Make Your Data Work For You
Office365 from a Hacker's perspective
Real life threats, tactics and remedies
Ben Menesi
Ottawa, Canada
5 October, 2019
Speaker
• Ben Menesi
– VP Products & Innovation at panagenda
– Started out in the IBM world
– SharePoint & Exchange Admin & Dev
– Certified Ethical Hacker v9 and OSCP student
– Enjoys breaking things
– Speaker at IT events around the globe (SPS New York City, Toronto, Calgary, Montreal, Geneva, Cambridge)
– Owns a bar (recently)
@BenMenesi
panagenda
• Who we are
– HQ in Vienna, Austria
– Offices in Boston, Germany, The Netherlands and Australia
– >10M user licenses across over 80 countries
Panagenda – what we do
• Quality of Service monitoring using bots
Panagenda – what we do
• Teams Analytics & Organizational Intelligence
Agenda
• What we’ll cover today
Ransomware Attacks
Email security
Multi-Factor Authentication
Illicit Consent Grants
Statistics
• Some numbers from the field
– Verizon’s 2017 & 2018 Data Breach Investigations Report: 53000 incidents & 2216 data breaches
58%: Victims are businesses with < 1000 employees (62% in 2017)
68%: Breaches took months(!!!) to discover
92%: Malware vectors: Email (6.3% Web, 1.3% other)
Statistics
• Some numbers on Phishing
– Avanan’s Global Phish Report: https://www.avanan.com/hubfs/2019-Global-Phish-Report.pdf | 55,5M emails analyzed
– BakerHostetler's DSIR Report (750+ incidents): https://f.datasrvr.com/fr1/019/33725/2019_BakerHostetler_DSIR_Final.pdf
33%: Phishing mails passed through Exchange Online Protection
90%: Emails after malware or credentials
43%: Branded phishing emails impersonating Microsoft
34%: Office365 account exposure after compromised device
On-Prem. Vs. Cloud Security
• Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
On-Prem. Vs. Cloud Security
• Disadvantages of using cloud services
Vulnerability / Risk Mitigation is out of our control
Part of a larger, very attractive attack surface
Less flexibility in customizing defenses
Vulnerability Mitigation
• Practical example
– Basestriker attack: gets around Microsoft’s ATP SafeLinks by
leveraging the <base> tag:
▪ Traditional way to embed URLs in a phishing email:
▪ Using the <base> tag:
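A defensive illustration, added here and not part of the original slides: a link extractor that resolves every `href` against the message's `<base>` tag before checking it, so a URL split between `<base>` and a relative link is judged as the browser would open it. The sample HTML, hostnames and blocklist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist standing in for a URL reputation lookup.
BLOCKED_HOSTS = {"phish.example.net"}

# Constructed sample bodies: the same destination, written two ways.
TRADITIONAL = (
    '<html><body>'
    '<a href="https://phish.example.net/login/index.html">Open document</a>'
    '</body></html>'
)
BASE_SPLIT = (
    '<html><head><base href="https://phish.example.net/"></head><body>'
    '<a href="login/index.html">Open document</a>'
    '</body></html>'
)


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            # Only the first <base href> in a document is honoured.
            self.base = href.strip()
        elif tag == "a":
            self.hrefs.append(href.strip())


def effective_links(html):
    """Returns (href as written, href as the client resolves it) pairs."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    base = parser.base or ""
    return [(raw, urljoin(base, raw)) for raw in parser.hrefs]


def scan(html):
    """Checks each link twice: as written and as resolved against <base>."""
    findings = []
    for raw, resolved in effective_links(html):
        findings.append({
            "raw": raw,
            "resolved": resolved,
            "raw_blocked": urlsplit(raw).hostname in BLOCKED_HOSTS,
            "resolved_blocked": urlsplit(resolved).hostname in BLOCKED_HOSTS,
            "split_by_base": raw != resolved,
        })
    return findings


if __name__ == "__main__":
    for name, body in (("traditional", TRADITIONAL), ("base tag", BASE_SPLIT)):
        for finding in scan(body):
            print(name, finding)
```

A scanner that only inspects the `href` value as written misses the second message; checking the resolved URL catches both.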
Vulnerability Mitigation
• Vulnerability Lifecycle
▪ 02.05.2018: Microsoft alerted by Avanan
▪ 02.05.2018: Proofpoint alerted by Avanan
▪ 16.05.2018: Microsoft fixes vulnerability
▪ Time to fix: 14 days
Ransomware
Ransomware Attacks
Why are they so important?
▪ DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017
▪ WannaCry: 150 countries, estimated at $4B
▪ NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
▪ 54% of companies experienced one or more successful attacks
▪ Total cost of a successful cyber attack is over $5M or $301 / employee
Ransomware Attacks
How do they spread?
▪ 60% of ransomware attacks come from infected emails
BUT:
▪ Also, vulnerable (application) servers
▪ Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
▪ Malware infection likely through SMBv1 open on a web server
▪ Aftermath: $2.6M cost
Decrypting Ransomware
▪ Cautionary tale: Herrington & Company gets ransomwared
▪ Engages Data Recovery company to retrieve data
▪ DR company quotes $6000 to recover data
▪ Data recovery is WAY too fast
▪ FBI confirms that PDR indeed paid ransom to decrypt victim’s files
▪ https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
▪ How do we prevent ransomware?
Ransomware Protection
▪ Microsoft introduced Files Restore for OneDrive
▪ Lets you restore an entire OneDrive account to a previous point in time within 30 days
▪ Monitors file assets and notifies you when an attack is detected (allegedly ☺)
Ransomware Protection
▪ Careful!
▪ Real time notification might not be as accurate as we think
▪ AxCrypt encryption on OneDrive files stays under the radar
▪ Ransomware prevention: have users store important data in OneDrive
Email & Sharing
▪ Email Encryption: End-to-end encryption
▪ Prevent Forwarding: Restrict email recipients from forwarding or copying emails you send (plus: attached MS Office docs are encrypted even after downloading)
▪ What happens if the recipient is outside your organization:
Email Encryption
▪ OME: Automatically Enabled
Email Encryption
▪ Revoking Encrypted Messages
▪ This one is thanks to Albert Hoitingh:
https://alberthoitingh.com/2018/12/20/ome-message-revocation/
▪ Encrypted status means: email & content didn’t leave the perimeter.
▪ You can use Message Trace to locate the outgoing mail and then use PowerShell to:
▪ Query the OME status: Get-OMEMessageStatus -MessageID "message id"
▪ Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageID "message id"
Email Encryption
▪ Revoking Encrypted Messages
▪ Because the data never left the perimeter, it’s the ‘link’ that’s broken at the moment of revocation and recipient will get this:
Email Encryption
Illicit Consent Grants
▪ In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications
▪ Phishing campaigns could trick users into granting access to applications
▪ https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
▪ Exploit first demonstrated by Kevin Mitnick
Illicit Consent Grants
▪ Exploit Scenario
▪ Demo
▪ Infrastructure
Illicit Consent Grants
[Diagram: User, Apache Web Server, Hacker]
▪ Exploit Scenario: Let’s dive in!
Illicit Consent Grants
▪ Exploit Scenario
▪ User received a legit looking email:
Illicit Consent Grants
▪ Exploit Scenario
▪ User received a legit looking email:
Illicit Consent Grants
▪ Exploit Scenario
▪ Picks account to authenticate
Illicit Consent Grants
▪ Exploit Scenario
▪ Presented with permissions that
need user consent only
Illicit Consent Grants
▪ Exploit Scenario
▪ All mails are encrypted
▪ … and this is just one of many possibilities
Illicit Consent Grants
▪ Exploit Scenario: Infrastructure – bit more detail
Illicit Consent Grants
▪ Consent is key
▪ Why build integrated applications?
▪ Using various APIs, you can grant apps access to your tenant data:
▪ Mail, calendars, contacts, conversations
▪ Users, groups, files and folders
▪ SharePoint sites, lists, list items
▪ OneDrive items, permissions and more
▪ Integration: Azure AD provides secure sign-in and
authorization
▪ Developer registers the application with Azure AD
▪ Assign permissions to the application
▪ Tenant administrator / user must consent to permissions
Digital #metoo era
▪ Registering the application
▪ Who can register applications in your tenant?
▪ By default: any member! This can be a security issue
▪ Keep in mind: there is a record of what data was shared with which application. Also: when user adds / allows application to access their data, event can be audited (Audit reports)
▪ See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
Azure AD Applications
▪ Authorization Flow: OAuth2 / OpenID
Azure AD Applications
▪ Authorization flow: let’s simplify
▪ User consents to permissions required by the app
▪ Application asks for authorization from the Azure AD
▪ Azure AD makes the user sign in and returns code to application
▪ Application uses code to retrieve JWT bearer token to use resource (Microsoft Graph API)
▪ Keep in mind: JWT doesn’t authenticate, only authorizes!
Azure AD Applications
Preventing illicit consent grants
Regular application & permission enumeration
Cloud App Security
Educating users
Application Registration & consent restriction
▪ Remedy: Restricting app registrations
▪ Azure Portal > Azure Active Directory > User Settings
Azure AD Applications
▪ Remedy: Restricting consent grants
▪ Azure Portal > Azure Active Directory > User Settings
▪ Watch out! This means that all application consent will be REQUIRED to be done by Global Admins
Azure AD Applications
▪ Remedy: Enumerating apps and permissions
▪ Enumeration using PowerShell:
▪ Install the AzureAD PowerShell module
▪ Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
▪ Connect to Azure AD:
Connect-AzureAD
▪ Use PowerShell script: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
▪ Example:
.\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
Azure AD Applications
▪ Remedy: Enumerating apps and permissions
▪ What you get:
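One way to triage the exported `permissions.csv`, added here as an example and not taken from the slides or from the gist: it groups delegated grants per application and consenting user and flags those carrying mail or file scopes. The column names are assumed to match the script's export; the scope list, the reviewed-app list and the sample rows are constructed.

```python
import csv
import io

# Delegated Microsoft Graph scopes that expose mail, files or contacts.
# The selection is this example's own; adjust it for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
}

# Constructed allow-list of applications the admins have already reviewed.
REVIEWED_APPS = {"Contoso Expense Tool"}

# Constructed sample export (assumed column layout).
SAMPLE_CSV = """\
PermissionType,ClientObjectId,ClientDisplayName,ResourceObjectId,ResourceDisplayName,Permission,ConsentType,PrincipalObjectId,PrincipalDisplayName
Delegated,c-001,Contoso Expense Tool,r-001,Microsoft Graph,User.Read,AllPrincipals,,
Delegated,c-002,Secure Mail Upgrade,r-001,Microsoft Graph,Mail.ReadWrite,Principal,u-104,Alex Wilber
Delegated,c-002,Secure Mail Upgrade,r-001,Microsoft Graph,Mail.Send,Principal,u-104,Alex Wilber
Delegated,c-002,Secure Mail Upgrade,r-001,Microsoft Graph,offline_access,Principal,u-104,Alex Wilber
Delegated,c-003,Calendar Helper,r-001,Microsoft Graph,Calendars.Read,Principal,u-201,Megan Bowen
Application,c-004,Backup Service,r-001,Microsoft Graph,Files.Read.All,,,
"""


def triage(csv_text):
    """Returns delegated grants with high-risk scopes, riskiest first."""
    grouped = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["PermissionType"] != "Delegated":
            continue  # application roles need admin consent; review separately
        app = row["ClientDisplayName"]
        if app in REVIEWED_APPS:
            continue
        if row["ConsentType"] == "Principal":
            who = row["PrincipalDisplayName"]  # a single user consented
        else:
            who = "(all users, admin consent)"
        grouped.setdefault((app, who), set()).add(row["Permission"])

    findings = []
    for (app, who), scopes in grouped.items():
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        findings.append({
            "app": app,
            "consented_by": who,
            "risky_scopes": risky,
            # offline_access means refresh tokens: access outlives the session
            "persistent": "offline_access" in scopes,
        })
    findings.sort(key=lambda f: (not f["persistent"], -len(f["risky_scopes"]), f["app"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

For a real export, pass the file's contents to `triage()`; every finding is a candidate for review against the audit log entries for that consent.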
Azure AD Applications
▪ Remedy: Enumerating apps and permissions
▪ Gotcha: won’t show redirect URLs!
▪ Requires AzureRM.Resources and Connect-AzureRMADAccount:
Azure AD Applications
▪ Remedy: Searching your Audit Logs
▪ Use the ‘consent’ string to filter
Azure AD Applications
▪ Remedy: Cloud App Security
▪ Portal.cloudappsecurity.com
▪ Create an OAUTH App Security Policy
Azure AD Applications
▪ Remedy: Cloud App Security
▪ Create an OAUTH App Security Policy
Azure AD Applications
▪ What you get with CAS from our attack scenario
Azure AD Applications
Password Attacks
▪ Brute forcing office365 logins
▪ In the news in August 2017: sophisticated and coordinated attack
against 48 Office365 customers
▪ Brute Force attack unique: targeting multiple cloud providers
▪ 100,000 failed login attempts from 67 IPs and 12 networks over 7 months
▪ Slow and low to avoid intrusion detection
▪ Users see unsuccessful login attempts using up to 17 variations of their name
▪ Passwords likely the same (password spray attack)
▪ https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
Brute Force Attacks
▪ How hard is it to acquire the right login names?
▪ Demo
Brute Force Attacks
▪ Account Lockout in Office365
▪ Before 02/04/2019:
▪ 10 unsuccessful attempts: captcha
▪ Another 10: lockout (10 mins)
▪ In reality: 10 tries = lockout
▪ No customization allowed
Brute Force Attacks
▪ Account Lockout in Office365
▪ As of 02/04/2019: WOOHOO ☺
Brute Force Attacks
▪ Credential stuffing: using login + password combos
exposed in data breaches against Office365
▪ About 85% of users reuse passwords
▪ Enforcing unique passwords for the enterprise is
impossible
A new(ish) attack / vulnerability
▪ What is credential stuffing: leverages previous data
breaches to obtain user name + password combinations
via bots
Credential Stuffing
▪ Problem: attacker might only need one single attempt for
successful intrusion
▪ Cloudflare estimates success rate at 0.1% = weak
▪ 1M logins = 1k successful logins: still a major issue
▪ Prevention possibilities
▪ 1.) Multi Factor Authentication
▪ 2.) Bot management systems (IP Reputation database) to
prevent bots from login attempts
▪ 3.) Due diligence in breached data
Credential Stuffing
▪ Suggestion:
▪ Use MFA AND regularly scan for breached accounts
▪ How to scan breached accounts:
▪ Troy Hunt’s https://haveibeenpwned.com offers a $3,5/month
subscription for using their API
▪ Using the REST API, you can retrieve any and all accounts that
have been exposed in data breaches.
▪ Here's how:
Credential Stuffing: Prevention
▪ 1.) Purchase a subscription at:
https://haveibeenpwned.com/API
▪ 2.) Simple GET request with headers & domain param.
Credential Stuffing: Prevention
▪ 3.) Analyze results
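A sketch of the three steps above, added as an example and not the request shown on the slides: it uses the Have I Been Pwned v3 per-account endpoint (which may differ from the call on the original slide), honours the rate limit, and keeps only breaches that exposed passwords, since those are the ones that feed credential stuffing. The user-agent string and account names are made up; the `fetch` parameter exists so the logic can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def http_fetch(account, api_key):
    """One lookup; returns (status, lower-cased headers, body text)."""
    url = API + urllib.parse.quote(account) + "?truncateResponse=false"
    request = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,                      # from the paid subscription
        "user-agent": "tenant-breach-audit-example",  # the API rejects requests without one
    })
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            headers = {k.lower(): v for k, v in response.headers.items()}
            return response.status, headers, response.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        headers = {k.lower(): v for k, v in err.headers.items()}
        return err.code, headers, ""


def audit(accounts, api_key, fetch=http_fetch, sleep=time.sleep, max_retries=3):
    """Maps each account to the breaches in which its password was exposed."""
    report = {}
    for account in accounts:
        for _ in range(max_retries + 1):
            status, headers, body = fetch(account, api_key)
            if status != 429:
                break
            # Rate limited: wait for as long as the service asks.
            sleep(int(headers.get("retry-after", "2")))
        if status == 404:
            report[account] = []  # account appears in no known breach
            continue
        if status != 200:
            raise RuntimeError(f"{account}: unexpected HTTP status {status}")
        report[account] = sorted(
            breach["Name"]
            for breach in json.loads(body)
            if "Passwords" in breach.get("DataClasses", [])
        )
    return report


def needs_reset(report):
    """Accounts with at least one password-exposing breach, alphabetically."""
    return sorted(account for account, names in report.items() if names)
```

Accounts returned by `needs_reset()` are the ones to prioritise for a forced password change and MFA enrolment.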
Credential Stuffing: Prevention
▪ What could’ve stopped all this?
MFA
▪ Interesting story about MFA:
https://goo.gl/CFcA5t
Brute Force Attacks
▪ Good news: management through
the app is better
Brute Force Attacks
▪ MFA – the elephant in the room
▪ 2 serious outages in 2018 alone
Brute Force Attacks
▪ MFA – in case of emergencies
▪ Consider implementing a break glass account (via Exclusions from Baseline MFA Policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
▪ Azure AD Portal > Conditional Access
Brute Force Attacks
▪ The way around MFA
▪ Recent breaches discovered by Proofpoint: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
▪ Essentially: using IMAP to get around MFA by mimicking legacy email clients
Brute Force Attacks
MFA exploit
Highlights
▪ 100,000 unauthorised login attempts analyzed (December 2018 –
onwards)
▪ 72% tenants were targeted at least once
▪ 40% tenants had at least 1 compromised account
▪ 15 of 10,000 active user accounts breached
▪ Microsoft’s response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
▪ Require MFA
▪ Block clients that don’t support modern auth.
▪ App Passwords
Brute Force Attacks
▪ Available as part of Threat Intelligence (available in Office365 Enterprise E5)
▪ You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled
Attack Simulator
Spear Phishing Campaigns
Password Brute-Force Attacks
Password Spray Attacks
▪ Where do you find it: protection.office.com > Threat Management
Attack Simulator
▪ Spear Phishing campaigns
▪ Tip: target users identified as top targeted in the Threat Management dashboard
▪ Tip2: You’ll need to enable Office Analytics
Attack Simulator
▪ Spear Phishing campaigns
▪ User tries to log in to phishing site
▪ Redirected to awareness page
Attack Simulator
▪ Spear Phishing campaigns
▪ Tip: best to use your own phishing landing site ;)
Attack Simulator
▪ Brute Force Password
▪ Use a pre-set word list against one or multiple user accounts
▪ Uses the same method an attacker would
▪ I mean literally: watch out! Currently this locks out the user account.
▪ Only supports very limited password lists (Internal server error at 10k passwords)
▪ Best online resources for common credentials: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
Attack Simulator
▪ Password Spray Attack
▪ Tries one or a few passwords against all accounts
▪ Story: known password against two accounts
▪ Both accounts DID have that password
▪ Why?
▪ Gotcha: second user had MFA enabled, which doesn’t appear to be supported.
Attack Simulator
▪ Generally available in office365 – Security & Compliance
▪ Tracks major malware campaigns (WannaCry, Petya, etc)
▪ Lets you track the impact of these campaigns in your tenant
Threat Tracker
▪ Security Analytics tool
▪ Applies numeric score to security settings
▪ Uses benchmarking to compare to other Office365 subscribers
▪ Access Secure Score here: https://securescore.office.com
Secure Score
Secure Score
▪ Total score, improvement actions and history
▪ Actual recommendations and improvement tracking
Secure Score
▪ How does it work?
▪ Currently takes 77 data points into consideration
[Chart: Secure Score Recommendations by Type: Apps, Data, Device, Identity]
Secure Score
▪ Focus areas (products)
[Bar chart by product, axis 0 to 25: Azure AD, Exchange Online, Intune, Cloud App Security, Microsoft Information Protection, OneDrive for Business, SharePoint Online, Skype for Business]
Secure Score
▪ Issues
▪ No Teams suggestions
▪ Quite a few recommendations require E5
▪ MFA for everyone – what if I want a break-glass account?
▪ About generating random passwords
▪ Current password format isn’t hard to guess:
▪ Tip: make sure to have users modify their passwords on first login
Office365 passwords
▪ Guessing random passwords
▪ Always 8 characters
▪ Starts with 3 letters
▪ Ends in 5 numbers
Office365 passwords
Consonant (21) × Vowel (5) × Consonant (21) × Numbers (10 × 10 × 10 × 10 × 10) = 220,500,000
▪ Guessing random passwords
▪ Pretty easy to create a password list for brute-force:
▪ Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
▪ File size: only ~ 1GB
Office365 passwords
▪ Simulate attacks against your own environment
▪ Keep an eye out for more attack simulation tools
▪ Use your own phishing tactics and word lists
▪ Educate users on strong passwords
Conclusion
OfficeExpert
You can sign up for our sandbox
https://www.panagenda.com/officeexpert-sandbox
Thank You
Questions & Feedback: LOVE IT
Get in touch: ben.menesi@panagenda.com
Presentation online: slideshare.net/benedek.Menesi
@BenMenesi
Linkedin.ca/in/benedekmenesi

Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Why you need monitoring to keep your Microsoft 365 journey successful
Why you need monitoring to keep your Microsoft 365 journey successfulWhy you need monitoring to keep your Microsoft 365 journey successful
Why you need monitoring to keep your Microsoft 365 journey successfulpanagenda
 
Developer Special: How to Prepare Applications for Notes 64-bit Clients
Developer Special: How to Prepare Applications for Notes 64-bit ClientsDeveloper Special: How to Prepare Applications for Notes 64-bit Clients
Developer Special: How to Prepare Applications for Notes 64-bit Clientspanagenda
 
Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14panagenda
 
Alles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenAlles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenpanagenda
 
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Z
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis ZWorkshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Z
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Zpanagenda
 
How to Perform HCL Notes 14 Upgrades Smoothly
How to Perform HCL Notes 14 Upgrades SmoothlyHow to Perform HCL Notes 14 Upgrades Smoothly
How to Perform HCL Notes 14 Upgrades Smoothlypanagenda
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Webpanagenda
 
Die ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web AdministratorenDie ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web Administratorenpanagenda
 
Bring the Modern and Seamless User Experience You Deserve to HCL Nomad
Bring the Modern and Seamless User Experience You Deserve to HCL NomadBring the Modern and Seamless User Experience You Deserve to HCL Nomad
Bring the Modern and Seamless User Experience You Deserve to HCL Nomadpanagenda
 
Wie man HCL Nomad eine moderne User Experience verschafft
Wie man HCL Nomad eine moderne User Experience verschafftWie man HCL Nomad eine moderne User Experience verschafft
Wie man HCL Nomad eine moderne User Experience verschafftpanagenda
 
Im Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltag
Im Praxistest – Microsoft Teams Performance im hybriden ArbeitsalltagIm Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltag
Im Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltagpanagenda
 
Hybrid Environments and What They Mean for HCL Notes and Nomad
Hybrid Environments and What They Mean for HCL Notes and NomadHybrid Environments and What They Mean for HCL Notes and Nomad
Hybrid Environments and What They Mean for HCL Notes and Nomadpanagenda
 
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeuten
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeutenHybride Umgebungen und was sie für HCL Notes und Nomad bedeuten
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeutenpanagenda
 
MVP vs. MCM: Microsoft Teams Troubleshooting
MVP vs. MCM: Microsoft Teams TroubleshootingMVP vs. MCM: Microsoft Teams Troubleshooting
MVP vs. MCM: Microsoft Teams Troubleshootingpanagenda
 
HCL Notes und Nomad Fehlerbehebung für Dummies
HCL Notes und Nomad Fehlerbehebung für DummiesHCL Notes und Nomad Fehlerbehebung für Dummies
HCL Notes und Nomad Fehlerbehebung für Dummiespanagenda
 
HCL Notes and Nomad Troubleshooting for Dummies
HCL Notes and Nomad Troubleshooting for DummiesHCL Notes and Nomad Troubleshooting for Dummies
HCL Notes and Nomad Troubleshooting for Dummiespanagenda
 
The CEO is Having MS Teams Call Quality Issues! Now What?
The CEO is Having MS Teams Call Quality Issues! Now What?The CEO is Having MS Teams Call Quality Issues! Now What?
The CEO is Having MS Teams Call Quality Issues! Now What?panagenda
 

More from panagenda (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Why you need monitoring to keep your Microsoft 365 journey successful
Why you need monitoring to keep your Microsoft 365 journey successfulWhy you need monitoring to keep your Microsoft 365 journey successful
Why you need monitoring to keep your Microsoft 365 journey successful
 
Developer Special: How to Prepare Applications for Notes 64-bit Clients
Developer Special: How to Prepare Applications for Notes 64-bit ClientsDeveloper Special: How to Prepare Applications for Notes 64-bit Clients
Developer Special: How to Prepare Applications for Notes 64-bit Clients
 
Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14
 
Alles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenAlles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssen
 
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Z
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis ZWorkshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Z
Workshop: HCL Notes 14 Upgrades einfach gemacht – von A bis Z
 
How to Perform HCL Notes 14 Upgrades Smoothly
How to Perform HCL Notes 14 Upgrades SmoothlyHow to Perform HCL Notes 14 Upgrades Smoothly
How to Perform HCL Notes 14 Upgrades Smoothly
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Web
 
Die ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web AdministratorenDie ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web Administratoren
 
Bring the Modern and Seamless User Experience You Deserve to HCL Nomad
Bring the Modern and Seamless User Experience You Deserve to HCL NomadBring the Modern and Seamless User Experience You Deserve to HCL Nomad
Bring the Modern and Seamless User Experience You Deserve to HCL Nomad
 
Wie man HCL Nomad eine moderne User Experience verschafft
Wie man HCL Nomad eine moderne User Experience verschafftWie man HCL Nomad eine moderne User Experience verschafft
Wie man HCL Nomad eine moderne User Experience verschafft
 
Im Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltag
Im Praxistest – Microsoft Teams Performance im hybriden ArbeitsalltagIm Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltag
Im Praxistest – Microsoft Teams Performance im hybriden Arbeitsalltag
 
Hybrid Environments and What They Mean for HCL Notes and Nomad
Hybrid Environments and What They Mean for HCL Notes and NomadHybrid Environments and What They Mean for HCL Notes and Nomad
Hybrid Environments and What They Mean for HCL Notes and Nomad
 
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeuten
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeutenHybride Umgebungen und was sie für HCL Notes und Nomad bedeuten
Hybride Umgebungen und was sie für HCL Notes und Nomad bedeuten
 
MVP vs. MCM: Microsoft Teams Troubleshooting
MVP vs. MCM: Microsoft Teams TroubleshootingMVP vs. MCM: Microsoft Teams Troubleshooting
MVP vs. MCM: Microsoft Teams Troubleshooting
 
HCL Notes und Nomad Fehlerbehebung für Dummies
HCL Notes und Nomad Fehlerbehebung für DummiesHCL Notes und Nomad Fehlerbehebung für Dummies
HCL Notes und Nomad Fehlerbehebung für Dummies
 
HCL Notes and Nomad Troubleshooting for Dummies
HCL Notes and Nomad Troubleshooting for DummiesHCL Notes and Nomad Troubleshooting for Dummies
HCL Notes and Nomad Troubleshooting for Dummies
 
The CEO is Having MS Teams Call Quality Issues! Now What?
The CEO is Having MS Teams Call Quality Issues! Now What?The CEO is Having MS Teams Call Quality Issues! Now What?
The CEO is Having MS Teams Call Quality Issues! Now What?
 

Recently uploaded

Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineeringssuserb3a23b
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 

Recently uploaded (20)

Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineering
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 

Office 365 in today's digital threats landscape: attacks & remedies from a hacker - Salt Lake M365 Friday

  • 1. Make Your Data Work For You Office365 from a Hacker‘s perspective Real life threats, tactics and remedies Ben Menesi Ottawa, Canada 5 October, 2019
  • 2. Speaker • Ben Menesi – VP Products & Innovation at panagenda – Started out in the IBM world – SharePoint & Exchange Admin & Dev – Certified Ethical Hacker v9 and OSCP student – Enjoys breaking things – Speaker at IT events around the globe (SPS New York City, Toronto, Calgary, Montreal, Geneva, Cambridge) – Owns a bar (recently) @BenMenesi
  • 3. panagenda • Who we are – HQ in Vienna, Austria – Offices in Boston, Germany, The Netherlands and Australia – >10M user licenses across over 80 countries
  • 4. Panagenda – what we do • Quality of Service monitoring using bots
  • 5. Panagenda – what we do • Teams Analytics & Organizational Intelligence
  • 6. Agenda • What we’ll cover today Ransomware Attacks Email security Multi-Factor Authentication Illicit Consent Grants
  • 7. Statistics • Some numbers from the field – Verizon’s 2017 & 2018 Data Breach Investigations Report: 53000 incidents & 2216 data breaches – 58%: Victims are businesses with < 1000 employees (62% in 2017) – 92%: Malware vectors: Email (6.3% Web, 1.3% other) – 68%: Breaches took months(!!!) to discover
  • 8. Statistics • Some numbers on Phishing – Avanan’s Global Phish Report: https://www.avanan.com/hubfs/2019-Global-Phish-Report.pdf | 55,5M emails analyzed – BakerHostetler‘s DSIR Report (750+ incidents): https://f.datasrvr.com/fr1/019/33725/2019_BakerHostetler_DSIR_Final.pdf – 33%: Phishing mails passed through Exchange Online Protection – 43%: Branded phishing emails impersonating Microsoft – 90%: Emails after malware or credentials – 34%: Office365 account exposure after compromised device
  • 9. On-Prem. Vs. Cloud Security • Benefits of your data in the cloud Broader scope of threat intelligence Larger and more specialized security muscle than most SMBs Fast and instant delivery (no manual patching required)
  • 10. On-Prem. Vs. Cloud Security • Disadvantages of using cloud services Vulnerability / Risk Mitigation is out of our control Part of a larger, very attractive attack surface Less flexibility in customizing defenses
  • 11. Vulnerability Mitigation • Practical example – Basestriker attack: gets around Microsoft’s ATP SafeLinks by leveraging the <base> tag: ▪ Traditional way to embed URLs in a phishing email: ▪ Using the <base> tag:
  • 12. Vulnerability Mitigation • Vulnerability Lifecycle 02.05.2018 Microsoft alerted by Avanan 02.05.2018 Proofpoint alerted by Avanan 16.05.2018 Microsoft fixes vulnerability 14 days
  • 14. Ransomware Attacks Why are they so important? ▪ DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017 ▪ WannaCry: 150 countries, estimated at $4B ▪ NotPetya: $250-300M for Maersk alone, $1.2B in total revenue ▪ 54% of companies experienced one or more successful attacks ▪ Total cost of a successful cyber attack is over $5M or $301 / employee
  • 15. Ransomware Attacks How do they spread? ▪ 60% of ransomware attacks come from infected emails BUT: ▪ Also, vulnerable (application) servers ▪ Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018 ▪ Malware infection likely through SMBv1 open on a web server ▪ Aftermath: $2.6M cost
  • 16. Decrypting Ransomware ▪ Cautionary tale: Herrington & Company gets ransomwared ▪ Engages Data Recovery company to retrieve data ▪ DR company quotes $6000 to recover data ▪ Data recovery is WAY too fast ▪ FBI confirms that PDR indeed paid ransom to decrypt victim’s files ▪ https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large ▪ How do we prevent ransomware?
  • 17. Ransomware Protection ▪ Microsoft introduced Files Restore for OneDrive ▪ Allows restoring an entire OneDrive account to a previous point in time within 30 days ▪ Monitors file assets and notifies when an attack is detected (allegedly ☺)
  • 18. Ransomware Protection ▪ Careful! ▪ Real time notification might not be as accurate as we think ▪ AxCrypt encryption on OneDrive files stays under the radar ▪ Ransomware prevention: have users store important data in OneDrive
  • 20. ▪ Email Encryption: End-to-end encryption ▪ Prevent Forwarding: Restrict email recipients from forwarding or copying emails you send (plus: attached MS Office docs are encrypted even after downloading) ▪ What happens if the recipient is outside your organization: Email Encryption
  • 21. ▪ OME: Automatically Enabled Email Encryption
  • 22. ▪ Revoking Encrypted Messages ▪ This one is thanks to Albert Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/ ▪ Encrypted status means: email & content didn’t leave the perimeter. ▪ You can use Message Trace to locate the outgoing mail and then use PowerShell to: ▪ Query the OME status: Get-OMEMessageStatus -MessageID "message id" ▪ Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageID "message id" Email Encryption
  • 23. ▪ Revoking Encrypted Messages ▪ Because the data never left the perimeter, it’s the ‘link’ that’s broken at the moment of revocation and recipient will get this: Email Encryption
  • 25. ▪ In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications ▪ Phishing campaigns could trick users into granting access to applications ▪ https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/ ▪ Exploit first demonstrated by Kevin Mitnick Illicit Consent Grants
  • 26. ▪ Exploit Scenario ▪ Demo ▪ Infrastructure Illicit Consent Grants User Apache Web Server Hacker
  • 27. ▪ Exploit Scenario: Let’s dive in! Illicit Consent Grants
  • 28. ▪ Exploit Scenario ▪ User received a legit looking email: Illicit Consent Grants
  • 29. ▪ Exploit Scenario ▪ User received a legit looking email: Illicit Consent Grants
  • 30. ▪ Exploit Scenario ▪ Picks account to authenticate Illicit Consent Grants
  • 31. ▪ Exploit Scenario ▪ Presented with permissions that need user consent only Illicit Consent Grants
  • 32. ▪ Exploit Scenario ▪ All mails are encrypted ▪ … and this is just one of many possibilities Illicit Consent Grants
  • 33. ▪ Exploit Scenario: Infrastructure – bit more detail Illicit Consent Grants
  • 34. ▪ Consent is key ▪ Why build integrated applications? ▪ Using various APIs, you can grant apps access to your tenant data: ▪ Mail, calendars, contacts, conversations ▪ Users, groups, files and folders ▪ SharePoint sites, lists, list items ▪ OneDrive items, permissions and more ▪ Integration: Azure AD provides secure sign-in and authorization ▪ Developer registers the application with Azure AD ▪ Assign permissions to the application ▪ Tenant administrator / user must consent to permissions Digital #metoo era
  • 35. ▪ Registering the application ▪ Who can register applications in your tenant? ▪ By default: any member! This can be a security issue ▪ Keep in mind: there is a record of what data was shared with which application. Also: when a user adds / allows an application to access their data, the event can be audited (Audit reports) ▪ See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance Azure AD Applications
  • 36. ▪ Authorization Flow: OAuth2 / OpenID Azure AD Applications
  • 37. ▪ Authorization flow: let’s simplify ▪ User consents to permissions required by the app ▪ Application asks for authorization from the Azure AD ▪ Azure AD makes the user sign in and returns code to application ▪ Application uses code to retrieve JWT bearer token to use resource (Microsoft Graph API) ▪ Keep in mind: JWT doesn’t authenticate, only authorizes! Azure AD Applications
  • 38. Preventing illicit consent grants Regular application & permission enumeration Cloud App Security Educating users Application Registration & consent restriction
  • 39. ▪ Remedy: Restricting app registrations ▪ Azure Portal > Azure Active Directory > User Settings Azure AD Applications
  • 40. ▪ Remedy: Restricting consent grants ▪ Azure Portal > Azure Active Directory > User Settings ▪ Watch out! This means that all application consent will be REQUIRED to be done by Global Admins Azure AD Applications
  • 41. ▪ Remedy: Enumerating apps and permissions ▪ Enumeration using PowerShell: ▪ Install the AzureAD PowerShell module ▪ Launch PowerShell ISE as an Administrator and: Install-Module AzureAD ▪ Connect to Azure AD: Connect-AzureAD ▪ Use PowerShell script: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09 ▪ Example: .\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation Azure AD Applications
  • 42. ▪ Remedy: Enumerating apps and permissions ▪ What you get: Azure AD Applications
  • 43. ▪ Remedy: Enumerating apps and permissions ▪ Gotcha: won’t show redirect URLs! ▪ Requires AzureRM.Resources and Connect-AzureRMADAccount: Azure AD Applications
  • 44. ▪ Remedy: Searching your Audit Logs ▪ Use the ‘consent’ string to filter Azure AD Applications
  • 45. ▪ Remedy: Cloud App Security ▪ Portal.cloudappsecurity.com ▪ Create an OAUTH App Security Policy Azure AD Applications
  • 46. ▪ Remedy: Cloud App Security ▪ Create an OAUTH App Security Policy Azure AD Applications
  • 47. ▪ What you get with CAS from our attack scenario Azure AD Applications
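One way to triage the permissions.csv export from slide 41 for the illicit-consent pattern (added example, not part of the original deck or of the linked script). The column names and the sample rows are assumptions constructed for illustration; check them against your own export.

```python
import csv
import io
from collections import defaultdict

# Delegated Microsoft Graph scopes that expose mail, files or notes to an app.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
    "files.read.all", "files.readwrite.all", "sites.read.all",
    "sites.readwrite.all", "contacts.read", "notes.read.all",
}

# Constructed sample rows; the header names are assumed, not taken from the deck.
SAMPLE_CSV = """\
PermissionType,ClientDisplayName,ResourceDisplayName,Permission,ConsentType,PrincipalDisplayName
Delegated,Contoso Expenses,Microsoft Graph,User.Read,AllPrincipals,
Delegated,Mail Security Upgrade,Microsoft Graph,Mail.ReadWrite,Principal,Alice Example
Delegated,Mail Security Upgrade,Microsoft Graph,Mail.Send,Principal,Alice Example
Delegated,Mail Security Upgrade,Microsoft Graph,offline_access,Principal,Alice Example
Delegated,PDF Helper,Microsoft Graph,Files.Read.All,Principal,Bob Example
Delegated,PDF Helper,Microsoft Graph,Files.Read.All,Principal,Carol Example
Application,Backup Connector,Microsoft Graph,Sites.Read.All,,
"""


def triage(csv_text):
    """Return apps holding user-consented high-risk scopes, highest score first."""
    apps = defaultdict(lambda: {"scopes": set(), "users": set(), "offline": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        # App-only roles always require admin consent; review those separately.
        if (row.get("PermissionType") or "").strip().lower() != "delegated":
            continue
        # "Principal" means one user consented for themselves, which is the
        # path a consent-phishing mail relies on.
        if (row.get("ConsentType") or "").strip().lower() != "principal":
            continue
        app = apps[(row.get("ClientDisplayName") or "").strip()]
        user = (row.get("PrincipalDisplayName") or "").strip() or "(unknown user)"
        app["users"].add(user)
        scope = (row.get("Permission") or "").strip().lower()
        if scope in HIGH_RISK_SCOPES:
            app["scopes"].add(scope)
        elif scope == "offline_access":
            app["offline"] = True  # refresh tokens: access outlives the session

    findings = []
    for name, data in apps.items():
        if not data["scopes"]:
            continue
        # Simple additive score: breadth of data access, number of users who
        # consented, and whether the grant survives without the user present.
        score = 2 * len(data["scopes"]) + len(data["users"])
        score += 3 if data["offline"] else 0
        findings.append({
            "app": name,
            "score": score,
            "scopes": sorted(data["scopes"]),
            "users": sorted(data["users"]),
            "offline_access": data["offline"],
        })
    findings.sort(key=lambda f: (-f["score"], f["app"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```
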
  • 49. ▪ Brute forcing Office365 logins ▪ In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers ▪ Brute Force attack unique: targeting multiple cloud providers ▪ 100,000 failed login attempts from 67 IPs and 12 networks over 7 months ▪ Slow and low to avoid intrusion detection ▪ Users see unsuccessful login attempts using up to 17 name variations ▪ Passwords likely the same (password spray attack) ▪ https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/ Brute Force Attacks
  • 50. ▪ How hard is it to acquire the right login names? ▪ Demo Brute Force Attacks
  • 51. ▪ Account Lockout in Office365 ▪ Before 02/04/2019: ▪ 10 unsuccessful attempts: captcha ▪ Another 10: lockout (10 mins) ▪ In reality: 10 tries = lockout ▪ No customization allowed Brute Force Attacks
  • 52. ▪ Account Lockout in Office365 ▪ As of 02/04/2019: WOOHOO ☺ Brute Force Attacks
  • 53. ▪ Credential stuffing: using login + password combos exposed in data breaches against Office365 ▪ About 85% of users reuse passwords ▪ Enforcing unique passwords for the enterprise is impossible A new(ish) attack / vulnerability
  • 54. ▪ What is credential stuffing: leverages previous data breaches to obtain user name + password combinations via bots Credential Stuffing
  • 55. ▪ Problem: attacker might only need one single attempt for successful intrusion ▪ Cloudflare estimates success rate at 0.1% = weak ▪ 1M logins = 1k successful logins: still a major issue ▪ Prevention possibilities ▪ 1.) Multi Factor Authentication ▪ 2.) Bot management systems (IP Reputation database) to prevent bots from login attempts ▪ 3.) Due diligence in breached data Credential Stuffing
  • 56. ▪ Suggestion: ▪ Use MFA AND regularly scan for breached accounts ▪ How to scan breached accounts: ▪ Troy Hunt’s https://haveibeenpwned.com offers a $3,5/month subscription for using their API ▪ Using the REST API, you can retrieve any and all accounts that have been exposed in data breaches. ▪ Here’s how: Credential Stuffing: Prevention
  • 57. ▪ 1.) Purchase a subscription at: https://haveibeenpwned.com/API ▪ 2.) Simple GET request with headers & domain param. Credential Stuffing: Prevention
  • 58. ▪ 3.) Analyze results Credential Stuffing: Prevention
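The three steps above (request with headers, then analysis) as an added example, not code from the presentation. It assumes the per-account `breachedaccount` endpoint of the Have I Been Pwned v3 API; the reset heuristic, the user-agent name and all sample data are constructed for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def build_request(account, api_key):
    """Build the GET request for one account; the API key and user agent go in headers."""
    url = API + urllib.parse.quote(account) + "?truncateResponse=false"
    headers = {"hibp-api-key": api_key, "user-agent": "tenant-breach-audit"}  # agent name is a placeholder
    return urllib.request.Request(url, headers=headers)

def fetch_breaches(account, api_key):
    """Send the request; HTTP 404 means the account appears in no known breach."""
    try:
        with urllib.request.urlopen(build_request(account, api_key)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise

def needs_reset(results, last_change):
    """Heuristic (assumption): reset when a breach exposing passwords was published after
    the user's last Office365 password change, so a reused password may still be live."""
    report = {}
    for account, breaches in results.items():
        changed = last_change.get(account, "0000-00-00")
        hits = sorted(b["Name"] for b in breaches
                      if "Passwords" in b["DataClasses"] and b["AddedDate"][:10] > changed)
        if hits:
            report[account] = hits
    return report

# Constructed responses in the shape of the API's breach objects; not real breach data.
SAMPLE = {
    "alice@example.com": [
        {"Name": "ExampleForum", "AddedDate": "2019-03-02T00:00:00Z", "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "ExampleShop", "AddedDate": "2018-06-10T00:00:00Z", "DataClasses": ["Email addresses", "Passwords"]}],
    "bob@example.com": [
        {"Name": "ExampleList", "AddedDate": "2019-05-01T00:00:00Z", "DataClasses": ["Email addresses"]}],
    "carol@example.com": [],
}
# Constructed last password-change dates, e.g. exported from the directory.
LAST_CHANGE = {"alice@example.com": "2018-12-01", "bob@example.com": "2017-01-01", "carol@example.com": "2019-01-01"}

if __name__ == "__main__":
    print(needs_reset(SAMPLE, LAST_CHANGE))
```

Only accounts whose exposure includes passwords and postdates their last password change are listed, which keeps the forced-reset list short enough to act on.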
  • 59. ▪ What could’ve stopped all this? MFA ▪ Interesting story about MFA: https://goo.gl/CFcA5t Brute Force Attacks
  • 60. ▪ Good news: management through the app is better Brute Force Attacks
  • 61. ▪ MFA – the elephant in the room ▪ 2 serious outages in 2018 alone Brute Force Attacks
  • 62. ▪ MFA – in case of emergencies ▪ Consider implementing a break glass account (via Exclusions from Baseline MFA Policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/ ▪ Azure AD Portal > Conditional Access Brute Force Attacks
  • 63. ▪ The way around MFA ▪ Recent breaches discovered by Proofpoint: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols ▪ Essentially: using IMAP to get around MFA by mimicking legacy email clients Brute Force Attacks
  • 64. MFA exploit Highlights ▪ 100,000 unauthorised login attempts analyzed (December 2018 – onwards) ▪ 72% tenants were targeted at least once ▪ 40% tenants had at least 1 compromised account ▪ 15 of 10,000 active user accounts breached
  • 65. ▪ Microsoft’s response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies ▪ Require MFA ▪ Block clients that don’t support modern auth. ▪ App Passwords Brute Force Attacks
  • 66. ▪ Available as part of Threat Intelligence (available in Office365 Enterprise E5) ▪ You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled Attack Simulator ▪ Spear Phishing Campaigns ▪ Password Brute-Force Attacks ▪ Password Spray Attacks
  • 67. ▪ Where do you find it: protection.office.com > Threat Management Attack Simulator
  • 68. ▪ Spear Phishing campaigns ▪ Tip: target users identified as top targeted in the Threat Management dashboard ▪ Tip2: You’ll need to enable Office Analytics Attack Simulator
  • 69. ▪ Spear Phishing campaigns ▪ User tries to log in to phishing site ▪ Redirected to awareness page Attack Simulator
  • 70. ▪ Spear Phishing campaigns ▪ Tip: best to use your own phishing landing site ;) Attack Simulator
  • 71. ▪ Brute Force Password ▪ Use a pre-set word list against one or multiple user accounts ▪ Uses the same method an attacker would ▪ I mean literally: watch out! Currently this locks out the user account. ▪ Only supports very limited password lists (Internal server error at 10k passwords) ▪ Best online resources for common credentials: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials Attack Simulator
  • 72. ▪ Password Spray Attack ▪ Tries one or a few passwords against all accounts ▪ Story: known password against two accounts ▪ Both accounts DID have that password ▪ Why? ▪ Why? ▪ Gotcha: second user had MFA enabled, which doesn’t appear to be supported. Attack Simulator
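Detection logic for the slow-and-low campaign on the Brute Force Attacks slide and the password spray described above, as an added example that is not part of the presentation. The event tuple layout, the /24 grouping, the thresholds other than the 10-try lockout, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10  # failed tries before lockout, as stated on the lockout slide

def network_of(ip, prefix=24):
    """Collapse an IP to its network so rotating addresses in one range group together."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def detect_spray(events, min_accounts=5, window=timedelta(days=7)):
    """Flag networks whose failed logins are broad (many accounts) but shallow
    (no account reaches the lockout threshold) within one sliding window."""
    by_net = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_net[network_of(ip)].append((ts, user.lower()))
    findings = {}
    for net, fails in by_net.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            broad = len(per_user) >= min_accounts
            shallow = max(per_user.values()) < LOCKOUT_THRESHOLD
            if broad and shallow and len(per_user) > len(findings.get(net, {})):
                findings[net] = dict(per_user)
    return findings

def sample_events():
    """Constructed sign-in events (time, source IP, user, success); not real log data."""
    t0 = datetime(2019, 10, 1, 8, 0)
    users = ["a.smith", "b.jones", "c.wu", "d.khan", "e.rossi", "f.meyer"]
    # Spray: one guess per account, six hours apart, rotating through three IPs of one range.
    events = [(t0 + timedelta(hours=6 * i), f"203.0.113.{10 + i % 3}", f"{u}@example.com", False)
              for i, u in enumerate(users)]
    # Benign: one user mistypes three times, then signs in.
    events += [(t0 + timedelta(minutes=i), "198.51.100.7", "g.lee@example.com", i == 3) for i in range(4)]
    # Classic brute force on one account: trips lockout, so it is not a spray.
    events += [(t0 + timedelta(minutes=i), "192.0.2.5", "admin@example.com", False) for i in range(12)]
    return events

if __name__ == "__main__":
    for net, users in detect_spray(sample_events()).items():
        print(net, "failed logins against", len(users), "accounts:", sorted(users))
```

Per-account lockout counters never see this pattern because each account receives only one or two guesses; the signal only appears when failures are aggregated by source network across accounts.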
  • 73. ▪ Generally available in Office365 – Security & Compliance ▪ Tracks major malware campaigns (WannaCry, Petya, etc) ▪ Lets you track the impact of these campaigns in your tenant Threat Tracker
  • 74. ▪ Security Analytics tool ▪ Applies numeric score to security settings ▪ Uses benchmarking to compare to other Office365 subscribers ▪ Access Secure Score here: https://securescore.office.com Secure Score
  • 75. Secure Score ▪ Total score, improvement actions and history ▪ Actual recommendations and improvement tracking
  • 76. Secure Score ▪ How does it work? ▪ Currently takes 77 data points into consideration [Chart: Secure Score Recommendations by Type: Apps, Data, Device, Identity]
  • 77. Secure Score ▪ Focus areas (products) [Bar chart, scale 0 to 25, by product: Azure AD, Exchange Online, Intune, Cloud App Security, Microsoft Information Protection, OneDrive for Business, SharePoint Online, Skype for Business]
  • 78. Secure Score ▪ Issues ▪ No Teams suggestions ▪ Quite a few recommendations require E5 ▪ MFA for everyone – what if I want a break-glass account?
  • 79. ▪ About generating random passwords ▪ Current password format isn’t hard to guess: ▪ Tip: make sure to have users modify their passwords on first login Office365 passwords
  • 80. ▪ Guessing random passwords ▪ Always 8 characters ▪ Starts with 3 letters ▪ Ends in 5 numbers ▪ Consonant (21) × Vowel (5) × Consonant (21) × Numbers (10 × 10 × 10 × 10 × 10) = 220,500,000 Office365 passwords
  • 81. ▪ Guessing random passwords ▪ Pretty easy to create a password list for brute-force: ▪ Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%% ▪ File size: only ~ 1GB Office365 passwords
  • 82. ▪ Simulate attacks against your own environment ▪ Keep an eye out for more attack simulation tools ▪ Use your own phishing tactics and word lists ▪ Educate users on strong passwords Conclusion
  • 83. OfficeExpert You can sign up for our sandbox https://www.panagenda.com/officeexpert-sandbox
  • 84. Thank You Questions & Feedback: LOVE IT Get in touch: ben.menesi@panagenda.com Presentation online: slideshare.net/benedek.Menesi @BenMenesi Linkedin.ca/in/benedekmenesi