A critical security flaw in Microsoft Bookings has been uncovered. This flaw, inherent in the default configuration of Microsoft Bookings, potentially allows attackers to create unauthorized Entra (formerly Azure AD) accounts and obtain fraudulent certificates. This vulnerability poses significant risks to organizations using Microsoft 365 services.
According to Cyberis' findings, the issue stems from the "Shared Booking Pages" feature in Microsoft Bookings, which is enabled by default for users with appropriate Microsoft 365 licenses. When a user creates a shared Booking page, it automatically generates a fully functional account in Entra without requiring administrative permissions.
This flaw could be exploited by attackers who have compromised a Microsoft 365 user account. By creating a Shared Booking page, they can:
- Create unauthorized Entra accounts that mimic legitimate users, potentially bypassing impersonation filters.
- Obtain email addresses matching those of former employees, enabling them to reset passwords for external services and verify domain ownership for SSL certificates.
- Establish hidden, fully functional mailboxes that don’t consume Microsoft 365 licenses.
The report states that this vulnerability has a far-reaching impact. Attackers could impersonate high-profile individuals within an organization, conduct sophisticated phishing attacks, and potentially gain control over critical infrastructure.
Moreover, the created accounts can send and receive emails regardless of sharing settings. This allows attackers to intercept sensitive communications and potentially reset online services registered with compromised email addresses.
To mitigate these risks, security experts recommend several steps:
- Audit existing shared Booking pages using Exchange Online PowerShell.
- Disable the ability for end users to create shared Booking pages unless absolutely necessary.
- Monitor Entra accounts for unusual creation activity.
- Regularly review and revoke unnecessary mailbox permissions.
Organizations are advised to disable the Bookings feature if not in use. Administrators can do this by using PowerShell to set the BookingsEnabled parameter to false.
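The audit and hardening steps above as one Exchange Online PowerShell session, added here as an example rather than code from the article or from Cyberis. It assumes the ExchangeOnlineManagement module is installed, the operator holds an Exchange administrator role, and the tenant uses the default OWA mailbox policy name OwaMailboxPolicy-Default.

```powershell
# Added example (not from the article or Cyberis). Assumes the ExchangeOnlineManagement
# module is installed and the operator holds Exchange administrator rights.
Connect-ExchangeOnline

# 1. Audit: every shared Booking page is backed by a mailbox of type SchedulingMailbox.
#    List them with creation date and address so recently created or unexpected pages,
#    including addresses that match former employees, stand out.
$bookingMailboxes = Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox `
    -ResultSize Unlimited -Properties WhenCreated,PrimarySmtpAddress,DisplayName
$bookingMailboxes |
    Sort-Object WhenCreated -Descending |
    Format-Table DisplayName, PrimarySmtpAddress, WhenCreated -AutoSize

# 2. Review who holds Full Access on each Booking mailbox (normally the page creator
#    and staff). Unknown or compromised accounts here warrant investigation.
foreach ($mbx in $bookingMailboxes) {
    Get-EXOMailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
        Select-Object @{n='BookingMailbox';e={$mbx.PrimarySmtpAddress}}, User, AccessRights
}

# 3. Stop end users from creating new shared Booking pages while keeping existing ones,
#    via the OWA mailbox policy (policy name assumed to be the tenant default).
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false

# 4. If Bookings is not used at all, turn it off tenant-wide (the BookingsEnabled
#    setting the article refers to) and confirm the change.
Set-OrganizationConfig -BookingsEnabled $false
Get-OrganizationConfig | Select-Object BookingsEnabled
```

Steps 3 and 4 are independent: step 3 keeps existing pages working for staff while blocking new ones, whereas step 4 disables the feature entirely.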
This vulnerability underscores the importance of carefully managing user permissions and regularly auditing account creation processes in Microsoft 365 environments. It also highlights the need for organizations to stay vigilant about potential security risks in widely used productivity tools.
As the cybersecurity landscape continues to evolve, it’s crucial for organizations to regularly assess their security configurations and implement robust monitoring systems to detect and respond to potential threats promptly.