Western Australia Audit Reveals Critical Microsoft 365 Security Gaps in State Entities
A recent report by the Western Australian Office of the Auditor General (OAG) uncovered significant vulnerabilities in how state government entities manage their Microsoft 365 (M365) environments, exposing them to heightened risks of cyber incidents, data breaches, and operational disruptions.
The audit identified weaknesses across multiple security domains, including governance, identity and access management, information protection, logging and monitoring, and threat protection controls. Two major incidents highlighted the consequences of these gaps:
Data Breach Involving Sensitive Information
An audited entity inadvertently exposed the personal and sensitive data of 32 individuals, including children, by emailing it to an unvetted third-party service provider, which stored the information in Dropbox. The breach stemmed from the absence of data loss prevention (DLP) controls and a failure to assess the third party’s security posture. While some entities had DLP policies in place, they were not consistently applied across OneDrive, SharePoint, Power Platform, Exchange, and Teams, leaving sensitive data unprotected.
$71,000 Theft via Phishing and Weak MFA
A threat actor compromised a senior officer’s M365 account through a phishing email, exploiting weak multifactor authentication (MFA). The attack went undetected for a month, during which the attacker:
- Registered their own MFA device
- Created email forwarding rules to conceal communications
- Studied the victim’s email history to craft convincing social engineering tactics
- Submitted a fraudulent invoice, resulting in the theft of $71,000
The OAG attributed the incident to ineffective security configurations, including:
- Failure to block high-risk users and sign-ins
- Lack of email spoofing protections to prevent impersonation
- Insufficient controls to detect and report fake emails from third-party servers
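The account-takeover sequence described above (a newly registered MFA device followed by a mail-forwarding rule on the same account) is something audit data can be searched for. The following is an added example, not part of the OAG report or this page; the flat record layout, the seven-day window and the sample events are assumptions, while the operation and parameter names are the ones Entra ID and Exchange Online use.

```python
from datetime import datetime, timedelta

# Operation and parameter names follow Entra ID / Exchange Online audit data;
# the flat record layout (time, user, operation, params) is assumed for brevity.
MFA_OPS = {"User registered security info"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_takeover_patterns(events, window=timedelta(days=7)):
    """Return (user, mfa_time, rule_time, params) for each forwarding rule
    created within `window` after the same user registered an MFA method."""
    hits, last_mfa = [], {}  # last_mfa: user -> most recent registration time
    for ev in sorted(events, key=lambda e: parse(e["time"])):
        user, when = ev["user"].lower(), parse(ev["time"])
        if ev["operation"] in MFA_OPS:
            last_mfa[user] = when
        elif ev["operation"] in RULE_OPS:
            forwards = sorted(FORWARD_PARAMS & set(ev.get("params", {})))
            seen = last_mfa.get(user)
            if forwards and seen is not None and when - seen <= window:
                hits.append((user, seen, when, forwards))
    return hits

# Constructed sample records (not taken from the audit report).
SAMPLE_EVENTS = [
    {"time": "2025-03-03T09:12:00", "user": "senior.officer@entity.example",
     "operation": "User registered security info", "params": {}},
    {"time": "2025-03-03T09:40:00", "user": "senior.officer@entity.example",
     "operation": "New-InboxRule",
     "params": {"Name": "Sync", "ForwardTo": "mailbox@external.example"}},
    # Benign: rule that only files newsletters, no MFA change beforehand.
    {"time": "2025-03-04T11:00:00", "user": "clerk@entity.example",
     "operation": "New-InboxRule",
     "params": {"Name": "News", "MoveToFolder": "Newsletters"}},
    # Outside the default window: MFA registered two months before the rule.
    {"time": "2025-01-01T08:00:00", "user": "analyst@entity.example",
     "operation": "User registered security info", "params": {}},
    {"time": "2025-03-05T08:00:00", "user": "analyst@entity.example",
     "operation": "Set-InboxRule",
     "params": {"Identity": "Archive", "ForwardTo": "analyst@entity.example"}},
]

if __name__ == "__main__":
    for user, mfa_t, rule_t, params in find_takeover_patterns(SAMPLE_EVENTS):
        print(f"{user}: MFA registered {mfa_t}, forwarding rule {rule_t} {params}")
```

Widening the window catches slower intrusions at the cost of more matches from routine MFA re-enrolment, so the value should be tuned against the entity's own baseline.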
Western Australia’s Auditor-General, Caroline Spencer, emphasized that proper M365 security management is critical for safeguarding government data and ensuring uninterrupted public services amid evolving cyber threats. The findings underscore systemic gaps in third-party risk assessment, DLP enforcement, and phishing defenses across state entities.
Office of the Auditor General for Western Australia cybersecurity rating report: https://www.rankiteo.com/company/office-of-the-auditor-general-for-western-australia
Dropbox cybersecurity rating report: https://www.rankiteo.com/company/Dropbox
"id": "OFFDRO1773174394",
"linkid": "office-of-the-auditor-general-for-western-australia, Dropbox",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"