Unmanaged Azure Tenants: A Hidden Security Risk

If your institution uses Exchange Online or Microsoft 365 for email, you have a Microsoft Entra ID (formerly Azure Active Directory) tenant, commonly referred to as an Azure tenant. Many institutions are unaware that this tenant requires active management and continuous monitoring to remain secure. Some settings should be locked down as a matter of course, others need to be tuned to the institution's business, and some produce events that must be watched on an ongoing basis. In serving hundreds of community banks and credit unions across the US, we have identified numerous tenants that are either unmanaged or improperly managed. This leaves gaps that attackers exploit, leading to compromised accounts and data exfiltration.

Outlined below are some common issues we have encountered. The figures quoted are annual counts of each activity, normalized to 100 institutions.

Compromised User Accounts

Each year, we observe approximately 1,000 successful logins from outside the United States. While some of these logins occur when employees are traveling, many do not. Often these logins indicate a compromised account.

Institutions should block sign-ins from outside the US, or limit them to documented exceptions, based on business requirements and employee work patterns, and should monitor and alert on every sign-in that still arrives from abroad. Geographic restrictions are easy for an attacker to sidestep with a US-hosted VPN or proxy, so treat them as a filter that removes noise rather than as a substitute for MFA, and start any new blocking policy in report-only mode so that legitimate travelers and service accounts surface before it is enforced.
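As an added example (not code from the original article), the following Microsoft Graph PowerShell script first lists successful sign-ins from outside the allowed countries over the last seven days, grouped by user, and then creates the country named location and the report-only Conditional Access policy that would block them. The allowed-country list, the seven-day window and the break-glass account UPN are assumptions to adjust.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.ReadWrite.ConditionalAccess","User.Read.All"

$allowedCountries = @("US")                           # assumption: adjust to the institution
$breakGlassUpn    = "breakglass@contoso.example"      # assumption: emergency access account to exclude

# 1. Detection: successful interactive sign-ins whose resolved country is not allowed.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0"
$foreign = $signIns | Where-Object { $_.Location.CountryOrRegion -notin $allowedCountries }

$foreign |
    Group-Object UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            SignIns   = $_.Count
            Countries = ($_.Group.Location.CountryOrRegion | Sort-Object -Unique) -join ","
            IPs       = ($_.Group.IPAddress | Sort-Object -Unique) -join ","
            Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ","
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# 2. Control: a country named location plus a policy that blocks everything outside it.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated are NOT allowed
}

$breakGlassId = (Get-MgUser -UserId $breakGlassUpn).Id

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block sign-in from outside allowed countries"
    # Report-only first: the sign-in log then records what the policy WOULD have done,
    # which is how traveling staff and service accounts get found before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Run the detection part first and review the output: staff on vacation and SaaS integrations that authenticate from foreign data centers will appear here and need an exclusion before the policy is switched from report-only to enabled. A successful sign-in from an address with no resolvable country also falls outside the allowed location and would be blocked once the policy is enforced.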

Unknown Users

While exact numbers are unavailable, we often encounter this issue when conducting reviews with customers. We frequently discover accounts that the institution cannot identify and that are not associated with current employees. Some may be old accounts that were not deactivated when an employee left. There is also a risk that some were created by bad actors to maintain access. In some cases, we discovered that the accounts had been created with administrator privileges, giving cybercriminals full access. Reconciling the directory against the HR roster and reviewing the membership of privileged roles on a schedule are the two checks that surface these accounts.
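An added example, not part of the original article, showing those two reconciliations with the Microsoft Graph PowerShell SDK: enabled member accounts that have never signed in or have not signed in for 90 days, accounts absent from an HR roster (constructed inline here; in practice exported from HR), and the current members of a few privileged directory roles. The 90-day threshold and the role list are assumptions.

```powershell
# Added example, not from the original article. signInActivity requires the
# AuditLog.Read.All scope and a Microsoft Entra ID P1/P2 license.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","RoleManagement.Read.Directory"

$staleAfterDays = 90                                          # assumption
# Constructed roster for the example; in practice export this from the HR system.
$roster = @("alice@contoso.example","bob@contoso.example") | ForEach-Object { $_.ToLower() }

$users  = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity"
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$report = foreach ($u in $users | Where-Object { $_.AccountEnabled -and $_.UserType -eq "Member" }) {
    $last = $u.SignInActivity.LastSignInDateTime          # $null if the account has never signed in
    [pscustomobject]@{
        User        = $u.UserPrincipalName
        Created     = $u.CreatedDateTime
        LastSignIn  = $last
        Stale       = (-not $last) -or ($last -lt $cutoff)
        NotOnRoster = $u.UserPrincipalName.ToLower() -notin $roster
    }
}
# Anything stale or unknown to HR is a candidate for disablement after a human check.
$report | Where-Object { $_.Stale -or $_.NotOnRoster } | Sort-Object LastSignIn | Format-Table -AutoSize

# Accounts holding admin roles deserve a second look regardless of activity.
# Note: Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# and PIM "eligible" assignments are not shown here, only active membership.
$privileged = "Global Administrator","Exchange Administrator","User Administrator","Privileged Role Administrator"
foreach ($role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $privileged }) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $m.AdditionalProperties.userPrincipalName
            Type   = $m.AdditionalProperties."@odata.type"   # user, group or service principal
        }
    }
}
```

The CreatedDateTime column matters for the second category: an account that is not on the roster and was created recently, at an odd hour, or by another account that is itself unexplained is the pattern the article describes, rather than a simple offboarding miss.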

Forwarding of Emails to Outside Accounts

Email forwarding or redirection is added to mailboxes approximately 700 times a year. Discussions with multiple institutions revealed that, in many cases, these settings were not configured by authorized personnel. Forwarding can be set on the mailbox itself or through an inbox rule, and attackers favor inbox rules because the user can create them without any admin role. Both forms persist through a password reset, so the attacker keeps receiving copies of email long after losing direct access to the account.

Permissions to Access Someone’s Email Account (e.g., “Send as,” “On behalf of”)

Much like the previous example, mailbox settings are frequently being altered. Here, instead of redirecting email, the change grants another account delegated rights on the mailbox: Send As, Send on Behalf, or Full Access. We observe this approximately 2,600 times annually. These changes are often unknown to the institution, which indicates that a bad actor may have gained control of an account. Delegation is a convenient persistence mechanism because the attacker can read from and send as the victim from a separate account, even while the victim's own credentials are being rotated.
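The forwarding and delegation checks from the last two sections, as one added example (not code from the original article) written for the ExchangeOnlineManagement module. It reports mailbox-level forwarding, inbox rules that forward or redirect, and Send As / Send on Behalf / Full Access delegations, then turns off automatic forwarding to external domains tenant-wide. The Test-External helper is an assumption written for this example; accepted domains are read from the tenant.

```powershell
# Added example, not from the original article. Requires ExchangeOnlineManagement.
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

function Test-External([string]$address) {
    # Helper (assumption): accepts "smtp:user@x.com" (mailbox forwarding) and
    # '"Name" [SMTP:user@x.com]' (inbox rule targets); anything not on an accepted
    # domain is external. Internal recipient references without '@' are not external.
    if (-not $address) { return $false }
    if ($address -match '\[SMTP:([^\]]+)\]') { $address = $Matches[1] }
    $address = $address -replace '^smtp:', ''
    if ($address -notmatch '@') { return $false }
    return $address.Split('@')[-1].ToLower() -notin $internalDomains
}

# 1. Mailbox-level forwarding (set by an admin or via a compromised admin session).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward,
        @{n='External'; e={ Test-External $_.ForwardingSmtpAddress }}

# 2. Inbox rules that forward or redirect. Hidden rules are included because some
#    tooling creates rules the Outlook UI does not display.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join ";"
                External = [bool]($targets | Where-Object { Test-External "$_" })
            }
        }
}

# 3. Delegations. Exclude the mailbox owner (NT AUTHORITY\SELF) and inherited entries.
Get-RecipientPermission -ResultSize Unlimited |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
    Select-Object @{n='Mailbox'; e={ $_.Identity }}, Trustee, @{n='Right'; e={ 'SendAs' }}

$mailboxes | Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object @{n='Mailbox'; e={ $_.UserPrincipalName }}, @{n='Trustee'; e={ $_.GrantSendOnBehalfTo -join ';' }}, @{n='Right'; e={ 'SendOnBehalf' }}

$mailboxes | Get-MailboxPermission |
    Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' } |
    Select-Object @{n='Mailbox'; e={ $_.Identity }}, User, @{n='Right'; e={ 'FullAccess' }}

# 4. Tenant-wide: stop automatic forwarding to external domains at the transport layer,
#    so a forwarding rule an attacker plants later simply has no effect.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Anything flagged External in sections 1 and 2, and any delegation in section 3 that nobody can explain, should be treated as an indicator of compromise rather than a cleanup item: remove it, reset the mailbox owner's password, revoke sessions, and check the same mailbox for the other persistence methods in this article.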

Unauthorized Use of Sharing Tools to Share Files with External Users (e.g., OneDrive)

Many institutions say their employees are prohibited from sharing files outside the organization. However, we encounter numerous instances where this is not actually enforced. Safe Systems, for example, observes approximately 2,000 files shared externally through OneDrive each year. The discrepancy highlights a common problem: a policy that exists on paper with no technical control behind it. In Microsoft 365 the control is the tenant-level sharing setting for SharePoint and OneDrive; until that is set, the prohibition relies entirely on each employee remembering it.
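An added example, not code from the original article, that pulls external and anonymous sharing events for OneDrive and SharePoint from the unified audit log and then shows the tenant-level sharing settings that enforce the policy. It assumes the ExchangeOnlineManagement module and the SharePoint Online Management Shell; the admin URL and the 30-day window are placeholders.

```powershell
# Added example, not from the original article.
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"    # assumption: placeholder admin URL

$sharingOps = "SharingSet","SharingInvitationCreated","AnonymousLinkCreated","SecureLinkCreated","AddedToSecureLink"
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $sharingOps -ResultSize 5000

$external = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Internal recipients carry TargetUserOrGroupType "Member"; guests, anonymous links
    # and unresolved targets are exactly what the written policy says must not happen.
    $isExternal = ($d.Operation -eq "AnonymousLinkCreated") -or
                  ($d.TargetUserOrGroupType -and
                   $d.TargetUserOrGroupType -ne "Member" -and
                   $d.TargetUserOrGroupType -ne "SharePointGroup")
    if ($isExternal) {
        [pscustomobject]@{
            When     = $d.CreationTime
            SharedBy = $d.UserId
            Workload = $d.Workload                 # OneDrive or SharePoint
            Target   = $d.TargetUserOrGroupName
            Type     = $d.TargetUserOrGroupType
            Item     = $d.ObjectId                 # full URL of the shared file or folder
            ClientIP = $d.ClientIP
        }
    }
}
$external | Sort-Object When -Descending | Format-Table -AutoSize
"External sharing events in the last 30 days: $($external.Count)"

# The audit trail shows the policy is not enforced; these settings are what enforce it.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# Disabled = internal only. ExistingExternalUserSharingOnly keeps already-onboarded guests
# working while preventing new ones, for institutions with a few vendor relationships to keep.
Set-SPOTenant -SharingCapability Disabled
Set-SPOTenant -OneDriveSharingCapability Disabled
```

Search-UnifiedAuditLog returns at most 5,000 records per call; a tenant with heavy sharing needs the -SessionCommand ReturnLargeSet paging pattern or a shorter window. The OneDrive setting cannot be more permissive than the organization-wide SharePoint setting, which is why both are set here.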

Insecure Protocols Enabled

We do not have specific instances of exploits from insecure protocols, as we address these during our initial customer setups. The protocols in question are the legacy authentication methods (Basic authentication for POP3, IMAP, SMTP AUTH, Exchange ActiveSync and older Outlook clients), which present only a username and password and therefore cannot complete MFA; any MFA requirement is silently bypassed unless legacy clients are blocked explicitly. Microsoft disabled Basic authentication in Exchange Online in 2022 for every protocol except SMTP AUTH, which remains a tenant and per-mailbox setting, so it still needs to be checked and turned off wherever it is not required, and legacy clients should be blocked in Conditional Access as well.
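As an added example (not from the original article), the script below identifies sign-ins that used legacy authentication, audits and disables SMTP AUTH in Exchange Online, and creates a report-only Conditional Access policy that blocks legacy clients. It assumes the ExchangeOnlineManagement module and the Microsoft Graph PowerShell SDK; relay@contoso.example stands in for a device account (scanner, multifunction printer) that genuinely needs SMTP AUTH.

```powershell
# Added example, not from the original article.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1. Who is still authenticating with a legacy client? In the Entra sign-in log the
#    "client app" is reported as a protocol name (IMAP4, POP3, Authenticated SMTP,
#    Exchange ActiveSync, Other clients, ...) only when Basic auth was used; modern
#    clients show as Browser or "Mobile Apps and Desktop clients".
$modernClients = "Browser","Mobile Apps and Desktop clients"
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending

# 2. Exchange Online: SMTP AUTH is the one Basic-auth protocol still controlled per tenant
#    and per mailbox. Show the tenant default and any mailbox that overrides it, or that
#    still has POP/IMAP enabled (unneeded surface even with OAuth).
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

Set-TransportConfig -SmtpClientAuthenticationDisabled $true                                   # tenant default: off
Set-CASMailbox -Identity "relay@contoso.example" -SmtpClientAuthenticationDisabled $false     # explicit, documented exception

# 3. Entra ID: block legacy authentication at the front door. Legacy clients are the
#    "exchangeActiveSync" and "other" values of the clientAppTypes condition.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"    # switch to "enabled" once step 1 is clean
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

The exception account in step 2 should be paired with a Conditional Access named location restricting it to the institution's egress IP addresses and a long random password, since by definition it cannot use MFA.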

Attempts to Log in as a User

While some end users find multifactor authentication (MFA) burdensome, it is essential in today's threat landscape. We observe around 50 instances annually where sign-ins from outside the US presented the correct password but failed the MFA requirement. These are almost certainly bad actors who were unable to fully compromise the account only because of MFA; each such event also means the password is already in the attacker's hands and should be reset. We have also observed over 6,000 instances annually of "a large number" of failed login attempts (as defined by Microsoft). Both statistics underscore the vital role MFA plays in restricting unauthorized access.
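An added example (not code from the original article) that pulls both signals described above from the Entra sign-in log with the Microsoft Graph PowerShell SDK and then creates a report-only Conditional Access policy requiring MFA for all users. The 30-day window, the failed-attempt threshold and the break-glass account are assumptions.

```powershell
# Added example, not from the original article.
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.ReadWrite.ConditionalAccess","User.Read.All"

$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# 1. Correct password, MFA not completed. Entra error 50074 means strong authentication
#    was required and not satisfied; 500121 means the MFA request itself failed (denied,
#    timed out). The password was accepted, so it is compromised: reset it.
$mfaBlocked = $signIns | Where-Object {
    $_.Status.ErrorCode -in 50074,500121 -and $_.Location.CountryOrRegion -ne "US"
}
$mfaBlocked | Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
    @{n='Country'; e={ $_.Location.CountryOrRegion }}, AppDisplayName | Format-Table -AutoSize

# 2. Failed password attempts. Error 50126 is "invalid username or password"; counting
#    per user and per source IP separates a spray (many users, few IPs) from a
#    targeted brute force (one user, many IPs).
$threshold = 20   # assumption; tune to the tenant's baseline
$signIns | Where-Object { $_.Status.ErrorCode -eq 50126 } |
    Group-Object UserPrincipalName | Where-Object { $_.Count -ge $threshold } |
    Select-Object Name, Count, @{n='DistinctIPs'; e={ ($_.Group.IPAddress | Sort-Object -Unique).Count }} |
    Sort-Object Count -Descending

# 3. Require MFA for every user and every app, excluding only the emergency access account.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.example").Id    # assumption: placeholder UPN
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"    # review report-only results, then enable
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
```

A policy requiring MFA does nothing for clients that cannot perform it, so it belongs alongside a block on legacy authentication; and because users who are prompted repeatedly tend to approve, the push-based MFA methods should be configured with number matching so that an attacker who already holds the password cannot simply wait for an approval.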

Configuring your tenant securely and implementing Conditional Access Policies (CAPs) with appropriate compensating controls are crucial steps in mitigating these types of risks. Regular monitoring and alerting on suspicious activities are equally important. This is why we developed M365 Security Basics to enhance visibility, reporting, and alerting for security settings within Entra ID (formerly Azure Active Directory). This tool is designed to help community banks and credit unions, like yours, identify and mitigate common security risks more effectively.

