CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know
U.S. government agencies are required to bring their Microsoft 365 cloud services into compliance with a recent Binding Operational Directive. Here’s how Tenable can help.
Overview
Malicious threat actors are constantly targeting cloud environments. The risk of compromise can be reduced by enforcing secure configurations of security controls. With this goal in mind, the Cybersecurity and Infrastructure Security Agency (CISA) created the Secure Cloud Business Applications (SCuBA) project. The SCuBA project currently provides secure configuration baselines for Microsoft 365 and Google Workspace.
In December 2024, as part of the SCuBA project, CISA released a Binding Operational Directive (BOD) 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services. This directive requires U.S. government agencies and departments in the federal civilian executive branch to implement secure configuration baselines for certain software as a service (SaaS) products.
Scope
The scope of the BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365. CISA may release additional SCuBA Secure Configuration Baselines for other cloud products which would fall under the scope of this directive. The complete list of required configurations is available here.
While the CISA BOD 25-01 applies to government agencies, any organization using Microsoft 365 would reduce the risk of compromise by adhering to these baselines.
Required actions
According to BOD 25-01, there are several required actions for in-scope cloud tenant agencies that shall be completed by the following dates:
- February 21, 2025 - following CISA reporting instructions:
  - submit tenant name and system owning agency/component for each tenant
  - submit an updated inventory annually in the first quarter
- April 25, 2025 - deploy SCuBA assessment tools and begin continuous reporting
- June 20, 2025 - implement all mandatory SCuBA policies identified at BOD 25-01 Required Configurations.
In-scope cloud tenants are also required to:
- Implement all future updates to mandatory SCuBA policies
- Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring prior to granting an Authorization to Operate for new cloud tenants.
As of March 2025, the following configurations are required for BOD 25-01:
Microsoft 365 (M365)

Microsoft Entra ID
- MS.AAD.1.1v1: Legacy authentication SHALL be blocked.
- MS.AAD.2.1v1: Users detected as high risk SHALL be blocked.
- MS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.
- MS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.
- MS.AAD.3.2v1: If Phishing-resistant MFA has not been enforced yet, then an alternative MFA method SHALL be enforced for all users.
- MS.AAD.3.3v1: If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
- MS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
- MS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for Highly Privileged Roles.
- MS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.
- MS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.
- MS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.
- MS.AAD.5.4v1: Group owners SHALL NOT be allowed to consent to applications.
- MS.AAD.6.1v1: User passwords SHALL NOT expire.
- MS.AAD.7.1v1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.
- MS.AAD.7.2v1: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.
- MS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts that are separate from an on-premises directory or other federated identity providers.
- MS.AAD.7.4v1: Permanent active role assignments SHALL NOT be allowed for highly privileged roles except for emergency and service accounts.
- MS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system, because this bypasses critical controls the PAM system provides.
- MS.AAD.7.6v1: Activation of the Global Administrator role SHALL require approval.
- MS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.
- MS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.

Microsoft Defender
- MS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.
- MS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy.
- MS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy.
- MS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.
- MS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 Protection in the strict preset security policy.
- MS.DEFENDER.4.1v2: A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs).
- MS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.
- MS.DEFENDER.6.1v1: Microsoft Purview Audit (Standard) logging SHALL be enabled.
- MS.DEFENDER.6.2v1: Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users.

Exchange Online
- MS.EXO.1.1v1: Automatic forwarding to external domains SHALL be disabled.
- MS.EXO.2.2v2: An SPF policy SHALL be published for each domain that fails all non-approved senders.
- MS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.
- MS.EXO.4.2v1: The DMARC message rejection option SHALL be p=reject.
- MS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include [email protected].
- MS.EXO.5.1v1: SMTP AUTH SHALL be disabled.
- MS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.
- MS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.
- MS.EXO.7.1v1: External sender warnings SHALL be implemented.
- MS.EXO.13.1v1: Mailbox auditing SHALL be enabled.

Power Platform
- MS.POWERPLATFORM.1.1v1: The ability to create production and sandbox environments SHALL be restricted to admins.
- MS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.
- MS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.
- MS.POWERPLATFORM.3.1v1: Power Platform tenant isolation SHALL be enabled.

SharePoint Online and OneDrive
- MS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing Guests or Only People in your Organization.
- MS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing Guests or Only People in your Organization.
- MS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific People (only the people the user specifies).
- MS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View only.

Microsoft Teams
- MS.TEAMS.1.2v1: Anonymous users SHALL NOT be enabled to start meetings.
- MS.TEAMS.2.1v1: External access for users SHALL only be enabled on a per-domain basis.
- MS.TEAMS.2.2v1: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.
- MS.TEAMS.3.1v1: Contact with Skype users SHALL be blocked.
- MS.TEAMS.4.1v1: Teams email integration SHALL be disabled.

Additional configurations
In addition to the required configurations, the following configurations can also be evaluated:

Microsoft 365 (M365)

Microsoft Entra ID
- MS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are detected.
- MS.AAD.3.7v1: Managed devices SHOULD be required for authentication.
- MS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.
- MS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.
- MS.AAD.8.1v1: Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects.
- MS.AAD.8.2v1: Only users with the Guest Inviter role SHOULD be able to invite guest users.

Microsoft Defender
- MS.DEFENDER.2.1v1: User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.
- MS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.
- MS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.
- MS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.
- MS.DEFENDER.4.2v1: The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.
- MS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.
- MS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.

Exchange Online
- MS.EXO.3.1v1: DKIM SHOULD be enabled for all domains.
- MS.EXO.4.4v1: An agency point of contact SHOULD be included for aggregate and failure reports.
- MS.EXO.12.1v1: IP allow lists SHOULD NOT be created.
- MS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.

Power Platform
- MS.POWERPLATFORM.2.2v1: Non-default environments SHOULD have at least one DLP policy affecting them.
- MS.POWERPLATFORM.5.1v1: The ability to create Power Pages sites SHOULD be restricted to admins.

SharePoint Online and OneDrive
- MS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
- MS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.
- MS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.
- MS.SHAREPOINT.3.3v1: Reauthentication days for people who use a verification code SHALL be set to 30 days or less.

Microsoft Teams
- MS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.
- MS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted automatically.
- MS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.
- MS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.
- MS.TEAMS.1.6v1: Meeting recording SHOULD be disabled.
- MS.TEAMS.1.7v1: Record an event SHOULD be set to Organizer can record.
- MS.TEAMS.2.3v1: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.
- MS.TEAMS.5.1v1: Agencies SHOULD only allow installation of Microsoft apps approved by the agency.
- MS.TEAMS.5.2v1: Agencies SHOULD only allow installation of third-party apps approved by the agency.
- MS.TEAMS.5.3v1: Agencies SHOULD only allow installation of custom apps approved by the agency.

How Tenable can help
Tenable Vulnerability Management and Nessus customers can audit the posture of their Microsoft 365 environment with the CISA SCuBA for Microsoft 365 audit files:
- CISA SCuBA Microsoft 365 Entra ID
- CISA SCuBA Microsoft 365 Defender
- CISA SCuBA Microsoft 365 Exchange Online
- CISA SCuBA Microsoft 365 Power Platform
- CISA SCuBA Microsoft 365 SharePoint Online OneDrive
- CISA SCuBA Microsoft 365 Teams
More details for configuring your SCuBA Microsoft 365 environment for Compliance Auditing are available at Configure Azure for a Compliance Audit.
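The Exchange Online mail-authentication controls in the baseline above (MS.EXO.2.2v2, MS.EXO.4.1v1, MS.EXO.4.2v1 and MS.EXO.4.3v1) are the ones an agency can verify from outside the tenant, because SPF and DMARC are published in public DNS. The following is an added example of such a check, written for this page; it is not code from the original post, from CISA's SCuBA tooling or from Tenable's audit files. It evaluates each domain's TXT records against the four controls, treats duplicate SPF or DMARC records as non-compliant (RFC 7489 requires receivers to ignore a domain with more than one DMARC record), and recognises a softfail `~all` as not satisfying "fails all non-approved senders". The domain names and records are constructed sample data, and `REQUIRED_RUA` is a placeholder to be replaced with the aggregate-report address named in MS.EXO.4.3v1.

```python
"""Offline evaluator for the SCuBA Exchange Online mail-authentication controls
(MS.EXO.2.2v2, MS.EXO.4.1v1, MS.EXO.4.2v1, MS.EXO.4.3v1).
Added example for this page; not the original post's or Tenable's code."""
from typing import Callable, Dict, List

# Placeholder: substitute the aggregate-report address named in MS.EXO.4.3v1.
REQUIRED_RUA = "reports@example.gov"

# A lookup takes a DNS name and returns its TXT strings (constructed data below;
# a live run would plug in a real resolver here).
TxtLookup = Callable[[str], List[str]]


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict keyed by lowercase tag name."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def rua_addresses(tags: Dict[str, str]) -> List[str]:
    """Return the mailto targets of the rua tag, dropping size limits such as '!10m'."""
    addrs = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!")[0].lower())
    return addrs


def check_spf(domain: str, lookup: TxtLookup) -> bool:
    """MS.EXO.2.2v2: exactly one SPF record, and it hard-fails every other sender."""
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # no record, or duplicate records, are both non-compliant
        return False
    terms = spf[0].split()
    return terms[-1].lower() == "-all"  # ~all, ?all and +all do not fail senders


def check_dmarc(domain: str, lookup: TxtLookup) -> Dict[str, bool]:
    """MS.EXO.4.1v1 (published), 4.2v1 (p=reject), 4.3v1 (rua includes the contact)."""
    records = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    result = {"MS.EXO.4.1v1": len(records) == 1, "MS.EXO.4.2v1": False, "MS.EXO.4.3v1": False}
    if len(records) != 1:  # RFC 7489: more than one DMARC record counts as none
        return result
    tags = parse_tags(records[0])
    result["MS.EXO.4.2v1"] = tags.get("p", "").lower() == "reject"
    result["MS.EXO.4.3v1"] = REQUIRED_RUA.lower() in rua_addresses(tags)
    return result


def evaluate_domain(domain: str, lookup: TxtLookup) -> Dict[str, bool]:
    """Map each of the four control IDs to pass (True) or fail (False) for one domain."""
    findings = {"MS.EXO.2.2v2": check_spf(domain, lookup)}
    findings.update(check_dmarc(domain, lookup))
    return findings


# Constructed sample zone data standing in for live DNS answers.
SAMPLE_TXT: Dict[str, List[str]] = {
    "agency.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.agency.example": [
        "v=DMARC1; p=reject; rua=mailto:reports@example.gov!10m,mailto:dmarc@agency.example"
    ],
    # Softfail SPF and a quarantine policy without the required report address.
    "legacy.example": ["v=spf1 include:spf.protection.outlook.com ~all", "site-verification=abc123"],
    "_dmarc.legacy.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@legacy.example"],
    # A registered second-level domain that publishes nothing at all.
    "nomail.example": [],
}


def sample_lookup(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    for d in ("agency.example", "legacy.example", "nomail.example"):
        for control, ok in evaluate_domain(d, sample_lookup).items():
            print(f"{d:16} {control:13} {'PASS' if ok else 'FAIL'}")
```

To run this against real zones, replace `sample_lookup` with a function that queries DNS, for example one built on dnspython's `dns.resolver.resolve(name, "TXT")`, and feed it every second-level domain the agency owns, including parked domains that send no mail, since MS.EXO.4.1v1 applies to all of them.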
The post CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know appeared first on Security Boulevard.