Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
Microsoft365 from a Hacker's Perspective
1. Make Your Data Work For You
Office365 from a Hacker's perspective
Real life threats, tactics and remedies
Ben Menesi
New York, NY
27th 07 2019
2. Speaker
• Ben Menesi
– VP Products & Innovation at panagenda
– Started out in the IBM world
– SharePoint & Exchange Admin & Dev
– Certified Ethical Hacker v9 and OSCP student
– Enjoys breaking things
– Speaker at IT events around the globe (SPS Toronto, Calgary, Geneva, Cambridge)
– Owns a bar (recently) @BenMenesi
3. panagenda
• Who we are
– HQ in Vienna, Austria
– Offices in Boston, Austria, Germany, The Netherlands and Australia
– >1M user licenses across over 80 countries
4. panagenda
• What we do: OfficeExpert
• Quality of Service monitoring using bots
• Teams Analytics
9. Statistics
• Some numbers from the field
– Verizon's 2017 & 2018 Data Breach Investigations Report: 53000 incidents & 2216 data breaches
– 58% of victims are businesses with < 1000 employees (62% in 2017)
– 68% of breaches took months(!!!) to discover
– 92% of malware vectors: email (6.3% web, 1.3% other)
10. On-Prem. Vs. Cloud Security
• Benefits of your data in the cloud
– Broader scope of threat intelligence
– Larger and more specialized security muscle than most SMBs
– Fast and instant delivery (no manual patching required)
11. On-Prem. Vs. Cloud Security
• Disadvantages of using cloud services
– Vulnerability / risk mitigation is out of our control
– Part of a larger, very attractive attack surface
– Less flexibility in customizing defenses
12. Vulnerability Mitigation
• Practical example
– Basestriker attack: gets around Microsoft's ATP SafeLinks by leveraging the <base> tag:
Traditional way to embed URLs in a phishing email:
Using the <base> tag:
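An added example, not from the slides: the defender-side lesson of Basestriker is that a link scanner has to resolve every href against the `<base href>` exactly as the mail client will, instead of judging the literal href. The mail body and the example.invalid domain below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample mail body; example.invalid is a placeholder, not a real site.
SAMPLE_MAIL = (
    '<html><head><base href="https://example.invalid/"></head>'
    '<body><p>Your mailbox is almost full.</p>'
    '<a href="login/index.html">Sign in</a></body></html>'
)


class _LinkCollector(HTMLParser):
    """Collect the <base href> and every <a href> from an HTML body."""

    def __init__(self):
        super().__init__()
        self.base = None        # the first <base href> wins, as in the HTML spec
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def effective_links(html):
    """Return (uses_base_tag, absolute_urls): the destinations the mail client
    will actually open. A scanner that only inspects the literal href sees a
    harmless-looking relative path here; resolving against <base> exposes the
    real target that SafeLinks-style rewriting needs to check."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    resolved = [urljoin(parser.base, h) if parser.base else h for h in parser.raw_hrefs]
    return parser.base is not None, resolved
```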
13. Vulnerability Mitigation
• Vulnerability Lifecycle
– 02.05.2018: Microsoft alerted by Avanan
– 02.05.2018: Proofpoint alerted by Avanan
– 16.05.2018: Microsoft fixes vulnerability
– 14 days
15. Ransomware Attacks
Why are they so important?
DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017
WannaCry: 150 countries, estimated at $4B
NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
54% of companies experienced one or more successful attacks
Total cost of a successful cyber attack is over $5M or $301 / employee
16. Ransomware Attacks
How do they spread?
60% of ransomware attacks come from infected emails BUT:
Also, vulnerable (application) servers
Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
Malware infection likely through SMBv1 open on a web server
Aftermath: $2.6M cost
17. Decrypting Ransomware
Cautionary tale: Herrington & Company gets ransomwared
Engages Data Recovery company to retrieve data
DR company quotes $6000 to recover data
Data recovery is WAY too fast
FBI confirms that PDR indeed paid ransom to decrypt victim’s files
https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
How do we prevent ransomware?
18. Ransomware Protection
Microsoft introduced Files Restore for OneDrive
Allows you to restore an entire OneDrive account to a previous point in time within 30 days
Monitors file assets and notifies if an attack is detected
19. Ransomware Protection
Careful!
Real time notification might not be as accurate as we think
AxCrypt encryption on OneDrive files stays under the radar
Ransomware prevention: have users store important data in OneDrive
21. Email Encryption: End-to-end encryption
Prevent Forwarding: Restrict email recipients from forwarding or copying emails you send (plus: MS Office docs attached are encrypted even after downloading)
What happens if the recipient is outside your organization:
Email Encryption
23. Revoking Encrypted Messages
This one is thanks to Al Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/
Encrypted status means: email & content didn't leave the perimeter.
You can use Message Trace to locate the outgoing mail and then use PowerShell to:
Query the OME status: Get-OMEMessageStatus -MessageID "message id"
Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageID "message id"
Email Encryption
24. Revoking Encrypted Messages
Because the data never left the perimeter, it's the 'link' that's broken at the moment of revocation and the recipient will get this:
Email Encryption
26. In the light of the Facebook Cambridge Analytica scandal, we should take a look at Azure AD registered applications
Phishing campaigns could trick users into granting access to applications
https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
Exploit first demonstrated by Kevin Mitnick
Illicit Consent Grants
27. Exploit Scenario
Demo
Infrastructure (diagram): User, Apache Web Server, Hacker
Illicit Consent Grants
35. Consent is key
Why build integrated applications?
Using various APIs, you can grant apps access to your tenant data:
Mail, calendars, contacts, conversations
Users, groups, files and folders
SharePoint sites, lists, list items
OneDrive items, permissions and more
Integration: Azure AD provides secure sign-in and authorization
Developer registers the application with Azure AD
Assign permissions to the application
Tenant administrator / user must consent to permissions
Digital #metoo era
36. Registering the application
Who can register applications in your tenant?
By default: any member! This can be a security issue
Keep in mind: there is a record of what data was shared with which application.
Also: when a user adds / allows an application to access their data, the event can be audited (Audit reports)
See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
Azure AD Applications
38. Authorization flow: let’s simplify
User consents to permissions required by the app
Application asks for authorization from the Azure AD
Azure AD makes the user sign in and returns code to application
Application uses code to retrieve JWT bearer token to use resource (Microsoft Graph API)
Keep in mind: JWT doesn’t authenticate, only authorizes!
Azure AD Applications
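An added example, not from the presentation: decoding the claims of a delegated access token to see what the consenting user actually handed to the app. Claim names (aud, appid, upn, scp, exp) follow Azure AD v1 access tokens; the token is constructed locally with a placeholder app id, user and signature segment, and the parser deliberately does no signature check, which is the slide's point: the resource reads who consented and what was granted from the token, and anyone presenting it before exp gets that access.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore the padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def inspect_bearer_token(token, now=None):
    """Read the claims of an Azure AD v1-style access token WITHOUT verifying it.
    The token names the app (appid) acting for a user (upn) with scopes (scp)
    until exp; it says nothing about who is currently holding it."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "audience": claims.get("aud"),
        "app_id": claims.get("appid"),
        "user": claims.get("upn"),
        "scopes": sorted(claims.get("scp", "").split()),
        "expired": now >= claims.get("exp", 0),
        "seconds_left": max(0, int(claims.get("exp", 0) - now)),
    }


# Constructed claims: placeholder app id and user. Real Azure AD tokens are
# RS256-signed and a resource must verify that signature before trusting them.
DEMO_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "upn": "alice@example.invalid",
    "scp": "Mail.Read Files.ReadWrite.All offline_access",
    "exp": 1700000000,
}


def make_demo_token(claims=DEMO_CLAIMS):
    """Assemble header.payload.signature with a fake signature segment (demo only)."""
    header = _b64url_encode({"typ": "JWT", "alg": "RS256"})
    return header + "." + _b64url_encode(claims) + ".not-a-real-signature"
```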
40. Remedy: Restricting app registrations
Azure Portal > Azure Active Directory > User Settings
Azure AD Applications
41. Remedy: Restricting consent grants
Azure Portal > Azure Active Directory > User Settings
Watch out! This means that all application consent will be REQUIRED to be done by Global Admins
Azure AD Applications
42. Remedy: Enumerating apps and permissions
Enumeration using PowerShell:
Install the AzureAD PowerShell module
Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
Connect to Azure AD:
Connect-AzureAD
Use PowerShell script:
https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
Example:
.\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
Azure AD Applications
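An added example, not the gist's code: once permissions.csv has been exported, this Python triage groups the grants per client application and lists the apps an admin should review first. The column names (PermissionType, ClientDisplayName, Permission, ConsentType, PrincipalDisplayName) and the risk buckets are assumptions made for this example, and the sample CSV is constructed; adjust the names to the export's real headers.

```python
import csv
import io

# Constructed export in the assumed layout of permissions.csv (not real data).
SAMPLE_CSV = """PermissionType,ClientDisplayName,ResourceDisplayName,Permission,ConsentType,PrincipalDisplayName
Delegated,Quarterly Survey Tool,Microsoft Graph,User.Read,Principal,Alice Example
Delegated,Quarterly Survey Tool,Microsoft Graph,Mail.Read,Principal,Alice Example
Delegated,Calendar Helper,Microsoft Graph,Calendars.ReadWrite,Principal,Bob Example
Application,Backup Connector,Microsoft Graph,Files.Read.All,AllPrincipals,
"""

# Heuristic buckets for this example, not Microsoft's own classification.
HIGH_RISK_PREFIXES = ("Mail.", "Files.", "Sites.", "Directory.", "Contacts.", "User.ReadWrite")


def scope_risk(permission):
    """'high' for mail/files/directory access or any tenant-wide (.All) scope,
    'medium' for other write scopes, 'low' otherwise (User.Read, offline_access)."""
    if permission.endswith(".All") or permission.startswith(HIGH_RISK_PREFIXES):
        return "high"
    if "Write" in permission:
        return "medium"
    return "low"


def triage_permissions(csv_text):
    """Group grants by client app and note tenant-wide consent: admin consent
    for all principals, or application permissions needing no signed-in user."""
    apps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = apps.setdefault(row.get("ClientDisplayName", "?"),
                              {"high": set(), "medium": set(), "low": set(), "tenant_wide": False})
        permission = row.get("Permission", "")
        app[scope_risk(permission)].add(permission)
        if row.get("ConsentType") == "AllPrincipals" or row.get("PermissionType") == "Application":
            app["tenant_wide"] = True
    return apps


def needs_review(apps):
    """Apps to look at first: any high-risk scope or any tenant-wide grant."""
    return sorted(name for name, a in apps.items() if a["high"] or a["tenant_wide"])
```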
50. Brute forcing office365 logins
In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers
Brute force attack unique: targeting multiple cloud providers
100,000 failed login attempts from 67 IPs and 12 networks over 7 months
Slow and low to avoid intrusion detection
Users see unsuccessful login attempts using up to 17 name variations
Passwords likely the same (password spray attack)
https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
Brute Force Attacks
51. How hard is it to acquire the right login names?
Demo
Brute Force Attacks
52. Account Lockout in Office365
Before 02/04/2019:
10 unsuccessful attempts: captcha
Another 10: lockout (10 mins)
In reality: 10 tries = lockout
No customization allowed
Brute Force Attacks
53. Account Lockout in Office365
As of 02/04/2019: WOOHOO
Brute Force Attacks
54. What could’ve stopped all this?
MFA
Interesting story about MFA:
https://goo.gl/CFcA5t
Brute Force Attacks
55. Good news: management through the app is better
Brute Force Attacks
56. MFA – the elephant in the room
2 serious outages in 2018 alone
Brute Force Attacks
57. MFA – in case of emergencies
Consider implementing a break glass account (via Exclusions from Baseline MFA Policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
Azure AD Portal > Conditional Access
Brute Force Attacks
58. The way around MFA
Recent breaches discovered by Proofpoint:
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
Essentially: using IMAP to get around MFA by mimicking legacy email clients
Brute Force Attacks
59. MFA exploit
Highlights
100,000 unauthorised login attempts analyzed (December 2018 – onwards)
72% tenants were targeted at least once
40% tenants had at least 1 compromised account
15 of 10,000 active user accounts breached
60. Microsoft's response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
Require MFA
Block clients that don’t support modern auth.
App Passwords
Brute Force Attacks
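An added example (not from the presentation) that serves two slides at once: the slow, low password spray from slide 50 and the IMAP bypass of MFA from slides 58 to 60. It is a Python analyzer over sign-in events that flags one source IP failing against many distinct users with few attempts each, and successful sign-ins over protocols that cannot carry a second factor. The event shape and the client names are assumptions modelled loosely on Azure AD sign-in logs (clientAppUsed); all events are constructed.

```python
import json
from collections import defaultdict

# Protocols that cannot present a second factor (assumed clientAppUsed values).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed events: ts (epoch seconds), ip, user, ok (success?), client.
SAMPLE_SIGNINS = """
{"ts": 0,     "ip": "203.0.113.10", "user": "a.smith@example.invalid", "ok": false, "client": "IMAP4"}
{"ts": 3600,  "ip": "203.0.113.10", "user": "b.lee@example.invalid",   "ok": false, "client": "IMAP4"}
{"ts": 7200,  "ip": "203.0.113.10", "user": "c.jones@example.invalid", "ok": false, "client": "IMAP4"}
{"ts": 10800, "ip": "203.0.113.10", "user": "d.kim@example.invalid",   "ok": false, "client": "IMAP4"}
{"ts": 14400, "ip": "203.0.113.10", "user": "e.diaz@example.invalid",  "ok": false, "client": "IMAP4"}
{"ts": 18000, "ip": "203.0.113.10", "user": "c.jones@example.invalid", "ok": true,  "client": "IMAP4"}
{"ts": 18100, "ip": "198.51.100.7", "user": "a.smith@example.invalid", "ok": false, "client": "Browser"}
{"ts": 18200, "ip": "198.51.100.7", "user": "a.smith@example.invalid", "ok": true,  "client": "Browser"}
"""


def parse_signins(jsonl):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect_spray(events, min_users=5, max_per_user=3):
    """Password spray: one source IP fails against many distinct users, a few
    tries each, so no single account trips the lockout counter.
    Returns {ip: (distinct_users, span_seconds)} for IPs matching the pattern."""
    failures = defaultdict(lambda: defaultdict(list))
    for e in events:
        if not e["ok"]:
            failures[e["ip"]][e["user"]].append(e["ts"])
    hits = {}
    for ip, users in failures.items():
        if len(users) >= min_users and all(len(t) <= max_per_user for t in users.values()):
            stamps = [t for times in users.values() for t in times]
            hits[ip] = (len(users), max(stamps) - min(stamps))
    return hits


def detect_legacy_success(events):
    """Successful sign-ins over legacy protocols: the password alone was enough,
    so MFA offered no protection. Each one deserves a look, and the protocol a block."""
    return sorted({(e["user"], e["client"], e["ip"])
                   for e in events if e["ok"] and e["client"] in LEGACY_CLIENTS})
```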
61. Available as part of Threat Intelligence (available in Office365 Enterprise E5)
You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled
Attack Simulator
Spear Phishing Campaigns
Password Brute-Force Attacks
Password Spray Attacks
62. Where do you find it: protection.office.com > Threat Management
Attack Simulator
63. Spear Phishing campaigns
Tip: target users identified as top targeted in the Threat Management dashboard
Tip2: You’ll need to enable Office Analytics
Attack Simulator
64. Spear Phishing campaigns
User tries to log in to phishing site
Redirected to awareness page
Attack Simulator
65. Spear Phishing campaigns
Tip: best to use your own phishing landing site ;)
Attack Simulator
66. Brute Force Password
Use a pre-set word list against one or multiple user accounts
Uses the same method an attacker would
I mean literally: watch out! Currently this locks out the user account.
Only supports very limited password lists (Internal server error at 10k passwords)
Best online resources for common credentials:
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
Attack Simulator
67. Password Spray Attack
Tries one or a few passwords against all accounts
Story: known password against two accounts
Both accounts DID have that password
Why?
Gotcha: second user had MFA enabled, which doesn’t appear to be supported.
Attack Simulator
68. Generally available in office365 – Security & Compliance
Tracks major malware campaigns (WannaCry, Petya, etc)
Lets you track the impact of these campaigns in your tenant
Threat Tracker
69. About generating random passwords
Current password format isn’t hard to guess:
Tip: make sure to have users modify their passwords on first login
Office365 passwords
71. Guessing random passwords
Pretty easy to create a password list for brute-force:
Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
File size: only ~ 1GB
Office365 passwords
72. Simulate attacks against your own environment
Keep an eye out for more attack simulation tools
Use your own phishing tactics and word lists
Educate users on strong passwords
Conclusion
73. OfficeExpert
You can sign up for our sandbox (14 days trial – immediately):
https://www.panagenda.com/officeexpert-sandbox
If you’re an MVP, you get a free license from us:
https://www.panagenda.com/exclusive-mvp-offer
74. Thank You
Questions & Feedback: LOVE IT
Get in touch: ben.menesi@panagenda.com
Presentation online: slideshare.net/benedek.Menesi
@BenMenesi
Linkedin.ca/in/benedekmenesi