James Thew - Fotolia

CrowdStrike finds 'logging inaccuracies' in Microsoft 365

CrowdStrike says Microsoft's cloud offering may not be accurately taking logs of user sign-ins, and that could pose a threat to protecting networks and investigating attacks.

The Microsoft 365 platform is not properly maintaining its user sign-in logs and is providing false-positive reports for user logins.

In a blog post published Thursday, security vendor CrowdStrike said it has conducted "multiple investigations" of the way Microsoft 365 Azure Active Directory (Azure AD) logs information on user sign-in attempts. Specifically, the team found that under certain configurations, a successful log-in will be recorded when the attempt has in fact been blocked.

"In recent investigations, CrowdStrike has found a pattern of inaccurate logging in the Azure AD sign-in logs that seems to falsely indicate a mailbox sync via legacy authentication protocols (IMAP or POP)," CrowdStrike researchers Christopher Romano and Vaishnav Murthy wrote in the blog post.

"This pattern appears to manifest in M365 tenants that: do not have legacy authentication configured to be blocked via a conditional access policy (CAP); have POP and IMAP blocked at an individual mailbox level; and have the SMTP authentication protocol allowed at the mailbox level."

Having an inaccurate set of logs could always pose a threat to network security, as it gives administrators a distorted view of how well their network security protections are performing. But in some instances, it can be devastating.

The CrowdStrike researchers explained that the mishandling of the legacy protocol logins is particularly bad for data breach investigators.

"These protocols result in downloading a mailbox's contents locally to the client from where the authentication request was initiated," Romano and Murthy explained.

"Hence, whenever these protocols are seen to be used in an investigation involving email compromise, an assumption is made that the entirety of the mailbox contents, which often include sensitive information, has been exfiltrated by the threat actor."

In theory, a data breach investigator could end up wasting valuable time pursuing a supposedly successful breach attempt that was actually blocked by access controls.

CrowdStrike noted that Microsoft had previously announced that it will disable POP and IMAP authentication to Exchange Online on Oct. 1.

Microsoft did not respond to a request for comment on the report.

To protect their networks from the logging errors, CrowdStrike recommended that administrators take basic steps to block out the legacy authentication protocols, including disallowing connections via IMAP, POP or SMTP.

Dig Deeper on Cloud security

Enterprise Desktop
Cloud Computing