CIAOPS Need to Know Microsoft 365 Webinar – July

laptop-eyes-technology-computer

Last months attempt at using Microsoft Teams Webinars went well and I’ll be continuing to use this going forward. Registration for this month is here:

https://bit.ly/n2k2107

Shortly after this you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite!

This month we’ll dive into email security with Microsoft 365, particularly the best practice configurations for Exchange Online. So please join us for this and all the latest news from the Microsoft Cloud.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2021
Friday 30th of July 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Exchange user best practices script

image

I’ve created a new Exchange user best practices summary script which you can find at:

https://github.com/directorcia/Office365/blob/master/o365-mx-usr-all.ps1

The idea with this script is to give you a quick visual summary of your user mailboxes to ensure they conform to best practices.

When you run the script without any command line options you will see the above output. Each row is a user with their name at the end of the line. The entries on the right provide you an indication of settings status. A green dot is for good and a red X is for bad. You will see this creates a matrix of settings for each mailbox. These settings are designated by a letter (currently a through p). These letters correspond to the following settings:

a = Mailbox type: S = Shared, R = Resource, U = User
b = Enabled
c = Inactive
d = Remote PowerShell Enabled
e = Retain Deleted Items for at least 30 days
f = Deliver to Mailbox and Forward
g = Litigation Hold Enabled
h = Archive Mailbox Status
i = Auto-expanding Archive Enabled
j = Hidden From Address Lists Enabled
k = POP Enabled
l = IMAP Enabled
m = EWS Enabled
n = EWS Allow Outlook
o = EWS Allow Mac Outlook
p = Mailbox Audit Enabled

image

If you use the –verbose command line option, you’ll get additional information about the script operation as you see above.

If you use the –debug command line option, a log file of the script process will be created in the parent directory.

If you use the –prompt command line option, the script will wait after each user for you to press ENTER.

If you use the –select command line option, the script will prompt you to select the users you wish to display.

If you also specify any letter from, currently, a through p on the command line, those settings will not be checked by the script. Thus, specifying dhl on the command line will not check or display Remote PowerShell Enabled (setting = d), Archive Mailbox Status (setting = h) or IMAP enabled (setting = l).

Thus:

.\o365-mx-usr-all.ps1 dhl

will display:

image

(note: no d, h or l in the output)

and

.\o365-mx-usr-all.ps1 dhl –select

will display:

image

no d, h or l settings as well as prompting for selection of users to check and display.

The script requires that you are connected to Exchange Online first via PowerShell prior and this can be done using my script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

In summary then, this script when run without any command line options is designed to give you a quick reference to your user mailboxes and whether they have best practice settings enabled. You can also run the script with number of different command line options to create a log, individually select users and settings to test as well as pause after each user if desired.

I’ll continue to update and improve this script over time so make sure you follow my Office 365 GitHub repository, which you can find here:.

https://github.com/directorcia/Office365/

Prevent alerts from DiscoverySearchMailbox

image

When you set up bulk alerting for mailboxes you may end up enabling alerts for system mailboxes like DiscoverySearchMailbox as shown above. This will mean receiving regular alerts about changes to that mailbox by the system. This basically means Exchange Online is performing some expected administrative process on a mailbox, which triggers a configured alert.

To reduce the noise caused by these alerts you can do the following to disable it:

image

Firstly connect to Exchange Online using PowerShell. My script for that is here:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

next run the command to find any DiscoverySearchMailbox

get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”} | Select-Object alias, displayname, auditenabled

which should give you a result like shown above.

$dsm = get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”}

Run the above command to save the mailbox details to a variable. Then run:

set-mailbox -identity $dsm.alias -AuditEnabled $false

to disable auditing for that mailbox.

image

if you now re-run

get-mailbox -ResultSize unlimited | Where-Object {$_.name -MATCH “Discovery”} | Select-Object alias, displayname, auditenabled

you should find that the auditing is now disabled for that mailbox as shown above.

Email filtering reports

image

There are some real nice and helpful email report in your Microsoft 365 Security console if you haven’t taken a look recently. You can pull them up by visiting:

https://security.microsoft.com/securityreports

as shown above. Then selecting Email & collaboration reports on the right.

image

The one I really like is the Mailflow status summary which you can drill into further by clicking on the heading or selecting the View details button.

image

If you then select the Funnel option across the top as shown, you get an idea of the number of bad emails that are being caught by each stage of the filtering process, from top (total in) to bottom (remaining out).

SNAGHTMLc4b85a0

However, the report I love is the one you get when you select the Tech view as shown above. Why? Because this one even shows you results from DMARC as highlighted.

image

Many also allow you to Create schedule as shown above,

image

that allows you to email the reports regularly.

Keep an eye on the reporting areas of your tenant, as they are rapidly improving and expanding!

Exchange Online AV engines

image

I have found that many don’t appreciate that Exchange Online uses anti virus engines from multiple providers, apart from Microsoft.

“We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can’t choose one anti-malware engine over another.:

per – How many anti-malware partners do you have? Can I choose which malware engines we use?

So email will be scanned by three (3) engines in total. One from Microsoft and another two from third parties.

Native external sender notifications in Exchange Online

image

I’ve never been a big fan of setting up rules to add a HTML banner to inbound emails, as shown above, that “warn” a user about an external email source. I dislike this solution for a number of reasons, including that it is something that an attacker can replicate, it creates a certain amount of complacency for the receiver and it ends up embedded in every reply to the email going forward.

i do however understand what is trying to be achieved here due to a lack of something provided by Exchange Online. That is, until now! A native approach is now available.

image

image

You can now get the External tag, as shown above, to appear in all versions of Outlook (desktop, web and mobile) to help understand the origin of email messages. I like this solution much better because it is built into the platform and appears in an area that an attack would find really hard to replicate. Having such labelling as a native part of Exchange Online is a much better approach I feel.

image

image

You also get the above when you view the email item.

You can enable this on new inbound messages received (only from the point you enable it going forward) using PowerShell.

image

You’ll need to firstly ensure that you have the latest version of the Exchange Online V2 PowerShell module. The minimum version required is 2.0.4. To verify this, and to ensure all the Microsoft 365 PowerShell modules are current in your environment, I encourage you to use my script:

https://github.com/directorcia/Office365/blob/master/o365-update.ps1

that will verify and update if necessary. Just remember to run the PowerShell environment as an administrator prior to running my update script.

Now connect to Exchange Online using PowerShell. Again, you can use my script at:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

to do this. In fact, using that script will also ensure that you have the latest version of the Exchange Online PowerShell V2 module installed.

Once connected to Exchange Online as an administrator running the command:

Set-externalinoutlook -enabled $true

The best documentation is currently here:

https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/exchange/exchange-ps/exchange/Set-ExternalInOutlook.md

as this is still a new command at this point in time. You’ll also note that the command also has an Identity and AllowList option that you can further customise your settings.

Once the command has been run it will take a few hours for the External label to start appearing on emails from outside the organisation.

I would expect to see further configuration options become available as well as improvements to the label display. However, a very handy option that will improve the security in your environment and I’d encourage you enable it today!