Outlook: Shared Mailboxes as Accounts

🚨 The Signal: New Outlook for Windows now allows shared mailboxes to be added as separate accounts. This changes how users access shared mailboxes, potentially impacting credential management and access control policies.

The Impact

The change in how shared mailboxes are accessed affects Admins and Security Teams, and it increases the risk of credential misuse if access is not properly managed.

  • Security Teams: Risk of credential compromise if shared mailbox access isn't secured with MFA.
  • Admins: Need to review and potentially update shared mailbox access policies and documentation.
  • End Users: May be prompted for credentials more frequently, which increases phishing risk if users are not educated.
  • Compliance Teams: Requires re-assessment of access controls for shared mailboxes against ISM and PSPF.

The Action

  1. Review all shared mailbox permissions to ensure least privilege is applied.
  2. Enforce Conditional Access policies requiring MFA for all shared mailbox access.
  3. Educate users on the new access method and the importance of strong authentication.
  4. Audit shared mailbox access logs regularly for unusual activity.
  5. Update internal documentation and security policies regarding shared mailbox access.
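
One way to carry out the permission review in step 1, as an added example that is not part of the original page: it lists every non-inherited mailbox permission and SendAs grant on each shared mailbox and flags mailboxes with many delegates. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session; the threshold and output file name are illustrative assumptions.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module is installed and Connect-ExchangeOnline has already been run.
# Assumptions: $MaxDelegates and $OutFile are illustrative; set them to fit your policy.
$MaxDelegates = 10
$OutFile      = '.\shared-mailbox-permissions.csv'

$grants = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Mailbox-level rights such as FullAccess; skip inherited entries and the mailbox's own SELF entry.
    Get-EXOMailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Trustee = $_.User
                Rights  = $_.AccessRights -join ','
                Source  = 'MailboxPermission'
            }
        }

    # SendAs rights are stored separately from mailbox permissions.
    Get-EXORecipientPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Trustee = $_.Trustee
                Rights  = $_.AccessRights -join ','
                Source  = 'RecipientPermission'
            }
        }
}

# Full list of grants for the permission review.
$grants | Sort-Object Mailbox, Trustee | Export-Csv -Path $OutFile -NoTypeInformation

# Mailboxes whose distinct trustee count exceeds the threshold are the first candidates for trimming.
$grants | Group-Object Mailbox |
    ForEach-Object {
        [pscustomobject]@{
            Mailbox   = $_.Name
            Delegates = @($_.Group.Trustee | Sort-Object -Unique).Count
        }
    } |
    Where-Object { $_.Delegates -gt $MaxDelegates } |
    Sort-Object Delegates -Descending
```

A trustee that is a group counts as one delegate here, so group membership needs its own review.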

Domain: Exchange · Impact: high · Workload: Exchange Online · Essential Eight: Multi-Factor Authentication, Restrict Administrative Privileges · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0445, ISM-0974, ISM-1173, ISM-1175, ISM-1228, ISM-1380, ISM-1401, ISM-1504, ISM-1505, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1686, ISM-1688, ISM-1689, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1883, ISM-1892, ISM-1893, ISM-1894, ISM-1897, ISM-1898, ISM-1906, ISM-1907