Example of Office 365 ATP Safe Links in action

image

The above is a very typical example of a phishing email. You’ll notice when you mouse over the link in the email it wants to re-directed you to a non-descript and malicious (non-Office 365) link.

image

Now, because I’ve configured Office 365 ATP (Advanced Threat Protection) Safe Links in my tenant, when I do click that link in the email I am taken to the above page that warns me that this is bad.

image

Because I have configured my own Office 365 ATP Safe Links to allow click past this warning just for myself, if I continue on to the ultimate destination page, I see something that looks like a very convincing default Office 365 login page, with my email address already filled in. The idea is, I type my password, thinking this is legitimate and then bingo, I’m phished.

You will also notice that the ultimate URL is also different from the one in the initial email. An attempt to hide the attack using redirection.

image

So let’s see how effective Office 365 ATP Safe Links is at detecting these kinds of attacks compared to other vendors.

If I plug the initial URL, that was contained in the email, into Virustotal.com I see the above report. None, yes that is zero, of the third party AV providers have detected this initial link to be a malicious link as yet. Not even Google Safebrowsing! Of course, Office 365 ATP did detect it as malicious if you are keeping score.

image

If I now plug in the ultimate destination URL of the attack I do see some confirmation from other vendors that the site is malicious. However, only 2 of 69 vendors (i.e. only about 3%) also rate that link as malicious.

So Office 365 ATP Safe Links was able to identify this link as malicious and potentially block user access (with appropriate configuration). Few other vendors have yet even detected it to be an issue at this stage. That makes Office 365 ATP quite pro-active.

We all know that there are no absolutes in security and no system is ever perfect. However, given the size of the signals coming into Office 365 in regards to threats, their ability to provide early warning is as good or if not better that anything else out there on the market today in my opinion. This is why I recommend Office 365 ATP as a ‘must have’ for all Office 365 tenants. If you have Microsoft 365 Business today, you already have Office 365 ATP. So make sure it is correctly configured and you should feel much more comfortable about the reduced risk you face from phishing.

Need to Know podcast–Episode 202

The Microsoft Ignite tour has been to town so Brenton and I share our thoughts on attending the event. We wrap up what we believed to be the best sessions and overall take aways from the premier Microsoft IT Professional conference in Australia for 2019. We also cover off a few of the important updates from the Microsoft Cloud to make sure that you don’t miss anything in the meantime. I also share my thoughts on using the Kaizala app during the conference with the CIAOPS Patron community which is great lead in for our interview this episode – Parveen Maloo who is the Senior Product Marketing Manager for Kaizala. Sit back and enjoy something about a product you probably never knew Microsoft had.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-202-kaizala/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

@praveen_maloo

CIAOPS Patron Program

BRK3610 – Layers of Office 365 communication

Sessions from Ignite The Tour – Sydney

Step 4: Set conditional access policies: top 10 actions to secure your environment

Microsoft authenticator app now sends security notifications

Windows Update for Business and the retirement of SAC-T 

Microsoft begs you to stop using Internet Explorer 

Microsoft Kaizala

Microsoft Kaizala – Tech Community

Microsoft Kaizala – Feedback

Scheduling compliance reports

image

If you go into the Microsoft 365 Security portal and locate the Reports option from the menu on the left and expand it, you should find the Dashboard option. This option, when selected, will show a range of reports like that shown above. You can get more details by simply selecting the body of the tile you wish to view. Here, I’ll select the Spam detections tile to get further information.

image

You’ll now see a more focused report but you’ll also notice that many graphs have the Create schedule in the top right hand corner as shown. Selecting this allows you to schedule a report to be delivered via email.

image

By selecting Create schedule you should see a tile appear from the right with the above options that you can configure.

image

If you scroll down to the bottom of the window you will see that there is a Customize schedule option as shown above.

image

Selecting this will give you much greater options as shown above.

image

Once you have saved your schedule, you will then receive a regular email like that show above with the report you configured. You’ll note that there is also a CSV file attached that you can use for further analysis.

image

You can adjust the schedules you have configured via the Manage schedules option as shown above.

As yet, I haven’t found an easy way to configure these using PowerShell. There is way using the Microsoft Graph but that requires some setup so I’m trying to find a way just to use a pure script. If I work that out, I’ll post an article on how to do it. Till then, you’ll just have to manually go in a select and configure the reports you wish to receive regularly.

Looks like Office 365 ATP is splitting in two

Seen some chatter here in Australia about there now being two Office 365 ATP SKUs (it appeared on a pricing sheet). Everything I could find suggested that this was not the case, however a US contact pointed out to me the following web site:

https://products.office.com/en-us/exchange/advance-threat-protection

That clearly shows 2 x Office 365 ATP SKUs.

image

There is not as yet an equivalent AU page.

The main things that Plan 2 adds according to that page are:

image

Even the services descriptions for Office 365 ATP here:

https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description?fbclid=IwAR2FQUfHsjY3Ka03RSpcGGD9bLP8RFRI5VFc7aMUAcr936QPEYLY_-ZETLE

don’t talk about there being two plans. Thus, I (and others) are somewhat confused as to which version will be included in suites like Microsoft 365 Business. My guess is that most plans that have Office 365 ATP will get Plan 1, with Plan 2 going for higher end enterprise plans. However, that is all here say for now.

So, it looks like are going to get a new ‘advanced’ Office 365 ATP plan soon (Plan 2) but we are unsure in which suites it will be available. More as it becomes available.

Updated script to now check for Sweep

pexels-photo-1433350

The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.

Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:

Organize your inbox with Archive, Sweep and other tools in Outlook.com

Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.

I have therefore updated my publicly available PowerShell script at:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.

Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.

CIAOPS Techwerks whiteboard training–Brisbane 21 Brisbane

bw-car-vehicle

I’ll be hosting an all day focused, hands on, technical whiteboard training session on Microsoft Cloud technologies (Office 365, Microsoft 365, Azure, etc) in Brisbane on Thursday February the 21st 2019. The course is limited to 15 people and there are still a few places available if you wish to attend.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Brisbane on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Need to Know podcast–Episode 201

We’ve recovered from our 200th episode and are getting back into the swing of our regular programming with some updates, information and opinions from the Microsoft Cloud. We cover some recent important updates, especially in the area of security, as well as some news around Microsoft 365 and Azure. We also dip our toes quickly into the area of certifications but we’ll need more time to do justice to the topic. So stay tuned for that episode coming real soon. For now, sit back and enjoy as we get back to what we like doing – keeping you up to date with everything that’s happening in the Microsoft Cloud.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-201-back-to-normal/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

CIAOPS Patron Program

Microsoft Cloud outage information

Duplicating a Microsoft Planner plan using PowerShell

GitHub and free access to private repositories

Office 365 will automatically block Flash and Silverlight

Azure AD makes sharing and collaboration seamless for any user account

Microsoft’s Cyber defense Operations Center shares best practices

Step 3 – Protect your identities. Top 10 actions to secure your environment

Get ready for the new Microsoft 365 Security Center and Microsoft 365 Compliance Center

Microsoft 365 NIST 800-53 action plan