Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies

Office365 from a
Hacker’s perspective
Real life threats, tactics and remedies
Twitter: @BenMenesi
http://www.ytria.com/sapio365

Speaker
 Head of Products at Ytria
 Started out in the IBM world (Admin & Developer)
 SharePoint & Exchange Admin and Developer
 Certified Ethical Hacker v9 and current OSCP student
 Enjoys breaking things
 Speaker at IT events around the globe on all things
collaboration and security (SPS Toronto, Calgary, Geneva,
Cambridge, Chicago etc…)
Ben Menesi
@BenMenesi
Twitter: @BenMenesi

Ytria
 Founded in ‘99 in Montreal, Canada
 Started in the IBM Software World
 500+ customers, 3k orgs, 165 countries
 Sapio365 GA Summer of 2018
Who we are
Twitter: @BenMenesi

Ytria
 Locally installed Administration Client for O365: Users, Groups, Teams, OneDrive & more
 PowerShell-less reporting, bulk updates, unparalleled security monitoring.
 Free for <50 users, 3 month key for anyone at Omaha SP UG: https://ytria.com/sapio365
What we do: sapio365
Twitter: @BenMenesi

Agenda
What we’ll cover today
Ransomware Attacks
Email security Multi-Factor Authentication
Illicit Consent Grants
Twitter: @BenMenesi

Statistics
Some numbers from the field
 Verizon’s 2017 & 2018 Data Breach Investigations Report:
https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-
breach-investigations-report/: 53000 incidents & 2216 data breaches
58% Victims are businesses with < 1000 employees (62% in 2017)
92%
68% Breaches took months(!!!) to discover
Twitter: @BenMenesi
Malware vectors: Email. (6.3% Web, 1.3% other)

On-Prem. vs. Cloud security
Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
Twitter: @BenMenesi

On-Prem. vs. Cloud security
Disadvantages of using cloud services
Vulnerability mitigation out of your control
Your organization is part of a larger attack surface
Less wiggle-room to tailor defenses to your needs
Twitter: @BenMenesi

Ransomware
 Basestriker attack: gets around Microsoft’s ATP SafeLinks by leveraging the
<base> URL tag.
Practical example
Twitter: @BenMenesi
 Traditional way to embed URLs in a phishing email:
 Using the <base> tag:

Ransomware
Attack Timeline
02.05.2018
Microsoft
alerted by
Avanan
02.05.2018
Proofpoint
alerted by
Avanan
16.05.2018
Microsoft
fixes
vulnerability
14 days
Twitter: @BenMenesi

Ransomware
A more recent attack: MFA bypass via IMAP
 https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-
credential-dumps-phishing-and-legacy-email-protocols
 Highlights (details discussed later)
 100,000 unauthorised login attempts analyzed (December 2018 – onwards)
 72% tenants were targeted at least once
 40% tenants had at least 1 compromised account
 15 of 10,000 active user accounts breached

Ransomware
Twitter: @BenMenesi

Ransomware attacks
 DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017
 WannaCry: 150 countries, estimated at $4B
 NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
 54% of companies experienced one or more successful attacks
 Total cost of a successful cyber attack is over $5M or $301 / employee
Why are they so important?
Twitter: @BenMenesi

How do they spread?
Ransomware Protection
 60% of ransomware attacks come from infected emails BUT:
 Also, vulnerable (application) servers
 Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
 Malware infection likely through SMBv1 open on a web server
 Aftermath: $2.6M cost
 Conclusion: Update, patch, pay attention
to cyber hygiene!
Twitter: @BenMenesi

 Cautionary tale: Herrington & Company gets ransomwared
 Engages Data Recovery company to retrieve data
 DR company quotes $6000 to recover data
 Data recovery is WAY too fast
 FBI confirms that PDR indeed paid ransom to decrypt victim’s files
 https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
 How do we prevent ransomware?
Decrypting Ransomware
Twitter: @BenMenesi

 Microsoft introduced Files Restore
OneDrive
 Allows to restore entire OneDrive
account to a previous point in
time within 30 days
 Monitors file assets notifies if an
attack is detected
Office365 Ransomware Protection
Twitter: @BenMenesi

 Careful!
 Real time notification might not be as accurate as we think
 AXCrypt encryption on OneDrive flies easily under the radar.
 Ransomware prevention: have users store important data in OneDrive
Office365 Ransomware Protection
Twitter: @BenMenesi

Email & Sharing
Twitter: @BenMenesi

 Email Encryption: End-to end
encryption
 Prevent Forwarding: Restrict email
recipients from forwarding or copying
emails you send (plus: MS Office docs.
Attached are encrypted even after
downloading)
 What happens if the recipient is
outside your organization:
New(ish) advanced email protection options
Email encryption
Twitter: @BenMenesi

OME: Automatically enabled
Email encryption
Twitter: @BenMenesi

 OME Viewer App. – Now deprecated
 iOS mail app didn’t support decrypting messages protected by OME.
 Rights restrictions become void (even though if using an Office365 mail
server, forwarding such a mail is still not allowed)
 To toggle this: Set-ActiveSyncOrganizationSettings –AllowRMSSupportForUnenlightenedApps <$true|$false>
 Note: previously encrypted messages won’t be viewable on IOS
 Review what’s new in OME: https://docs.microsoft.com/en-
us/office365/securitycompliance/set-up-new-message-encryption-capabilities
 Tip: customize your OME message look and feel: https://support.office.com/en-
us/article/add-your-organizations-brand-to-your-encrypted-messages-
7a29260d-2959-42aa-8916-feceff6ee51d
New advanced email protection options
Email encryption
Twitter: @BenMenesi

 This one is thanks to Al Hoitingh: https://alberthoitingh.com/2018/12/20/ome-
message-revocation/
 Encrypted status means: email & content didn’t leave the perimeter.
 You can use Message Trace to locate the outgoing mail and then use powershell
to:
 Query the OME status: Get-OMEMessageStatus -MessageID “message id”
 Set message as revoked: Set-OMEMessageRevocation -Revoke $true -
MessageID “message id”
Revoking Encrypted Messages
Email encryption
Twitter: @BenMenesi

Revoking Encrypted Messages
Email encryption
Twitter: @BenMenesi
Because the data never left perimeter, it’s the ‘link’ that’s broken at the moment of
revocation and recipient will get this:

Twitter: @BenMenesi

Azure AD applications
 In the light of the Facebook Cambridge Analytica scandal, we should take a
look at Azure AD registered applications
 Phishing campaigns could trick users into granting access to applications
 https://blogs.technet.microsoft.com/office365security/defending-
against-illicit-consent-grants/
 Exploit first demonstrated by Kevin Mitnick
Twitter: @BenMenesi

 Demo
 Infrastructure:
Exploit Scenario
Twitter: @BenMenesi
User Apache Web
Server
Hacker

 Infrastructure – bit more detail (Thanks to Albert Hoitingh)
Exploit Scenario

 Let’s see this live!
Exploit Scenario

 User receives a legit
looking email:
Exploit Scenario
Twitter: @BenMenesi

 Picks account to authenticate
Exploit Scenario
Twitter: @BenMenesi

 Presented with permissions that need
consent (and they make sense)
Exploit Scenario
Twitter: @BenMenesi

 All mails encrypted
 … and this is just one of many outcome possibilities
Exploit Scenario
Twitter: @BenMenesi

 Why build integrated applications?
 Using various APIs, you can grant apps access to your tenant data:
 Mail, calendars, contacts, conversations
 Users, groups, files and folders
 SharePoint sites, lists, list items
 OneDrive items, permissions and more
 Integration: Azure AD provides secure sign-in and authorization
 Developer registers the application with Azure AD
 Assign permissions to the application
 Tenant administrator / user must consent to permissions
Introduction – Digital #metoo era: Consent is key!
Twitter: @BenMenesi

 Who can register applications in your tenant?
 By default: any member! This can be a security issue
 Keep in mind: there is a record of what data was shared with which
application. Also: when user adds / allows application to access
their data, event can be audited (Audit reports)
 See more: https://docs.microsoft.com/en-us/azure/active-
directory/develop/active-directory-how-applications-are-added#who-
has-permission-to-add-applications-to-my-azure-ad-instance
Registering the application
Twitter: @BenMenesi

 Endpoint v1: Azure AD Admin center (aad.portal.azure.com) > Enterprise
Applications > New Application
Azure AD Endpoints: Endpoint 1
Twitter: @BenMenesi

 Endpoint v1 properties
 Only supports 1 platform / application
 Supports ALL
APIs
 Static permissions
Twitter: @BenMenesi

 Endpoint v2 properties (apps.dev.Microsoft.com)
 Supports multiple platforms
 Only supports Graph API
 Scopes vs. Resources (dynamic
permissions)
 Strategic new direction for Microsoft
 Gotcha: v1 and v2 aren’t compatible!
Twitter: @BenMenesi

 What you’ll need
 Application Name
Twitter: @BenMenesi

 Application password
Twitter: @BenMenesi

 Platform
 Redirect URL(s)
Twitter: @BenMenesi

 Platform
 Redirect URL(s)
 Owner(s)
 Permissions
 Delegated
 Application
Twitter: @BenMenesi

 Azure AD v1. endpoint permissions (delegated only): 87
 Azure AD v2. endpoint permissions
 Delegated: 77
 Application: 39
Permissions
Twitter: @BenMenesi

 Application will access and do stuff on your behalf: consent required
 Two types of consent:
 User can consent (limited scope actions, delegated permissions only)
 Admin must consent (larger scope actions, some delegated, all
application permissions)
Consent
Twitter: @BenMenesi

 Oauth2 / OpenID
Connect
Authorization flow
Twitter: @BenMenesi

 How does it work?
 User consents to permissions required by the app
 Application asks for authorization from the Azure AD
 Azure AD makes the user sign in and returns code to application
 Application uses code to retrieve JWT bearer token to use resource
(Microsoft Graph API)
 Keep in mind: JWT doesn’t authenticate, only authorizes!
 Hijacking the JWT token is extremely dangerous
Authorization flow
Twitter: @BenMenesi

How do you prevent illicit consent grants
Application Registration & consent restrictions
Regular application & permission enumeration
Cloud App Security
Educate users
Twitter: @BenMenesi

 Azure Portal > Azure Active Directory > User settings
Remedy: Restricting app registrations
Twitter: @BenMenesi

 Azure Portal > Azure Active Directory > User settings
Remedy: Restricting consent grants
Twitter: @BenMenesi

 While we’re at it…
 Simple users are by default allowed to access the Azure AD
Administration portal allowing them to view:
 All users’ group memberships
 All users’ assigned licenses and enabled services
 All users’ directory roles (find global administrator accounts)
 Best to disable this: Azure Active Directory > User Settings >
Administration Portal
Remedy: Restricting consent & app registrations
Twitter: @BenMenesi

 Enumerating applications using PowerShell:
 Install the AzureAD PowerShell module
 Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
 Connect to Azure AD:
Connect-AzureAD
 Use PowerShell script:
https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
 Example:
.Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -
NoTypeInformation
Remedy: Enumerating apps and permissions
Twitter: @BenMenesi

 What you get:
Twitter: @BenMenesi

 Gotcha: won’t show redirect URLs!
 To get Apps and Redirect URLs: Get-AzureRmADApplication
 Requires AzureRM.Resources and Connect-AzureRMADAccount:
Twitter: @BenMenesi

 Use “consent” string to filter:
Remedy: Searching your Audit Logs
Twitter: @BenMenesi

 Create an OAUTH App Security Policy
Remedy: Cloud App Security
Twitter: @BenMenesi

Remedy: Cloud App Security
Twitter: @BenMenesi

What you get with cloud app security from our scenario:
Twitter: @BenMenesi

Password Attacks
Twitter: @BenMenesi

Brute force attacks
 In the news in August 2017: sophisticated and coordinated attack against 48
Office365 customers
 Brute Force attack unique: targeting multiple cloud providers
 100,000 failed login attempts from 67 Ips and 12 networks over 7 months
 Slow and low to avoid intrusion detection
 Users see unsuccessful login attempts using name up to 17 name variations
 Passwords likely the same (password spray attack)
 https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-
office-365-accounts/
Brute forcing office365 logins
Twitter: @BenMenesi

Brute force attacks
 Demo
How hard is it to acquire the right login names?
Twitter: @BenMenesi

Brute force attacks
 Before this Tuesday (02/04/2019):
 10 unsuccessful attempts: captcha
 Another 10: lockout (10 mins)
 In reality: 10 tries = lockout
 No customization allowed
Account Lockout in Office365
Twitter: @BenMenesi

Brute force attacks
 As of Tuesday 02/04/2019 – WOOHOO! 
 https://techcommunity.microsoft.com/t5/Azure-Active-Directory-
Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-
p/377487#.XKYVYnSP8eU.twitter
Account Lockout in Office365
Twitter: @BenMenesi

Authentication
 Multi Factor Authentication
 Focus: cloud only -> Azure Active Directory MFA
 Grants access to users with a password / PIN / Security Token / Device /
DNA information.
 Free support for MFA on Office365 apps.
 Interesting story:
What could’ve stopped all this? MFA
Twitter: @BenMenesi

Authentication
MFA: true story
 I’ll just put this here…
 Thanks to @RachelTobac for this gem:
https://goo.gl/CFcA5t
Twitter: @BenMenesi

Authentication
MFA – true story
 Good news: management through
the app is better
Twitter: @BenMenesi

Authentication
MFA – the elephant in the room
 2 serious outages in 2018 alone.
Twitter: @BenMenesi

Authentication
MFA – in case of emergencies
 Consider implementing a break glass account (via Exclusions from Baseline
MFA policy): https://practical365.com/security/multi-factor-authentication-
default-for-admins/
 Azure AD Portal > Conditional Access
Twitter: @BenMenesi

Authentication
The way around MFA
 Recent breaches discovered by Proofpoint
 https://www.proofpoint.com/us/threat-insight/post/threat-actors-
leverage-credential-dumps-phishing-and-legacy-email-protocols
 Essentially: Using IMAP to get around MFA by mimicking legacy email clients
Twitter: @BenMenesi

Authentication
The way around MFA
 Microsoft’s response: https://docs.microsoft.com/en-us/microsoft-
365/enterprise/secure-email-recommended-policies
 Require MFA
 Block clients that don’t support modern auth.
 App Passwords
Twitter: @BenMenesi

Attack Simulation
 Available as part of Threat Intelligence (available in Office365 Enterprise E5)
 Follows logical penetration testing steps
 You must be a global administrator or member of the Security Admin group in
the Security & Compliance Center AND have MFA enabled on your account.
 What does it allow you to do?
 Requirements
 Multi Factor Authentication must be enabled
 Attack simulations must be set up
The all new Office365 Attack Simulator
Spear Phishing Campaigns
Password Brute-Force
Attacks
Password Spray Attacks
Twitter: @BenMenesi

Attack Simulation
 Where to find it: protection.office.com / Threat Management
The all new Office365 Attack Simulator
Twitter: @BenMenesi

Attack Simulation
 Only works for individual users (no groups for now)
 Tip: target users identified as top targeted in the Threat Management
dashboard
 Tip2: You’ll need to enable Office Analytics
Spear Phishing campaigns
Twitter: @BenMenesi

Attack Simulation
 User tries logs in to phishing site
 Redirected to awareness page
Twitter: @BenMenesi

Attack Simulation
 Tip: best to use your own phishing sites, google already flagged most of them.
Twitter: @BenMenesi

Attack Simulation
 Use a pre-set word list against one or multiple user accounts
 Uses the same method an attacker would
 I mean literally: watch out! Currently this locks out the user
account.
 Only supports very limited password lists (Internal server error at 10k
passwords)
 Best online resources for common credentials:
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Com
mon-Credentials
Brute Force Password
Twitter: @BenMenesi

Attack Simulation
 Tries one or a few passwords against all accounts
 Story: known password against two accounts
 Both accounts DID have that password
 Why?
 Gotcha: second user had MFA enabled, which doesn’t appear to be
supported.
Password Spray Attack
Twitter: @BenMenesi

Threat Tracker
 Tracks major malware campaigns (WannaCry, Petya, etc)
 Let’s you track the impact of these campaigns in your tenant
Generally available in office365 – Security & Complicance
Twitter: @BenMenesi

Office365 passwords
 Current (4th April 2019) password format isn’t hard to guess:
 Tip: make sure to have users modify their passwords on first login
About generating random passwords
Twitter: @BenMenesi

Office365 passwords
 Always 8 characters
 Starts with 3 letters
 Ends in 5 numbers
Guessing random passwords
ConsonantConsonants
21 21
Vowel
5
Numbers
10 10 10 10 10
220,500,000
Twitter: @BenMenesi

Office365 passwords
 Pretty easy to create a password list for brute-force:
 Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ
0123456789 bcdfghjklmnpqrstvwxyz –t ,@^%%%%%
 File size: only ~ 1GB
Guessing random passwords
Twitter: @BenMenesi

Office365 passwords
 Simulate attacks against your own environment
 Keep an eye out for more attack simulation tools
 Use your own phishing tactics and word lists
 Educate users on strong passwords
Conclusion
Twitter: @BenMenesi

Check out sapio365
Twitter: @BenMenesi
Download sapio365 (free for 3 months): www.ytria.com/sapio365

Thank you
Questions & Feedback welcome
Let’s connect! (ben.menesi@ytria.com)
@BenMenesi
Linkedin.ca/in/benedekmenesi
Twitter: @BenMenesi

Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies

Similar to Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies (20)

Recently uploaded

Recently uploaded (20)

Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies

Editor's Notes