Western Australian Government Agencies: WA auditor general flags weak Microsoft 365 security controls across state entities

Western Australia’s Government Agencies Face Critical M365 Security Gaps, Audit Reveals

A recent audit by the Western Australian (WA) Office of the Auditor General (OAG) has exposed significant security vulnerabilities in Microsoft 365 (M365) configurations across seven state government agencies, heightening risks of cyber incidents, data breaches, and operational disruptions.

The report, led by WA Auditor General Caroline Spencer, identified widespread weaknesses in governance, identity and access management, information protection, logging, and threat prevention. These gaps leave sensitive government data and public services exposed to evolving cyber threats.

While the OAG withheld the identities of the audited agencies to prevent targeted attacks, it highlighted the real-world consequences of poor M365 security through case studies. In one incident, a state entity inadvertently exposed the personal data of 32 individuals, including minors, by emailing it to a third-party provider. The data was stored in an unsecured Dropbox account, which was later compromised. The agency lacked data loss prevention (DLP) controls and had not assessed the vendor's security during onboarding.

In another case, a senior officer's M365 account was hijacked via a phishing email; the attacker bypassed security measures by registering their own multi-factor authentication (MFA) method on an unmanaged device. The breach went undetected for a month, during which the attacker created email forwarding rules, studied the victim's communications, and sent fraudulent invoices that resulted in the theft of A$71,000.
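Added example, not from the audit report or the article: a small Python check over constructed, simplified audit records (the field names and sample data are assumptions, loosely modelled on M365 unified audit log entries) that flags inbox rules forwarding mail outside the tenant and correlates them with a recent MFA-method registration by the same user, the sequence the hijacked-account case describes.

```python
from datetime import datetime, timedelta

# Constructed, simplified records; field names are assumed and the
# events are invented to mirror the incident described above.
SAMPLE_LOG = [
    {"CreationTime": "2024-07-01T08:12:00", "Operation": "User registered security info",
     "UserId": "officer@agency.example", "ResultStatus": "Success"},
    {"CreationTime": "2024-07-02T09:30:00", "Operation": "New-InboxRule",
     "UserId": "officer@agency.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "finance@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-07-03T10:00:00", "Operation": "New-InboxRule",
     "UserId": "clerk@agency.example",
     "Parameters": [{"Name": "Name", "Value": "Payroll"},
                    {"Name": "MoveToFolder", "Value": "Payroll"}]},
    {"CreationTime": "2024-07-04T11:00:00", "Operation": "Set-InboxRule",
     "UserId": "manager@agency.example",
     "Parameters": [{"Name": "RedirectTo", "Value": "archive@agency.example"}]},
]

INTERNAL_DOMAINS = {"agency.example"}          # assumed tenant domain(s)
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def is_external(address):
    """True when the address domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def external_forwarding_rules(records):
    """Return (user, created_at, destination) for rules that send mail outside the tenant."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for p in r.get("Parameters", []):
            if p["Name"] in FORWARDING_PARAMS and is_external(p["Value"]):
                hits.append((r["UserId"], datetime.fromisoformat(r["CreationTime"]), p["Value"]))
    return hits

def correlate_with_mfa_registration(records, window_days=7):
    """Flag external forwarding rules created within window_days after the same
    user registered a new MFA method: a newly enrolled device followed by a
    forwarding rule is the pattern worth an analyst's attention."""
    registrations = {}
    for r in records:
        if r.get("Operation") == "User registered security info":
            registrations.setdefault(r["UserId"], []).append(datetime.fromisoformat(r["CreationTime"]))
    flagged = []
    for user, when, dest in external_forwarding_rules(records):
        if any(timedelta(0) <= when - t <= timedelta(days=window_days) for t in registrations.get(user, [])):
            flagged.append({"user": user, "rule_created": when.isoformat(), "forward_to": dest})
    return flagged
```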

The audit found that while some agencies had DLP controls, they were inconsistently applied, leaving platforms like OneDrive, SharePoint, Power Platform, Exchange, and Teams vulnerable. Additionally, agencies relied on phishing-susceptible MFA methods (e.g., SMS, voice calls, email OTPs) instead of phishing-resistant authentication for privileged users. Compromised accounts accounted for 39% of reported cyber incidents targeting the Australian government in 2024–25.

Poor logging practices further exacerbated the risks: some agencies retained audit logs for only six months, far below the Australian Signals Directorate's (ASD) recommended 18-month retention period, limiting their ability to investigate security incidents.

Spencer emphasized that robust M365 security is essential to protecting sensitive data and maintaining public service continuity amid rising cyber threats. The report underscores the need for agencies to strengthen their security posture to counter emerging risks.

Source: https://www.computerweekly.com/news/366639954/WA-auditor-flags-weak-Microsoft-365-security-controls-across-state-entities

Office of the Auditor General for Western Australia cybersecurity rating report: https://www.rankiteo.com/company/office-of-the-auditor-general-for-western-australia

{
  "id": "OFF1773124460",
  "linkid": "office-of-the-auditor-general-for-western-australia",
  "type": "Vulnerability",
  "date": "7/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "32 individuals (including minors)",
      "industry": "Public Sector",
      "location": "Western Australia",
      "type": "Government Agency"
    },
    {
      "industry": "Public Sector",
      "location": "Western Australia",
      "type": "Government Agency"
    }
  ],
  "attack_vector": ["Phishing", "Unsecured Third-Party Storage", "MFA Bypass"],
  "data_breach": {
    "data_exfiltration": "Yes (via unsecured Dropbox account)",
    "number_of_records_exposed": "32",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (includes minors' data)",
    "type_of_data_compromised": ["Personal Data", "Personally Identifiable Information (PII)"]
  },
  "description": "A recent audit by the Western Australian (WA) Office of the Auditor General (OAG) exposed significant security vulnerabilities in Microsoft 365 (M365) configurations across seven state government agencies, heightening risks of cyber incidents, data breaches, and operational disruptions. The report identified widespread weaknesses in governance, identity and access management, information protection, logging, and threat prevention.",
  "impact": {
    "brand_reputation_impact": "Negative impact on public trust in government agencies",
    "data_compromised": "Personal data of 32 individuals including minors",
    "financial_loss": "A$71,000",
    "identity_theft_risk": "High",
    "operational_impact": "Operational disruptions, fraudulent invoicing",
    "systems_affected": ["Microsoft 365 (M365)", "OneDrive", "SharePoint", "Power Platform", "Exchange", "Teams"]
  },
  "initial_access_broker": {
    "reconnaissance_period": "1 month (undetected account hijacking)"
  },
  "investigation_status": "Completed (Audit Report)",
  "lessons_learned": "Robust M365 security is essential to protecting sensitive data and maintaining public service continuity. Agencies must strengthen governance, identity and access management, information protection, logging, and threat prevention.",
  "motivation": ["Financial Gain", "Data Exfiltration"],
  "post_incident_analysis": {
    "root_causes": [
      "Poor M365 configurations",
      "Inconsistent DLP controls",
      "Phishing-susceptible MFA methods",
      "Inadequate logging",
      "Lack of third-party vendor security assessment"
    ]
  },
  "recommendations": [
    "Implement consistent DLP controls across all M365 platforms",
    "Adopt phishing-resistant MFA for privileged users",
    "Extend audit log retention to at least 18 months",
    "Assess third-party vendor security during onboarding",
    "Enhance monitoring for compromised accounts"
  ],
  "references": [{"source": "Western Australian Office of the Auditor General (OAG)"}],
  "regulatory_compliance": {
    "regulations_violated": ["Australian Signals Directorate (ASD) logging recommendations"]
  },
  "title": "Western Australia’s Government Agencies Face Critical M365 Security Gaps, Audit Reveals",
  "type": ["Data Breach", "Account Hijacking", "Phishing"],
  "vulnerability_exploited": [
    "Poor M365 configurations",
    "Inconsistent DLP controls",
    "Phishing-susceptible MFA methods",
    "Inadequate logging"
  ]
}