Government agencies in Western Australia are putting sensitive data and critical public services at risk due to inadequate Microsoft 365 (M365) security configurations, a report by the state’s auditor general warns.

In its audit, the WA Office of the Auditor General (OAG) evaluated seven government agencies and found widespread vulnerabilities in governance, identity and access management, information protection, logging and monitoring, and threat prevention.

WA auditor general Caroline Spencer said these vulnerabilities increase the likelihood of cyber incidents, data breaches and operational disruptions. She added that, with evolving cyber threats, effective management of M365 security is essential to safeguarding sensitive government data and ensuring key public services continue to be provided.

The OAG decided not to identify the agencies involved to prevent threat actors from immediately targeting them, thereby reducing the risk of further security breaches. However, the report included case studies that showed how poor M365 security controls can have real-world consequences.

In one instance, a state entity emailed the personal and sensitive information of 32 individuals, including minors, to a third-party service provider. A threat actor was able to access the data because the provider kept it in an unmanaged Dropbox account that was later compromised in a cyber security incident.

The OAG found that the entity lacked data loss prevention (DLP) controls that could have safeguarded the data or established the full extent of the exposure. It had also failed to conduct a security assessment of the third party during vendor onboarding.

In another incident, a senior officer’s M365 account at a state entity was compromised by a threat actor using a targeted phishing email. The threat actor bypassed the existing security measures by registering their own multi-factor authentication (MFA) methods on an unmanaged foreign device.

The breach went undetected for a month, during which multiple suspicious-activity warnings were ignored. The attacker created email forwarding rules to conceal their communications, studied the officer’s email history to craft a believable pretext, and eventually sent fraudulent invoices that were approved for payment, stealing A$71,000 from the entity.
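The account-takeover chain in that case study (a new MFA method registered from an unmanaged device, then inbox rules that forward mail externally and delete it) leaves a trace in the M365 Unified Audit Log that a monitoring team can alert on. The following is an added illustration, not code from the OAG report or from Microsoft: it runs a simple detection over a handful of constructed audit records in a simplified subset of the real log schema (the `Operation`, `Parameters`, `UserId` and `ClientIP` fields are real field names; the sample values, the trusted network ranges and the internal domain are assumptions).

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample records in a simplified Unified Audit Log shape (JSON lines).
# Not a real export; the addresses, IPs and times are invented for the example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2025-03-01T02:14:00", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info", "ResultStatus": "Success",
     "UserId": "senior.officer@agency.example", "ClientIP": "198.51.100.23"},
    {"CreationTime": "2025-03-01T02:40:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "senior.officer@agency.example",
     "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "billing-update@attacker.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-02T09:05:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "clerk@agency.example",
     "ClientIP": "10.20.30.40",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-03T11:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info", "ResultStatus": "Success",
     "UserId": "clerk@agency.example", "ClientIP": "10.20.30.41"},
])

# Assumed tenant facts: the agency's own mail domain and its corporate network.
INTERNAL_DOMAINS = {"agency.example"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Rule/mailbox parameters that send copies of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse_log(text):
    """Parse JSON-lines audit export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def suspicious_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Flag rule or mailbox changes that forward mail outside the organisation."""
    findings = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(r)
        external = [p[k] for k in FORWARDING_PARAMS if k in p and _is_external(p[k], internal_domains)]
        if not external:
            continue
        reasons = ["external forwarding to " + ", ".join(external)]
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes forwarded mail")      # hides the activity from the mailbox owner
        if len(p.get("Name", "")) <= 1:
            reasons.append("near-empty rule name")        # a common concealment habit
        findings.append({"user": r["UserId"], "time": r["CreationTime"], "reasons": reasons})
    return findings


def untrusted_mfa_registrations(records, trusted=TRUSTED_NETWORKS):
    """Flag new security-info (MFA method) registrations from outside trusted networks."""
    findings = []
    for r in records:
        if r.get("Operation") != "User registered security info":
            continue
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in trusted):
            findings.append({"user": r["UserId"], "time": r["CreationTime"], "ip": r["ClientIP"]})
    return findings


def correlate(records, window=timedelta(days=7)):
    """High-severity hit: an untrusted MFA registration followed, for the same user and
    within the window, by external forwarding. This is the takeover pattern in the case study."""
    hits = []
    for reg in untrusted_mfa_registrations(records):
        t0 = datetime.fromisoformat(reg["time"])
        for fwd in suspicious_forwarding(records):
            t1 = datetime.fromisoformat(fwd["time"])
            if fwd["user"] == reg["user"] and timedelta(0) <= t1 - t0 <= window:
                hits.append({"user": reg["user"], "mfa_registered": reg["time"],
                             "forwarding_created": fwd["time"]})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in correlate(recs):
        print("ALERT account takeover pattern:", hit)
```

Each stage is deliberately separate: a single external forwarding rule or a single off-network MFA registration is worth a ticket on its own, while the correlated pair is the one that should page someone rather than sit in a queue of ignored warnings for a month.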

The OAG’s technical assessment found that while the audited agencies had DLP controls, these were not applied to OneDrive, SharePoint, Power Platform, Exchange and Teams, leaving those platforms exposed to data leaks and unauthorised access. Where policies were implemented, they did not cover all categories of sensitive data.

In addition, instead of deploying phishing-resistant authentication for privileged users, some agencies had relied on MFA methods, such as SMS messages, voice calls and email one-time passwords, that are highly susceptible to phishing attacks. The OAG noted that compromised accounts were responsible for 39% of reported cyber incidents targeting the Australian government in 2024-25.

The audit also revealed poor data logging practices, with some entities only retaining audit logs for six months, far short of the Australian Signals Directorate’s (ASD) recommended 18-month retention period, reducing their ability to trace the origin and full impact of security incidents.
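The three configuration findings above (DLP policies that skip workloads, privileged users whose only MFA methods are phishable, and audit-log retention well under the ASD's 18 months) can be checked mechanically against a tenant snapshot. The block below is an added example, not code from the OAG or Microsoft: it evaluates a constructed "weak" snapshot shaped like the report's findings alongside a corrected one. The snapshot layout and the short method labels (`sms`, `voice`, `email`, `fido2`, and so on) are simplifications I assume for the example; a real assessment would populate them from the tenant's DLP policies, the users' registered authentication methods and the audit retention policy.

```python
# Baseline drawn from the report: the workloads DLP should cover, which MFA methods
# the OAG describes as phishable, which count as phishing-resistant, and the ASD
# retention period for audit logs.
REQUIRED_DLP_WORKLOADS = {"Exchange", "SharePoint", "OneDrive", "Teams", "PowerPlatform"}
PHISHABLE_METHODS = {"sms", "voice", "email"}
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificate"}
ASD_MIN_RETENTION_MONTHS = 18

# Constructed snapshots (assumed shape). WEAK mirrors the audit findings; FIXED is the
# corrected posture for comparison.
WEAK_TENANT = {
    "dlp_policies": [{"name": "Protect PII", "workloads": {"Exchange", "SharePoint"}}],
    "privileged_users": [
        {"upn": "admin1@agency.example", "methods": {"sms", "email"}},
        {"upn": "admin2@agency.example", "methods": {"fido2", "sms"}},
    ],
    "audit_retention_months": 6,
}
FIXED_TENANT = {
    "dlp_policies": [
        {"name": "Protect PII", "workloads": {"Exchange", "SharePoint", "OneDrive", "Teams"}},
        {"name": "Protect PII (Power Platform)", "workloads": {"PowerPlatform"}},
    ],
    "privileged_users": [
        {"upn": "admin1@agency.example", "methods": {"fido2"}},
        {"upn": "admin2@agency.example", "methods": {"fido2", "windowsHelloForBusiness"}},
    ],
    "audit_retention_months": 18,
}


def assess_dlp(policies, required=REQUIRED_DLP_WORKLOADS):
    """Return the required workloads no DLP policy covers at all."""
    covered = set().union(*(p["workloads"] for p in policies)) if policies else set()
    return sorted(required - covered)


def assess_privileged_auth(users):
    """Return privileged users with no phishing-resistant method, noting any phishable ones."""
    weak = []
    for u in users:
        if not (u["methods"] & PHISHING_RESISTANT):
            weak.append({"upn": u["upn"], "phishable": sorted(u["methods"] & PHISHABLE_METHODS)})
    return weak


def assess_retention(months, minimum=ASD_MIN_RETENTION_MONTHS):
    """Shortfall in months against the ASD recommendation (0 when compliant)."""
    return max(0, minimum - months)


def assess(tenant):
    """Collect findings in the same categories as the OAG report."""
    findings = []
    gaps = assess_dlp(tenant["dlp_policies"])
    if gaps:
        findings.append(("dlp-coverage", f"no DLP policy covers: {', '.join(gaps)}"))
    for u in assess_privileged_auth(tenant["privileged_users"]):
        findings.append(("privileged-mfa", f"{u['upn']} has no phishing-resistant method"
                         + (f" (registered: {', '.join(u['phishable'])})" if u["phishable"] else "")))
    short = assess_retention(tenant["audit_retention_months"])
    if short:
        findings.append(("audit-retention", f"retention is {short} months below the ASD minimum"))
    return findings


if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("fixed", FIXED_TENANT)):
        print(label, assess(tenant) or "no findings")
```

Note that `admin2` in the weak snapshot is not flagged: the check asks whether a phishing-resistant method exists, not whether phishable ones are also registered. Removing the leftover SMS method is still advisable, since an attacker who can trigger the weaker fallback gains nothing from the FIDO2 key being present, and a stricter version of this check would report any phishable method on a privileged account.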

“Effective management of M365 security is critical for protecting sensitive government data and maintaining uninterrupted delivery of essential public services amid evolving cyber security threats,” Spencer said.

“I recognise that the rapid and complex evolution of technology consistently presents new challenges for entities. To effectively counter emerging threats, entities must remain alert and continue strengthening their security posture.”