Posts

Showing posts from May, 2023

Email Security/Exchange Online - Ensure All Forms of Mail Forwarding Are Blocked And/Or Disabled

Summary The Exchange Online mail transport rules should be set such that emails cannot be forwarded to domains outside of an organization. Automatic forwarding should also be disabled to prevent users from auto-forwarding mail via Outlook or Outlook on the web, and the Client Rules Forwarding Block, which does not allow the use of any client-side rules that forward email to an external domain, should also be enabled. Note- Any exclusions should be implemented according to an organizational policy. Reason Attackers commonly create these rules to exfiltrate data from a tenancy, which could be accomplished via access to an end-user account or otherwise. What If? Before implementing the setup, it should be ensured that there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. Any exclusions should be implemented according to the organizational policy. How to? Note- It is a three ste

Email Security/Exchange Online - Ensure Exchange Online Spam Policies are Set to Notify Administrators

Summary For organizations with Microsoft 365 mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Exchange Online Spam Policies can be configured to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. Reason If an account is blocked, that means it has been breached and an attacker has been using it to send spam emails to other people. Note- Audit and remediation guidance may focus on the Default policy, but if a custom policy exists in the organization's tenant, it should be ensured that the setting is configured as outlined in the highest priority policy listed. What If? The blocked notifications do not affect the users. How to? To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center: Go to the Microsoft Admin Center and click Security.

Email Security/Exchange Online - Ensure the Common Attachment Types Filter is Enabled

Summary Users can easily block known and custom malicious file types from being attached to emails via the Common Attachment Types Filter. Reason Blocking known malicious file types helps prevent malware-infested files from infecting a host. What If? Blocking common malicious file types does not affect modern computing environments. How to? To enable the Common Attachment Types Filter, use the Microsoft 365 Admin Center: Go to the Microsoft Admin Center and click Security. Under Email & collaboration, go to Policies & rules > Threat policies. Now select Anti-malware and pick the highest priority policy. At the bottom of the Edit tab, click Edit protection settings and check Enable the common attachments filter. To enable the Common Attachment Types Filter using the Exchange Online PowerShell module: Connect to Exchange Online using Connect-ExchangeOnline. Now run the following Exchange Online PowerShell command: Se

Data Management - Ensure External File Sharing in Teams is Enabled For Only Approved Cloud Storage Services

Summary Collaboration in Microsoft Teams is enabled via file sharing, which is conducted within Teams using SharePoint Online by default; however, third-party cloud services are also allowed. Note- Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. Reason If only authorized cloud storage providers are accessible from Teams, it will help in dissuading the use of non-approved storage providers. What If? The impact of this change depends highly upon current practices in the tenant. If other storage providers are not used, the impact will be minimal, but if they are being used regularly, this will affect users' ability to continue to do so. How to? To set external file sharing in Teams, use the Microsoft 365 Admin Center: Under Admin centers pick Teams. Expand Teams then select Teams settings. Now set each cloud storage service under Files to On if it is authorized. ** To verify external file sha

Data Management - Ensure that External Users Cannot Share Files, Folders, and Sites They Do Not Own

Summary SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators who, with the right permissions, could share those with another external party. Reason Although sharing and collaboration are crucial, file, folder or site collection owners should have authority over what external users get shared with, to prevent unauthorized disclosures of information. What If? The impact of this change depends highly upon current practices. If sharing with external parties is not done regularly, the impact will be minimal, but if sharing with external parties is done regularly, minimal impact could occur as those external users will be unable to 're-share' the content. How to? To set SharePoint sharing settings, use the Microsoft 365 Admin Center: Under Admin centers pick SharePoint. Expand Policies then select Sharing. Expand More external sharing settings, uncheck Allow guests to share

Data Management - Ensure DLP Policies are Enabled for Microsoft Teams

Summary Enabling these policies for Microsoft Teams blocks sensitive content when it is shared in teams or channels. The content will be scanned for specific types of data such as social security numbers, credit card numbers, or passwords. Reason If DLP policies are enabled, they can alert users and administrators about the types of data that should not be exposed, which in turn helps protect the data from accidental exposure. What If? Setting up these policies will allow sensitive data in Teams channels or chat messages to be detected or blocked. How to? To enable DLP policies, use the Microsoft 365 Admin Center: Under Admin centers pick Compliance to open the Microsoft 365 Purview compliance portal. Under Solutions select Data loss prevention and then Policies. Now click Create policies. After that, either start with a template or create a custom policy. Provide a Name for your policy. At the Choose locations step, either choose Protect content in Exchange email, Teams c

Data Management - Ensure DLP Policies are Enabled

Summary Enabling these policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords. Reason If DLP policies are enabled, they can alert users and administrators about the types of data that should not be exposed, which in turn helps protect the data from accidental exposure. What If? Setting up these policies will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Appropriate procedures should be followed in order to test and implement DLP policies according to an organization's standards. How to? To enable DLP policies, use the Microsoft 365 Admin Center: Under Admin centers pick Compliance to open Microsoft Purview. Under Solutions select Data loss prevention and then Policies. Now click Create policy. Monitor: To verify that DLP policies are enabled, use the Microsoft 365 Admin Center: Under Admin centers pick Compliance to open Microsoft pu

Data Management - Ensure External Domains Are Not Allowed in Skype or Teams

Summary Since December 2021 the default for Teams external communications is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization', which also means that users can communicate with personal Microsoft accounts (e.g. Hotmail, Outlook, etc.), which may lead to data loss, phishing and social engineering risks. Note: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. Reason Users should not be allowed to communicate with Skype or Teams users outside an organization. This may lead to potential security threats, as external users can easily interact with an organization's users over Skype for Business or Teams, making the users more prone to data loss, phishing and social engineering attacks via Teams. What If? The impact of this change depends highly on current practices in the tenant. If users do not regularly communicate with external

Data Management - Ensure SharePoint Online Information Protection Policies are Set Up and Used

Summary SharePoint Online classification policies should be set up and used on the data stored in SharePoint Online sites. Reason These policies help categorize the most important data so that it can be protected effectively from illicit access, and make it easier to investigate discovered breaches. What If? This setting will not cause any significant impact to an organization, but ensuring long-term adherence to policies may require significant training and ongoing compliance effort across an organization. Organizations should ensure that training and planning are part of the classification policy creation process. How to? To set up data classification policies, use the Microsoft 365 Admin Center: Under Admin centers select Compliance to open the Microsoft Purview compliance portal. Under Solutions pick Information protection. Select the Labels tab. Click Create a label to create a label. Now select the label and click Publish label. Finall

Data Management - Ensure the Customer Lockbox Feature is Enabled

Summary The Customer Lockbox feature should be enabled, so that Microsoft requires your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer Lockbox requests also have an expiration time, and content access is removed after the support engineer has fixed the issue. Reason When this feature is enabled, it can protect the data against data spillage and exfiltration. What If? With this setting, Microsoft will require approval to access the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting. How to? To enable the Customer Lockbox feature, use the Microsoft 365 Admin Portal: Browse to the Microsoft 365 admin center. Expand Settings then select Org settings. Choose Security & privacy in the right pane.

Application Permissions - Ensure that Sways Cannot Be Shared With People Outside of Your Organization

Summary External sharing of Sway items like reports, newsletters, presentations, etc. should be disabled in order to contain sensitive information. Reason External sharing of Sway documents containing sensitive information should be disabled to prevent accidental or arbitrary data leaks. What If? This setting will stop users from externally sharing interactive reports, presentations, newsletters, and other items created in Sway. How to? To ensure Sways cannot be viewed outside of your organization, use the Microsoft 365 Admin Center: Expand Settings then select Org settings. Under Services, pick Sway. Now, under Sharing, uncheck Let people in your organization share their sways with people outside your organization. Click Save. Monitor: To verify Sways cannot be viewed outside of your organization, use the Microsoft 365 Admin Center: Expand Settings then select Org settings. Under Services, pick Sway. Now confirm that under Sharing the followin

Application Permissions - Ensure Internal Phishing Protection for Forms is Enabled

Summary Microsoft Forms can be used for phishing attacks by asking for personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that can proactively scan forms for phishing attempts that request such personal information. Reason If internal phishing protection for Microsoft Forms is enabled, it can prevent attackers from using forms for phishing attacks via requests for personal or sensitive information or URLs. What If? If potential phishing is detected, the form will be temporarily blocked and no responses can be collected until it is unblocked by the administrator or the keywords are removed by the creator. How to? To set Microsoft Forms settings, use the Microsoft 365 Admin Center: Expand Settings then select Org settings. Under Services, pick Microsoft Forms. Now select the checkbox for Add internal phishing protection under Phishing protection. Click Save. Monitor: To verify Microsoft Forms settings, use the Microsoft 365 Admin

Application Permissions - Ensure Users Installing Word, Excel, and PowerPoint Add-ins is Not Allowed

Summary By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, which allows data access within the application. Users should not be permitted to install add-ins in Word, Excel, or PowerPoint. Reason Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. Although permitting users to install add-ins by themselves helps them easily acquire useful add-ins that integrate with Microsoft applications, it can also pose a risk if not used and monitored carefully. Users' future ability to install add-ins in Microsoft Word, Excel, or PowerPoint should be disabled, as this helps reduce the threat surface and mitigate risks. What If? This change can impact both end users and administrators. End users will not be able to install add-ins that they may want to install. How to? To prohibit users from installing Word, Excel, and PowerPoint add-ins, use the Microsoft 365 Admin Center: Select Settings

Application Permissions - Ensure Users Installing Outlook Add-ins Is Not Allowed

Summary By default, users can easily install add-ins in their Microsoft Outlook desktop client, hence allowing data access within the client application. Do not allow users to install add-ins in Outlook. Reason Attackers often use vulnerable and custom-built add-ins to access data in user applications. Although allowing users to install add-ins by themselves lets them easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Users' future ability to install add-ins in Microsoft Outlook should be disabled, so that the associated risk can be mitigated and the threat surface reduced. What If? This change can impact both end users and administrators. End users will not be able to integrate third-party applications they wish to use, and administrators may receive requests from end users to grant them permission to necessary third-party applications. How to? To prohibit user

Application Permissions - Ensure the User Consent Workflow is Enabled

Summary If the admin consent workflow is not enabled, users in a tenant will be blocked whenever they try to access any app that requires permissions to access organizational data. They will see a generic error message saying that they are unauthorized to access the app and should ask their admin for help. Reason This setup offers a secure way to grant access to applications requiring admin approval. When a user is unable to provide consent, they can send a request for admin approval via email to the admins designated as reviewers. A reviewer will act on the request, and the user will be notified of the action. What If? In order to approve requests, a reviewer must already have one of the global administrator, cloud application administrator, or application administrator roles assigned; simply designating them as a reviewer doesn't elevate their privileges. How to? To enable the admin consent workflow (Preview), use the Microsoft 365

Application Permissions - Ensure User Consent to Apps Accessing Company Data on their Behalf is not Allowed

Summary By default, users can consent to applications accessing an organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns, but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization. Users should not be able to grant consent to apps accessing company data on their behalf. Reason Attackers often use custom applications to trick users into granting them access to company data. While allowing users to consent by themselves lets them acquire useful applications that integrate with Microsoft 365, Azure and other services, it can also represent a risk if not used and monitored carefully. Future user consent operations must be disabled to help reduce the threat surface and mitigate risks. However, even if user consent is disabled, previous consent grants will st

Application Permissions - Ensure Office 365 SharePoint Infected Files are Disallowed for Download

Summary By default, SharePoint Online allows the download of files detected by Defender for Office 365 as infected. Reason As the name suggests, Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files; whenever an infected file is detected, it is automatically blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. What If? The only potential impact associated with implementing this setting is the potential inconvenience related to the small percentage of false positive detections that may occur. How to? To set O365 SharePoint to disallow download of infected files, use PowerShell: Connect using Connect-SPOService; you will need to enter the URL for your SharePoint Online admin page https://*-admin.sharepoint.com as well as a Global Admin account. Run the following PowerShell command to set the value to True. Set-SPOTe

Application Permissions - Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled

Summary Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files. Reason The Safe Attachments feature stated above protects your organization from inadvertently sharing malicious files. Whenever a malicious file is detected, it will be blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. What If? The impact of this setting is minimal and equivalent to the impact associated with anti-virus scanners in an environment. How to? To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, use the Microsoft 365 Admin Center: Under Admin centers click Security in order to open Microsoft 365 Defender. Under Email & collaboration select Policies & rules. Now click Global Settings. Click the toggle to Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams. Select Save. To enable Safe Attachments for SharePoint, OneDrive, and