The document discusses security threats related to Office 365 from a hacker's perspective. It summarizes common ransomware attacks and techniques, such as using the <base> tag to bypass email link protections. It also demonstrates how illicit consent grants could be obtained by tricking users into granting permissions to malicious applications registered in their Azure Active Directory. The speaker advocates for restricting application registrations and consent to applications to help prevent this threat.
Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
Analyzing Microsoft Teams engagement & adoption: Why, What & How? by Benedek Menesi
For most organizations deploying Teams, only about 16% of employees turn out to be early adopters. That means, if you are or will be engaged in a Teams deployment, you’ve only got another 84% to get on board to ensure adoption budget isn’t wasted.
In this hybrid technical & adoption session, you will learn from real-world customer examples how usage and engagement analysis has helped others like you overcome common adoption problems.
We will go through all the available data sources such as the Teams Admin Center, Office365 Activity Reports, Microsoft Graph & PowerShell and how you can put them to work to better understand your organization's usage patterns.
You will leave with a thorough understanding of the strengths and limitations of the data available to you and how to interpret and use this data to maximize user engagement in the shortest amount of time and ensure the best possible return on your investment.
Office365 from a hacker's perspective: Real life Threats, Tactics and Remedie... by Benedek Menesi
Unfortunately, SlideShare no longer supports re-uploading presentations. You can find the new, updated version of this deck here: https://www.slideshare.net/BenedekMenesi/office365-from-a-hackers-perspective-reallife-threats-tactics-and-remedies
Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide by Benedek Menesi
While Microsoft Teams adoption is growing incredibly fast with over 80 million active daily users in 2020, some highly regulated organizations are often hesitant to deploy Teams or limit the deployment of Teams due to information security concerns and possible cyber security threats. Supporting any platform with that many daily users you can be sure that hackers are watching closely and will do everything they can to gain a foothold in your environment.
During this presentation we will cover real-world cyber security threats as well as strategies for hardening your security configurations to protect your Teams deployment. We will also cover the available Microsoft add-on solutions to improve security, including Advanced Threat Protection (ATP), increased logging options, and Azure AD P1 licenses that improve Teams governance capabilities. Some of the topics we'll discuss:
- Credential theft campaigns
- Identity spoofing for user impersonation
- Man-in-the-middle attacks
- Locking down 3rd party application implementations
- Conditional access policies
- Permission management settings
- Information boundary configurations
- And more…
You'll learn how hackers think, and how you can gain the upper hand by preparing and training your users for the most common cyber security exploits as well as leveraging the best Microsoft tools available to mitigate both external and internal security risks.
Office365 in today's digital threats landscape: attacks & remedies from a hac... by Benedek Menesi
Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ... by Patrick Guimonet
The document outlines five key steps to secure an Office 365 environment:
1. Implement identity and access management with conditional access controls, identity protection, and secure authentication like multifactor authentication.
2. Employ threat protection with integrated and automated security services like Azure ATP.
3. Use information protection tools like Azure Information Protection to classify and protect sensitive data across apps and services.
4. Strengthen security management with insights from tools like Microsoft Secure Score and Azure Security Center.
5. Conduct end user security awareness training on best practices and risks.
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with A... by Scott Hoag
Securing Office 365 requires knowing more than your way around the Admin Center. With Office 365's heavy dependency on Azure Active Directory for authentication (and in some cases authorization) to Office 365 workloads, it is critical that you understand how users access your environment and how you can control that access.
In this session, we'll explore how you can secure your Office 365 tenant with Azure Active Directory, conditional access policies, and more.
An introduction to Office 365 Advanced Threat Protection (ATP) by Robert Crane
The document describes Microsoft's security solutions for email, files, and collaboration. It discusses how email, attachments, links, and files shared in Teams, OneDrive, and SharePoint are scanned for threats. Advanced Threat Protection uses detonation chambers, reputation blocking, and heuristic clustering to identify malicious content.
Thr30117 - Securely logging to Microsoft 365 by Robert Crane
The document discusses security challenges facing organizations and introduces several Microsoft security products and services that can help address those challenges. It outlines threats like phishing, password spraying, and account takeovers that target identity. It then summarizes the capabilities of Azure Active Directory, Microsoft Cloud App Security, Azure Sentinel, Azure Information Protection, Microsoft Intune and other Microsoft security tools to provide comprehensive protection across devices, apps and data located on-premises and in the cloud. Resources for further information are also listed.
SPC18 - Getting Started with Office 365 Advanced Threat Protection for ShareP... by jeffgellman
This is the deck from my presentation at SPC18 on Getting Started with Office 365 Advanced Threat Protection for SharePoint, OneDrive for Business and Teams.
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock by CloudLock
According to the latest IBM X-Force Research report, the average consolidated total cost of a single data breach is $3.8 million. And with data breaches up 22% so far in 2016, across every vertical imaginable, the threat must be addressed. Watch Google and CloudLock's discussion in this hands-on exploration of how your organization can combat these ever changing security threats.
Codeless Security for the Apps You Buy & Build on AWS by CloudLock
Watch this webinar to learn what codeless security looks like for the cloud apps you build. Codeless - that means baking in security capabilities to defend your custom apps against data breaches without having to write a single line of code.
How to get deeper administration insights into your tenant by Robert Crane
Microsoft Cloud App Security is a powerful reporting and alerting tool that provides deep analytics into your Microsoft 365 tenant. Combined with other agents it can be a central place to bring all your reporting and alerting together and even incorporate information from endpoints, servers and firewalls. Come and learn why Microsoft Cloud App Security provides administrators power beyond their wildest dreams when it comes to managing Microsoft 365.
Community IT CTO Matthew Eshleman reviews security fundamentals in Office 365. Small and medium sized nonprofits are in a great position to take advantage of the native security tools offered in Office 365.
Securing Governing and Protecting Your Office 365 Investments by Chris Bortlik
Microsoft continues to invest in services and capabilities to help you protect, detect, and respond to a variety of emerging security and compliance needs for Office 365. Come to this session for an interactive scenario based whiteboard and demonstration of how you can implement comprehensive controls based on a variety of dimensions across the identity of the user; their location and device; and the application, service, and content they are accessing.
The document discusses building solutions with the SharePoint Framework (SPFx) that work across SharePoint and Microsoft Teams. It provides information on SPFx extensions, building tabs using the SPFx development model, and leveraging existing solutions across platforms like Teams and SharePoint. Examples of building personal tabs in Teams using SPFx are also included.
Secure Modern Workplace With Microsoft 365 Threat Protection by Ammar Hasayen
Join me as I walk you through all what Microsoft 365 has to offer to protect your business and organization. I am going to cover every security feature and how it fits in the big picture. Whether you are on-premises organization or migrating to the cloud, there is something for you to look at.
Follow me on twitter @ammarhasayen and connect on LinkedIn https://www.linkedin.com/in/ammarhasayen
Here is the full blog post: https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
This document provides an overview of security and compliance in Office 365. It discusses the modern workplace and security challenges in a cloud-first, mobile-first world. It then describes Office 365's defense-in-depth, multi-dimensional approach to security across physical, network, host, application, administration and data layers. Specific Office 365 security and compliance offerings are outlined, including Cloud Access Security Brokers, SIEM, MDR and CASB tools. The document concludes by discussing upcoming topics that will be covered in future parts, such as Exchange Online Protection, Advanced Threat Protection, Threat Intelligence, GDPR compliance and data governance tools.
Microsoft EMS Enterprise Mobility and Security Architecture Poster by Ammar Hasayen
Microsoft Cloud Security and Mobility Architecture Deep Dive showing Azure Active Directory, EMS, Azure Information Protection AIP, device management, DLP, CASB and more.
Poster. Full blog post:
https://blog.ahasayen.com/microsoft-cloud-security-approach/
This document summarizes Wyng's user-generated content marketing platform and serverless architecture. Wyng is a digital marketing company headquartered in New York City that builds campaign platforms for brands. Their platform ingests 500k user-generated social media posts per day from hashtags and mentions, filters and searches the content, and analyzes marketing trends. Wyng implemented a serverless architecture using AWS Lambda, Kinesis, S3, Elasticsearch, and other services to scale elastically and reduce costs by 50%. The summary discusses lessons learned around security, availability, and technical limitations of the serverless approach.
Webinar: Securing Remote Workforce on the Microsoft Cloud by Withum
With remote work being a reality for most, users expect to be able to connect to any resource, on any device, from anywhere in the world. Let’s face it – there is a growing realization that remote work is here to stay, so let’s do it right.
There are three critical areas that should be top of mind:
- How can we do remote work better?
- How can we maintain security?
- And, how can we reduce costs?
In this presentation, we share ideas and show tools in the Microsoft cloud for better remote work, better security and opportunity to reduce costs.
This document summarizes a presentation on information barriers in Microsoft 365. It discusses how to configure information barriers by setting prerequisites and permissions, segmenting users, defining information barrier policies, applying the policies, and testing them in Microsoft Teams, SharePoint and OneDrive. Specific examples are provided around a use case involving sales, research and HR departments. Configuration steps and commands are outlined for setting up and managing information barriers.
Windows Advance Threats - BSides Amman 2019 by Ammar Hasayen
Learn how to hack Windows machines and reveal the password of the domain admin by hacking into the memory and Windows Services. This is Level 400 content with a lot of demos and it covers many security technologies like machine learning, post-breach defensive and pre-breach defensive controls.
I presented this session in the first BSides Security conference in Amman-Jordan and I am sharing the slides as requested by the audience.
I am also going to post the full video on my Youtube Channel: http://youtube.com/ammarhasayen , so, don't forget to subscribe.
I would like to hear your feedback on my session, so please connect with me on twitter @ammarhasayen and let me know what you think.
About me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media (Twitter, LinkedIn, Instagram): @ammarhasayen
Windows Advanced Threat and Defensive Technique
SPSNL17 - Securing Office 365 and Microsoft Azure like a rock star (or groupi... by DIWUG
Securing and maintaining a trustworthy Office 365 and Microsoft Azure deployment is not an easy task. In this session we'll take a look into how you can secure and control your cloud-based servers and services, data and users using Azure Active Directory, Azure Security Center, Privileged Identity Management and Advanced Security Management. In addition we’ll also take a look at how Operations Management Suite and Microsoft Advanced Threat Analytics can be used to provide better overall security for on-premises and hybrid deployments.
Office 365 in today's digital threats landscape: attacks & remedies from a ha... by panagenda
After the positive feedback of Ben Menesi's session at the 2019 SPS Ottawa, he was asked to repeat it at Salt Lake M365 Friday in February 2020.
Abstract: Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
https://www.linkedin.com/in/benedekmenesi/
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with A...Scott Hoag
Securing Office 365 requires knowing more than your way around the Admin Center. With Office 365's heavy dependency on Azure Active Directory for authentication (and in some cases authorization) to Office 365 workloads, it is critical that you understand how users access your environment and how you can control that access.
In this session, we'll explore how you can secure your Office 365 tenant with Azure Active Directory, conditional access policies, and more.
An introduction to Office 365 Advanced Threat Protection (ATP)Robert Crane
The document describes Microsoft's security solutions for email, files, and collaboration. It discusses how email, attachments, links, and files shared in Teams, OneDrive, and SharePoint are scanned for threats. Advanced Threat Protection uses detonation chambers, reputation blocking, and heuristic clustering to identify malicious content.
Thr30117 - Securely logging to Microsoft 365Robert Crane
The document discusses security challenges facing organizations and introduces several Microsoft security products and services that can help address those challenges. It outlines threats like phishing, password spraying, and account takeovers that target identity. It then summarizes the capabilities of Azure Active Directory, Microsoft Cloud App Security, Azure Sentinel, Azure Information Protection, Microsoft Intune and other Microsoft security tools to provide comprehensive protection across devices, apps and data located on-premises and in the cloud. Resources for further information are also listed.
SPC18 - Getting Started with Office 365 Advanced Threat Protection for ShareP...jeffgellman
This is the deck from my presentation at SPC18 on Getting Started with Office 365 Advanced Threat Protection for SharePoint, OneDrive for Business and Teams.
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockCloudLock
According to the latest IBM X-Force Research report, the average consolidated total cost of a single data breach is $3.8 million. And with data breaches up 22% so far in 2016, across every vertical imaginable, the threat must be addressed. Watch Google and CloudLock's discussion in this hands-on exploration of how your organization can combat these ever changing security threats.
Codeless Security for the Apps You Buy & Build on AWSCloudLock
Watch this webinar to learn what codeless security looks like for the cloud apps you build. Codeless - that means baking in security capabilities to defend your custom apps against data breaches without having to write a single line of code.
How to get deeper administration insights into your tenantRobert Crane
Microsoft Cloud App Security is a powerful reporting and alerting tool that provides deep analytics into your Microsoft 365 tenant. Combined with other agents it can be a central place to bring all your reporting and alerting together and even incorporate information from endpoints, servers and firewalls. Come and learn why Microsoft Cloud App Security provides administrators power beyond their wildest dreams when it comes to managing Microsoft 365.
Community IT CTO Matthew Eshleman reviews security fundamentals in Office 365. Small and medium sized nonprofits are in a great position to take advantage of the native security tools offered in Office 365.
Securing Governing and Protecting Your Office 365 InvestmentsChris Bortlik
Microsoft continues to invest in services and capabilities to help you protect, detect, and respond to a variety of emerging security and compliance needs for Office 365. Come to this session for an interactive scenario based whiteboard and demonstration of how you can implement comprehensive controls based on a variety of dimensions across the identity of the user; their location and device; and the application, service, and content they are accessing.
The document discusses building solutions with the SharePoint Framework (SPFx) that work across SharePoint and Microsoft Teams. It provides information on SPFx extensions, building tabs using the SPFx development model, and leveraging existing solutions across platforms like Teams and SharePoint. Examples of building personal tabs in Teams using SPFx are also included.
Secure Modern Workplace With Microsoft 365 Threat ProtectionAmmar Hasayen
Join me as I walk you through alll what Microsoft 365 has to offer to protect your business and organization. I am going to cover every security feature and how it fits in the big picture. Whether you are on-premises organization or migrating to the cloud, there is something for you to look at.
Follow me on twitter @ammarhasayen and connect on Linkedined https://www.linkedin.com/in/ammarhasayen
Here is the full blog post: https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
This document provides an overview of security and compliance in Office 365. It discusses the modern workplace and security challenges in a cloud-first, mobile-first world. It then describes Office 365's defense-in-depth, multi-dimensional approach to security across physical, network, host, application, administration and data layers. Specific Office 365 security and compliance offerings are outlined, including Cloud Access Security Brokers, SIEM, MDR and CASB tools. The document concludes by discussing upcoming topics that will be covered in future parts, such as Exchange Online Protection, Advanced Threat Protection, Threat Intelligence, GDPR compliance and data governance tools.
Microsoft EMS Enterprise Mobility and Security Architecture PosterAmmar Hasayen
Office 365 in today's digital threats landscape: attacks & remedies from a ha...panagenda
After the positive feedback of Ben Menesi's session at the 2019 SPS Ottawa, he was asked to repeat it at Salt Lake M365 Friday in February 2020.
https://www.linkedin.com/in/benedekmenesi/
Office365 from a hacker's perspective: Real-life Threats, Tactics and Remedies
1. Office365 from a Hacker’s perspective
Real life threats, tactics and remedies
Twitter: @BenMenesi
http://www.ytria.com/sapio365
2. Speaker
Head of Products at Ytria
Started out in the IBM world (Admin & Developer)
SharePoint & Exchange Admin and Developer
Certified Ethical Hacker v9 and current OSCP student
Enjoys breaking things
Speaker at IT events around the globe on all things collaboration and security (SPS Toronto, Calgary, Geneva, Cambridge, Chicago etc…)
Ben Menesi
@BenMenesi
3. Ytria
Founded in ‘99 in Montreal, Canada
Started in the IBM Software World
500+ customers, 3k orgs, 165 countries
Sapio365 GA Summer of 2018
Who we are
4. Ytria
Locally installed Administration Client for O365: Users, Groups, Teams, OneDrive & more
PowerShell-less reporting, bulk updates, unparalleled security monitoring.
Free for <50 users, 3 month key for anyone at Omaha SP UG: https://ytria.com/sapio365
What we do: sapio365
6. Statistics
Some numbers from the field
Verizon’s 2017 & 2018 Data Breach Investigations Report (https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/): 53000 incidents & 2216 data breaches
58% Victims are businesses with < 1000 employees (62% in 2017)
92% Malware vectors: Email (6.3% Web, 1.3% other)
68% Breaches took months(!!!) to discover
7. On-Prem. vs. Cloud security
Benefits of your data in the cloud
Broader scope of threat intelligence
Larger and more specialized security muscle than most SMBs
Fast and instant delivery (no manual patching required)
8. On-Prem. vs. Cloud security
Disadvantages of using cloud services
Vulnerability mitigation out of your control
Your organization is part of a larger attack surface
Less wiggle-room to tailor defenses to your needs
9. Ransomware
Basestriker attack: gets around Microsoft’s ATP SafeLinks by leveraging the <base> URL tag.
Practical example
Traditional way to embed URLs in a phishing email:
Using the <base> tag:
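As an added illustration (not from the slides): a link check that reads each href only as written misses where a <base> tag sends relative links, so the check has to run on the resolved URL. The sample body and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample message body; the hosts are placeholders, not indicators.
SAMPLE_BODY = """<html><head><base href="https://files.example.net/shared/"></head>
<body><p>Your invoice is ready.</p>
<a href="invoice-4821.html">View invoice</a>
<a href="https://www.example.com/help">Help centre</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Records the first <base href> and every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "").strip()
        if not href:
            return
        if tag == "base" and self.base_href is None:
            self.base_href = href  # only the first <base href> is honoured
        elif tag == "a":
            self.hrefs.append(href)


def effective_links(html_body):
    """Return (base_href, links): each link as written and as a mail client resolves it."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    links = []
    for href in parser.hrefs:
        parts = urlsplit(href)
        relative = not parts.scheme and not parts.netloc
        resolved = urljoin(parser.base_href, href) if parser.base_href else href
        links.append({
            "written": href,
            "effective": resolved,
            "rewritten_by_base": relative and parser.base_href is not None,
        })
    return parser.base_href, links


def urls_to_scan(html_body):
    """URLs a reputation check should look at: always the resolved ones."""
    _, links = effective_links(html_body)
    return [link["effective"] for link in links]


def needs_review(html_body):
    """Flag mail in which a <base> tag changes where a relative link leads."""
    _, links = effective_links(html_body)
    return any(link["rewritten_by_base"] for link in links)


if __name__ == "__main__":
    for url in urls_to_scan(SAMPLE_BODY):
        print(url)
    print("needs review:", needs_review(SAMPLE_BODY))
```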
11. Ransomware
A more recent attack: MFA bypass via IMAP
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
Highlights (details discussed later)
100,000 unauthorised login attempts analyzed (December 2018 – onwards)
72% tenants were targeted at least once
40% tenants had at least 1 compromised account
15 of 10,000 active user accounts breached
13. Ransomware attacks
DOJ Statistics: 1000 attacks / day in 2015, 4000 attacks / day in 2017
WannaCry: 150 countries, estimated at $4B
NotPetya: $250-300M for Maersk alone, $1.2B in total revenue
54% of companies experienced one or more successful attacks
Total cost of a successful cyber attack is over $5M or $301 / employee
Why are they so important?
14. How do they spread?
Ransomware Protection
60% of ransomware attacks come from infected emails BUT:
Also, vulnerable (application) servers
Example: city of Atlanta hit by SamSam (originally discovered in 2016) in 2018
Malware infection likely through SMBv1 open on a web server
Aftermath: $2.6M cost
Conclusion: Update, patch, pay attention to cyber hygiene!
15. Cautionary tale: Herrington & Company gets ransomwared
Engages Data Recovery company to retrieve data
DR company quotes $6000 to recover data
Data recovery is WAY too fast
FBI confirms that PDR indeed paid ransom to decrypt victim’s files
https://pbs.twimg.com/media/DbfP0G7WAAEWQIa.jpg:large
How do we prevent ransomware?
Decrypting Ransomware
Ransomware Protection
16. Microsoft introduced Files Restore
OneDrive
Allows restoring an entire OneDrive account to a previous point in time within 30 days
Monitors file assets, notifies if an attack is detected
Office365 Ransomware Protection
Ransomware Protection
17. Careful!
Real time notification might not be as accurate as we think
AXCrypt encryption on OneDrive flies easily under the radar.
Ransomware prevention: have users store important data in OneDrive
Office365 Ransomware Protection
Ransomware Protection
19. Email Encryption: End-to-end encryption
Prevent Forwarding: Restrict email recipients from forwarding or copying emails you send (plus: attached MS Office docs are encrypted even after downloading)
What happens if the recipient is outside your organization:
New(ish) advanced email protection options
Email encryption
21. OME Viewer App. – Now deprecated
iOS mail app didn’t support decrypting messages protected by OME.
Rights restrictions become void (even though, if using an Office365 mail server, forwarding such a mail is still not allowed)
To toggle this: Set-ActiveSyncOrganizationSettings -AllowRMSSupportForUnenlightenedApps <$true|$false>
Note: previously encrypted messages won’t be viewable on iOS
Review what’s new in OME: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-new-message-encryption-capabilities
Tip: customize your OME message look and feel: https://support.office.com/en-us/article/add-your-organizations-brand-to-your-encrypted-messages-7a29260d-2959-42aa-8916-feceff6ee51d
New advanced email protection options
Email encryption
22. This one is thanks to Al Hoitingh: https://alberthoitingh.com/2018/12/20/ome-message-revocation/
Encrypted status means: email & content didn’t leave the perimeter.
You can use Message Trace to locate the outgoing mail and then use PowerShell to:
Query the OME status: Get-OMEMessageStatus -MessageID "message id"
Set message as revoked: Set-OMEMessageRevocation -Revoke $true -MessageID "message id"
Revoking Encrypted Messages
Email encryption
23. Revoking Encrypted Messages
Email encryption
Because the data never left the perimeter, it’s the ‘link’ that’s broken at the moment of revocation and the recipient will get this:
25. Azure AD applications
In the light of the Facebook Cambridge Analytica scandal, we should take a
look at Azure AD registered applications
Phishing campaigns could trick users into granting access to applications
https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
Exploit first demonstrated by Kevin Mitnick
Illicit Consent Grants
26. Azure AD applications
Demo
Infrastructure:
Exploit Scenario
[Diagram: User, Apache Web Server, Hacker]
27. Azure AD applications
Infrastructure – bit more detail (Thanks to Albert Hoitingh)
Exploit Scenario
29. Azure AD applications
User receives a legit looking email:
Exploit Scenario
30. Azure AD applications
Picks account to authenticate
Exploit Scenario
31. Azure AD applications
Presented with permissions that need consent (and they make sense)
Exploit Scenario
32. Azure AD applications
All mails encrypted
… and this is just one of many outcome possibilities
Exploit Scenario
33. Azure AD applications
Why build integrated applications?
Using various APIs, you can grant apps access to your tenant data:
Mail, calendars, contacts, conversations
Users, groups, files and folders
SharePoint sites, lists, list items
OneDrive items, permissions and more
Integration: Azure AD provides secure sign-in and authorization
Developer registers the application with Azure AD
Assign permissions to the application
Tenant administrator / user must consent to permissions
Introduction – Digital #metoo era: Consent is key!
34. Azure AD applications
Who can register applications in your tenant?
By default: any member! This can be a security issue
Keep in mind: there is a record of what data was shared with which application. Also: when user adds / allows application to access their data, event can be audited (Audit reports)
See more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
Registering the application
35. Azure AD applications
Endpoint v1: Azure AD Admin center (aad.portal.azure.com) > Enterprise Applications > New Application
Azure AD Endpoints: Endpoint 1
36. Azure AD applications
Endpoint v1 properties
Only supports 1 platform / application
Supports ALL APIs
Static permissions
Azure AD Endpoints: Endpoint 1
37. Azure AD applications
Endpoint v2 properties (apps.dev.microsoft.com)
Supports multiple platforms
Only supports Graph API
Scopes vs. Resources (dynamic permissions)
Strategic new direction for Microsoft
Gotcha: v1 and v2 aren’t compatible!
Azure AD Endpoints: Endpoint 2
38. Azure AD applications
What you’ll need
Application Name
Registering the application
39. Azure AD applications
What you’ll need
Application Name
Application password
Registering the application
40. Azure AD applications
What you’ll need
Application Name
Application password
Platform
Redirect URL(s)
Registering the application
41. Azure AD applications
What you’ll need
Application Name
Application password
Platform
Redirect URL(s)
Owner(s)
Permissions
Delegated
Application
Registering the application
42. Azure AD applications
Azure AD v1. endpoint permissions (delegated only): 87
Azure AD v2. endpoint permissions
Delegated: 77
Application: 39
Permissions
43. Azure AD applications
Application will access and do stuff on your behalf: consent required
Two types of consent:
User can consent (limited scope actions, delegated permissions only)
Admin must consent (larger scope actions, some delegated, all application permissions)
Consent
45. Azure AD applications
How does it work?
User consents to permissions required by the app
Application asks for authorization from the Azure AD
Azure AD makes the user sign in and returns code to application
Application uses code to retrieve JWT bearer token to use resource (Microsoft Graph API)
Keep in mind: JWT doesn’t authenticate, only authorizes!
Hijacking the JWT token is extremely dangerous
Authorization flow
46. Azure AD applications
How do you prevent illicit consent grants
Application Registration & consent restrictions
Regular application & permission enumeration
Cloud App Security
Educate users
47. Azure AD applications
Azure Portal > Azure Active Directory > User settings
Remedy: Restricting app registrations
48. Azure AD applications
Azure Portal > Azure Active Directory > User settings
Remedy: Restricting consent grants
49. Azure AD applications
While we’re at it…
Simple users are by default allowed to access the Azure AD
Administration portal allowing them to view:
All users’ group memberships
All users’ assigned licenses and enabled services
All users’ directory roles (find global administrator accounts)
Best to disable this: Azure Active Directory > User Settings > Administration Portal
Remedy: Restricting consent & app registrations
50. Azure AD applications
Enumerating applications using PowerShell:
Install the AzureAD PowerShell module
Launch PowerShell ISE as an Administrator and:
Install-Module AzureAD
Connect to Azure AD:
Connect-AzureAD
Use PowerShell script:
https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
Example:
.\Get-AzureADPSPermissions.ps1 | Export-Csv -Path "permissions.csv" -NoTypeInformation
Remedy: Enumerating apps and permissions
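Once the permissions are exported, the rows worth reviewing first are delegated grants that an individual user (not an admin) consented to and that carry broad scopes. The following is an added example, not part of the original slides or of the linked script: the column names are assumed to match the exported CSV, the sample rows are constructed, and the scope watch list and the Get-SuspiciousConsentGrant helper are illustrative choices to adapt.

```powershell
# Constructed sample rows. Column names are ASSUMED to match permissions.csv;
# check your own export and adjust if they differ.
$csv = @'
PermissionType,ClientObjectId,ClientDisplayName,ResourceDisplayName,Permission,ConsentType,PrincipalDisplayName
Delegated,11111111-0000-0000-0000-000000000001,Contoso Expense Tool,Microsoft Graph,User.Read,AllPrincipals,
Delegated,11111111-0000-0000-0000-000000000002,Free PDF Converter,Microsoft Graph,Mail.Read,Principal,Alice Example
Delegated,11111111-0000-0000-0000-000000000002,Free PDF Converter,Microsoft Graph,offline_access,Principal,Alice Example
Delegated,11111111-0000-0000-0000-000000000002,Free PDF Converter,Microsoft Graph,Files.ReadWrite.All,Principal,Bob Example
Delegated,11111111-0000-0000-0000-000000000003,Team Calendar Sync,Microsoft Graph,Calendars.Read,Principal,Carol Example
Application,11111111-0000-0000-0000-000000000004,Backup Service,Microsoft Graph,Mail.Read,,
'@

# Illustrative watch list (an assumption, tune it for your tenant).
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
                 'Files.ReadWrite.All', 'Sites.Read.All', 'Contacts.Read', 'offline_access')

function Get-SuspiciousConsentGrant {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $Scopes = $RiskyScopes
    )
    $Rows |
        # ConsentType 'Principal' = one user consented for themselves;
        # 'AllPrincipals' = an admin consented for the whole tenant.
        Where-Object { $_.PermissionType -eq 'Delegated' -and $_.ConsentType -eq 'Principal' } |
        Group-Object ClientObjectId |
        ForEach-Object {
            $group = $_
            $hits  = @($group.Group | Where-Object { $Scopes -contains $_.Permission })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    ClientDisplayName = $group.Group[0].ClientDisplayName
                    ClientObjectId    = $group.Name
                    RiskyScopes       = ($hits | ForEach-Object { $_.Permission } | Sort-Object -Unique) -join ', '
                    ConsentingUsers   = ($group.Group | ForEach-Object { $_.PrincipalDisplayName } | Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Against a real export, replace the next line with: $rows = Import-Csv .\permissions.csv
$rows = $csv | ConvertFrom-Csv
Get-SuspiciousConsentGrant -Rows $rows | Format-List
```

With the constructed rows only "Free PDF Converter" is reported, with both consenting users listed; the admin-consented and application-permission rows are out of scope for this check and need their own review.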
51. Azure AD applications
What you get:
Remedy: Enumerating apps and permissions
52. Azure AD applications
Gotcha: won’t show redirect URLs!
To get Apps and Redirect URLs: Get-AzureRmADApplication
Requires AzureRM.Resources and Connect-AzureRmAccount:
Remedy: Enumerating apps and permissions
53. Azure AD applications
Use “consent” string to filter:
Remedy: Searching your Audit Logs
54. Azure AD applications
Create an OAUTH App Security Policy
Remedy: Cloud App Security
58. Brute force attacks
In the news in August 2017: sophisticated and coordinated attack against 48 Office365 customers
Brute force attack was unique: it targeted multiple cloud providers
100,000 failed login attempts from 67 IPs and 12 networks over 7 months
Slow and low to avoid intrusion detection
Users see unsuccessful login attempts using up to 17 variations of their name
Passwords likely the same (password spray attack)
https://www.tripwire.com/state-of-security/featured/new-type-brute-force-attack-office-365-accounts/
Brute forcing office365 logins
59. Brute force attacks
Demo
How hard is it to acquire the right login names?
60. Brute force attacks
Before this Tuesday (02/04/2019):
10 unsuccessful attempts: captcha
Another 10: lockout (10 mins)
In reality: 10 tries = lockout
No customization allowed
Account Lockout in Office365
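A slow and low spray stays under the per-account lockout, so the signal to look for is many different accounts each failing only a few times in the same window, usually from several source IPs. The following is an added detection example, not part of the original slides: the sign-in records are constructed, the column names and the Find-PasswordSpray helper are assumptions, and the thresholds (7-day window, 4 accounts, the 10-try lockout from the slide above) need tuning against real failure rates.

```powershell
# Constructed sign-in records; column names are assumptions, map them to your own export.
$log = @'
Timestamp,User,IPAddress,Result
2019-03-01T02:10:00Z,alice@contoso.example,203.0.113.10,Failure
2019-03-01T09:42:00Z,bob@contoso.example,203.0.113.77,Failure
2019-03-02T03:05:00Z,carol@contoso.example,198.51.100.4,Failure
2019-03-03T23:51:00Z,dave@contoso.example,203.0.113.10,Failure
2019-03-04T04:18:00Z,alice@contoso.example,198.51.100.4,Failure
2019-03-05T08:00:00Z,erin@contoso.example,192.0.2.9,Success
'@ | ConvertFrom-Csv
# Second week: one account failing 12 times. Noisy, but a single-account pattern, not a spray.
$log += 1..12 | ForEach-Object {
    [pscustomobject]@{ Timestamp = "2019-03-12T10:{0:d2}:00Z" -f $_; User = 'frank@contoso.example'
                       IPAddress = '192.0.2.50'; Result = 'Failure' }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $WindowDays = 7,
        [int] $MinAccounts = 4,
        [int] $LockoutThreshold = 10
    )
    $styles = [Globalization.DateTimeStyles]::AdjustToUniversal
    $fails = @($SignIns | Where-Object { $_.Result -eq 'Failure' } | ForEach-Object {
        [pscustomobject]@{
            Time = [datetime]::Parse($_.Timestamp, [cultureinfo]::InvariantCulture, $styles)
            User = $_.User.ToLowerInvariant()
            IP   = $_.IPAddress
        }
    })
    if ($fails.Count -eq 0) { return }
    $start = @($fails | ForEach-Object { $_.Time } | Sort-Object)[0]

    # Bucket failures into fixed windows counted from the first failure seen.
    $fails | Group-Object { [math]::Floor(($_.Time - $start).TotalDays / $WindowDays) } | ForEach-Object {
        $window = $_
        # Accounts that failed, but stayed below the lockout threshold in this window.
        $quiet = @($window.Group | Group-Object User | Where-Object { $_.Count -lt $LockoutThreshold })
        if ($quiet.Count -ge $MinAccounts) {
            [pscustomobject]@{
                WindowStart     = $start.AddDays([int]$window.Name * $WindowDays)
                AccountsProbed  = $quiet.Count
                SourceIPs       = @($quiet | ForEach-Object { $_.Group } | ForEach-Object { $_.IP } | Sort-Object -Unique).Count
                MaxTriesPerUser = ($quiet | Measure-Object -Property Count -Maximum).Maximum
            }
        }
    }
}

Find-PasswordSpray -SignIns $log | Format-List
```

On the constructed data only the first week is reported (4 accounts, 3 source IPs, at most 2 tries per account); the second week's 12 failures on one account are left to ordinary lockout handling.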
61. Brute force attacks
As of Tuesday 02/04/2019 – WOOHOO!
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487#.XKYVYnSP8eU.twitter
Account Lockout in Office365
62. Authentication
Multi Factor Authentication
Focus: cloud only -> Azure Active Directory MFA
Grants access to users with a password / PIN / Security Token / Device / DNA information.
Free support for MFA on Office365 apps.
Interesting story:
What could’ve stopped all this? MFA
63. Authentication
MFA: true story
I’ll just put this here…
Thanks to @RachelTobac for this gem:
https://goo.gl/CFcA5t
64. Authentication
MFA – true story
Good news: management through the app is better
65. Authentication
MFA – the elephant in the room
2 serious outages in 2018 alone.
66. Authentication
MFA – in case of emergencies
Consider implementing a break glass account (via Exclusions from Baseline MFA policy): https://practical365.com/security/multi-factor-authentication-default-for-admins/
Azure AD Portal > Conditional Access
67. Authentication
The way around MFA
Recent breaches discovered by Proofpoint
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
Essentially: Using IMAP to get around MFA by mimicking legacy email clients
68. Authentication
The way around MFA
Microsoft’s response: https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies
Require MFA
Block clients that don’t support modern auth.
App Passwords
69. Attack Simulation
Available as part of Threat Intelligence (available in Office365 Enterprise E5)
Follows logical penetration testing steps
You must be a global administrator or member of the Security Admin group in the Security & Compliance Center AND have MFA enabled on your account.
What does it allow you to do?
Requirements
Multi Factor Authentication must be enabled
Attack simulations must be set up
The all new Office365 Attack Simulator
Spear Phishing Campaigns
Password Brute-Force Attacks
Password Spray Attacks
70. Attack Simulation
Where to find it: protection.office.com / Threat Management
The all new Office365 Attack Simulator
71. Attack Simulation
Only works for individual users (no groups for now)
Tip: target users identified as top targeted in the Threat Management dashboard
Tip2: You’ll need to enable Office Analytics
Spear Phishing campaigns
72. Attack Simulation
User tries to log in to phishing site
Redirected to awareness page
Spear Phishing campaigns
73. Attack Simulation
Tip: best to use your own phishing sites; Google has already flagged most of them.
Spear Phishing campaigns
74. Attack Simulation
Use a pre-set word list against one or multiple user accounts
Uses the same method an attacker would
I mean literally: watch out! Currently this locks out the user account.
Only supports very limited password lists (Internal server error at 10k passwords)
Best online resources for common credentials:
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
Brute Force Password
75. Attack Simulation
Tries one or a few passwords against all accounts
Story: known password against two accounts
Both accounts DID have that password
Why?
Gotcha: second user had MFA enabled, which doesn’t appear to be supported.
Password Spray Attack
76. Threat Tracker
Tracks major malware campaigns (WannaCry, Petya, etc)
Lets you track the impact of these campaigns in your tenant
Generally available in Office365 – Security & Compliance
77. Office365 passwords
Current (4th April 2019) password format isn’t hard to guess:
Tip: make sure to have users modify their passwords on first login
About generating random passwords
79. Office365 passwords
Pretty easy to create a password list for brute-force:
Using crunch: crunch 8 8 aeiou BCDFGHJKLMNPQRSTVWXYZ 0123456789 bcdfghjklmnpqrstvwxyz -t ,@^%%%%%
File size: only ~ 1GB
Guessing random passwords
80. Office365 passwords
Simulate attacks against your own environment
Keep an eye out for more attack simulation tools
Use your own phishing tactics and word lists
Educate users on strong passwords
Conclusion
81. Check out sapio365
Download sapio365 (free for 3 months): www.ytria.com/sapio365
And let’s see what that last point means via an example
… for cloud security weaknesses
Normally using MS ATP: goes to a safe Ms domain url
https://www.avanan.com/resources/basestriker-vulnerability-office-365
… for cloud security weaknesses
To research: is this really not fixed yet?
https://www.avanan.com/resources/basestriker-vulnerability-office-365
Took 14 days
Ransomware protection: https://thehackernews.com/2018/04/microsoft-office-ransomware.html
Ransomware and Office365: https://spanning.com/blog/need-know-ransomware-attacks-office-365/
https://www.scmagazine.com/microsoft-adds-ransomware-protection-recovery-tools-to-office-365/article/756577/
To look into: Versioning?
Try axcrypt on my data! Does o365 notice this?
Keep in mind: ransomware won’t just encrypt OneDrive but everything else, too!
https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/
This needs to be enabled!
https://support.office.com/en-us/article/set-up-new-office-365-message-encryption-capabilities-built-on-top-of-azure-information-protection-7ff0c040-b25c-4378-9904-b1b50210d00e
https://support.office.com/en-us/article/office-365-message-encryption-ome-f87cb016-7876-4317-ae3c-9169b311ff8a
Mention: OneDrive sharing
https://support.office.com/en-us/article/manage-office-365-message-encryption-09f6737e-f03f-4bc8-8281-e46d24ee2a74
However it works in the outlook app?
[Needs more work]: Mail flow rules https://support.office.com/en-us/article/define-mail-flow-rules-to-encrypt-email-messages-in-office-365-9b7daf19-d5f2-415b-bc43-a0f5f4a585e8
We feel pretty good about o365 applications right? We’re not facebook. Wrong!
Set guilbon to listen
Copy code from consent post and show guilbon get token in postman
https://graph.microsoft.com/v1.0/sites?search=*
https://graph.microsoft.com/v1.0/users
Let’s first understand Azure AD Applications. They are cool.
Historically this is an improvement:
Applications have been able to leverage Windows Server Active Directory for user authentication for many years without requiring the application to be registered or recorded in the directory. Now, admins aren’t necessarily needed, which removed workload.
- Permissions: some require admin. But still, simple user-consentable stuff is very powerful!
Redirect URL: where the authentication response is sent.
Needed for authentication
Platforms:
Let’s talk about permissions
Consent Link + more research on service principal and how this stuff really works
Do I want this slide?
Demo on phishing email. Plus what they could do.
- To look into: prevent users from consenting?
AAD portal: need to know (aad.portal.azure.com)
Need graphics for what happened
theHarvester -d ytria.com -b google
theHarvester -d ytria.com -b linkedin and then | cut -d"-" -f1 > emplyees.txt
Maybe work on the login names from -b linkedin to create a list of stuff matching email format from -b google?
Have you set up MFA yet? I’m not going to spend a LOT of time on this but let’s be sure to cover it
- To see if I have the time for a cool pic / story on this
To add: Screenshots AND where is this stuff? (Threat management)
Only a matter of time: payroll stuff has already been flagged by Google.
If I was really a malicious actor, I’d take a closer look at those sites..
Do I maybe talk about more here? Slide needs more meat
Have you set up MFA yet?
While password wasn’t accepted, MFA wasn’t triggered. Means that the method they use to do this uses the same method to log in through AAD but does not support MFA
https://rcpmag.com/articles/2018/06/01/microsoft-threat-tracker-office-365-security.aspx
To add screenshot and more explanation
First letter always caps, second and third always lowercase.