My O365 account has been compromised. Now what?

Nowadays, one of the most common security support requests from our customers (and increasing) is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.

If your Office 365 subscription has been compromised, your accounts may be blocked to defend you and your contacts. Take into account that sometimes, hackers may have added back-door entries to your account which empowers attacker to regain control of your account even after you have recovered it. In order to protect the account, you must complete the following instructions.

These steps allow you to get rid of any back-door entries added to your account:

First of all, Block user sign-in

• • Go to Office365 Admin Center – https://admin.microsoft.com/
  • Expand “Users” and press “Active users”
  • Select user that you need and block sing-in
  • Confirm blocking
  • Press “Save Changes”

Check O365 environment

• • • Check user sign-in log. Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
    • Press on the user name and select “Sign-ins”
    • You can find here the last login information, with IP addresses and locations.

EXO Message Flow

• • • Check the message flow to identify suspicious emails that might have been sent on behalf of the user. Go to Exchange Online Admin Panel – https://outlook.office365.com/ecp
    • Click “Message flow”, then select “Message Trace” tab.
    • Select user by pressing “add sender” and press “search”
    • Сheck all outgoing messages for suspicious emails.
    • Also check tabs “rules” and “connectors” for any strange data

Check Physical Devices

• Check all user’s workstations, laptops and mobile devices.
  • Install AV software, for example https://malwarebytes.com/ or any other
  • Run full scan and check results.
  • Install all Windows updates.

Determine the source

• • Ask the user about any recently lost devices.
  • Ask the user about any suspicious situations and actions, like download and open strange attachments, software installation, visited web-sites and others
  • Ask the user about any public Wi-Fi networks he used.

Eliminate the source of infection, if found

Reset user password and unlock account

• • Press a key picture and reset user password, then unlock the user account.
  • We also strongly recommend to set MFA authentification fol all users, you can use Microsoft instruction https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

I know that probably you have pass over this situation, but maybe for other people will help to take immediate actions to recover from an Office 365 compromise.

Recommendations to secure your Office 365 tenant – Part 2

Last week I post a little talk about security, so my idea is to continue it. Regarding security in business, we can acquire Microsoft 365 (M365), which is super cool in terms of security. It includes all the best from Office 365 but also includes features available only as add-ons for Office package, plus, of course, Windows Defender and EMS.

Office message encryption

Encryption can easily make your corporate communication a lot safer, for me, this feature is cool, It makes it possible to:

• Send encrypted emails to anyone inside your organization or outside
• To any email address, including Office 365, Microsoft accounts (like Hotmail or Outlook.com), etc…
  • receive encrypted messages and open them from any app on any device
  • be sure that recipients won’t be able to forward this email to others, as encrypted emails are sent with a “Do Not Forward” setting.

 

Anti-phishing protection (ATP)

M365 Business includes Office 365 Advanced Threat Protection (ATP), where specialized code unmasks phishing attacks trying to penetrate the organization via corporate e-mail.

Often such attacks are impersonation based. You can easily set it right by choosing among various policy options to better identify and prevent phishing and spoofing attempts.

ATP safe attachments and safe links

ATP safe attachments tool opens every attached file in a virtual environment before releasing it to the user. The possible outcomes are:

• safe attachment will be open right away after scanning;
• attachment containing malicious content will be removed and a warning message will be displayed.

Exchange Online Archiving

Organizations often need to keep their business correspondence for litigation, compliance or other purposes. Online Archiving can complete the task of backing up emails.

• an archive mailbox is created within the user’s primary mailbox
• users may use both their archives and primary mailboxes
• deleted items or even a deleted mailbox can be recovered
• Able to set retention tags, which specifies how long the message is kept and the action taken when retention time expires
• if retention tag is not applied, default retention tag will be applied to the file.

Azure Information protection

It offers capabilities for detecting, classifying and labelling files. Once applied label makes them confidential, general or any other to your choice. AIP can classify and label your data:

• at rest
• in use
• in motion

And wherever it may reside:

• Microsoft’s Cloud
• SaaS apps
• non-Microsoft Clouds
• your own data center in on-premises file servers (needs the AIP P2 license)
• other platforms such as Apple/Mac
• non-Microsoft file types (e.g. PDFs in Adobe Reader).

This is pretty cool. It means that your data is protected no matter which service it actually ends up in, because all these services recognize the labels, so protections, implied by labels, are always going to be respected.

Intune

Allows to manage and control both Microsoft and non-Microsoft devices.

Data loss prevention

Data loss prevention (DLP) is a specific policy which may assist you in detecting personal sensitive data stored in various locations, like SharePoint or OneDrive etc., and prevent your users from inadvertently sharing it.

Windows Defender

Windows Defender in M365 is protecting end points running Windows in your organization. Similar to O365 and Azure AD, Windows Defender has its own Advanced Threat Protection and these three ATPs actually collaborate

As you can see, M365 offers many more advanced security features that will turn threat protection into something that meet all your security requirements.

Till next time folks!

Recommendations to secure your Office 365 tenant

As is well known, online security is given attention to a lot lately with high-profile hacks and cyber-attacks all over the world. Unfortunately, small and medium sized businesses are often becoming targets of cyber-criminals too, due to low investment in security…

So with this post, I will try to outcome some solutions to help small and medium size business to mitigate those problems. Here we go!

Training users

The biggest threat by far in companies, are the users… the best thing that we can do is train them, so my two cents are:

• build a culture of security awareness informing users about most common threats
• follow the ultimate rule “Think before click”
• make absolutely certain that you’re on the website you think you’re on,

Check out Secure Score

Secure score gives a lot of information in security posture. Every company and organization has his own indicators in terms of security. Also we can find possible threats and recommendations to improve the security and get a better score. So don’t underestimate it!

The use of MFA

Two-step authentication is one of the simplest methods to protect an account, because even if hackers get a password, we will have a second factor to protect the account.

Check out your admin accounts

Identity is a weak point in security, so users with privilege presents a valuable target for hackers, so follow the next points:

• MFA use is a must
• use only for administrative functions (not regular users)

Protect against spam and malware

Office 365 already has built-in malware and spam filters, but you can increase your protection regarding that by the following:

• set anti-malware policy that will block attachments most often used by hackers.
• fine tune your Exchange Online or EOP

Protect against ransomware

Ransomware is the main problem nowadays, your files are being encrypted and the hackers demand money to restore the access. It is better to prevent rather than deal the consequences. So the main point here are:

• educate users (remember first point)
• create back-up copies of your files (Azure backup is great!)
• create mail flow rules to block some attachment types

Disable mail auto forwarding

Sometimes when hackers gain access to credentials, they create auto-forwarding rules, that it may present in data leakage or even data loss. We can prevent this behaviour creating a transport rule blocking any auto-forward message types is among the simplest and handy ways to do it.

Enable mailbox auditing

The information pointing out who was logging in, sending e-mails or performing other mailbox activities may turn out to be very useful for identifying suspicious behavior and possibly showing that account was compromised.

I know that I am not covering all the points, but following this, I’m sure that your organization would be a bit more secure 😉

Azure Spot VM

Today I want to talk with you about Azure Spot virtual machines, I think that it’s a very interesting alternative to save money in dev/test environments.

What Microsoft says about Spot VMs: Using Azure Spot VMs allows you to take advantage of our unused capacity at a significant cost savings. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Spot VMs. VMs can be evicted based on capacity or the max price you set. For virtual machines, the eviction policy is set to Deallocate which moves your evicted VMs to the stopped-deallocated state, allowing you to redeploy the evicted VMs later.

Important characteristics of Azure Spot VMs are:

• Azure does not offer SLA for this type of VM.
• If Azure needs the capacity for “pay as you go” workloads, Azure’s infrastructure will evict the Spot virtual machines with a 30-second warning.
• VMs can be evicted based on capacity or the max price you set.
• The amount of available capacity can vary based on size, region or time of day.

Features not compatible with ephemeral disks at the time of publication of this article:

• B-series
• Promo versions of any size
• Ephemeral OS disks

Auditing in ADFS 2016

By default, AD FS in Windows Server 2016 has a basic level of auditing enabled. With basic auditing, administrators will only be able to see up to five events for a single request. But we can  raise the auditing level using the PowerShell cmdlet Set-AdfsProperties -AuditLevel.

The following table identifies the available auditing levels.

Audit Level	PowerShell syntax	Description
None	Set-AdfsProperties – AuditLevel None	Auditing is disabled and no events will be logged.
Basic (Default)	Set-AdfsProperties – AuditLevel Basic	No more than 5 events will be logged for a single request
Verbose	Set-AdfsProperties – AuditLevel Verbose	All events will be logged. This will log a significant amount of information per request.

If you need to check the current auditing level, you can use the PowerShell cmdlet Get-dfsProperties.

Using Azure Ad Connect Sync Security Groups

During setup, Azure AD Connect automatically creates Azure AD Connect Sync Security Groups. A Microsoft 365 Enterprise Administrator can use these groups to delegate control in Azure AD Connect to other users. You can also use these groups to assign a user temporary permission to run a manual synchronization or to use Azure AD Connect to troubleshoot directory synchronization issues.

Group Name	Description
ADSyncAdmins	Administrators Group: Members of this group have Full Access to do anything in the Azure AD Connect Sync Service Manager.
ADSyncOperators	Operators Group: Members of this group have access to the operations of the Azure AD Connect Sync Service Manager, including: Execution of Management Agents View of Synchronization Statistics for each run Ability to save the Run History (Operations Tab) to a file Members of this group must be a member of the ADSyncBrowse Group.
ADSyncBrowse	Browse Group: Members of this group have permission to gather information about a user’s lineage when resetting passwords.
ADSyncPasswordSet	Password Reset Group: Members of this group have permission to perform all operations by using the password management interface. Members of this group must be a member of the ADSyncBrowse Group.

The groups are created as local groups on domain-joined servers, or as Active Directory domain groups when you install Azure AD Connect on a domain controller

Enabling MFA with Conditional Access

Following the previous post about Enabling MFA, imagine that you followed my recommendations about enabling and enforced by using MFA, but now what you want to do is to enable MFA but in a CA policy, with the following PS you can make the conversion from MFA to CA based MFA.

The advantage? More powerful, you can select which services can ask for MFA, the condition of the device, and many other features…

# Sets the MFA requirement state
function Set-MfaState {

[CmdletBinding()]
param(
[Parameter(ValueFromPipelineByPropertyName=$True)]
$ObjectId,
[Parameter(ValueFromPipelineByPropertyName=$True)]
$UserPrincipalName,
[ValidateSet("Disabled","Enabled","Enforced")]
$State
)

Process {
Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
$Requirements = @()
if ($State -ne "Disabled") {
$Requirement =
[Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
$Requirement.RelyingParty = "*"
$Requirement.State = $State
$Requirements += $Requirement
}

Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
-StrongAuthenticationRequirements $Requirements
}
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled