One of challenges with security is that there are lots of places to check and secure but only one vulnerability required for compromise. Most compromises happen at the user level but there are also other places that you may want to keep an eye. One of the is the journaling rules in Exchange Online.
Now, journaling rules can only generally be configured by an administrator. According to:
https://docs.microsoft.com/en-us/exchange/security-and-compliance/journaling/journaling
“Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications.”
That means it maybe possible to record email traffic and forward it to another location. That may mean for example, a rogue administrator setting up a journaling rule to send the CEO’s emails to their own private external email box.
Defending against rogue admin is tough and requires some planning. The least that you could do is check any existing journaling rules and ensure that only required ones appear.
You can do this by visiting the Exchange Online Admin Center. From here select Compliance Management then journal rules as shown above.
As you can see there are no journal rules in this tenant and it is my experience that most tenants don’t use journaling at all. That doesn’t mean there isn’t legitimate reasons for having journaling rules. All I’m saying is that you should check what you have and ensure it is right.
As always, I find that using PowerShell is a much quicker way to report on this using the command:
get-journalrule
The reason which checking journaling is important, is because as I understand it, journaling won’t show up in the audit logs for the tenant. This means that once it was surreptitiously enabled, it could run unreported in the background, collecting information unknown to everyone? That is a bad thing.
The best solution against rogue administrators in general is Privileged Access Management (PAM) in Office 365:
Configuring Privileged Access Management
which is typically only included in advanced Microsoft 365 licensing like E5. This, unfortunately, puts it beyond the reach of many. So, for the time being, keep an eye on your journaling rules and check to see where they maybe sending your information.
CIAOPS 
There are so many things you can do in O365. Stuff like this is fantastic. Do you have any sort of steps you should do to secure your O365 tenant when you roll a new one out in your Patreon/CIAOPS Community?
Erik Sheldon
Owner
Sheldon IT Solutions, LLC
281-858-3498
[cid:image001.png@01D568D2.54C44F30]
LikeLike
Yes I have checklist and best practices scripts that do everything for you. These are also updated regularly that you have access to during the course of your subscription. Sign up at http://www.ciaopspatron.com
LikeLike