Microsoft Viva: Viva Pulse - Pulse users can assign other users as delegates

🚨 The Signal: Viva Pulse now allows users to delegate survey creation and sending. This introduces a new impersonation vector, increasing the risk of unauthorised internal communications and potential social engineering within the organisation.

The Impact

All users are affected. The security risk is unauthorised communication and potential social engineering.

  • End users: Risk of impersonation if their delegation is misused.
  • Managers: Risk of unauthorised surveys being sent under their name.
  • Security Teams: Increased surface area for internal social engineering attacks.
  • Compliance Teams: New challenge in auditing communication origination and authority.

The Action

  1. Review Viva Pulse delegation policies within the Microsoft 365 admin center.
  2. Communicate best practices for delegation to all Viva Pulse users, emphasising trust and verification.
  3. Monitor Viva Pulse activity logs for unusual delegation assignments or survey sends.
  4. Implement or reinforce internal policies regarding official communication channels and verification procedures.

Domain: Other · Impact: medium · Workload: Other