Email message traces in Office 365

A very common need these days is to do an email message trace. This can be done the old way in the Exchange Online Admin center or the new way via Mail Flow in the Security and Compliance center.

image

You simply enter the details and then run a search.

image

and the output looks like the above, where you can also drill in and get more detail.

image

As with all things Office 365, you can achieve the exact same thing using PowerShell as I have shown above. The code to achieve this is quite straight forward but I have uploaded it to my GitHub repo to save you the trouble:

https://github.com/directorcia/Office365/blob/master/o365-msgtrace.ps1

Where PowerShell comes into its own is when you need to a variety of tasks, perhaps an investigation of a breach. Using PowerShell you can easily dump all the information to CSV for further analysis rather than having to root it out in the web interface.

Reporting mailbox logins

Before much of what is covered here is possible you need to ensure you have enabled all the logging in your Office 365 tenant. I’ve covered how to do that here:

Enabling Office 365 mailbox auditing

Enable mailbox auditing in Exchange Online

Enable activity auditing in Office 365

Once you have done that you will be able to track what’s going on in your tenant much better.

In the situation of a compromised mailbox, a bad actor has control of it using legitimate credentials. This eliminates looking for failed logins, because there won’t be any. It also makes the finding the bad actor tougher because their access is most likely mixed in with the legitimate user.

The place to start is to run an audit log search as I have detailed here:

Searching the Office 365 activity log for failed logins

image

However, as I mentioned, we can no longer search for failed logins, we need to use a different search criteria. I would suggest that you instead run a search using the attribute “User signed in to mailbox” as shown above. That will produce something like shown for all users. Problem with this is that times and dates are in UTC not local time and it is cumbersome to manipulate in a web page. You can of course manipulate by exporting the results to a spreadsheet for more control.

image

Unsurprisingly, I feel PowerShell offers a much better solution to check the logs and report as you can see above. The script to do this I have made freely available at my Github repo here:

https://github.com/directorcia/Office365/blob/master/o365-mblogin-audit.ps1

Basically, it will search the Audit log for Exchange Items that are Mailbox logins and send that output to a nice table via the Out-Grid command. As you can see, using Out-Grid you can now easily sort by time by clicking the column heading, and thanks to the script, the times are local not UTC!

By default, the script will check the last 48 hours but you can easily modify that to suit your needs by either entering the scope in hours or entering a start and end date in the variables at the top of the script.

With this output I can now look for suspect IPs that login into the mailbox and begin hunting from there. However, remember, all of this relies on you enable your auditing BEFORE you need it. So, if you haven’t enabled it, go do it now! You’ll find scripts to enable the logs also in my Office 365 repo here:

https://github.com/directorcia/office365

Monitor outbound spam as well

image

Hopefully everyone is well aware of the need to protect Office 365 email from inbound spam, however what are you doing about outbound spam?

Hopefully, no bad actor gains access to your environment BUT if they did and they started using you accounts to send spam email how would know?

image

For this reason, I suggest that it is a good idea to go into the Exchange Administration console, select Protection, then Outbound spam. Edit the default policy (that’s really your only option), then select outbound spam protection on the left hand side. Then I suggest you should enable the option to send an email when there is a suspicious outbound email to somewhere that is monitored.

That obviously, won’t stop outbound spam but it should at least give you a heads up that it is happening.

Example of Office 365 ATP Safe Links in action

image

The above is a very typical example of a phishing email. You’ll notice when you mouse over the link in the email it wants to re-directed you to a non-descript and malicious (non-Office 365) link.

image

Now, because I’ve configured Office 365 ATP (Advanced Threat Protection) Safe Links in my tenant, when I do click that link in the email I am taken to the above page that warns me that this is bad.

image

Because I have configured my own Office 365 ATP Safe Links to allow click past this warning just for myself, if I continue on to the ultimate destination page, I see something that looks like a very convincing default Office 365 login page, with my email address already filled in. The idea is, I type my password, thinking this is legitimate and then bingo, I’m phished.

You will also notice that the ultimate URL is also different from the one in the initial email. An attempt to hide the attack using redirection.

image

So let’s see how effective Office 365 ATP Safe Links is at detecting these kinds of attacks compared to other vendors.

If I plug the initial URL, that was contained in the email, into Virustotal.com I see the above report. None, yes that is zero, of the third party AV providers have detected this initial link to be a malicious link as yet. Not even Google Safebrowsing! Of course, Office 365 ATP did detect it as malicious if you are keeping score.

image

If I now plug in the ultimate destination URL of the attack I do see some confirmation from other vendors that the site is malicious. However, only 2 of 69 vendors (i.e. only about 3%) also rate that link as malicious.

So Office 365 ATP Safe Links was able to identify this link as malicious and potentially block user access (with appropriate configuration). Few other vendors have yet even detected it to be an issue at this stage. That makes Office 365 ATP quite pro-active.

We all know that there are no absolutes in security and no system is ever perfect. However, given the size of the signals coming into Office 365 in regards to threats, their ability to provide early warning is as good or if not better that anything else out there on the market today in my opinion. This is why I recommend Office 365 ATP as a ‘must have’ for all Office 365 tenants. If you have Microsoft 365 Business today, you already have Office 365 ATP. So make sure it is correctly configured and you should feel much more comfortable about the reduced risk you face from phishing.

Updated script to now check for Sweep

pexels-photo-1433350

The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.

Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:

Organize your inbox with Archive, Sweep and other tools in Outlook.com

Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.

I have therefore updated my publicly available PowerShell script at:

https://github.com/directorcia/Office365/blob/master/o365-exo-fwd-chk.ps1

That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.

Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.