Outlook: New third-party enriched properties available for customizing profile cards
🚨 The Signal: Microsoft 365 profile cards can now display sensitive HR data like Employee ID and Cost Center from external sources. This increases the attack surface for data exfiltration and social engineering.
The Impact
All users are affected by increased exposure of sensitive HR data, raising risks of social engineering and data exfiltration.
- End users: Increased risk of social engineering due to more exposed personal and organizational data.
- Security teams: New data sources require validation and monitoring to prevent unauthorized data exposure.
- HR teams: Sensitive employee data is now more broadly visible, requiring review of data classification and access policies.
- Privacy officers: Expanded data visibility necessitates updated privacy impact assessments and consent considerations.
The Action
- Review existing data classification policies for HR data, specifically 'Cost Center', 'Role', 'Employee Type', 'Employee ID', and 'Division'.
- Assess the necessity of exposing each new property on profile cards for all users; restrict visibility where not essential.
- Configure profile card properties in the Microsoft 365 admin center or via PowerShell to control which fields are displayed and from which sources.
- Update user awareness training to include risks associated with increased data visibility on profile cards and social engineering tactics.
- Conduct a privacy impact assessment (PIA) for the ingestion and display of these new sensitive properties.
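To support the review and configuration steps above, the following audit script (an added example, not part of this bulletin) lists the properties currently configured for display on profile cards and flags any whose directory name or admin-assigned label matches the HR fields named here. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the PeopleSettings.Read.All permission; the Graph endpoint /admin/people/profileCardProperties is the assumed source of the configuration.

```powershell
# Added example (not from the original bulletin). Read-only audit of profile card
# configuration via Microsoft Graph; assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "PeopleSettings.Read.All"

# HR fields the bulletin calls out as sensitive; any configured property whose
# directory name or display label matches one of these is marked for review.
$sensitive = @('Cost Center', 'Role', 'Employee Type', 'Employee ID', 'Division')

# Assumed endpoint: tenant-wide list of properties shown on profile cards.
$uri  = "https://graph.microsoft.com/v1.0/admin/people/profileCardProperties"
$resp = Invoke-MgGraphRequest -Method GET -Uri $uri

$report = foreach ($p in $resp.value) {
    # Each property carries the directory attribute it maps to and one or more
    # admin-assigned display labels (annotations); compare both against the list.
    $labels = @($p.annotations | ForEach-Object { $_.displayName })
    $names  = @($p.directoryPropertyName) + $labels
    $hits   = @($sensitive | Where-Object { $names -contains $_ })

    [pscustomobject]@{
        DirectoryProperty = $p.directoryPropertyName
        DisplayLabels     = ($labels -join ', ')
        SensitiveMatches  = ($hits -join ', ')
        ReviewRequired    = ($hits.Count -gt 0)
    }
}

# Surface flagged properties first so the review queue is obvious.
$report | Sort-Object ReviewRequired -Descending | Format-Table -AutoSize
```

Properties flagged ReviewRequired are candidates for removal or restricted visibility under the data classification review; the script changes nothing in the tenant.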
Domain: Other · Impact: high · Workload: M365 Apps