Introduction to M365 Security Risks
Poorly configured Microsoft 365 (M365) security controls have led to significant data breaches and financial losses for Western Australian government entities. A recent report by the WA Office of the Auditor General (OAG) highlighted these incidents, emphasizing the need for robust M365 security measures.
M365 Security Incidents
A data breach exposed personal information of 32 individuals, including minors, due to the lack of data loss prevention (DLP) controls. Additionally, a targeted phishing email incident compromised a senior officer’s M365 account, resulting in $71,000 in fraudulent invoices.
Missing Security Controls
The OAG identified M365 security control weaknesses across all seven audited entities. None had implemented DLP controls broadly, and all allowed external data storage on unmanaged third-party services. Weak multifactor authentication (MFA) methods, such as SMS text messages and voice one-time passwords, were also used.
Furthermore, entities allowed personal devices to register for MFA without enrolling them in device management systems, and staff could install unapproved Microsoft Teams applications. Most entities did not enforce content security policies for Microsoft’s Power Platform, increasing susceptibility to web-based code attacks.
Conclusion and Recommendations
Effective management of M365 security is critical for protecting sensitive government data. The OAG recommends implementing robust security controls, including DLP, strong MFA methods, and content security policies. By addressing these weaknesses, WA government entities can reduce the risk of cyber threats and protect sensitive information.








