Cybersecurity and Microsoft 365 in Action

#M365May @M365May M365May.com @SP_Twit
CYBERSECURITY AND
MICROSOFT 365
IN ACTION
SÉBASTIEN PAULET
@SP_TWIT

THANK YOU TO OUR SPONSORSTHANK YOU TO OUR SPONSORS

TRADITIONAL OWNERS
We acknowledge the traditional custodians of the land on which this online conference is
hosted, and the traditional custodians of the lands where our Australian-based speakers
and participants are located.
We would also like to pay our respects to Elders past, present and future
Tēnā koutou, tēnā koutou, tēnā tātou katoa.
On behalf of M365 May we would like to welcome and acknowledge all our speakers and
participants from Aotearoa New Zealand. Thank you for supporting this hui.
Tēnā koutou, tēnā koutou, tēnā tātou katoa.
WELCOME TO OUR SPEAKERS AND PARTICIPANTS FROM AROUND THE WORLD

SÉBASTIEN PAULET
Document Mgt, Compliance, IT Security, Lean
Blog : https://sppublish.wordpress.com/

6
Security and M365

MICROSOFT 365
Windows Office 365 EM+S

ENTERPRISE MOBILITY +
SECURITY
 Azure Active Directory Premium
 Azure MFA
 Azure Advanced Protection
 Microsoft Cloud App Security
 Azure Information Protection Premium
 Azure Right Management Premium
 Intune

THIS SESSION PROGRAM
 Fraud to the Chairman / Phishing
 Brute force / spray attack
 Bypassing MFA
 Enduser data leak
 Admins data leak
 Endpoint robbery / loss
 Cryptolocker

10
Fraud to the
Chairman /
Phishing

FRAUD TO THE CHAIRMAN /
PHISHING
 Decreases for large companies, an increase for small and medium-sized enterprises
(SMEs)
 To protect yourself :
 Awareness
 Don't leave information on the Internet
 ACTION : Prevent email spoofing by implementing SPF, DKIM, DMARC

EXCHANGE ONLINE PROTECTION
(EOP)
 Feature included in O365. Add-on for Exchange On-Premise
 Incoming emails:
 Filter
 Antivirus
 Policies check
 Anti Spam
 [EMS]If ATP, ATP
 Delivery

[EMS]OFFICE 365 ATP
 Safe Links
 Antiphishing protection of risky mailboxes (max 60 mailboxes protected)
 Attachments analysis

14
Brute force / spray
attack

BREAK A PASSWORD
 Password spray
 Brute force
 User base purchase (73% of users reuse pwd)
 Phishing
 Keylog
 Written passwords
 Extortion

SIMULER UNE ATTAQUE SPRAY/BRUTE
FORCE (O365 E5)
Top 10 passwords:
 123456
 password
 000000
 1qaz2wsx
 a123456
 abc123
 abcd1234
 1234qwer
 qwe123
 123qwe

PREVIEW : ENDUSERS CHECK THEIR
OWN LOGIN DATA
See: https://mysignins.microsoft.com or https://myprofile.microsoft.com/

REGULAR MFA
 Included with Office 365
 Set up the session
cache/authentication method.
 [EMS]Conditional Access
 Keep an admin account without
MFA (Glass breaker) with
random password of 20
characters minimum

DISABLE LEGACY PROTOCOLS
Microsoft will disable basic
authentication protocols (except
SMTP) from October 2020
Protocol / service Parameter (for Policies)
Exchange Active Sync (EAS) AllowBasicAuthActiveSync
Autodiscover AllowBasicAuthAutodiscover
IMAP4 AllowBasicAuthImap
MAPI over HTTP (MAPI/HTTP) AllowBasicAuthMapi
Offline Address Book (OAB) AllowBasicAuthOfflineAddressBook
Outlook Service AllowBasicAuthOutlookService
POP3 AllowBasicAuthPop
Reporting Web Services AllowBasicAuthReportingWebServices
Outlook Anywhere (RPC over HTTP) AllowBasicAuthRpc
Authenticated SMTP AllowBasicAuthSmtp
Exchange Web Services (EWS) AllowBasicAuthWebServices
PowerShell AllowBasicAuthPowerShell

DISABLE AUTOMATIC EMAIL FORWARD
 First action a pirate does once he enters an account : email forward
 Block it by running Exchange Online Powershell Module
<# Delete existing forwards #>
PS > $AllForwards = Get-Mailbox -ResultSize Unlimited -Filter
{(RecipientTypeDetails -ne "DiscoveryMailbox") -and
((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne
$null))} | Select Identity
PS > $AllForwards | % {Set-Mailbox -Identity $_.Identity -
ForwardingSmtpAddress $null -ForwardingAddress $null}
<# Disable forward creation #>
PS > Set-RemoteDomain Default -AutoForwardEnabled $false

22
Bypass MFA

BYPASS 2FA
 Jack Dorsey, Twitter CEO. Hacked by SIM SWAP in August 2019

MITM MFA TOOL : EVILGINX

MITM MFA DEMO : EVILGINX
@SP_twit #aOSNoumea

PASSWORDLESS WITH
AUTHENTICATOR
 On enduser side, go to https://aka.ms/mysecurityinfo to set up Authenticator (requires
recording the phone)
 Don’t protect against MitM attacks

FIDO2
 MIIT attack proof

29
Enduser data leak

INTERNAL THREAT
Source : Haystax Insider threat report 2019

SENSITIVITY LABELS
 Office 365 E3 requis
 Disponible in Outlook, SharePoint, OWA and O365 Pro Plus clients

SENSITIVITY LABELS - EFFECTS
 File encryption
-> Unable to open for unauthorized / not authenticated
users
 Restriction of permissions
-> Disabling copy and paste, printing, screenshot, email
transfer, etc.
 Watermarking
-> on Word files
 [EMS] Blocking copy on USB key / Attachments on non
O365 services
-> Requieres WIP (Windows Information Protection) and
Intune

INFORMATION PROTECTION / RMS
 IRM on O365 (by O365 E3)
 Bring the sharepoint-level permissions to the document.
 Public/private key system and on-the-fly encryption
(public keys RSA 2048 bits, and SHA-256 for signatures)
 See https://docs.microsoft.com/fr-fr/information-protection/understand-explore/how-does-it-work
 Breakable system as soon as you have the “View Only” permissions https://github.com/RUB-NDS/MS-RMS-Attacks

[EMS] CASB WITH CLOUD APP
SECURITY
 Prevent shadow IT
 Licence EMS E5 required
 Allows log/proxy analysis to detect
unauthorized SaaS applications.
 Portal :
https://portal.cloudappsecurity.com/

35
Admin data leak

HE WAS SHAREPOINT ADMIN

POLP – PRINCIPLE OF LEAST
PRIVILEGES APPLIED TO M365 ADMIN
Better security (Snowden only needed backups)
Minimizing the surface of external attacks
Limiting the spread of viruses

GENERAL RECOMMENDATIONS
 Nominal admin accounts.
 2 to 4 global admin accounts MAX
 1 or 2 icebreaker accounts (20+ chars pwd, renewal of password after use and
periodically).
 Dedicated machines to use admin accounts
 MFA/Passwordless mandatory
 Delegation of rights on the principle of the least privilege.

40
Endpoint robbery /
loss

ENDPOINT ROBBERY / LOSS

GENERAL RECOMMENDATIONS
 Bitlocker encryption of hard drives (possibility of becoming local admin otherwise)
 Implementation of MDM/MAM solutions

MDM / MAM
 System Center Configuration Manager (SCCM)
 « old »
 For Windows
 Part of System Center
 Integrable in Intune
 MDM pour O365
 Included in O365
 iOS, Andoid, Windows compatible
 Security policies (password requirement)
 Remote wipe
 [EMS]Microsoft Intune
 Complete MDM
 Included in EMS or apart
 Does MDM for O365
 + Mac OS
 + Apps deployment
 + In App policies (retrict
Copy/paste)

[EMS] REMOTE TERMINAL WIPE FROM
ENDPOINT MANAGER
 https://devicemanagement.microsoft.com/

45
Cryptolockers and
ransomwares

SECURE ACTIVE DIRECTORY
 AD remains the first point of vulnerability

ONEDRIVE FOR BUSINESS
 Use OneDrive to sync Desktop / My documents / Pictures

RESTORING ONEDRIVE, SHAREPOINT
AND TEAMS DOCUMENTS


[EMS] BLOCK UNSAFE MACHINES
WITH INTUNE
 Create an Intune policy https://devicemanagement.microsoft.com/


50
And if I have no
time?

SAFETY IF YOU START FROM
SCRATCH A TENANT
 Admin MFA
 Users MFA
 Deactivation of legacy
protocols
 MFA for actions with privilege
 This is the future of Microsoft
default settings within 5 years

COMPETITION WEEK 4
SCAN THE QR CODE TO ENTER THE PRIZE DRAW
COMPETITION AND PRIZE RULES
m365may.com/competition-rules

Cybersecurity and Microsoft 365 in Action

Recommended

Recommended

More Related Content

Similar to Cybersecurity and Microsoft 365 in Action

Similar to Cybersecurity and Microsoft 365 in Action (20)

More from Sébastien Paulet

More from Sébastien Paulet (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity and Microsoft 365 in Action

Editor's Notes