Nowadays business are being compromised by an Office pop up asking them to grant permissions to what that looks like a normal Office app. But, when you click on accept, you’re unknowingly providing a bad actor’s application access to your contact info, mailbox settings, and sign-in access.
The following action is to impersonate the victim, sending emails and accessing to their files in their behalf, and thus this application are external to the organization, the attacker can access to the account info without MFA.
Scary stuff that you probably want to avoid, isn’t it?
What can I do to prevent the attack?
In order to reduce this risk, you can change the configuration of your tenant to only install applications that are approved by an admin. Also keep in mind a hardening of the tenant. By doing this, you will avoid some problems in the future
Search (all activities and all users) and enter the start date and end date if required and then click Search.
Click Filter results and enter Consent to application in the Activity field.
Click on the result to see the details of the activity. Click More Information to get details of the activity. Check to see if IsAdminContent is set to True.
How I can respond to those attacks?
If you have identified an application with illicit permissions, you can revoke the applications permission in the AAD portal:
You can revoke the application’s permission in the Azure Active Directory Portal by:
Navigate to the affected user in the Azure Active Directory User blade.
Select the illicit application.
Click Remove in the drill down. Then, do reconnassaince on any accounts that had consented to the app, resetting their password, requiring MFA, and digging through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to the contact lists, files accessed on OneDrive or SharePoint, etc.
Most of the time, when we are talking about security in M365, we talk about how to encrypt files and give permission to those files. But… did you know you can Protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? What I can say that It is a very useful feature when autosave is enabled in Excel or Word files.
But… What key points do you need to know?
You can only protect individual documents, not a complete document library.
You can not protect OneNote documents, in desktop nor online nor that half-baked OneNote for Windows 10.
In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting. (You can also use other ways of protection, but that is out-of-scope for now)
In the online apps you can only protect Word and Excel, but not PowerPoint.
You can protect Word and Excel files in SharePoint and OneDrive.
You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
You can use “review-only” in Word in SharePoint and OneDrive.
When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
How does a Word-document open, and which options do you have when you share the document with or without protection, with our without “review-only” and with people with various roles in your SharePoint site? See the table below. The first word is the option that the document opens with.
Zero Trust is a principle that is coming to all business, why? because helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement.
So… when we are trying to implement a Zero Trust model, we will touching all components—user identity, device, network, and applications— to be validated and more important to be trustworthy.
But, what about the main components to be aware of? Let’s keep a further detail to that list:
Identity – Identity is the best starting point for Zero Trust. I’am a big fan of AAD identity, and Conditional Access, PIM is a great way to start
Implement conditional access controls – we can stop compromise identity credentials from accessing to corporate resources and more important, avoid a move laterally in the network.
Strengthen credentials – Weak passwords undermine the security of your identity system, so take aware of that and use MFA
Integrate intelligence and behavior analytics – Having tools to automate tasks and detect some behaviours, are great! Keep an eye to ATP, WDATP, MCAS…
Reduce your attack surface – nothing to explain here 🙂
Increase security awareness – Use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns.
Enable end-user self-help – users are the core of the business, we cannot enable security tools without thinking in them
Don’t overpromise – Zero Trust is not a single ‘big bang’ initiative, so keep in that mind
Show value along the way – One of the most effective ways to build long-term support for a Zero Trust initiative is to demonstrate incremental value with each investment.
As you can see here A Zero Trust model is not easy to achieve, but it’s a key element of any long-term modernization objective for the digital enterprise. If you want to assess your system yourself, keep an eye to the following tool: Take the Zero Trust Assessment (microsoft.com)
Using M365 ecosystem enable us to collaborate and share data without problem, but nowadays, companies are concerned about security and the holes that those applications open in organizations.
Even though we are ultimately responsible for protecting our sensitive data, there are native security capabilities to address Microsoft Office 365 security concerns. Moreover, there are third-party solutions that can help us ensure strong security posture across the entire infrastructure.
So let’s list the common concerns that I have gathered from my experience in M365:
Unauthorized or External File Sharing: enabling users to collaborate with external users in applications like Teams and SharePoint
Privilege Abuse: having a user with more permission than they need. It is obvious, but excessive rights increase risk of data breach…
Global Admin Account Breach: this is a game over, if someone gains access to that type of accounts, forget everything, could be a disaster… If you are in that case, apply MFA to that users
Disabled Audit Logs: It is not being enabled by default, but for me is very powerful to know which actions are doing the users
Short Log: by default Microsoft sores 90 days our logs, if you need to archive those logs for further detail, keep that into account.
So what we can do to overcome those concerns?
Enable MFA: it is a very powerful resource, we have it for free, so… use it, it is great, if you have the license try it with Conditional Access
Use DLP and email encryption
Classify Data: help to understand the value of the content in order to apply appropriate security controls. For example, apply tags to not to share documents with external users or even disable the option
Minimize privileges: revoking excessive permission, expiration dates on links
Use the Unified Audit Logging: in order to gain visibility across M365 environment
use ATP, which can block malicious attachments in phishing emails or even verify URLs in messages and documents
Use Cloud App Security: in order to discover Shadow IT, control over permission in M365, application acess, etc…
There is no magic addressing concerns in M365, but the path is to gain visibility in the environment, investigate threats and if you’re case maintain regulatory compliance
But in this post, I want to talk about something related to it, in one of my projects, I have a CA policy that required one of the following selected controls: Require MFA or Require Hybrid AAD joined device
My device was Hybrid, so I was fullfilling one of the requirements, for example, when I was accessing with IE or Edge, the device info gets passed properly and MFA is bypassed for hybrid AAD machines.
But with Chrome, even having the Windows 10 Account extension pushed via GPO, I was able to see in the azure sign-in logs that device info is blank except for Browser and OS, so the AAD join status is not passed and MFA triggers. So it was very weird and it was causing me some problems…
So finally, after hours of troubleshooting, i finally figured out what was wrong. When you automatically install the extension, it doesn’t clear some cookies which Chrome will then try to use the old way of logging in. So in this case what you will need to do is access to chrome://settings/content/all and delete the cookies for login.microsoftonline.com
After doing that, everything was working perfectly, keep aware of that!!
Currently in all project were I’m involved I’m trying to used Best Practices of Security, including the use of PIM. Privileged Identity Management it is a service that is available in Azure AD and is part of Azure AD Plan 2, it is used for all admin related tasks, where no employee has standing access within the company, reducing the surface of an attack.
PIM makes it possible to give a user the privilege to elevate his or her access rights for a preset amount of time to a higher role such as User Administrator or SharePoint Administrator.
PIM gives access to huge quantity of roles in Office 365 and Azure resources where the user is by default a reader and can elevate it to be an owner of a resource (group) for a specific amount of time (which is great!)
Enabling a PIM role is done by going to the Azure Portal and select the role you want to elevate. You need to do this for every role separately.
For example, imagine that you have members that need to elevate their account daily to be a SharePoint and User administrator, so they need to do this daily. After enabling they need to sign out and sign in again to make sure the roles are activated.
No more to give the role to a user and forget which role we give to them…