After the positive feedback of Ben Menesi's session at the 2019 SPS Ottawa, he was asked to repeat it at Salt Lake M365 Friday in February 2020.
Abstract: Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
https://www.linkedin.com/in/benedekmenesi/
Office 365 in today's digital threats landscape: attacks & remedies from a hacker - Salt Lake M365 Friday
1. Make Your Data Work For You
Office365 from a Hacker's perspective
Real life threats, tactics and remedies
Ben Menesi
Ottawa, Canada
5 October, 2019
2. Speaker
• Ben Menesi
– VP Products & Innovation at panagenda
– Started out in the IBM world
– SharePoint & Exchange Admin & Dev
– Certified Ethical Hacker v9 and OSCP student
– Enjoys breaking things
– Speaker at IT events around the globe (SPS New York City, Toronto, Calgary, Montreal, Geneva, Cambridge)
– Owns a bar (recently)
@BenMenesi
3. panagenda
• Who we are
– HQ in Vienna, Austria
– Offices in Boston, Germany, The Netherlands and Australia
– >10M user licenses across over 80 countries
4. Panagenda – what we do
• Quality of Service monitoring using bots
5. Panagenda – what we do
• Teams Analytics & Organizational Intelligence
7. Statistics
• Some numbers from the field
– Verizon's 2017 & 2018 Data Breach Investigations Report: 53,000 incidents & 2,216 data breaches
58% Victims are businesses with < 1000 employees (62% in 2017)
92% Malware vectors: Email (6.3% Web, 1.3% other)
68% Breaches took months(!!!) to discover
8. Statistics
• Some numbers on Phishing
– Avanan's Global Phish Report: https://www.avanan.com/hubfs/2019-Global-Phish-Report.pdf | 55.5M emails analyzed
– BakerHostetler's DSIR Report (750+ incidents): https://f.datasrvr.com/fr1/019/33725/2019_BakerHostetler_DSIR_Final.pdf
33% Phishing mails passed through Exchange Online Protection
43% Branded phishing emails impersonating Microsoft
90% Emails after malware or credentials
34% Office365 account exposure after compromised device
9. On-Prem. Vs. Cloud Security
• Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
10. On-Prem. Vs. Cloud Security
• Disadvantages of using cloud services
Vulnerability / Risk Mitigation is out of our control
Part of a larger, very attractive attack surface
Less flexibility in customizing defenses
11. Vulnerability Mitigation
• Practical example
– Basestriker attack: gets around Microsoft's ATP SafeLinks by leveraging the <base> tag:
▪ Traditional way to embed URLs in a phishing email:
▪ Using the <base> tag:
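As an added example (not from the deck): the check a link-rewriting filter such as SafeLinks has to perform to see the same URL the mail client opens. A scanner that only rewrites absolute hrefs never sees a link split between `<base href>` and a relative `href`; resolving against the base closes that gap. The sample HTML and the placeholder host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed samples of the two embedding styles the slide contrasts
# (placeholder host, not a real domain).
PLAIN_HTML = '<p><a href="https://phish.example/auth">Sign in</a></p>'
BASE_HTML = ('<html><head><base href="https://phish.example/"></head>'
             '<body><p><a href="auth">Sign in</a></p></body></html>')

class LinkCollector(HTMLParser):
    """Records the first <base href> and every <a href> in document order."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]      # renderers honour only the first <base>
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

def _collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser

def naive_links(html):
    """What a rewriter sees if it only looks for absolute http(s) hrefs and ignores <base>."""
    return [h for h in _collect(html).hrefs if urlsplit(h).scheme in ("http", "https")]

def effective_links(html):
    """The absolute URLs the mail client will actually open: relative hrefs are
    resolved against <base href>, exactly as the renderer does."""
    p = _collect(html)
    return [urljoin(p.base, h) if p.base else h for h in p.hrefs]

def link_hosts(html):
    """Hostnames a scanner should evaluate for the message (for reputation lookups)."""
    return {urlsplit(u).hostname for u in effective_links(html)}
```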
12. Vulnerability Mitigation
• Vulnerability Lifecycle
02.05.2018: Microsoft alerted by Avanan
02.05.2018: Proofpoint alerted by Avanan
16.05.2018: Microsoft fixes vulnerability
14 days between report and fix
14. Ransomware Attacks
Why are they so important?
▪ DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017
▪ WannaCry: 150 countries, estimated at $4B
▪ NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
▪ 54% of companies experienced one or more successful attacks
▪ Total cost of a successful cyber attack is over $5M or $301 / employee
15. Ransomware Attacks
How do they spread?
▪ 60% of ransomware attacks come from infected emails
BUT:
▪ Also, vulnerable (application) servers
▪ Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
▪ Malware infection likely through SMBv1 open on a web server
▪ Aftermath: $2.6M cost
16. Decrypting Ransomware
▪ Cautionary tale: Herrington & Company gets ransomwared
▪ Engages Data Recovery company to retrieve data
▪ DR company quotes $6000 to recover data
▪ Data recovery is WAY too fast
▪ FBI confirms that PDR indeed paid ransom to decrypt victim's files
▪ https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
▪ How do we prevent ransomware?
17. Ransomware Protection
▪ Microsoft introduced Files Restore in OneDrive
▪ Allows you to restore the entire OneDrive account to a previous point in time within 30 days
▪ Monitors file assets and notifies when an attack is detected (allegedly ☺)
18. Ransomware Protection
▪ Careful!
▪ Real time notification might not be as accurate as we think
▪ AxCrypt encryption on OneDrive files stays under the radar
▪ Ransomware prevention: have users store important data
in OneDrive
20. ▪ Email Encryption: End-to-end encryption
▪ Prevent Forwarding: Restrict email recipients from forwarding or copying emails you send (plus: attached MS Office docs are encrypted even after downloading)
▪ What happens if the recipient is outside your organization:
Email Encryption
22. ▪ Revoking Encrypted Messages
▪ This one is thanks to Albert Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/
▪ Encrypted status means: email & content didn't leave the perimeter.
▪ You can use Message Trace to locate the outgoing mail and then use PowerShell to:
▪ Query the OME status: Get-OMEMessageStatus -MessageID "message id"
▪ Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageID "message id"
Email Encryption
23. ▪ Revoking Encrypted Messages
▪ Because the data never left the perimeter, it's the 'link' that's broken at the moment of revocation, and the recipient will get this:
Email Encryption
25. ▪ In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications
▪ Phishing campaigns could trick users into granting access to applications
▪ https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
▪ Exploit first demonstrated by Kevin Mitnick
Illicit Consent Grants
26. ▪ Exploit Scenario
▪ Demo
▪ Infrastructure
Illicit Consent Grants
(Diagram: User, Apache Web Server, Hacker)
34. ▪ Consent is key
▪ Why build integrated applications?
▪ Using various APIs, you can grant apps access to your tenant data:
▪ Mail, calendars, contacts, conversations
▪ Users, groups, files and folders
▪ SharePoint sites, lists, list items
▪ OneDrive items, permissions and more
▪ Integration: Azure AD provides secure sign-in and authorization
▪ Developer registers the application with Azure AD
▪ Assign permissions to the application
▪ Tenant administrator / user must consent to permissions
Digital #metoo era
35. ▪ Registering the application
▪ Who can register applications in your tenant?
▪ By default: any member! This can be a security issue
▪ Keep in mind: there is a record of what data was shared with which application. Also: when a user adds / allows an application to access their data, the event can be audited (Audit reports)
▪ See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
Azure AD Applications
37. ▪ Authorization flow: let's simplify
▪ User consents to permissions required by the app
▪ Application asks for authorization from the Azure AD
▪ Azure AD makes the user sign in and returns a code to the application
▪ Application uses the code to retrieve a JWT bearer token to use the resource (Microsoft Graph API)
▪ Keep in mind: JWT doesn't authenticate, only authorizes!
Azure AD Applications
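Added example (not from the deck) tying slide 34's permission list to slide 37's flow: the bearer token the app ends up holding carries the consented permissions as claims, and those claims, not the signed-in user's identity, decide what the app may touch. The token here is a constructed, unsigned demo using Azure AD's claim names (aud, appid, upn, scp, roles); the risk list is an assumption to tune per tenant.

```python
import base64
import json

# Delegated Graph permissions a consent reviewer would flag (assumed list; tune per tenant).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Sites.ReadWrite.All", "Directory.ReadWrite.All"}

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part):
    part += "=" * (-len(part) % 4)            # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(part))

def constructed_access_token(scopes):
    """Build an UNSIGNED demo token with Azure AD's claim names.
    Constructed sample data: the signature segment is empty, the app id is a placeholder."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com",
               "appid": "APP-ID-PLACEHOLDER",
               "upn": "alice@corp.example",
               "scp": " ".join(scopes)}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."

def decode_claims(token):
    """Return the payload claims. This only READS the token; a resource server must
    verify the signature against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return _b64url_decode(parts[1])

def granted_scopes(token):
    """scp = delegated permissions (user consented), roles = application permissions (admin consented)."""
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())
    scopes |= set(claims.get("roles", []))
    return scopes

def risky_scopes(token):
    """What the token authorizes that sits on the review list: the app may read or
    write this data for the consenting user regardless of who operates the app."""
    return granted_scopes(token) & HIGH_RISK_SCOPES
```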
39. ▪ Remedy: Restricting app registrations
▪ Azure Portal > Azure Active Directory > User Settings
Azure AD Applications
40. ▪ Remedy: Restricting consent grants
▪ Azure Portal > Azure Active Directory > User Settings
▪ Watch out! This means that all application consent will be REQUIRED to be done by Global Admins
Azure AD Applications
41. ▪ Remedy: Enumerating apps and permissions
▪ Enumeration using PowerShell:
▪ Install the AzureAD PowerShell module
▪ Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
▪ Connect to Azure AD:
Connect-AzureAD
▪ Use PowerShell script: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
▪ Example:
.\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
Azure AD Applications
49. ▪ Brute forcing office365 logins
▪ In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers
▪ Brute Force attack unique: targeting multiple cloud providers
▪ 100,000 failed login attempts from 67 IPs and 12 networks over 7 months
▪ Slow and low to avoid intrusion detection
▪ Unsuccessful login attempts used up to 17 variations of each user's name
▪ Passwords likely the same (password spray attack)
▪ https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
Brute Force Attacks
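Added example (not from the deck): a small detection over constructed sign-in events that separates the "slow and low" password spray described above (one source, many accounts, one or two tries each, staying below the lockout threshold) from a classic brute force against a single account. The events and the thresholds are assumptions.

```python
from collections import defaultdict

def constructed_events():
    """Constructed sign-in events (user, source_ip, result), not real tenant data:
    a spray from one source, a brute force against one account, and normal noise."""
    events = [(f"user{i}@corp.example", "198.51.100.7", "Failure") for i in range(6)]
    events += [("alice@corp.example", "203.0.113.9", "Failure")] * 10
    events += [("bob@corp.example", "192.0.2.44", "Success"),
               ("bob@corp.example", "192.0.2.44", "Failure")]
    return events

def classify_sources(events, spray_users=5, spray_max_avg=3, brute_attempts=8):
    """Label each source IP from its failed sign-ins (thresholds are assumptions):
    'spray'       - failures spread over >= spray_users accounts, few tries per account
                    (each account stays under the 10-try lockout the deck describes)
    'brute_force' - >= brute_attempts failures concentrated on one account
    'ok'          - anything else (ordinary typos)"""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    for user, ip, result in events:
        if result == "Failure":
            failures[ip][user.lower()] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        accounts = len(per_user)
        total = sum(per_user.values())
        if accounts >= spray_users and total / accounts < spray_max_avg:
            verdicts[ip] = "spray"
        elif max(per_user.values()) >= brute_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "ok"
    return verdicts
```

Per-source counting is the point: a per-account rule never fires on a spray, because no single account ever reaches the lockout threshold.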
50. ▪ How hard is it to acquire the right login names?
▪ Demo
Brute Force Attacks
51. ▪ Account Lockout in Office365
▪ Before 02/04/2019:
▪ 10 unsuccessful attempts: captcha
▪ Another 10: lockout (10 mins)
▪ In reality: 10 tries = lockout
▪ No customization allowed
Brute Force Attacks
52. ▪ Account Lockout in Office365
▪ As of 02/04/2019: WOOHOO ☺
Brute Force Attacks
53. ▪ Credential stuffing: using login + password combos exposed in data breaches against Office365
▪ About 85% of users reuse passwords
▪ Enforcing unique passwords for the enterprise is impossible
A new(ish) attack / vulnerability
54. ▪ What is credential stuffing: leverages previous data breaches to obtain user name + password combinations via bots
Credential Stuffing
55. ▪ Problem: attacker might only need one single attempt for successful intrusion
▪ Cloudflare estimates success rate at 0.1% = weak
▪ 1M logins = 1k successful logins: still a major issue
▪ Prevention possibilities
▪ 1.) Multi Factor Authentication
▪ 2.) Bot management systems (IP Reputation database) to prevent bots from login attempts
▪ 3.) Due diligence in breached data
Credential Stuffing
56. ▪ Suggestion:
▪ Use MFA AND regularly scan for breached accounts
▪ How to scan breached accounts:
▪ Troy Hunt's https://haveibeenpwned.com offers a $3.50/month subscription for using their API
▪ Using the REST API, you can retrieve any and all accounts that have been exposed in data breaches.
▪ Here's how:
Credential Stuffing: Prevention
57. ▪ 1.) Purchase a subscription at: https://haveibeenpwned.com/API
▪ 2.) Simple GET request with headers & domain param.
Credential Stuffing: Prevention
59. ▪ What could’ve stopped all this?
MFA
▪ Interesting story about MFA:
https://goo.gl/CFcA5t
Brute Force Attacks
60. ▪ Good news: management through
the app is better
Brute Force Attacks
61. ▪ MFA – the elephant in the room
▪ 2 serious outages in 2018 alone
Brute Force Attacks
62. ▪ MFA – in case of emergencies
▪ Consider implementing a break glass account (via Exclusions from Baseline MFA Policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
▪ Azure AD Portal > Conditional Access
Brute Force Attacks
63. ▪ The way around MFA
▪ Recent breaches discovered by Proofpoint: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
▪ Essentially: using IMAP to get around MFA by mimicking legacy email clients
Brute Force Attacks
64. MFA exploit
Highlights
▪ 100,000 unauthorised login attempts analyzed (December 2018 onwards)
▪ 72% of tenants were targeted at least once
▪ 40% of tenants had at least 1 compromised account
▪ 15 of 10,000 active user accounts breached
65. ▪ Microsoft's response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
▪ Require MFA
▪ Block clients that don’t support modern auth.
▪ App Passwords
Brute Force Attacks
66. ▪ Available as part of Threat Intelligence (available in Office365 Enterprise E5)
▪ You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled
Attack Simulator
Spear Phishing Campaigns
Password Brute-Force Attacks
Password Spray Attacks
67. ▪ Where do you find it: protection.office.com > Threat Management
Attack Simulator
68. ▪ Spear Phishing campaigns
▪ Tip: target users identified as top targeted in the Threat
Management dashboard
▪ Tip2: You’ll need to enable Office Analytics
Attack Simulator
69. ▪ Spear Phishing campaigns
▪ User tries to log in to phishing site
▪ Redirected to awareness page
Attack Simulator
70. ▪ Spear Phishing campaigns
▪ Tip: best to use your own phishing landing site ;)
Attack Simulator
71. ▪ Brute Force Password
▪ Use a pre-set word list against one or multiple user accounts
▪ Uses the same method an attacker would
▪ I mean literally: watch out! Currently this locks out the user account.
▪ Only supports very limited password lists (Internal server error at 10k passwords)
▪ Best online resources for common credentials: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
Attack Simulator
72. ▪ Password Spray Attack
▪ Tries one or a few passwords against all accounts
▪ Story: known password against two accounts
▪ Both accounts DID have that password
▪ Why?
▪ Gotcha: second user had MFA enabled, which doesn't appear to be supported.
Attack Simulator
73. ▪ Generally available in office365 – Security & Compliance
▪ Tracks major malware campaigns (WannaCry, Petya, etc.)
▪ Lets you track the impact of these campaigns in your tenant
Threat Tracker
74. ▪ Security Analytics tool
▪ Applies numeric score to security settings
▪ Uses benchmarking to compare to other Office365 subscribers
▪ Access Secure Score here: https://securescore.office.com
Secure Score
75. Secure Score
▪ Total score, improvement actions and history
▪ Actual recommendations and improvement tracking
76. Secure Score
▪ How does it work?
▪ Currently takes 77 data points into consideration
(Chart: Secure Score Recommendations by Type: Apps, Data, Device, Identity)
77. Secure Score
▪ Focus areas (products)
(Chart, scale 0-25: Azure AD, Exchange Online, Intune, Cloud App Security, Microsoft Information Protection, OneDrive for Business, SharePoint Online, Skype for Business)
78. Secure Score
▪ Issues
▪ No Teams suggestions
▪ Quite a few recommendations require E5
▪ MFA for everyone – what if I want a break-glass account?
79. ▪ About generating random passwords
▪ Current password format isn’t hard to guess:
▪ Tip: make sure to have users modify their passwords on first login
Office365 passwords
81. ▪ Guessing random passwords
▪ Pretty easy to create a password list for brute-force:
▪ Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
▪ File size: only ~ 1GB
Office365 passwords
82. ▪ Simulate attacks against your own environment
▪ Keep an eye out for more attack simulation tools
▪ Use your own phishing tactics and word lists
▪ Educate users on strong passwords
Conclusion
84. Thank You
Questions & Feedback: LOVE IT
Get in touch: ben.menesi@panagenda.com
Presentation online: slideshare.net/benedek.Menesi
@BenMenesi
Linkedin.ca/in/benedekmenesi