Make Your Data Work For You
Office365 from a Hacker's perspective
Real life threats, tactics and remedies
Ben Menesi
New York, NY
27th 07 2019
Speaker
• Ben Menesi
– VP Products & Innovation at panagenda
– Started out in the IBM world
– SharePoint & Exchange Admin & Dev
– Certified Ethical Hacker v9 and OSCP student
– Enjoys breaking things
– Speaker at IT events around the globe (SPS Toronto, Calgary, Geneva, Cambridge)
– Owns a bar (recently) @BenMenesi
panagenda
• Who we are
– HQ in Vienna, Austria
– Offices in Boston, Austria, Germany, The Netherlands and Australia
– >1M user licenses across over 80 countries
panagenda
• What we do: OfficeExpert
• Quality of Service monitoring using bots
• Teams Analytics
Our product: OfficeExpert
• Teams cluster analytics: who’s talking to whom?
OfficeExpert
• Teams analytics: Storage Impact
OfficeExpert
• Teams analytics: Activity & Adoption
Agenda
• What we’ll cover today
Ransomware Attacks
Email security
Multi-Factor Authentication
Illicit Consent Grants
Statistics
• Some numbers from the field
– Verizon's 2017 & 2018 Data Breach Investigations Report: 53,000 incidents & 2,216 data breaches
– 58%: victims are businesses with < 1,000 employees (62% in 2017)
– 92%: malware vector is email (6.3% web, 1.3% other)
– 68%: breaches took months(!!!) to discover
On-Prem. Vs. Cloud Security
• Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
On-Prem. Vs. Cloud Security
• Disadvantages of using cloud services
Vulnerability / Risk Mitigation is out of our control
Part of a larger, very attractive attack surface
Less flexibility in customizing defenses
Vulnerability Mitigation
• Practical example
– Basestriker attack: gets around Microsoft's ATP Safe Links by leveraging the <base> tag:
  – Traditional way to embed URLs in a phishing email:
  – Using the <base> tag:
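The two HTML snippets on this slide were images and did not survive extraction. What follows is an added PowerShell example, not from the deck, that shows the mechanism from the defender's side: a link filter that only rewrites absolute `href` values sees a harmless relative path, while the mail client resolves that path against `<base href>`. The function computes the URL the client will actually follow, which is the value a Safe Links-style rewriter has to check. The sample HTML and host names are constructed for the example.

```powershell
# Added example (not from the deck): resolve every anchor href against the
# document's <base href>, the way a mail client does, so a link filter sees the
# real destination rather than a bare relative path.
function Get-EffectiveLink {
    param([Parameter(Mandatory)][string]$Html)

    # <base href="..."> applies to every relative URL in the document.
    $baseUri   = $null
    $baseMatch = [regex]::Match($Html, '<base\s+[^>]*href\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase')
    if ($baseMatch.Success) { $baseUri = [System.Uri]$baseMatch.Groups[1].Value }

    foreach ($m in [regex]::Matches($Html, '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase')) {
        $raw        = $m.Groups[1].Value
        $isAbsolute = [System.Uri]::IsWellFormedUriString($raw, [System.UriKind]::Absolute)

        if ($isAbsolute) {
            $effective = ([System.Uri]$raw).AbsoluteUri
        } elseif ($baseUri) {
            # This is the step a naive filter skips: base + relative = real target.
            $effective = ([System.Uri]::new($baseUri, $raw)).AbsoluteUri
        } else {
            $effective = '(relative link with no base; resolves against the mail client)'
        }

        [pscustomobject]@{
            RawHref      = $raw
            EffectiveUrl = $effective
            HiddenByBase = (-not $isAbsolute) -and ($null -ne $baseUri)
        }
    }
}

# Constructed sample: the host appears only in <base>; the first anchor is relative.
$sampleHtml = @'
<html><head><base href="https://redirect.example/"></head>
<body>
<a href="docs/view.html">View document</a>
<a href="https://portal.office.com/">Office 365 portal</a>
</body></html>
'@

Get-EffectiveLink -Html $sampleHtml | Format-Table -AutoSize
```

Run against the constructed sample, the first row comes back with `HiddenByBase` set to True and `EffectiveUrl` of `https://redirect.example/docs/view.html`, while the second row is the absolute Office 365 link unchanged. Any rewriting or reputation check has to operate on the `EffectiveUrl` column, not on `RawHref`.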
Vulnerability Mitigation
• Vulnerability Lifecycle
– 02.05.2018: Microsoft alerted by Avanan
– 02.05.2018: Proofpoint alerted by Avanan
– 16.05.2018: Microsoft fixes vulnerability
– 14 days from report to fix
Ransomware
Ransomware Attacks
Why are they so important?
• DOJ statistics: 1,000 attacks / day in 2015, 4,000 attacks / day in 2017
• WannaCry: 150 countries, estimated at $4B
• NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
• 54% of companies experienced one or more successful attacks
• Total cost of a successful cyber attack is over $5M or $301 / employee
Ransomware Attacks
How do they spread?
 60% of ransomware attacks come from infected emails BUT:
 Also, vulnerable (application) servers
 Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
 Malware infection likely through SMBv1 open on a web server
 Aftermath: $2.6M cost
Decrypting Ransomware
• Cautionary tale: Herrington & Company gets ransomwared
– Engages a data recovery company to retrieve data
– DR company quotes $6,000 to recover data
– Data recovery is WAY too fast
– FBI confirms that PDR indeed paid the ransom to decrypt the victim's files
– https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
• How do we prevent ransomware?
Ransomware Protection
• Microsoft introduced Files Restore for OneDrive
– Allows restoring an entire OneDrive account to a previous point in time within 30 days
– Monitors file assets and notifies if an attack is detected
Ransomware Protection
• Careful!
– Real-time notification might not be as accurate as we think
– AxCrypt encryption on OneDrive files stays under the radar
• Ransomware prevention: have users store important data in OneDrive
Email & Sharing
• Email Encryption: end-to-end encryption
• Prevent Forwarding: restrict email recipients from forwarding or copying emails you send (plus: attached MS Office docs are encrypted even after downloading)
• What happens if the recipient is outside your organization:
Email Encryption
• OME: Automatically Enabled
Email Encryption
• Revoking Encrypted Messages
– This one is thanks to Al Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/
– Encrypted status means: email & content didn't leave the perimeter.
– You can use Message Trace to locate the outgoing mail and then use PowerShell to:
  – Query the OME status: Get-OMEMessageStatus -MessageId "message id"
  – Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageId "message id"
Email Encryption
• Revoking Encrypted Messages
– Because the data never left the perimeter, it's the 'link' that's broken at the moment of revocation, and the recipient will get this:
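The two revocation slides above give the cmdlets one at a time. The following is an added PowerShell example, not from the deck or from Al Hoitingh's post, that strings them together: locate the outbound mail with Message Trace, show its OME status, and revoke it only after confirmation. It assumes an existing Exchange Online PowerShell session (`Connect-ExchangeOnline`) under a role allowed to run the OME cmdlets; the sender, recipient and subject in the usage line are constructed placeholders.

```powershell
# Added example (not from the deck): find an outbound OME-protected message via
# Message Trace, display its revocation status, and revoke it with confirmation.
# Get-MessageTrace only covers roughly the last 10 days, so older mail has to be
# looked up by its Message-ID header value directly.
function Revoke-OutboundOmeMessage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [Parameter(Mandatory)][string]$RecipientAddress,
        [string]$SubjectContains = '',
        [int]$LookbackDays = 7
    )

    # Message Trace is how we get from "the mail Alice sent Bob" to a Message-ID.
    $trace = Get-MessageTrace -SenderAddress $SenderAddress -RecipientAddress $RecipientAddress `
                              -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) |
             Where-Object { $_.Subject -like "*$SubjectContains*" } |
             Sort-Object Received -Descending

    if (-not $trace) { Write-Warning 'No matching message in the trace window.'; return }

    foreach ($msg in $trace) {
        # Shows whether the message is still in the revocable (encrypted) state.
        $status = Get-OMEMessageStatus -MessageId $msg.MessageId
        Write-Host "$($msg.Received)  $($msg.Subject)  -> $($msg.RecipientAddress)"
        $status | Format-List | Out-String | Write-Host

        # -WhatIf and -Confirm work automatically thanks to SupportsShouldProcess,
        # so a dry run never touches the message.
        if ($PSCmdlet.ShouldProcess($msg.MessageId, 'Revoke OME message')) {
            Set-OMEMessageRevocation -Revoke $true -MessageId $msg.MessageId
        }
    }
}

# Dry run first (addresses and subject are constructed placeholders):
Revoke-OutboundOmeMessage -SenderAddress 'alice@contoso.example' -RecipientAddress 'bob@partner.example' `
                          -SubjectContains 'Q2 forecast' -WhatIf
```

Drop `-WhatIf` (or answer the `-Confirm` prompt) once the status output shows the message you mean. Because the encrypted content never left the tenant, revocation is instant: the next time the recipient opens the link they get the "revoked" page shown on the slide.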
Email Encryption
Illicit Consent Grants
• In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications
• Phishing campaigns could trick users into granting access to applications
– https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
• Exploit first demonstrated by Kevin Mitnick
Illicit Consent Grants
• Exploit Scenario
– Demo
– Infrastructure
Illicit Consent Grants
(Diagram: User, Apache Web Server, Hacker)
• Exploit Scenario: Let's dive in!
Illicit Consent Grants
• Exploit Scenario
– User received a legit-looking email:
Illicit Consent Grants
• Exploit Scenario
– User received a legit-looking email:
Illicit Consent Grants
• Exploit Scenario
– Picks account to authenticate
Illicit Consent Grants
• Exploit Scenario
– Presented with permissions that need user consent only
Illicit Consent Grants
• Exploit Scenario
– All mails are encrypted
– … and this is just one of many possibilities
Illicit Consent Grants
• Exploit Scenario: Infrastructure – bit more detail
Illicit Consent Grants
• Consent is key
– Why build integrated applications?
– Using various APIs, you can grant apps access to your tenant data:
  – Mail, calendars, contacts, conversations
  – Users, groups, files and folders
  – SharePoint sites, lists, list items
  – OneDrive items, permissions and more
• Integration: Azure AD provides secure sign-in and authorization
– Developer registers the application with Azure AD
– Assigns permissions to the application
– Tenant administrator / user must consent to the permissions
Digital #metoo era
• Registering the application
– Who can register applications in your tenant?
– By default: any member! This can be a security issue
– Keep in mind: there is a record of what data was shared with which application. Also: when a user adds / allows an application to access their data, the event can be audited (Audit reports)
– See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
Azure AD Applications
• Authorization Flow: OAuth2 / OpenID
Azure AD Applications
• Authorization flow: let's simplify
– User consents to the permissions required by the app
– Application asks for authorization from Azure AD
– Azure AD makes the user sign in and returns a code to the application
– Application uses the code to retrieve a JWT bearer token to use the resource (Microsoft Graph API)
– Keep in mind: the JWT doesn't authenticate, it only authorizes!
Azure AD Applications
Preventing illicit consent grants
Regular application & permission enumeration
Cloud App Security
Educating users
Application Registration & consent restriction
• Remedy: Restricting app registrations
– Azure Portal > Azure Active Directory > User Settings
Azure AD Applications
• Remedy: Restricting consent grants
– Azure Portal > Azure Active Directory > User Settings
– Watch out! This means that all application consent will be REQUIRED to be done by Global Admins
Azure AD Applications
• Remedy: Enumerating apps and permissions
– Enumeration using PowerShell:
  – Install the AzureAD PowerShell module
  – Launch PowerShell ISE as an Administrator and:
    Install-Module AzureAD
  – Connect to Azure AD:
    Connect-AzureAD
  – Use PowerShell script: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
  – Example:
    .\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
Azure AD Applications
• Remedy: Enumerating apps and permissions
– What you get:
Azure AD Applications
• Remedy: Enumerating apps and permissions
– Gotcha: won't show redirect URLs!
– Requires AzureRM.Resources and Connect-AzureRMADAccount:
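To show what the enumeration in the previous three slides is actually reading, here is an added PowerShell example, written for this page and not the deck's own script nor the psignoret gist. It walks the tenant's OAuth2 permission grants, records who consented (a single user versus an admin on behalf of everyone), the granted scopes, and the reply URLs of the app registration, and flags grants that reach mail or files. It is written against the AzureAD module the deck uses and assumes `Connect-AzureAD` has already run; the "sensitive scope" pattern and the output file name are assumptions for the example.

```powershell
# Added example (not from the deck, not the psignoret gist): report every OAuth2
# permission grant with consenter, scopes and reply URLs, flagging risky scopes.
# The scope pattern below is an assumption; tune it to your own risk appetite.
$SensitiveScopePattern = '^(Mail\.|MailboxSettings\.|Files\.|Sites\.|Contacts\.|Directory\.)'

function Get-ConsentGrantReport {
    # Index service principals by object id and app registrations by AppId.
    $spById = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $spById[$_.ObjectId] = $_ }
    $replyUrlsByAppId = @{}
    Get-AzureADApplication -All $true | ForEach-Object { $replyUrlsByAppId[$_.AppId] = @($_.ReplyUrls) }

    foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
        $client   = $spById[$grant.ClientId]
        $resource = $spById[$grant.ResourceId]
        $scopes   = @($grant.Scope -split '\s+' | Where-Object { $_ })

        # ConsentType 'Principal' = one user consented (PrincipalId says who);
        # 'AllPrincipals' = admin consent on behalf of the whole tenant.
        if ($grant.ConsentType -eq 'Principal' -and $grant.PrincipalId) {
            try {
                $consentedBy = (Get-AzureADUser -ObjectId $grant.PrincipalId -ErrorAction Stop).UserPrincipalName
            } catch {
                $consentedBy = "(unknown user $($grant.PrincipalId))"
            }
        } else {
            $consentedBy = 'admin (all users)'
        }

        # Reply URLs exist only for apps registered in this tenant; a third-party
        # app's registration lives in the publisher's tenant (the slide's gotcha).
        if ($client -and $replyUrlsByAppId.ContainsKey($client.AppId)) {
            $replyUrls = $replyUrlsByAppId[$client.AppId] -join ' '
        } else {
            $replyUrls = '(registered in another tenant)'
        }

        [pscustomobject]@{
            Application = $client.DisplayName
            AppId       = $client.AppId
            Publisher   = $client.PublisherName
            Resource    = $resource.DisplayName
            ConsentedBy = $consentedBy
            Scopes      = $scopes -join ' '
            Sensitive   = [bool]($scopes | Where-Object { $_ -match $SensitiveScopePattern })
            ReplyUrls   = $replyUrls
        }
    }
}

# Review risky user-consented grants first; keep the full CSV as a baseline to diff later.
$report = Get-ConsentGrantReport
$report | Where-Object { $_.Sensitive -and $_.ConsentedBy -ne 'admin (all users)' } | Format-Table -AutoSize
$report | Export-Csv -Path 'consent-grants.csv' -NoTypeInformation
```

The grant from the demo scenario would surface here as a user-consented grant to Microsoft Graph with a `Mail.` scope from a publisher you do not recognise. Running this on a schedule and diffing against the saved CSV is the "regular application & permission enumeration" remedy listed a few slides earlier.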
Azure AD Applications
• Remedy: Searching your Audit Logs
– Use the 'consent' string to filter
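The same 'consent' filter can be applied from PowerShell instead of the portal. The block below is an added example, not from the deck, that pulls application-consent events from the unified audit log and lists who consented to what and from which IP. It assumes an Exchange Online PowerShell session (`Connect-ExchangeOnline`) with the audit log search permission. `Consent to application.` is the operation name Azure AD writes for these events, and the `AuditData` fields used (`UserId`, `ClientIP`, `Target`, `ModifiedProperties`) are the standard Azure AD audit record shape.

```powershell
# Added example (not from the deck): list application-consent events from the
# unified audit log, newest first, with consenter, client IP and consent details.
function Get-ConsentAuditEvent {
    param([int]$Days = 30)

    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                                      -Operations 'Consent to application.' -ResultSize 5000
    foreach ($rec in $records) {
        # AuditData is a JSON document; everything interesting lives inside it.
        $data = $rec.AuditData | ConvertFrom-Json

        # Target carries the application the consent was granted to; ModifiedProperties
        # carries the consent details (admin vs. user consent, permissions asked for).
        $targets = @($data.Target | ForEach-Object { $_.ID }) -join '; '
        $details = @($data.ModifiedProperties |
                     Where-Object { $_.Name -like 'Consent*' } |
                     ForEach-Object { "$($_.Name)=$($_.NewValue)" }) -join '; '

        [pscustomobject]@{
            When     = $data.CreationTime
            User     = $data.UserId
            ClientIP = $data.ClientIP
            Result   = $data.ResultStatus
            Target   = $targets
            Details  = $details
        }
    }
}

# Consents granted by ordinary users in the last week are the ones to review first.
Get-ConsentAuditEvent -Days 7 | Sort-Object When -Descending | Format-Table -Wrap
```

Pairing this with the grant report from the enumeration slides closes the loop: the audit log tells you when and from where a consent happened, the grant report tells you what that consent still allows today.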
Azure AD Applications
• Remedy: Cloud App Security
– Create an OAuth App Security Policy
Azure AD Applications
• What you get with CAS from our attack scenario
Azure AD Applications
Password Attacks
• Brute-forcing Office365 logins
– In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers
– Brute force attack unique: targeting multiple cloud providers
– 100,000 failed login attempts from 67 IPs and 12 networks over 7 months
– Slow and low to avoid intrusion detection
– Targeted users saw unsuccessful login attempts using up to 17 variations of their name
– Passwords likely the same (password spray attack)
– https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
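The pattern on this slide (many accounts, very few attempts each, spread over months) is what makes a spray invisible to per-account lockout. As an added example, not from the deck, the PowerShell below separates that pattern from a single-account brute force in sign-in data by grouping failures per source IP. The records are constructed for the example; in practice you would feed the function an Azure AD sign-in log export and map its columns onto the four property names used here.

```powershell
# Added example (not from the deck): flag source IPs whose failed sign-ins are
# spread thinly across many accounts, the signature of a password spray.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$MinDistinctUsers   = 10,  # one IP failing against at least this many accounts ...
        [int]$MaxAttemptsPerUser = 3    # ... with no more than this many tries per account
    )

    $SignIns |
        Where-Object { $_.Status -ne 'Success' } |
        Group-Object -Property IPAddress |
        ForEach-Object {
            $perUser    = @($_.Group | Group-Object -Property UserPrincipalName)
            $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum
            # A brute force has one user with many tries; a spray has many users with few.
            if ($perUser.Count -ge $MinDistinctUsers -and $maxPerUser -le $MaxAttemptsPerUser) {
                $times = @($_.Group.CreatedDateTime | Sort-Object)
                [pscustomobject]@{
                    IPAddress      = $_.Name
                    DistinctUsers  = $perUser.Count
                    FailedAttempts = $_.Count
                    MaxPerUser     = $maxPerUser
                    WindowHours    = [math]::Round(($times[-1] - $times[0]).TotalHours, 1)
                }
            }
        }
}

# --- constructed sample data (not real sign-in logs) -------------------------
$t0     = Get-Date '2019-06-01 00:00'
$sample = New-Object System.Collections.Generic.List[object]

# Spray: one IP, 12 accounts, 2 tries each, spread over about 13 hours.
foreach ($i in 1..12) {
    foreach ($round in 0..1) {
        $sample.Add([pscustomobject]@{
            UserPrincipalName = "user$i@contoso.example"
            IPAddress         = '203.0.113.7'
            Status            = 'Failure'
            CreatedDateTime   = $t0.AddMinutes(30 * $i + 480 * $round)
        })
    }
}
# Brute force: one IP hammering a single account 25 times (lockout catches this one).
foreach ($i in 1..25) {
    $sample.Add([pscustomobject]@{
        UserPrincipalName = 'ceo@contoso.example'
        IPAddress         = '192.0.2.9'
        Status            = 'Failure'
        CreatedDateTime   = $t0.AddSeconds(5 * $i)
    })
}
# A user who mistyped a password twice and then signed in normally.
foreach ($s in 'Failure', 'Failure', 'Success') {
    $sample.Add([pscustomobject]@{
        UserPrincipalName = 'user3@contoso.example'
        IPAddress         = '198.51.100.5'
        Status            = $s
        CreatedDateTime   = $t0.AddHours(9)
    })
}

Find-PasswordSpray -SignIns $sample.ToArray() | Format-Table -AutoSize
```

On the constructed data only 203.0.113.7 is reported (12 distinct users, 24 failures, at most 2 per user, over a 13.5 hour window); the brute force from 192.0.2.9 and the fat-fingered user are left alone. The thresholds are the knobs: a seven-month campaign like the one on the slide needs a long lookback window and a low `MaxAttemptsPerUser`, and the 17 name variations show up as extra distinct users rather than as repeats.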
Brute Force Attacks
• How hard is it to acquire the right login names?
– Demo
Brute Force Attacks
• Account Lockout in Office365
– Before 02/04/2019:
  – 10 unsuccessful attempts: captcha
  – Another 10: lockout (10 mins)
  – In reality: 10 tries = lockout
  – No customization allowed
Brute Force Attacks
• Account Lockout in Office365
– As of 02/04/2019: WOOHOO :)
Brute Force Attacks
• What could've stopped all this? MFA
– Interesting story about MFA: https://goo.gl/CFcA5t
Brute Force Attacks
• Good news: management through the app is better
Brute Force Attacks
• MFA – the elephant in the room
– 2 serious outages in 2018 alone
Brute Force Attacks
• MFA – in case of emergencies
– Consider implementing a break glass account (via Exclusions from Baseline MFA Policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
– Azure AD Portal > Conditional Access
Brute Force Attacks
• The way around MFA
– Recent breaches discovered by Proofpoint: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
– Essentially: using IMAP to get around MFA by mimicking legacy email clients
Brute Force Attacks
MFA exploit
Highlights
• 100,000 unauthorised login attempts analyzed (December 2018 onwards)
• 72% of tenants were targeted at least once
• 40% of tenants had at least 1 compromised account
• 15 of 10,000 active user accounts breached
• Microsoft's response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
– Require MFA
– Block clients that don't support modern auth.
– App Passwords
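"Block clients that don't support modern auth" is the control that closes the IMAP path from the previous slide, because a legacy client can only present a password, never an MFA proof. The following is an added PowerShell example, not from the deck, that applies it in Exchange Online: a new authentication policy denies Basic authentication on every protocol unless an `-AllowBasicAuth*` switch re-enables one, and making it the tenant default covers every user without an explicit policy. It assumes an Exchange Online PowerShell session (`Connect-ExchangeOnline`) with organization-management rights; the policy name and the mailbox address are assumptions for the example.

```powershell
# Added example (not from the deck): block Basic authentication tenant-wide so
# IMAP/POP clients can no longer log in with a password alone.
function Block-LegacyAuth {
    param([string]$PolicyName = 'Block Basic Auth')   # name is an assumption

    # A freshly created policy blocks Basic auth for all protocols by default.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $PolicyName | Out-Null
    }
    # Users without an explicitly assigned policy inherit the organization default.
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
}

# Policy changes take effect when a user's token refreshes (up to 24 hours). For an
# account you believe is being sprayed right now, force that refresh immediately.
function Reset-AuthPolicyForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-User -Identity $UserPrincipalName -STSRefreshTokensValidFrom (Get-Date)
}

# Belt and braces: which mailboxes still have the legacy protocols switched on at all?
function Get-LegacyProtocolExposure {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
        Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled
}

Block-LegacyAuth
Get-LegacyProtocolExposure | Format-Table -AutoSize
# To switch the protocols off entirely for one mailbox (address is a placeholder):
# Set-CASMailbox -Identity 'user1@contoso.example' -ImapEnabled $false -PopEnabled $false
```

Before making the policy the default, check the sign-in logs for anything still authenticating over IMAP, POP or SMTP AUTH with Basic credentials (scanners, multifunction printers and old mobile clients are the usual suspects) so the cut-over doesn't become an outage. App passwords, the last item on the slide, are precisely such a Basic-auth credential and should be retired along with the clients that need them.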
Brute Force Attacks
• Available as part of Threat Intelligence (available in Office365 Enterprise E5)
• You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled
Attack Simulator
• Spear Phishing Campaigns
• Password Brute-Force Attacks
• Password Spray Attacks
• Where do you find it: protection.office.com > Threat Management
Attack Simulator
• Spear Phishing campaigns
– Tip: target users identified as top targeted in the Threat Management dashboard
– Tip 2: You'll need to enable Office Analytics
Attack Simulator
• Spear Phishing campaigns
– User tries to log in to phishing site
– Redirected to awareness page
Attack Simulator
• Spear Phishing campaigns
– Tip: best to use your own phishing landing site ;)
Attack Simulator
• Brute Force Password
– Use a pre-set word list against one or multiple user accounts
– Uses the same method an attacker would
– I mean literally: watch out! Currently this locks out the user account.
– Only supports very limited password lists (Internal server error at 10k passwords)
– Best online resources for common credentials: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
Attack Simulator
• Password Spray Attack
– Tries one or a few passwords against all accounts
– Story: known password against two accounts
– Both accounts DID have that password
– Why?
– Gotcha: second user had MFA enabled, which doesn't appear to be supported.
Attack Simulator
• Generally available in Office365 – Security & Compliance
• Tracks major malware campaigns (WannaCry, Petya, etc.)
• Lets you track the impact of these campaigns in your tenant
Threat Tracker
• About generating random passwords
– The current Office365 generated password format isn't hard to guess:
– Tip: make sure to have users change their passwords on first login
Office365 passwords
• Guessing random passwords
– Always 8 characters
– Starts with 3 letters
– Ends in 5 numbers
Office365 passwords
Keyspace of the generated format (character classes as in the crunch template below):
  Position 1: uppercase consonant   21
  Position 2: lowercase vowel        5
  Position 3: lowercase consonant   21
  Positions 4-8: numbers            10 × 10 × 10 × 10 × 10
  Total: 21 × 5 × 21 × 10^5 = 220,500,000
• Guessing random passwords
– Pretty easy to create a password list for brute-force:
– Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
– File size: only ~1GB
Office365 passwords
• Simulate attacks against your own environment
• Keep an eye out for more attack simulation tools
• Use your own phishing tactics and word lists
• Educate users on strong passwords
Conclusion
OfficeExpert
You can sign up for our sandbox (14 days trial – immediately):
https://www.panagenda.com/officeexpert-sandbox
If you’re an MVP, you get a free license from us:
https://www.panagenda.com/exclusive-mvp-offer
Thank You
Questions & Feedback: LOVE IT
Get in touch: ben.menesi@panagenda.com
Presentation online: slideshare.net/benedek.Menesi
@BenMenesi
Linkedin.ca/in/benedekmenesi


Editor's Notes

  • #17 Conclusion: Update, patch, pay attention to cyber hygiene!
  • #18 Todo: Ransomware community effort
  • #19 Todo: Ransomware community effort
  • #20 Todo: Ransomware community effort