PowerShell script to check Outlook mail rules

image

After I finished the recent PowerShell script to check for Exchange style mailbox forwards I received some motivate from Robert Pearman to develop a script to also go and check what the Outlook rules are doing for Office 365 mailboxes.

Taking what Robert provided I decided to extend my initial script to report on what I consider suspect Outlook mail rules. Here’s my thinking:

– Firstly there are going to potentially be lots and lots of Outlook rules when you look across all mailboxes in Office 365, so I decided to focus on actions that one could deem to more suspicious than others. I settled on the following rule actions as ones to check: forward to, redirect to, copy to folder, delete message, forward as attachment to and send text message notification to.

–  Turns out you can create an Outlook rule that forwards, redirects and fowards as an attachment messages to alternate email addresses. A bad party could set this up to send themselves emails from a compromised mailbox.

– If a rule copies rather than moves a message then that to me is also suspicious. Why would you want two copies of the same email message in different locations in your inbox unless you aren’t in full full control of the inbox and someone is squirrelling away messages to a location the owner never created?

– If a rule deletes a message then there is a chance that a bad actor is trying to prevent the mailbox owner from seeing something.

– If a rule notifies someone via SMS that may be the fingerprint of a bad actor trying to keep tabs on a mailbox.

I will also admit, that there are plenty of situations where the above situations are the results of legitimately configured inbox rules. However, for the reasons I have indicated, I believe the actions to warrant the most inspection.

As you can see from the above image, the script will do what it did before and check the mailbox rules to see if there are any forwardings as before but now the script will also dig through each mailbox and throw up warnings when a suspect rule is enabled or disabled for a user.

Once you have located any suspect rules, you can then start digging further to see whether there is a business justification for such. If not, then you may have a compromised mailbox on your hands.

You’ll find the updated script at:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

and remember to keep coming back as I’ll continue to update and extend it over time. if you have any feedback on this script of suggestion for things you’d like to see please let me know so I can look at developing them. Thanks again to Robert Pearman for this input on this.

Turn an Office 365 user ‘off’ with PowerShell

image

A common situation in the field is when a user or a business discovers a user account has been compromised or they no longer wish that user to have access to Office 365.

Of course they can go into the Office 365 Admin Center and block the user’s sign-in but the user may still have access via mobile devices and active browser sessions. So, fully suspending a user’s account as soon as possible requires more than just disabling the login.

Anything that requires a sequence of steps is better completed using a script and this is what you’ll find I have created at:

https://github.com/directorcia/Office365/blob/master/o365-user-off.ps1

The script requires you to already be connected to Azure AD, Exchange Online and SharePoint Online. It then goes through the following:

– block user login to Office 365

– invalidates refresh tokens for applications

– disables Exchange features like OWA, POP, IMAP, etc

Importantly, it doesn’t change the users password because this script is designed to be reversible. That is, suspicious activity has been detected on the account and you want to suspend access to do some checking. Hopefully, everything is good and you can simply re-enable when checking is complete. If not, further action can be taken.

Importantly, access to all Office 365 information is not immediately revoked even using this script. By default, mobile applications use a token for authentication that generally lasts one hour before it is renewed. So the worst case is that the token is renewed just before you suspend the account using the script. It will take a further one hour until the token renewal is required and the lock out is enforced. That means the account could still be active on a mobile device for up to one hour after suspension.

Now you can change this one hour time period but that requires using a preview version of the Azure AD PowerShell modules and I’ll leave that to you if you want to go down that route. You can find out more here:

Configurable token lifetimes in Azure AD (Public preview)

There are some other device management commands I have come across that may also be handy here but for now the script should do the job.

Remember to continue to check on my GitHub repo to see when I update and improve this script. of course, any feedback is welcome on how the script can be improved or if you find any errors.

PowerShell script to check email forwards

A while ago I wrote an article about how important it is to check the email forwards that all your mailboxes have in Office 365. Why? Because, the first things most bad actors set up after successfully phishing a user’s credentials is to forward all email to their own account. This effectively mirrors everything a users receives. Doing so allows the bad actors to gather intelligence about the user and the organisation and potentially impersonate that user.

If you look at the configured email forwards for your tenant, as I detailed here:

Check those Office 365 email forwards

are much more likely to detect something that could be an issue and take action.

As the article details, the easiest way to do this is to use a PowerShell command. However, an even easier way to use the script that I have just made available for free in my GitHib repo here:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

You’ll need to connect to Exchange Online prior to running this script.

image

The script will report back on all mailboxes and show you any forwards configured. It will show those in place but disabled (in yellow) and those in place and enabled (in red). The enabled ones are the ones you really should check to ensure that they are required and not implemented by some bad actors.

I’ve also uploaded many more scripts to my GitHub repo to allow you to connect to Office 365 services directly or using multi factor authentication. I’ll keep adding scripts and updating existing ones regularly, so ensure you check back there regularly.

Need to Know podcast–Episode 184

This week Brenton flies solo again and speaks with Corch about cyber security. Corch bring a wealth of enterprise knowledge around cyber security to the mid market and SMB space with a focus on ensuring that customers understand how important good IT security is in this day and age.

Of course we also give you an update on everything that’s happening in the Microsoft Cloud, with new and updates around Office 365 and Azure. Don’t forget to send us your feedback and questions.

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-184-corch/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Corch

Shogun Security

@contactbrenton

@directorcia

Office 365 Roadmap

Microsoft Fasttrack

Microsoft Fasttrack Branding kit

Office 365 updates

Migrate your files to OneDrive easily with known folder move

New updates to Planner comment and notification settings

What’s new with Teams

OneDrive updates

Modernize your SharePoint Team Sites by connecting them to new Office 365 Groups

Centralized deployment for Outlook add ins

Microsoft to deliver intelligent cloud from Norway datacenters

Baseline policy for Azure AD admin accounts in public preview

How we rebuilt Intune

CIAOPS GitHub Repositories

GitHub-Mark

I have now created 2 GitHub repos for Office 365 and Azure content. You can find these at:

https://github.com/directorcia/Office365

and

https://github.com/directorcia/Azure

At the moment they mostly contain basic connection PowerShell scripts but I am looking to grow the content over time and include other information that people can use. For example, in the Azure repo you’ll find my Azure bucket spreadsheet which is a basic way of pricing and bundling Azure services.

Much of the content is under development but using GitHub allows me to easily work on the content across different machines and have a development environment to work with (i.e. versions, branches, etc).

Using GitHub I also see as a way for me to gain experience with the technology given the recent Microsoft purchase of GitHub as well as the general move to a DevOps world.

So, take a look at what is there, hopefully you’ll find some handy PowerShell scripts and don’t forget to check back regularly for new and updated content. As always you can send me feedback directly or in GitHub for each project.

MVP for 2018-19

MVP_Logo_Horizontal_Preferred_Cyan300_RGB_300ppi

It is with a great deal of humility and pride that I can report that Microsoft has once again recognised my community contributions with its Most Valuable Professional (MVP) award for 2018 in the Office Servers and Services category.

This is now my seventh consecutive award and just as special as the first. This recognition is however not possible without the support of so people who follow and support what I do, especially those that take the time to read this blog. To each and every one of you I say thanks again.

I’ll be sure to work hard again to bring you more information about Office 365 and Azure. Some additional stuff coming real soon! However, all of that wouldn’t be possible without Microsoft making such great products and making them available to people like me. I look forward eagerly to what they’ll be bringing out in 2018-19. It is going to be another very exciting year for Microsoft and being in the Microsoft ecosystem.

Being an MVP is great and unique honour. Being part of a community of really smart and passionate technology people who are also MVPs is truly inspiring and I hope to live up to their dedication and enthusiasm. I congratulate all those who where also awarded the same MVP recognition today.

But again, I thank Microsoft for this honour and will work hard to live up top the expectations it sets again for 2018-19.

Create Office 365 Activity Alerts using PowerShell

In a previous article:

Create Office 365 Alerts

I detailed how to create Office 365 Activity alerts using the browser. I will point out how important it is to have appropriate alerts set for your tenant, especially when you generally don’t get many configured . your tenant by default.

Of course doing administration tasks via a browser is the slow way to get things done. A much better approach is to use PowerShell and let the script do the heavy lifting.

The first step in this process is to take a look at the following article:

Search the audit log in the Office 365 Security and Compliance center

and locate the heading – Auditing activities which contains a list of the actions that will trigger an alert. There are plenty of things here so pick those that make the most sense and remember that lots and lots of alerts generally doesn’t improve security, it simply creates information overload.

The alert I’ll chose to illustrate is FileMalwareDetected.

Next step is connect to the Office 365 Security and Compliance Center with PowerShell. I’m not going to show you how to do that here as it is easily located elsewhere like here:

Connect to Office 365 Security & Compliance Center PowerShell

With that done, you can now execute the actual commands to configure activity alerts with PowerShell.

$fileandpagepolicyparams = @{
“Name” = “File and Page Alert”;
“operation” = “Filemalwaredetected”;
“notifyuser” = $notifyusers;
“userid” = $userids;
“Description” = “SharePoint anti-virus engine detects malware in a file.”;
}

$result=New-ActivityAlert @fileandpagepolicyparams

Basically, what I’m doing here is creating an array called $fileandpagepolicyparams that contains all the options required for the command that will set the alert. Doing it this way makes it easier to what’s going on and make any additions if needed in my opinion.

The New-ActivityAlert command takes all those array parameters as inputs when an alert is now created.

The $notifyusers are the users you want to receive emails when alerts occurs. The $userids are the users you wish to trigger alerts. If you leave $userids empty it will apply the alert to all users in the tenant.

image

You can see the result above once that command is run.

Now the idea is to build a script that configures all the activity alerts you desire and then apply them to a tenant.

image

As you can see above, I generally create about a dozen or so alert policies this way that monitor for a range of activities I believe should have alerts configured for. However, you need to decide what makes sense for you.

Now be very, very careful when you configure activity alerts via PowerShell. Ensure you get all the parameters 100% correct and you check the alert policies in the web interface when you are testing your script, because errors in the script don’t get reported and you end configuring an activity alert that does nothing all because you got a parameter wrong!