and their severity ratings.

Critical | Important | Moderate | Low | Total
0        | 0         | 9        | 14  | 23

Table 2 - Findings from the 2020 vulnerability assessment of Microsoft Office 365

Microsoft responses to findings

This section responds to the 9 Moderate issues found in the assessment. Low severity issues are
triaged and resolved as appropriate as part of our software development lifecycle.

Of the 9 Moderate issues noted in the assessment, 4 are by design: the use of unencrypted
connections, anonymous organization and employee enumeration, OneDrive & SharePoint Server-Side
Request Forgery, and Uploaded File Types Not Restricted. All are discussed below.

Moderate: Cross Site Content Framing in Exchange (Triage)

Finding: A page within the Exchange application that is accessible to administrators can show an
external website in an HTML frame. As a result, while the URL was trusted, the page contents could be
loaded from a malicious website.

Response: The typical way to exploit a weakness like this is phishing. Microsoft recommends that
organizations use administrative accounts solely to administer the Tenant. Administrative accounts
should never be used for standard user operations such as email.

This issue is being triaged.

Moderate: OneDrive & SharePoint Server-Side Request Forgery (By Design)

Finding: Server-side request forgery (SSRF) allows an attacker to force a vulnerable server to connect
to network services on behalf of the attacker. It was possible to send requests to arbitrary websites.

Response: The token sent by the component to the destination cannot be used to
access content in SPO. This issue does not have significant security impact.
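The two findings above (a frame whose source can be an external site, and a server-side component that will fetch arbitrary URLs) share one defensive root: the application must decide, from the parsed URL rather than from string matching, whether a destination is acceptable. The following is an added example written for this page, not code from the report, NCC Group or Microsoft. The allowlisted origins, the hostnames and the address map in CONSTRUCTED_DNS are all constructed placeholders; the resolver is injected so that the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of origins this application is willing to show in a frame.
# The report does not name the real origins; these are placeholders for the example.
FRAME_ALLOWLIST = {"https://portal.example.com", "https://help.example.com"}

# Constructed stand-in for DNS so the example runs offline. 11.22.33.44 plays a
# public address; the other two play an internal host and a link-local address.
CONSTRUCTED_DNS = {
    "cdn.example.net": ["11.22.33.44"],
    "intranet.example.test": ["10.20.30.40"],
    "metadata.example.test": ["169.254.169.254"],
}


def constructed_resolve(host):
    """Offline resolver used in place of socket.getaddrinfo for this example."""
    return CONSTRUCTED_DNS.get(host.lower(), [])


def origin_of(url):
    """Return scheme://host[:port] for an absolute http(s) URL, or None otherwise.

    Comparing the parsed origin instead of a string prefix is what defeats
    lookalike hosts (portal.example.com.other.test) and userinfo tricks
    (https://portal.example.com@other.test/): both parse to another hostname.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def frame_src_allowed(url):
    """True only if the frame source's entire origin is on the allowlist."""
    origin = origin_of(url)
    return origin is not None and origin in FRAME_ALLOWLIST


def ip_is_public(ip_text):
    """True if the address is globally routable (not loopback, private, link-local, ...)."""
    addr = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the IPv4 address it wraps.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def fetch_target_allowed(url, resolve=constructed_resolve):
    """Decide whether the server may fetch `url` on a user's behalf.

    `resolve(host)` returns the addresses a hostname maps to. A real caller
    should connect to the address it checked rather than resolving again,
    so a DNS rebinding cannot swap in a private address between check and use.
    """
    if origin_of(url) is None:
        return False  # only http(s) with a hostname; no file:, gopher:, etc.
    host = urlsplit(url).hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolve(host)
    return bool(addrs) and all(ip_is_public(a) for a in addrs)


if __name__ == "__main__":
    print(frame_src_allowed("https://portal.example.com/admin"))        # True
    print(frame_src_allowed("https://portal.example.com@other.test/"))  # False
    print(fetch_target_allowed("https://cdn.example.net/file"))         # True
    print(fetch_target_allowed("http://intranet.example.test/"))        # False
```

Rejecting every address that is not globally routable (rather than listing a few private ranges by hand) is what closes the usual gaps: loopback, link-local, IPv4-mapped IPv6 and the unspecified address are all covered by one property.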

Moderate: Microsoft Office 365 Apps Excluded from SSO Logout (Fixed)

Finding: When the logout function is invoked from within a Microsoft Office 365 application, the
authentication server attempts to log the user out of all other Microsoft Office 365 applications.
However, parts of the OneDrive admin application and Office Web App did not fully sign out.

Response: These issues are of primary concern in a kiosk environment where multiple users share the
same machine. We have deprecated the OneDrive administrator component. General guidance is to
never perform administrative duties from a shared/kiosk device. Office Web App is now signed out
when you sign out of Office.

Moderate: Malicious input executed in Excel Export (Client-side mitigation)

Finding: An export function within Microsoft Yammer produced CSV files, the content of which
included user-supplied input stored by the application. A malicious file could be constructed targeting
Excel which could lead to operating system commands being run on the machine of anyone who
opened an exported file. Command execution depends on the victim accepting at least two warnings
from Excel.

Response: This issue is dependent on a user ignoring at least two warnings. There is also a warning to
the user upon download of the file. If Excel files in your organization are not dependent upon
Dynamic Data Exchange (DDE), and you consider this attack vector to be a concern, we recommend
that you disable DDE as outlined in ADV170021. With the mitigations in place this is a low risk.
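The server-side counterpart to the client-side mitigation above is to neutralise formula-like cells before they leave the export function. The following is an added example for this page, not Yammer's code: it prefixes any cell that a spreadsheet would interpret as a formula with an apostrophe, quotes every field, and also provides a detection routine that scans an existing CSV export for such cells. CONSTRUCTED_ROWS is constructed sample data.

```python
import csv
import io

# Characters that make a spreadsheet interpret a cell as a formula when they lead the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed export rows standing in for user-supplied profile data.
CONSTRUCTED_ROWS = [
    {"name": "Alice Example", "title": "Engineer"},
    {"name": "Bob Example", "title": "=1+1"},                 # field that begins like a formula
    {"name": "Cara Example", "title": " +44 20 7946 0000"},   # leading space, then '+'
]


def is_formula_like(cell):
    """True if a spreadsheet would treat this cell as a formula rather than text."""
    # Excel trims leading spaces before looking for a formula marker, so strip them first.
    return cell.lstrip(" ").startswith(FORMULA_PREFIXES)


def neutralise_cell(value):
    """Return `value` as a string the spreadsheet will keep as literal text.

    A leading apostrophe forces text interpretation and is not displayed by
    Excel; the csv writer's quoting handles embedded quotes and separators.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows, fieldnames):
    """Serialise rows to CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection side: (row, column) positions of formula-like cells in an existing export."""
    hits = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(record):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    print(export_csv(CONSTRUCTED_ROWS, ["name", "title"]))
```

The trade-off is that genuinely numeric values such as "-5" in a free-text column also receive the apostrophe; columns the application itself controls as numbers can be emitted without neutralisation, while anything user-supplied should always pass through it.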

Moderate: Use of unencrypted connections (By Design/Fixed)

Finding: In general, all access to Microsoft Office 365 is conducted over an encrypted (HTTPS)
connection; however, in some instances, Skype for Business and Yammer are passed or directed over
an unencrypted connection. This could allow an attacker who has access to network traffic to sniff or
modify data in motion.

Response: The Skype AutoDiscover HTTP request is per specification:
https://docs.microsoft.com/en-us/openspecs/office_protocols/ms-ocdiscws/7361d2a8-f704-4a51-ab36-3a5962bf2bed

Yammer has deprecated the unencrypted link.

Moderate: Organization and employee enumeration (By Design)

Finding: It is possible to enumerate an organization's ADFS endpoints anonymously by making realm
discovery requests to Microsoft's Security Token Service (STS).

Response: This is by design, as Microsoft's STS needs to tell clients which organization STS to
sign in with so that they can complete the sign-in request. This is the purpose of the realm discovery
process. To mitigate concerns, customers can deploy an Extranet Lockout Policy and firewall/throttling
policies, where required.
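Because realm discovery is unauthenticated, the control the response points to is rate limiting rather than account lockout. The following added example (not Microsoft's or NCC Group's code) shows a per-source sliding-window throttle and replays a constructed request log through it. The path /realm-discovery and the source addresses are constructed placeholders, not real endpoints.

```python
from collections import defaultdict, deque

# Constructed request log: (timestamp in seconds, source address, requested path).
# One source issues eight lookups in eight seconds; another issues two, 15 s apart.
CONSTRUCTED_LOG = (
    [(float(t), "198.51.100.7", f"/realm-discovery?user=user{t}@example.com")
     for t in range(8)]
    + [(30.0, "203.0.113.9", "/realm-discovery?user=alice@example.com"),
       (45.0, "203.0.113.9", "/realm-discovery?user=alice@example.com")]
)


class SlidingWindowThrottle:
    """Allow at most `limit` requests per `window` seconds from each source."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps inside the window

    def allow(self, source, now):
        q = self._hits[source]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: reject, and in production also log it
        q.append(now)
        return True


def replay(log, limit=5, window=60.0):
    """Replay a request log and return {source: (allowed, blocked)}."""
    throttle = SlidingWindowThrottle(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for ts, source, _path in sorted(log):
        counts[source][0 if throttle.allow(source, ts) else 1] += 1
    return {source: tuple(v) for source, v in counts.items()}


if __name__ == "__main__":
    print(replay(CONSTRUCTED_LOG))  # {'198.51.100.7': (5, 3), '203.0.113.9': (2, 0)}
```

The limit and window are policy values; what matters for an enumeration concern is that the blocked count per source is also surfaced to monitoring, since a steady stream of rejected lookups from one source is itself the signal worth investigating.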

Finding: It is possible to anonymously enumerate e-mail addresses, names, job titles, and current
online status for known SIP addresses in Skype for Business, if an open external communications
policy is configured.

Response: If this is perceived to be a security risk, customers can change their Skype for Business
external communications setting to Only On for Allowed Domains.

Moderate: Uploaded File Types Not Restricted (By Design)

Finding: In various locations in the Microsoft Office 365 suite, it was possible to upload (and for other
users to download) any type of file, without any anti-virus scanning or other content checking being
performed on the server side against the uploaded file.

Response: Each service has its own risk tolerance depending on its usage scenarios. Exchange Online,
which receives a lot of content from unknown sources, has a very stringent approach. SharePoint
Online, which does not have the same external exposure, still scans the content but blocks on
download rather than on upload. Yammer connected groups store information in SharePoint and use the
SharePoint engine for identifying potential malware. Make sure that anti-malware protection is up-to-date
on devices accessing information according to best practices.
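Where a service does choose to restrict upload types, the check has to look at content, not just the filename. The following is an added example for this page, not code from any Office 365 service: it allowlists extensions, verifies the leading bytes the extension implies, and for a container format (.docx, which is a zip) confirms the expected entries are present, because the zip signature alone would accept any archive. ALLOWED_TYPES and the size limit are a constructed policy; build_constructed_docx makes test input.

```python
import io
import os
import zipfile

# Constructed policy: extension -> accepted leading bytes. Not any service's real policy.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),  # OOXML is a zip container, so the magic alone is weak
}
DOCX_REQUIRED_ENTRIES = {"[Content_Types].xml", "word/document.xml"}
MAX_BYTES = 25 * 1024 * 1024


def classify_upload(filename, data):
    """Return ("accept", reason) or ("reject", reason) for a file a user wants to store.

    Three checks: the declared extension is allowlisted, the content starts with
    the bytes that extension implies, and container formats carry the expected
    entries. This is type validation only; it does not replace malware scanning.
    """
    if not data:
        return ("reject", "empty file")
    if len(data) > MAX_BYTES:
        return ("reject", "exceeds size limit")
    # splitext keeps only the last extension, so report.pdf.exe is judged as .exe
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return ("reject", f"extension {ext or '(none)'} not allowed")
    if not data.startswith(magics):
        return ("reject", f"content does not look like {ext}")
    if ext == ".docx":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return ("reject", "docx is not a valid zip container")
        if not DOCX_REQUIRED_ENTRIES <= names:
            return ("reject", "zip container lacks the Word document parts")
    return ("accept", f"{ext} content matches declared type")


def build_constructed_docx(entry_names):
    """Build an in-memory zip with the given entry names (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, "<placeholder/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(classify_upload("report.pdf.exe", b"%PDF-1.7\n"))
```

The design point is that each layer catches what the previous one misses: the extension allowlist stops obvious executables, the magic check stops a renamed binary, and the container inspection stops an arbitrary archive wearing a document extension. Scanning the stored content, as the response describes for SharePoint Online, remains a separate control.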

Moderate: Yammer Insecure Cookie Configuration (Tracked for resolution)

Finding: Yammer is missing the HttpOnly flag for the OAuth token. The HttpOnly flag dictates that the
cookie may only be supplied via HTTP, within the HTTP request header, and not via the DOM or
otherwise. As such, the cookie will function as normal during typical browsing but will not appear in
the document.cookie DOM variable, thus mitigating most cookie-stealing cross-site scripting attacks.

Response: This is a repeat finding that was also noted in the assessments from 2018 and 2019. Our plans to
permanently fix this vulnerability are part of a much larger architectural change within the Yammer
service that is still in progress. We have identified issues with support of legacy clients that prevent us
from turning this off completely. Again, the severity of this vulnerability is mitigated by the fact that
sensitive POST requests to Yammer require a suitable Authorization header to be present.
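A finding of this kind is straightforward to check for continuously. The following added example (not Yammer's or the assessors' code) parses Set-Cookie headers, reports credential-bearing cookies that lack HttpOnly, Secure or a restrictive SameSite value, and shows the header a hardened cookie should carry. CONSTRUCTED_RESPONSES is constructed sample data; the hostnames are placeholders.

```python
# Constructed response headers standing in for what a scanner captured.
CONSTRUCTED_RESPONSES = {
    "https://collab.example.test/": [
        "oauth_token=abc123; Path=/; Secure",          # credential cookie, no HttpOnly
        "prefs=dark; Path=/",                          # non-sensitive preference cookie
    ],
    "https://portal.example.test/": [
        "session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}

# Name fragments that suggest a cookie carries a credential (constructed heuristic).
SENSITIVE_NAME_HINTS = ("token", "session", "auth", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attribute map)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attributes


def audit_set_cookie(header):
    """Return the list of weaknesses in one Set-Cookie header (empty means hardened)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so script "
                        "injection can read it")
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send it over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


def is_sensitive(name):
    """Heuristic: does the cookie name suggest it carries a credential?"""
    return any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS)


def audit_responses(responses):
    """Audit every Set-Cookie header; keep findings only for credential-looking cookies."""
    report = {}
    for url, headers in responses.items():
        for header in headers:
            name, _, _ = parse_set_cookie(header)
            if is_sensitive(name):
                findings = audit_set_cookie(header)
                if findings:
                    report[(url, name)] = findings
    return report


def hardened_set_cookie(name, value, max_age=3600):
    """Build the Set-Cookie header a credential cookie should carry."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for (url, name), findings in audit_responses(CONSTRUCTED_RESPONSES).items():
        print(url, name, findings)
```

Run against captured responses, this turns the one-off finding into a regression check; the mitigation the response describes (an Authorization header required on sensitive POSTs) reduces the impact of a readable cookie but does not change what the audit reports, which is the attribute itself.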

Moderate: Excessive timeouts (Configurable)

Finding: Session timeouts enforced by the Office 365 platform were longer than is typically
recommended for web applications in some instances.

Response: Session timeouts can be configured via conditional access. The default session timeouts for
Microsoft 365 Services can be found here.

Summary
Microsoft hired NCC Group to conduct a security assessment of Microsoft Office 365, which was
performed between 30/03/2020 and 30/04/2020. The assessment did not identify any security issues
which should cause concern. No methods of obtaining data belonging to a different Microsoft Office
365 tenant or directly targeting a Microsoft Office 365 user were found. Most of the Medium severity
issues are already fixed or noted as by-design. The remaining Medium and Low severity issues are
being triaged and resolved as part of our software development lifecycle.
