"Hello, I'm Your New CEO": How Hackers Clone Executives Through Microsoft Bookings

A seemingly harmless appointment scheduling feature has opened a door for digital scammers.

Microsoft Bookings, a widely used Microsoft 365 feature, can pose a security risk to organisations because it lets ordinary users create new accounts in Entra ID without any administrative privileges. According to Cyberis, this gives an attacker a way to create a fake account that passes as a real employee and use it for internal phishing or for manipulating external partners.

If an attacker gains access to any employee's Microsoft 365 account, they can use the ability to create shared booking pages to impersonate influential people in the company, such as the CEO or the finance director. In this way the attacker can mislead employees and arrange fraudulent transfers of funds.

One of the features of Bookings is the ability to create "special" email addresses within the company's own domain, such as "admin@" or "hostmaster@". This enables advanced social-engineering attacks, for example seizing control of infrastructure registered to such a role address. Because these are genuine mailboxes in the organisation's own domain, mail sent from them passes the tenant's own SPF, DKIM and DMARC checks; that makes detection much harder and sidesteps Microsoft's built-in anti-spoofing protection.

In addition, when creating a booking page an attacker can choose an address that matches the email of a former employee. That lets them receive mail still being sent to that address and even trigger password resets on external services that were registered with it.

It is worth noting that these mailboxes do not require a Microsoft 365 licence, so they can stay active without costing the company anything. They are not shown in the Exchange admin center's mailbox list and can only be found through PowerShell.

To reduce the risk, security experts recommend disabling the creation of shared booking pages for ordinary users and auditing the hidden mailboxes that already exist. Access rights should be reviewed regularly, and the creation of new accounts in Entra ID should be monitored.
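As an added example (not from the original article and not Cyberis's own tooling), the audit of hidden Bookings mailboxes described above and the recommended restriction on who may create booking pages can both be done from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the role-address regex, the former-employee list, the 'Bookings-Creators' group and the 'BookingsCreators' policy name are placeholders for this example. The cmdlets and parameters are the documented ones, but check `Get-Help Set-OrganizationConfig -Parameter Bookings*` in your tenant before relying on the naming-policy switches.

```powershell
# Added example (not from the original article or the Cyberis research).
# Audits Bookings-created scheduling mailboxes and restricts who may create them.
# Assumes: ExchangeOnlineManagement module, Exchange Administrator role.
# Placeholders: $roleAddressPattern, $formerEmployees, the 'Bookings-Creators'
# group and the 'BookingsCreators' OWA mailbox policy name.
Connect-ExchangeOnline

# --- 1. Find every Bookings mailbox -----------------------------------------
# A booking page is an Exchange Online mailbox of type SchedulingMailbox. It is
# unlicensed and is not listed under Mailboxes in the Exchange admin center,
# but Get-Mailbox returns it when asked for that recipient type.
$bookings = Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, EmailAddresses, WhenCreated

"Found $(@($bookings).Count) scheduling mailbox(es):"
$bookings | Sort-Object WhenCreated -Descending |
    Format-Table DisplayName, PrimarySmtpAddress, WhenCreated -AutoSize

# --- 2. Flag the ones an attacker would choose ------------------------------
# Role addresses that give leverage over infrastructure or finance (placeholder
# regex; extend for your tenant) and addresses of former employees (constructed
# sample; in practice take this from HR offboarding records).
$roleAddressPattern = '^(admin|administrator|hostmaster|postmaster|webmaster|abuse|security|noc|helpdesk|ceo|cfo|finance|hr)@'
$formerEmployees    = @('j.smith@contoso.com', 'a.jones@contoso.com')   # constructed placeholder data

$flagged = foreach ($m in $bookings) {
    # EmailAddresses holds entries such as "SMTP:name@domain"; keep the SMTP ones.
    $addrs = $m.EmailAddresses | Where-Object { $_ -like 'smtp:*' } |
             ForEach-Object { $_.ToString().Substring(5).ToLower() }
    foreach ($a in $addrs) {
        $reason = $null
        if     ($a -match $roleAddressPattern) { $reason = 'role address' }
        elseif ($formerEmployees -contains $a) { $reason = 'matches former employee' }
        if ($reason) {
            [pscustomobject]@{ Mailbox = $m.DisplayName; Address = $a; Created = $m.WhenCreated; Reason = $reason }
        }
    }
}
"Suspicious scheduling mailboxes:"
$flagged | Format-Table -AutoSize

# --- 3. Restrict who can create booking pages -------------------------------
# Strongest option: switch Bookings off for the whole tenant.
#   Set-OrganizationConfig -BookingsEnabled $false
# Keeping Bookings for a known set of staff: deny creation in the default OWA
# mailbox policy and allow it only in a dedicated policy assigned to members
# of the 'Bookings-Creators' group (placeholder name).
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false

if (-not (Get-OwaMailboxPolicy -Identity 'BookingsCreators' -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name 'BookingsCreators' | Out-Null
}
Set-OwaMailboxPolicy -Identity 'BookingsCreators' -BookingsMailboxCreationEnabled $true
Get-DistributionGroupMember -Identity 'Bookings-Creators' -ResultSize Unlimited |
    ForEach-Object { Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy 'BookingsCreators' }

# Make any page that is still created stand out: force a prefix on page names
# and require staff to approve being added, so nobody can silently be listed
# on a page posing as the CEO.
Set-OrganizationConfig -BookingsNamingPolicyEnabled $true `
                       -BookingsNamingPolicyPrefixEnabled $true `
                       -BookingsNamingPolicyPrefix 'bookings-' `
                       -BookingsMembershipApprovalRequired $true
```

Run section 1 and 2 first and on a schedule; a new SchedulingMailbox whose WhenCreated does not match a request from the people allowed to make booking pages is the signal worth alerting on. Section 3 changes tenant configuration and should be applied only after the list of legitimate creators has been agreed.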

These steps reduce an organisation's exposure to such attacks and better protect confidential information, particularly against phishing and fraud.
