Blog Post

Microsoft 365 Blog
3 MIN READ

Achieve more through people with LinkedIn and Microsoft 365

Rebecca Schmierer's avatar
Rebecca Schmierer
Icon for Microsoft rankMicrosoft
Sep 25, 2018
An organization's most important assets are its people. We’re announcing two new ways to use the power of the LinkedIn network within your daily workflow, building on last year’s announcement of the ...
Updated May 06, 2021
Version 8.0
microsoft 365
Lynn Towle's avatar
Lynn Towle
Iron Contributor
Mar 14, 2019

Hi Issa,

 

[Edited]

 

Let me first start by saying I'm a fan of integration, but there needs to be some serious consideration put into how malicious third party actors can game the functionality to create an even larger security issue. Here is the issue; without granular control over the functionality, there are serious issues concerning malicious third party actors spoofing and/or becoming a first degree contact.

 

LinkedIn is a social media site for business, and I see the benefits of allowing more interaction, but integrating document sharing in Microsoft apps will create a perception of legitimacy for a public security zone. In essence you are creating a "federation lite" with LinkedIn and 365 tenants, and in doing so, our security posture just became significantly more complex.

 

Social engineering from LinkedIn profiles will become even more common place, as you now have a entire database of users, that if you just become a first degree contact with, you have the default capability to work on documents with. While nothing stops a third party actor from sharing malicious files with users now, it is all done through email, which is hard enough to convince users to be wary of in the first place. Integrating notifications, such as "Bob or Susan wants to share and work on this document with you" in an application, from a service from LinkedIn, is just going to compound that issue, as again you have now created the perception that LinkedIn interactions are legitimate.

 

All it will take is for one malicious actor to upload/modify a specially configured macro enabled workbook to create havoc. Onedrive doesn't do security scanning of documents, it will allow a macro enabled document to be uploaded, and with the new chat features, it would be EXTREMELY easy to convince someone to just open the workbook on their desktop version of Excel and enable the macro to run.

 

That is just one scenario, there are thousands more.

 

All of this is just from 5 minutes of thinking about the security issues that this type of integration can create.

 

Granular control is a must, and if it's not available during the initial rollout, as stated, we will need to disable LinkedIn integration with our Tenant.