Posts

Showing posts from June, 2023

Auditing - Ensure The Report Of Users Who Have Had Their Email Privileges Restricted Due To Spamming Is Reviewed

Summary: The Restricted entities page in the Microsoft 365 Defender portal lists the user accounts that have been restricted from sending email. When one of the outbound sending limits is exceeded, the user is blocked from sending email but can still receive it.

Reason: Users on the restricted users list have a high probability of being compromised. Reviewing the list helps in remediating these accounts and, only then, unblocking them.

How to? To review the report, use the Microsoft 365 Admin center: go to Security to open the Security portal. Under Email & collaboration, navigate to Review. Click Restricted Entities. Review the alerts and take the appropriate action (unblocking) only after the account has been remediated.

Monitor: To verify the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.
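The same review can be scripted from Exchange Online PowerShell so that it runs on a schedule rather than depending on someone opening the portal. The script below is an added example, not code from the original post: it lists the restricted senders with the reason they were blocked and unblocks only the addresses on a remediated list. It assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module); the $remediated list is a constructed placeholder.

```powershell
# Added example (not from the original post): weekly review of senders that
# Exchange Online has restricted for exceeding outbound limits. Assumes an
# existing Connect-ExchangeOnline session. $remediated is a constructed
# placeholder for accounts SecOps has already cleaned up.
$remediated = @('alice@contoso.example')   # constructed placeholder list

$restricted = Get-BlockedSenderAddress
if (-not $restricted) {
    Write-Host 'No restricted senders.'
    return
}

# Reason tells you why the block happened (outbound spam / bulk limits);
# CreatedDatetime lets you spot accounts that keep getting re-blocked.
$restricted |
    Select-Object SenderAddress, Reason, CreatedDatetime, ChangedDatetime |
    Sort-Object CreatedDatetime -Descending |
    Format-Table -AutoSize

foreach ($entry in $restricted) {
    if ($remediated -contains $entry.SenderAddress) {
        # Unblock only after remediation (password reset, sessions revoked,
        # inbox rules cleaned, MFA re-registered); otherwise the attacker
        # simply resumes sending.
        Remove-BlockedSenderAddress -SenderAddress $entry.SenderAddress
        Write-Host "Unblocked $($entry.SenderAddress)"
    } else {
        Write-Warning "$($entry.SenderAddress) still restricted: $($entry.Reason)"
    }
}
```

Unblocking without remediation is the common mistake here: the restriction is a symptom, and lifting it before the account is cleaned just re-enables the spam run.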

Auditing - Ensure Microsoft Defender For Cloud Apps Is Enabled

Summary: Enabling Microsoft Defender for Cloud Apps gives visibility into suspicious activity in Microsoft 365, so that potentially problematic situations can be investigated and, if needed, acted on.

Reason: Alerts are raised for atypical or suspicious activity. Administrators can see how the organization's data in Microsoft 365 is accessed and used, suspend user accounts that exhibit suspicious activity, and require users to sign in to Microsoft 365 apps again after an alert has been triggered.

How to? To enable Microsoft Defender for Cloud Apps, use the Microsoft 365 Admin center: go to Security. Select More Resources. Select Open under Microsoft Defender for Cloud App Security. Ensure the dashboard opens and the feature is enabled.

Monitor: To verify Microsoft Defender for Cloud Apps is enabled, use the Microsoft 365 Admin center: select Security. Select More Resources. Select Open under Microsoft Defender for Cloud App Security. Ensure t

Auditing - Ensure The Spoofed Domains Report Is Reviewed Weekly

Summary: Spoof intelligence, found under the Anti-spam settings in the Security Center, should be used to review all senders that are spoofing either domains belonging to the organization or external domains. Spoof intelligence is available as part of Office 365 Enterprise E5, separately as part of Defender for Office 365, and, since October 2018, in Exchange Online Protection (EOP).

Reason: Malicious actors spoof domains to trick users, through phishing emails, into taking actions they normally would not or should not take. Running this report keeps messaging administrators informed of current activity and of the phishing techniques in use; the information can also be used to brief end users and to plan against future campaigns.

How to? To review the report, use the Microsoft 365 Admin center: go to Security. Under Email & collaboration, click Policies & rules, then select Threat policies. Under Rules, click Tenant Allow / Block Lists

Auditing - Ensure Non-Global Administrator Role Group Assignments Are Reviewed At Least Weekly

Summary: Non-global administrator role group assignments should be reviewed at least weekly.

Reason: Although these roles are less powerful than Global Administrator, they grant special privileges that can be misused. If anything unusual is seen, the user must be contacted to confirm there is a legitimate need.

How to? To review non-global administrator role group assignments, use the Microsoft 365 Admin center: go to Security. Click Audit, then select Search. For Activities, set Added member to Role and Removed a user from a directory role. Set Start date and End date. Click Search. Review the results.

Monitor: To verify non-global administrator role group assignments are being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.

Auditing - Ensure The Account Provisioning Activity Report Is Reviewed At Least Weekly

Summary: This report lists the details of any account provisioning attempted by an external application.

Reason: If no third-party provider is used to manage accounts, any entry on the list is likely illicit; otherwise, the report is a good way to monitor transaction volumes and to look for new or unusual third-party applications that are managing users. If anything unusual is seen, the provider must be informed so that the authenticity of the action can be determined.

How to? To review the report, use the Microsoft 365 Admin center: select Security. Click Audit, then select Search. Set Activities to Added user under User administration activities. Set Start date and End date. Click Search. Review the results. To review the Account Provisioning Activity Report with the Exchange Online PowerShell module: connect to Exchange Online using Connect

Auditing - Ensure All Security Threats In The Threat Protection Status Report Are Reviewed At Least Weekly

Summary: All security threats should be reviewed at least weekly in the Threat protection status report, which shows specific instances of Microsoft blocking a malware attachment from reaching your users, phishing being blocked, impersonation attempts, and so on.

Reason: This report is not strictly actionable, but reviewing it gives a sense of the overall volume of the various security threats targeting your users, which may prompt the adoption of more aggressive threat mitigations.

How to? To review the report, use the Microsoft 365 Admin center: select Security. Click Reports and, under Email & collaboration, select Email & collaboration reports. Under Threat protection status, click View details. Review the chart and look at the Email malware statistics.

Monitor: To verify that the report is being reviewed at least weekly, confirm t

Auditing - Ensure Mail Forwarding Rules Are Reviewed At Least Weekly

Summary: Exchange Online can be configured to forward email automatically through transport rules in the admin center, auto-forwarding set per mailbox, and client-side rules in Outlook. Administrators and users alike therefore have several ways to forward email outside the organization automatically and quickly.

Reason: Reviewing these rules weekly gives the messaging administrator insight into possible attempts to exfiltrate data from the organization. It also builds a baseline of legitimate user activity, which in turn helps to identify the more malicious activity of bad actors if and when they choose to use this side channel.

What If? There is no impact to reviewing these reports.

How to? To review mail forwarding rules, use the Microsoft 365 Admin Center: go to the Exchange admin center. Expand Reports, then pick Mail flow. Click the Auto forwarded messages report. Review. Note: Mail flow reports cannot be viewed from the
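The Auto forwarded messages report only shows messages that were actually forwarded; the configuration that will forward the next message lives in three separate places. The script below is an added example, not code from the original post, that enumerates all three (mailbox-level forwarding, inbox rules including hidden ones, and transport rules that redirect or blind-copy) and flags targets outside the tenant's accepted domains. It assumes an existing Connect-ExchangeOnline session; the Test-ExternalTarget helper and its handling of recipient strings are this example's own assumptions.

```powershell
# Added example, not part of the original post: enumerate the three places
# where automatic forwarding can be configured in Exchange Online and flag
# targets outside the organization's accepted domains. Assumes an existing
# Connect-ExchangeOnline session (ExchangeOnlineManagement module).
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget([string[]]$targets) {
    # Inbox-rule targets look like '"Name" [SMTP:user@domain]'; internal
    # recipients may appear as legacy DNs without an '@' and are treated as
    # internal (assumption). Returns $true if any target is a foreign domain.
    foreach ($t in $targets) {
        if (-not $t -or $t -notmatch '@') { continue }
        $domain = ($t -split '@')[-1].TrimEnd(']')
        if ($internalDomains -notcontains $domain) { return $true }
    }
    return $false
}

# 1. Mailbox-level forwarding (set by admins, or by users via Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules, including hidden ones, which attackers commonly create after
#    taking over a mailbox. One Get-InboxRule call per mailbox, so this is slow
#    on large tenants; run it as a scheduled job.
$ruleFindings = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            [pscustomobject]@{
                Mailbox  = $mb.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = Test-ExternalTarget $targets
                Targets  = ($targets -join '; ')
            }
        }
}
$ruleFindings | Sort-Object External -Descending | Format-Table -AutoSize

# 3. Transport (mail flow) rules that redirect or blind-copy messages.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo |
    Format-Table -AutoSize
```

Keep the previous week's output and diff against it: a new external target on an existing mailbox is the signal, while long-standing forwards to a known partner are the baseline the post talks about.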

Auditing - Ensure The User Role Group Changes Are Reviewed At Least Weekly

Summary: Role-based access control assigns permissions to users according to their roles within the organization. It is a more manageable form of access control that is less prone to error. These role memberships can be audited in Microsoft Purview, giving a security auditor insight into user privilege changes.

Reason: Reviewing the changes weekly makes it easier to identify which changes are actually required in the organization, and so to maintain least privilege and prevent privilege creep. Insider threats, intentional or unintentional, can occur when a user holds more privileges than needed; keeping accountability over role membership limits the scope of damage that insiders and malicious actors can do.

What If? Enabling this setting will require administrators who assign rights to users to justify the changes to the security auditors. Documentation including detailed policies, procedures, and change requests will need to be co
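This post, the one on non-global administrator role group assignments, and the one on the account provisioning activity report all come down to the same unified audit log search with different activity names. The script below is an added example, not code from any of the original posts, that pulls the last seven days of role membership changes and user creations in one pass and flags user creations performed by a non-user actor (an application or service principal). It assumes an existing Connect-ExchangeOnline session; the operation strings are the ones recorded under the AzureActiveDirectory record type, and the Role.DisplayName property name used to extract the role is an assumption about the AuditData payload.

```powershell
# Added example (not part of the original posts): seven-day review of directory
# role membership changes and user-creation events from the unified audit log.
# Assumes an existing Connect-ExchangeOnline session. Operation names are the
# AzureActiveDirectory record-type strings (note the trailing periods).
$end   = Get-Date
$start = $end.AddDays(-7)

$ops = @(
    'Add member to role.',        # "Added member to Role" in the portal
    'Remove member from role.',   # "Removed a user from a directory role"
    'Add user.'                   # "Added user" (account provisioning)
)

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory -Operations $ops -ResultSize 5000

$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Role events carry the role name in ModifiedProperties (assumed property
    # name 'Role.DisplayName'); user adds carry the new UPN in ObjectId.
    $role = ($d.ModifiedProperties |
             Where-Object { $_.Name -eq 'Role.DisplayName' }).NewValue -replace '"', ''
    [pscustomobject]@{
        When      = $e.CreationDate
        Operation = $e.Operations
        Actor     = $e.UserIds      # account or app that made the change
        Target    = $d.ObjectId
        Role      = $role
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Provisioning by something that is not a user (no '@' in the actor) should
# match a known provisioning connector; anything else needs a follow-up.
$rows |
    Where-Object { $_.Operation -eq 'Add user.' -and $_.Actor -notmatch '@' } |
    ForEach-Object { Write-Warning "User $($_.Target) created by non-user actor $($_.Actor)" }

# Any role change not backed by a change request goes back to the actor.
$rows | Where-Object { $_.Operation -ne 'Add user.' } |
    Group-Object Actor | Select-Object Name, Count | Format-Table -AutoSize
```

Search-UnifiedAuditLog caps a single call at 5000 results; on a large tenant, split the window per day or use -SessionCommand ReturnLargeSet to page through.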

Auditing - Ensure The Self-Service Password Reset Activity Report Is Reviewed At Least Weekly

Summary: Microsoft 365 allows users to reset their own password if they forget it. The self-service password reset activity report logs each time a user successfully resets a password this way and should be reviewed at least weekly.

Reason: An attacker who compromises an account can change its password to something only they control.

How to? To review the report, perform the following steps in the Azure Portal: go to portal.azure.com. Click Azure Active Directory. Click Usage & insights under Monitoring. Select Authentication methods activity and the Usage tab. Review the list of users who have reset their passwords in the last seven days by clicking Self-service password resets and account unlocks

Auditing - Ensure The Application Usage Report Is Reviewed At Least Weekly

Summary: This report gives a usage summary for all Software as a Service (SaaS) applications integrated with the directory.

Reason: Reviewing the list of app registrations regularly lets you look for risky apps enabled by users that could cause data spillage or accidental elevation of privilege. Attackers often gain illicit access to data through third-party SaaS applications.

How to? To review the report, perform the following steps in the Azure Portal: go to portal.azure.com. Click Azure Active Directory. Select Enterprise applications. Review the information.

Monitor: To verify that the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.

Auditing - Ensure The Azure AD 'Risky Sign-ins' Report Is Reviewed At Least Weekly

Summary: This report lists accounts whose activity indicates they may be compromised, for example accounts that have:
- signed in successfully after multiple failures, which can indicate that the password was cracked;
- signed in to your tenant from a client IP address that Microsoft recognizes as an anonymous proxy (such as the Tor network);
- had two successful sign-ins that appear to originate from different regions, with too little time between them for the user to have travelled between those regions.

Reason: Reviewing this report regularly allows compromised accounts to be identified and remediated.

How to? To review the report, perform the following steps in the Azure portal: go to portal.azure.com. Click Azure Active Directo

Auditing - Ensure Mailbox Auditing For All Users Is Enabled

Summary: Enabling mailbox auditing helps Microsoft 365 back-office teams track logons to a mailbox and the actions taken while the user is logged on. When mailbox audit logging is turned on for a mailbox, the audit log can be searched for mailbox activity, including the actions performed by administrators, delegates, and owners that are logged by default.

Reason: Since January 2019, Microsoft has turned on mailbox audit logging by default for all organizations, which means that certain actions performed by mailbox owners, delegates, and admins are logged automatically, and the corresponding mailbox audit records can be searched in the mailbox audit log. Note that turning on this default setting does not change the AuditEnabled property of the affected mailboxes from False to True; the per-mailbox AuditEnabled property is ignored. Only certain mailbox types support default auditing: user mailboxes, shared mailboxes, Microsof

Auditing - Ensure Microsoft 365 Audit Log Search Is Enabled

Summary: Enabling audit log search in Microsoft Purview compliance records user and admin activity across the organization, retained for 90 days. If an organization uses a third-party Security Information and Event Management (SIEM) application to consume the audit data, a global admin can turn off audit log search in Microsoft 365.

Reason: This setting lets Office 365 back-office teams investigate activity for routine security operations or for forensic purposes.

How to? To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center: log in as an administrator. Navigate to the Microsoft Purview compliance portal at https://compliance.office.com. Under Solutions, select Audit. Click Start recording user and admin activity next to the information warning at the top. Click Yes on the dialog box to confirm. To enable Microsoft 365 audit log search via Exchange Online PowerShell: connect to Exchange
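The audit log search setting in this post and the mailbox auditing setting in the previous post are the two prerequisites every other weekly review on this page depends on: with ingestion off, Search-UnifiedAuditLog returns nothing for the period it was off, and with mailbox auditing off, mailbox activity is never recorded. The script below is an added example, not code from either original post, that checks both from Exchange Online PowerShell and enables whatever is off. It assumes an existing Connect-ExchangeOnline session; it limits the per-mailbox step to the user and shared mailbox types named in the mailbox auditing post.

```powershell
# Added example (not from the original posts): check and enforce the two audit
# prerequisites, unified audit log ingestion and mailbox auditing. Assumes an
# existing Connect-ExchangeOnline session (ExchangeOnlineManagement module).

# 1. Unified audit log search (Purview Audit).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing on by default at the organization level. Note the
#    inverted name: AuditDisabled = $false means auditing is on.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing on by default is OFF; enabling it now.'
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Belt and braces: also set the per-mailbox AuditEnabled flag on user and
#    shared mailboxes, so auditing survives if the org-wide default is ever
#    turned back off. The org-wide default ignores this flag, so it is not a
#    replacement for step 2.
$types = @('UserMailbox', 'SharedMailbox')
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $types -contains $_.RecipientTypeDetails -and -not $_.AuditEnabled }

foreach ($mb in $unaudited) {
    Set-Mailbox -Identity $mb.Identity -AuditEnabled $true
    Write-Host "Enabled mailbox auditing on $($mb.UserPrincipalName)"
}

# Final state for the reviewer's record.
[pscustomobject]@{
    UnifiedAuditLogIngestionEnabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    MailboxAuditDisabled            = (Get-OrganizationConfig).AuditDisabled
    MailboxesFixed                  = @($unaudited).Count
}
```

Run the final state object through the same weekly job that performs the reviews, so that a silently disabled audit log shows up as a finding rather than as an empty search result.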

Email Security/Exchange Online - Ensure MailTips Are Enabled For End Users

Summary: MailTips help end users notice unusual patterns in the email they send.

Reason: MailTips give users a visual cue whenever they send email to a large group of recipients or to recipients outside the tenant.

How to? To enable MailTips, use the Exchange Online PowerShell module: start the module and connect using Connect-ExchangeOnline. Then run the following PowerShell command:

Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'

Monitor: To verify MailTips are enabled, use the Exchange Online PowerShell module: start the module and connect using Connect-ExchangeOnline. Then run the following PowerShell command:

Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold

Email Security/Exchange Online - Ensure Notifications For Internal Users Sending Malware Is Enabled

Summary: Exchange Online Protection (EOP) is the cloud-based filtering service that protects an organization against spam, malware, and other email threats. It is included in all Microsoft 365 organizations with Exchange Online mailboxes. EOP uses flexible anti-malware policies that can be set to notify admins of malicious activity.

Reason: This setting alerts an administrator when an internal user sends infected messages, which indicates a compromised account or machine that needs to be investigated. Note: the audit and remediation guidance focuses on the Default policy, but if the tenant has custom policies, make sure the setting is configured as outlined in the highest-priority policy.

What If? Notifying an administrator about an account with potential issues should not impact the user.

How to? To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center: click Security to open the Sec
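Because a custom policy with a higher priority overrides the Default policy for the recipients it covers, the check has to cover every anti-malware policy, not just Default. The script below is an added example, not code from the original post: it lists all anti-malware policies with their notification settings and the rule priorities that decide which one applies, then turns on the internal-sender admin notification where it is off. It assumes an existing Connect-ExchangeOnline session; the notification mailbox is a constructed placeholder.

```powershell
# Added example (not from the original post): audit and fix the internal-sender
# admin notification on every anti-malware policy. Assumes an existing
# Connect-ExchangeOnline session. $notifyAddress is a constructed placeholder.
$notifyAddress = 'secops@contoso.example'

# Which policy applies to a recipient is decided by rule priority (lowest
# number wins); Default applies only where no custom rule matches.
Get-MalwareFilterRule |
    Select-Object Name, MalwareFilterPolicy, Priority, State |
    Sort-Object Priority |
    Format-Table -AutoSize

$policies = Get-MalwareFilterPolicy
$policies |
    Select-Object Identity, IsDefault, EnableInternalSenderAdminNotifications,
                  InternalSenderAdminAddress |
    Format-Table -AutoSize

foreach ($p in $policies) {
    # A policy with the flag on but no address set still sends nothing.
    $needsFix = (-not $p.EnableInternalSenderAdminNotifications) -or
                (-not $p.InternalSenderAdminAddress)
    if ($needsFix) {
        Set-MalwareFilterPolicy -Identity $p.Identity `
            -EnableInternalSenderAdminNotifications $true `
            -InternalSenderAdminAddress $notifyAddress
        Write-Host "Fixed internal-sender notifications on policy '$($p.Identity)'"
    }
}
```

Point the notification at a monitored SecOps mailbox or a ticketing alias, not at an individual admin; the alert is only useful if someone acts on it the same day.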

Email Security/Exchange Online - Ensure That DMARC Records For All Exchange Online Domains Are Published

Summary: Publish Domain-based Message Authentication, Reporting and Conformance (DMARC) records for each Exchange Online accepted domain.

Reason: DMARC works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders, so that destination email systems can trust messages sent from the organization's domain.

What If? Setting up DMARC records should have no impact, but the organization must set the record up properly to ensure continuous mail flow.

How to? To add DMARC records, use the following steps:
1. For each Exchange Online accepted domain, add the following record to DNS:
   Record: _dmarc.domain1.com
   Type: TXT
   Value: v=DMARC1; p=none;
2. This creates a basic DMARC policy that only audits compliance: p=none reports on failures but does not ask receivers to quarantine or reject them.

Monitor: To verify that DMARC records are published, perform the following steps: open a command prompt. For each accepted domain in Exchange Online, type the following command:
nslookup -type=txt _dmarc.do

Email Security/Exchange Online - Ensure That SPF Records Are Published For All Exchange Domains

Summary: A corresponding Sender Policy Framework (SPF) record should be created for every domain configured in Exchange.

Reason: SPF records let Exchange Online Protection and other mail systems know where messages from the domain are allowed to originate. This information helps the receiving system decide how to treat a message, depending on whether it is spoofed or valid.

What If? Setting up SPF records should have minimal impact, but the organization must set them up properly, because mail can be flagged as spam if SPF is not configured correctly.

How to? To set up SPF records for Exchange Online accepted domains, perform the following steps:
1. If all email for a domain is sent from and received by Exchange Online, add the following TXT record for each accepted domain:
   v=spf1 include:spf.protection.outlook.com -all
2. If there are other systems that can send email in the environment, refer to this article for the pr

Email Security/Exchange Online - Ensure That DKIM Is Enabled For All Exchange Online Domains

Summary: DKIM should be used together with SPF and DMARC to prevent spoofers from sending messages that look as if they come from your domain.

Reason: If DKIM is enabled in Office 365, messages sent from Exchange Online are cryptographically signed. This lets the receiving email system validate that the messages were generated by a server authorized by the organization and are not spoofed.

What If? Setting up DKIM should not affect anything, but the organization must configure it correctly to ensure continuous mail flow.

How to? To set up DKIM, first add the DKIM records to DNS for each Exchange Online domain that you plan to send email from. After creating the DNS records, enable DKIM signing in the Office 365 Admin Portal: launch the Security Admin Center. Under E-mail & Collaboration, navigate to Policies & rules > Threat policies. Under Rules, pick DKIM. Click each domain and cl
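The three posts on DMARC, SPF and DKIM each verify one record per domain by hand. The script below is an added example, not code from any of the original posts, that does all three checks for every accepted domain in one run: it resolves the SPF and _dmarc TXT records, reads the DKIM signing state from Exchange Online, and enables DKIM signing where the selector CNAMEs are already published. It assumes an existing Connect-ExchangeOnline session and Resolve-DnsName from the Windows DnsClient module; the expected SPF string is the Exchange-Online-only record from the SPF post, and the Get-TxtRecord helper is this example's own.

```powershell
# Added example (not from the original posts): per-domain SPF / DMARC / DKIM
# posture check for every accepted domain. Assumes an existing
# Connect-ExchangeOnline session and Resolve-DnsName (Windows DnsClient).
$expectedSpf = 'v=spf1 include:spf.protection.outlook.com -all'

function Get-TxtRecord([string]$name) {
    # Returns each TXT record as one joined string; empty on NXDOMAIN/error.
    try {
        Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch { @() }
}

$dkim = Get-DkimSigningConfig
$report = foreach ($d in Get-AcceptedDomain) {
    $name  = $d.DomainName
    $spf   = Get-TxtRecord $name | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Get-TxtRecord "_dmarc.$name" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $sign  = $dkim | Where-Object { $_.Domain -eq $name }

    # p=none only reports; quarantine/reject actually enforce.
    $policy = if ($dmarc -and $dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }

    [pscustomobject]@{
        Domain      = $name
        SpfPresent  = [bool]$spf
        SpfHardFail = [bool]($spf -and $spf -match '-all\s*$')   # -all, not ~all / +all
        SpfExpected = [bool]($spf -eq $expectedSpf)
        DmarcPolicy = $policy
        DkimEnabled = [bool]($sign -and $sign.Enabled)
    }
}
$report | Format-Table -AutoSize

# Enable DKIM signing where the selector1 CNAME is already in DNS; otherwise
# Exchange rejects the change, so print the CNAMEs the admin has to publish.
foreach ($r in $report | Where-Object { -not $_.DkimEnabled }) {
    $cname = Resolve-DnsName -Name "selector1._domainkey.$($r.Domain)" -Type CNAME -ErrorAction SilentlyContinue
    $existing = $dkim | Where-Object { $_.Domain -eq $r.Domain }
    if ($cname) {
        if ($existing) { Set-DkimSigningConfig -Identity $r.Domain -Enabled $true }
        else { New-DkimSigningConfig -DomainName $r.Domain -Enabled $true | Out-Null }
        Write-Host "DKIM signing enabled for $($r.Domain)"
    } elseif ($existing) {
        Write-Warning "$($r.Domain): publish these CNAMEs first: $($existing.Selector1CNAME), $($existing.Selector2CNAME)"
    } else {
        Write-Warning "$($r.Domain): run New-DkimSigningConfig -DomainName $($r.Domain) -Enabled `$false to obtain the CNAME targets"
    }
}
```

A domain that shows SpfPresent but not SpfHardFail (a ~all or +all record) and DmarcPolicy none is the usual finding: everything is "published" yet nothing is enforced, which is exactly the state a spoofer needs.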

Email Security/Exchange Online - Ensure That an Anti-Phishing Policy Has Been Created

Summary: Office 365 includes built-in features that help protect users from phishing attacks by default. Anti-phishing policies can also be set up to raise the level of protection, for example by refining the settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users in the organization and is a single place to fine-tune anti-phishing protection. Custom policies can be created for specific users, groups or domains within the organization and take precedence over the default policy for the users they are scoped to.

Reason: The policy protects users from phishing attacks (such as impersonation and spoofing) and uses safety tips to warn users about potentially harmful messages.

What If? Turning on an anti-phishing policy has no impact; safety tips are displayed when applicable.

How to? To set the Anti
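The portal wizard hides which settings actually raise protection above the default. The script below is an added example, not code from the original post: it creates (or updates) a custom anti-phishing policy with impersonation protection, mailbox intelligence, spoof intelligence and the safety tips turned on, scopes it to all accepted domains, and then prints the settings that matter for every policy including Default. It assumes an existing Connect-ExchangeOnline session with Defender for Office 365 licensing; the policy name, the protected-user list and the partner domain are constructed placeholders.

```powershell
# Added example (not from the original post): custom anti-phishing policy with
# impersonation, mailbox intelligence and spoof protection. Assumes an existing
# Connect-ExchangeOnline session and Defender for Office 365 licensing.
$policyName     = 'Phish-Strict'                          # constructed placeholder
$protectedUsers = @('CEO;ceo@contoso.example')            # "DisplayName;smtp", placeholder
$partnerDomains = @('partner.example')                    # constructed placeholder
$domains        = (Get-AcceptedDomain).DomainName

$params = @{
    Name                                = $policyName
    Enabled                             = $true
    PhishThresholdLevel                 = 2              # 1 standard .. 4 most aggressive
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'   # SPF/DKIM/DMARC composite fail
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $partnerDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
}

if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy @params | Out-Null
    # The rule is what scopes the policy; without it the policy applies to nobody.
    New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName -RecipientDomainIs $domains | Out-Null
} else {
    $params.Remove('Name')
    Set-AntiPhishPolicy -Identity $policyName @params
}

# Verify Default and custom policies side by side.
Get-AntiPhishPolicy |
    Select-Object Name, IsDefault, Enabled, PhishThresholdLevel, EnableSpoofIntelligence,
                  EnableMailboxIntelligence, EnableTargetedUserProtection,
                  EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection |
    Format-Table -AutoSize
```

Start with the impersonation actions set to Quarantine rather than Delete so that false positives on legitimate look-alike senders can be released while the protected-user list is tuned.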

Email Security/Exchange Online - Ensure Safe Attachments Policy Is Enabled

Summary: When enabled, this policy extends malware protection by routing every message and attachment without a known malware signature to a special hypervisor environment, where behavioural analysis using a variety of machine learning and analysis techniques detects malicious intent.

Reason: The policy helps identify and stop previously unknown malware more accurately.

What If? Delivery of email with attachments may be delayed while scanning takes place.

How to? To enable the Safe Attachments policy, use the Microsoft 365 Admin Center: select Security to open the Microsoft 365 Defender portal. Under E-mail & Collaboration, navigate to Policies & rules > Threat policies. Under Policies, select Safe Attachments. Click + Create. Enter a policy name and description. Pick Block, Monitor, Replace or Dynamic Delivery. Select Save.

Monitor: To verify the Safe Attachments policy
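A Safe Attachments policy only does something when it is enabled, its rule is not disabled, and the rule actually covers the recipients; the portal's "policy exists" view hides all three. The script below is an added example, not code from the original post: it creates a Block policy scoped to all accepted domains if none exists under that name, then prints the policy, rule and tenant-wide SharePoint/OneDrive/Teams state needed to verify it. It assumes an existing Connect-ExchangeOnline session with Defender for Office 365 licensing; the policy name is a constructed placeholder.

```powershell
# Added example (not from the original post): create and verify a Safe
# Attachments policy. Assumes an existing Connect-ExchangeOnline session and
# Defender for Office 365 licensing. $policyName is a constructed placeholder.
$policyName = 'SafeAttachments-Block'
$domains    = (Get-AcceptedDomain).DomainName

if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # Action: Block holds the whole message; Replace strips only the attachment;
    # DynamicDelivery delivers the body first and swaps the attachment in after
    # scanning; Allow is the portal's "Monitor" (deliver and log only).
    New-SafeAttachmentPolicy -Name $policyName -Enable $true -Action Block `
        -QuarantineTag AdminOnlyAccessPolicy | Out-Null
    # The rule scopes the policy; without a rule it applies to nobody.
    New-SafeAttachmentRule -Name $policyName -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs $domains | Out-Null
}

# Verify. Enable = False on the policy, or State = Disabled on the rule, means
# no protection even though the policy shows up in the list.
Get-SafeAttachmentPolicy |
    Select-Object Name, Enable, Action, Redirect, QuarantineTag |
    Format-Table -AutoSize
Get-SafeAttachmentRule |
    Select-Object Name, State, Priority, SafeAttachmentPolicy, RecipientDomainIs |
    Format-Table -AutoSize

# Files shared through SharePoint, OneDrive and Teams are covered by a separate
# tenant-wide switch, not by the mail policy above.
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs
```

Dynamic Delivery removes most of the delay the post warns about, at the cost of users seeing a placeholder attachment until detonation finishes; Block is the safer default for domains that rarely receive urgent attachments.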

Email Security/Exchange Online - Ensure Mail Transport Rules Do Not Whitelist Specific Domains

Summary: Exchange Online mail transport rules should not whitelist any specific domains.

Reason: If domains are whitelisted in transport rules, their mail bypasses the regular malware and phishing scanning, which lets an attacker launch attacks against any user from a safe-haven domain.

What If? Care should be taken to confirm there is no business need for case-by-case whitelisting. Removing all whitelisted domains will affect incoming mail flow, although modern systems sending legitimate mail should have no issues with it.

How to? To alter the mail transport rules so that they do not whitelist any specific domain, use the Microsoft 365 Admin Center: select Exchange. Go to Mail flow and Rules. For each rule that whitelists specific domains, select the rule and click the Delete icon. To remove mail transport rules, you may also use the Exch
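"Whitelisting" in a transport rule concretely means a rule that sets the spam confidence level to -1 (bypass spam filtering) conditioned on the sender's domain. The script below is an added example, not code from the original post: it finds those rules, shows them, does a dry run of the removal, and only then deletes them with confirmation. It assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the original post): find and remove mail flow rules
# that bypass spam filtering (SCL -1) for a sender domain. Assumes an existing
# Connect-ExchangeOnline session (ExchangeOnlineManagement module).
$suspect = Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs }

if (-not $suspect) {
    Write-Host 'No transport rules whitelist sender domains.'
    return
}

# A disabled rule is still a finding: it can be re-enabled in one click.
$suspect |
    Select-Object Name, State, Priority, SenderDomainIs, SetSCL |
    Sort-Object Priority |
    Format-Table -AutoSize

# Dry run first: -WhatIf prints what would be deleted without changing anything.
$suspect | ForEach-Object { Remove-TransportRule -Identity $_.Identity -WhatIf }

# Real removal, one confirmation prompt per rule. A rule with a documented
# business need should be narrowed (for example to the partner's sending IP
# range via SenderIpRanges plus an SPF pass) instead of left as a blanket
# domain bypass; that rewrite is a per-case decision and is not done here.
$suspect | ForEach-Object { Remove-TransportRule -Identity $_.Identity -Confirm:$true }
```

The sender-domain condition is trivially satisfied by a spoofed From address, which is why a domain-based SCL bypass is worse than no rule at all: the attacker gets both the domain's reputation and a filtering exemption.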