June 14, 2020 HAWKEYE

12 Steps to Secure Your Organization’s Office 365 Accounts Effectively

Recently, our Incident response team at HAWKEYE received a frantic call from one of our clients saying that their o365 email accounts seems to have been hacked. One of their investors received an email from an attacker asking them to transfer a huge amount of money to the client with the bank account details.

The email was sent as a follow up to an original email sent from our client, so that the investor did not have anything to suspect. Luckily the Investor already had the actual bank account details and the money was transferred to the right account belong to the client. On reviewing the bank account details shared in the email, the investor felt something abnormal and notified our client.

The primary question was how the attacker got a copy of a copy of the original email. There were many odds to suspect.

It can be:

  • An insider attack: where one of the recipients of the original email intentionally forwarded the email to the attacker
  • One of the recipient’s o365 account is compromised and the attacker was able to login to o365 webmail to view the emails
  • One of the recipient’s laptop or mobile phone was compromised where an email client is configured to review all emails.
  • The partners email account is compromised, so that the attacker has visibility to all the emails received by them.
  • And so on.

After detailed investigation on each email accounts part of this email and running through almost 200000 o365 logs, we concluded that one of the recipients had an auto-forward rule configured to the attacker’s email address without the user’s knowledge. Further digging in to it revealed that the user had received an email few months back with a Phishing payload. The email posed as one from the HR of the company. He clicked on the attachment that prompted him with a disguised o365 Login page. He had logged in with credentials and OTP. So, the attacker was able to login to the user’s webmail account and configure the auto-forward rule. How smart….

While most of the organizations move their email to o365 cloud to use ease of management, this brings us the question: How can we protect o365 email accounts? Here are 12 steps that must be implemented to protect o365 email space.

User Awareness Training:

I see the question mark on your face. Come-on… every security advisor says this. There is nothing technical about it.

Well, it’s high time we understand that the user is the most vulnerable asset for any organization. We can deploy security controls for every other vulnerability, but not for vulnerable user behavior. User ignorance or negligence has always had a high role in any data breaches or financial frauds in most of the reported cases. So, what to train the user: View our blog on User awareness training for effective email security.

Protect Your Admin Accounts:

Admin accounts are the most targeted attack vector on any application due to the high privileges they hold. It often gives god power to the attacker when they have cracked an Admin account. O365 Admins should be specially trained to keep their credentials safe along with MFA.

Set Strong Password Policy:

Passwords are both vulnerability and security of any application. As it’s hard to remember too many passwords, users would tent to use the same simple password for years across all their applications. This makes the attackers job easy to crack one application and use the same credentials on all other applications. O365 allows to set password policy that enforce user to set strong passwords that expires in a configured period of time. How to set Password policy from o365 portal: Read here.

Multi Factor Authentication (MFA):

So, what if the user still set a password which is easy to crack? We have Multi factor authentication for our rescue. Multifactor Authentication uses a second device (Like your phone) to receive a One-time-Password (OTP) and user must use this code to login along with their credentials. Each time the OTP changes. This is the easiest and secure way to protect from the credentials getting stolen.

To set up multi-factor authentication:

  1. In the admin center, select Users > Active Users.
  2. In the Active Users section, select Multi-Factor Authentication.
  3. On the Multi-Factor Authentication page, select User if you are enabling this for one user Or you can perform a Bulk Update.
  4. Select Enable under Quick Steps.
  5. In the pop-up window, choose Enable Multi-Factor Authentication.

Disable Auto-forwarding Rules:

In the above scenario I have mentioned, it was an Auto-forwarding Rule that put the entire organization in risk. Auto-forwarding email rules pointing to external domains should be explicitly denied and pointing to Internal accounts should be reviewed and limited.

How to block Auto forwarding Rules in o365:

  1. Go to the Exchange admin center.
  2. In the mail flow category, select rules.
  3. Select +, and then Create a new rule.
  4. Select More options at the bottom of the dialog box to see the full set of options.
  5. Apply the settings in the following table. Leave the rest of the settings at the default, unless you want to change these.
  6. Select Save.

Setting

Reject Auto-Forward emails to external domains

Name Prevent auto forwarding of email to external domains
Apply this rule if … The sender . . . is external/internal . . . Inside the organization
Add condition The recipient . . . is external/internal . . . Outside the organization
Add condition The message properties . . . include the message type . . . Auto-forward
Do the following … Block the message . . . reject the message and include an explanation.
Provide message text Auto-forwarding email outside this organization is prevented for security reasons.

Encrypt Your Office Messages:

Office 365 has Office Message Encryption enabled by default. This feature allows users to send encrypted messages between users within or external to the organization. Encrypted messages ensure protection against Man in the Middle attack. How to use Office Message Encryption on Outlook: Send, view, and reply to encrypted messages in Outlook for PC.

O365 Anti Malware protection:

O365 features Malware protection is an effective way to block infected payloads in email. Once enabled, this module examines each email attachment for known malware signatures and patterns and block positives.

How to setup o365 Malware protection: Read here.

Protect against Ransomware using Mail Flow Rules

Ransomware is the most effective attack due to ease of deployment and the lucrative ransom organization is expected to spend on retrieving data. With this technic, an attacker sends a malicious payload to users as an email attachment. Opening this attachment would run a script that would encrypt all the files on the user’s workstation. Then the attacker would offer to decrypt the message for a ransom, hence it’s called Ransomware. There is no direct way to block Ransomware as such as it can hit the user in any form. However, there are some effective measures which can be implemented.

  • Warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so we’ll warn users to not open these files from people they do not know.
  • Block file types that could contain ransomware or other malicious code. We’ll start with a common list of executables (listed in the table below). If your organization uses any of these executable types and you expect these to be sent in email, add these to the previous rule (warn users).

To create a mail transport rule, complete the following steps:

  1. Go to the Exchange admin center.
  2. In the mail flow category, select rules.
  3. Select +, and then Create a new rule.
  4. Select **** at the bottom of the dialog box to see the full set of options.
  5. Apply the settings in the following table for each rule. Leave the rest of the settings at the default, unless you want to change these.
  6. Select Save.

Setting

Warn users before opening attachments of Office files

Block file types that could contain ransomware or other malicious code

Name Anti-ransomware rule: warn users Anti-ransomware rule: block file types
Apply this rule if . . . Any attachment . . . file extension matches . . . Any attachment . . . file extension matches . . .
Specify words or phrases Add these file types:
dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm
Add these file types:
ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
Do the following . . . Notify the recipient with a message Block the message . . . reject the message and include an explanation
Provide message text Do not open these types of files—unless you were expecting them—because the files may contain malicious code and knowing the sender isn’t a guarantee of safety.

Protect against Phishing with o365 Advanced Threat Protection

Spear Phishing is a technique used by attackers where user will be sent an email which disguises itself as an email from a trusted party. The email may contain malicious attachment or links that can deploy the attackers indented payload on the user’s machine or force the user to perform an action favoring the attacker. This is the most used attack technic as it’s easy to deceive a user to believe that the email is from a trusted source.

O365 ATP features Anti-phishing policies. How to setup Anti-Phishing policy:

  1. Go to https://protection.office.com.
  2. In the Security & Compliance Center, in the left navigation pane, under Threat management, select Policy.
  3. On the Policy page, select ATP anti-phishing.
  4. On the Anti-phishing page, select + Create. A wizard launches that steps you through defining your anti-phishing policy.
  5. Specify the name, description, and settings for your policy as recommended in the chart below.
  6. After you have reviewed your settings, select Create this policy or Save, as appropriate.

Setting or option

Recommended setting

Name Domain and most valuable campaign staff
Description Ensure most important staff and our domain are not being impersonated.
Add users to protect Select + Add a condition, The recipient is. Type user names or enter the email address of the candidate, campaign manager, and other important staff members. You can add up to 20 internal and external addresses that you want to protect from impersonation.
Add domains to protect Select + Add a condition, The recipient domain is. Enter the custom domain associated with your Microsoft 365 subscription, if you defined one. You can enter more than one domain.
Choose actions If email is sent by an impersonated user: select Redirect message to another email address, and then type the email address of the security administrator; for example, securityadmin@contoso.com. If email is sent by an impersonated domain: select Quarantine message.
Mailbox intelligence By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting On for best results.
Add trusted senders and domains For this example, don’t define any overrides.
Applied to Select The recipient domain is. Under Any of these, select Choose. Select + Add. Select the check box next to the name of the domain, for example, contoso.com, in the list, and then select Add. Select Done.

O365 Safe Attachments:

O365 Safe Attachment policy scans for malware on email attachments and blocks the email that is infected. The policy is part of o365 ATP.

To enable Safe Attachment Policy

  1. Go to https://protection.office.com and sign in with your admin account.
  2. In the Security & Compliance Center, in the left navigation pane, under Threat management, select Policy.
  3. On the Policy page, select ATP safe attachments.
  4. On the Safe attachments page, apply this protection broadly by selecting the Turn on ATP for SharePoint, OneDrive, and Microsoft Teams check box.
  5. Select + to create a new policy.
  6. Apply the settings in the following table.
  7. After you have reviewed your settings, select Create this policy or Save, as appropriate.

NameBlock current and future emails with detected malware.

Setting or option

Recommended setting

Description Block current and future emails and attachments with detected malware.
Save attachments unknown malware response Select Block – Block the current and future emails and attachments with detected malware.
Redirect attachment on detection Enable redirection (select this box) Enter the admin account or a mailbox setup for quarantine. Apply the above selection if malware scanning for attachments times out or error occurs (select this box).
Applied to The recipient domain is . . . select your domain.

Effective Protection at End points and Email Clients:

With all the protection on the cloud enabled, emails will not be still protected if the email client is not secure. What if the attacker can compromise the user’s workstation or the email client? It sure would give visibility to all the emails the user has received and attacker can send emails on behalf of the user. Al least the following points should be considered for End point protection:

  • All users are only using email clients approved by security team.
  • Email clients should be using secured encryption protocols
  • Endpoint workstations are secured with EDR and Antivirus solutions.

Monitor o365 logs with SIEM Solution:

So, with all the above points covered, are we secured? a BIG NO. Attack technic are evolved every day, if not every hour. There are way too many unknown attack technics than the known ones. A pair of trained eyes are always our best bet to identify the anomalies that pass through all the detection systems. o365 logging must be collected a SIEM Solution which is closely monitored by well trained and experienced professionals.

At HAWKEYE, we use a State of the Art SIEM and AI Solution for o365 monitoring and is monitored by professionals with at least 5 years of experience on security analysis. Along with this our Security Research team is always active on hunting for new vulnerabilities, attack technics and effective counter measures. This helps us serving our clients with the best security service they can get.

This post is written by Ranjith KesavanSr. Cyber Security Lead – Operations Center (SOC and Blue Team) at DTS Solution

, , , , , ,


CONTACT US

We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.