Shared Inboxes in Office 365 are a useful tool that allow you to set up a mailbox shared by multiple users without the need for another pricey 365 license – the Shared Inbox is usable as long as an added member has a valid Office 365 license.
Unlike a Distribution list, which is just a forwarding list of other e-mail addresses, a Shared Inbox is its own actual mailbox – it has its own storage and can be configured to “Send as” mail. They can be extremely handy for, for example, inboxes for individual departments: firstname.lastname@example.org, etc.
However, one vastly overlooked aspect of a Shared Inbox is that it can be logged into within Outlook or Exchange Online. Granted, you’re not supposed to do this per Microsoft’s EULA – no account is supposed to be logged into unless it has a license. But the point is simply this: it can be done.
This means that – like any other user e-mail account – a Shared Inbox is a target for hackers and malicious actors who want to view its contents for sensitive info, or to try to fool other users into falling for scams. And because Shared Inboxes are typically not under the microscope, it’s a good bet that a breach could go undetected for a while if no alerting is in place.
This is why I strongly recommend that 365 admins block Shared Inbox sign-in by default. Even if you created the inbox from scratch and never set a password – theoretically leaving it inaccessible to login – the last thing we need is for your accounts to be the next zero-day exploitation of Microsoft’s internal account quirks. Therefore, let’s close the security hole and block sign-in to Shared Inboxes!
Doing this is incredibly simple:
1. Log into the Office 365 portal.
2. On the left-side menu, select Users then Active Users. All Shared Mailboxes are listed among the Active Users.
3. If you have a small number of Shared Inboxes you can simply click them one at a time and select Block Sign-In from the pop-out menu on the right.
4. If you have a large number of Shared Inboxes and want to block sign-in in bulk simply check the boxes next to each of the inboxes, select the “…” symbol next to Manage Product Licenses and click Edit Sign-in Status.
5. Check the box for Block this User from Signing In, then select Save Changes to apply to all selected mailboxes.
Done! Your Shared Mailboxes are now protected. Make sure to audit these going forward at least quarterly to catch any new inboxes that may have been created, and in case any changes were made.
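The portal steps above and the quarterly audit can both be scripted, which is handier than clicking through the Active Users list when new shared mailboxes appear over time. The PowerShell below is an added example, not from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed, that the caller has Exchange admin rights and the User.ReadWrite.All Graph permission, and the function names are this example’s own.

```powershell
# Added example (not from the original post): block direct sign-in on every
# shared mailbox and report any that are still enabled, so the same check can
# be re-run for the quarterly audit.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are
# installed and the caller has Exchange admin rights plus the User.ReadWrite.All
# Graph permission. Function names below are this example's own.

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

function Get-SharedMailboxSignInStatus {
    # Returns one object per shared mailbox with its current AccountEnabled flag.
    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        $user = Get-MgUser -UserId $mbx.UserPrincipalName -Property "Id,UserPrincipalName,AccountEnabled"
        [pscustomobject]@{
            DisplayName       = $mbx.DisplayName
            UserPrincipalName = $mbx.UserPrincipalName
            SignInAllowed     = [bool]$user.AccountEnabled
        }
    }
}

function Block-SharedMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Disable the directory account behind each shared mailbox that is still
    # enabled. Delegates keep access through their own licensed accounts; only
    # sign-in with the mailbox's own credentials is blocked.
    Get-SharedMailboxSignInStatus | Where-Object SignInAllowed | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.UserPrincipalName, "Block sign-in")) {
            Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false
            Write-Host "Blocked sign-in: $($_.UserPrincipalName)"
        }
    }
}

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Dry run first: -WhatIf lists what would change without touching anything.
Block-SharedMailboxSignIn -WhatIf
# Apply, then re-run the report; an empty result means no shared mailbox can sign in.
Block-SharedMailboxSignIn
Get-SharedMailboxSignInStatus | Where-Object SignInAllowed | Format-Table
```

Run the dry run before the real pass so the list of mailboxes to be changed can be checked against the Active Users view, and keep the final report call as the quarterly audit: anything it prints is a shared mailbox that was created or re-enabled since the last run. Blocking sign-in disables the account in the directory only; the mailbox, its contents and the members’ delegated access are unaffected.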