New mailbox logging settings


CISA released a Microsoft Expanded Cloud Logs Implementation Playbook that I recommend Microsoft 365 administrators take a look at.

“This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.”

“Default enablement is defined at a license level. For example, Auditing (Standard or Premium) is enabled by default for E3/E5/G3/G5 licenses. Some licenses, such as M365 Business Basic, M365 Business Standard, M365 Business Premium, and trial license accounts do provide access to Audit but do not currently have auditing enabled by default. These licenses will have Audit enabled by default in the future. If you are leveraging one of these license types, the steps below can be utilized to ensure that all audit features are enabled.”

Thus, in my books, if you are using ANY Microsoft 365 license you want to ensure all the logging available to you is enabled for all users, regardless of what Microsoft enables by default.

The playbook will take you through what needs to be done. Most of it relates to:

Mailbox actions for user mailboxes and shared mailboxes

with the most important being around the MailItemsAccessed setting, but there are others.

The most important thing to remember is that most of these settings cannot be set in the web portal and can only be set using PowerShell commands like:

Set-Mailbox -Identity <mailbox> -AuditOwner @{Add="SearchQueryInitiated"}
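As an added example (not from the playbook or this post), the script below walks every user and shared mailbox, adds the owner-side audit actions the playbook highlights where they are missing, and then verifies the result. It assumes the ExchangeOnlineManagement module is installed and you are signed in with an Exchange administrator role.

```powershell
# Added example, not the CISA playbook's own script. Assumes the
# ExchangeOnlineManagement module is installed and an Exchange admin role.
Connect-ExchangeOnline

# Mailbox auditing must first be on at the organisation level.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# Owner actions the playbook calls out for forensic investigations.
$ownerActions = @("MailItemsAccessed", "Send", "SearchQueryInitiated")

$mailboxes = Get-Mailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox, SharedMailbox

foreach ($mbx in $mailboxes) {
    # Only add what is missing so existing audit settings are left alone.
    $missing = $ownerActions | Where-Object { $mbx.AuditOwner -notcontains $_ }
    if ($missing) {
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
            -AuditOwner @{Add = $missing}
        Write-Host "Added $($missing -join ', ') on $($mbx.UserPrincipalName)"
    }
}

# Verification: list any mailbox still lacking one of the actions.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object {
        $m = $_
        ($ownerActions | Where-Object { $m.AuditOwner -notcontains $_ }).Count -gt 0
    } |
    Select-Object UserPrincipalName, AuditEnabled, AuditOwner

# Spot check that events are actually arriving in the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```

New audit actions can take a few hours to appear in the log, so an empty spot check straight after the change is not itself a failure.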

Apart from these settings the playbook has lots of additional handy information that will help with the security of your Microsoft 365 environment and this makes it a recommended read for all administrators.

Bulk senders insight in Exchange Online


If you navigate to

https://security.microsoft.com/senderinsights

you should see the above Bulk senders insight console. You can also get to this if you select an Exchange Online anti spam policy like so:


then scrolling down the dialog that appears on the right and selecting Edit spam threshold and properties,


and then scrolling up to the top of that dialog.

You can read more about this capability here:

https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight


You can adjust the sliders on the left and then select the Simulate button to report on the emails that would be caught at this new level before actually applying it to the policy. The list below will also show those that have been caught, so you know exactly which emails would be affected if this change was made to the BCL threshold in a spam policy.

This is now a handy way to fine-tune the BCL settings inside Exchange Online anti-spam policies.

Disable LinkedIn integrations in Microsoft 365

The first place to disable LinkedIn integration in Microsoft 365 is inside the Azure portal.


Navigate to Microsoft Entra ID, then select Users.


Select User settings on the left and set LinkedIn account connections to No.

Remember to Save your settings before exiting this page.


Now navigate to the Exchange Online administration portal. Expand the Roles option on the left and then select Outlook Web App policies.

Typically, there will only be one OWA policy. If there are more, then you will need to repeat this process with each.

Select the policy name, here OwaMailboxPolicy-Default.


From the window that appears on the right select Manage features.


Ensure LinkedIn contact sync is unselected.

Save your settings before you exit.
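Because the OWA step has to be repeated for every policy, here is an added PowerShell equivalent (not from the post) that covers all OWA mailbox policies in one pass and then shows which policy each mailbox is actually assigned to. It assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example, not from the original post. Assumes the
# ExchangeOnlineManagement module is installed and an Exchange admin role.
Connect-ExchangeOnline

# Turn off the LinkedIn contact sync feature on every OWA policy,
# not just OwaMailboxPolicy-Default, since the setting is per policy.
foreach ($policy in Get-OwaMailboxPolicy) {
    if ($policy.LinkedInEnabled) {
        Set-OwaMailboxPolicy -Identity $policy.Identity -LinkedInEnabled $false
        Write-Host "Disabled LinkedIn sync on policy $($policy.Name)"
    }
}

# Verify every policy now reports LinkedInEnabled = False.
Get-OwaMailboxPolicy | Select-Object Name, LinkedInEnabled

# A policy only matters if mailboxes use it: show the assignment per mailbox,
# so an unexpected extra policy is not missed.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object OwaMailboxPolicy |
    Select-Object Name, Count
```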

Defender for Office 365 Anti-phishing policies can protect externals as well!


My experience with most Microsoft 365 environments I see is that they fail to make use of all the features that are provided. None more so than when it comes to security. For example, most people don’t seem to appreciate that Defender for Office 365 (which is part of Business Premium) provides impersonation protection for internal AND external email addresses! It just needs to be configured. The details are here:

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

and as it says there:

You can use protected users to add internal and external sender email addresses to protect from impersonation.

but it is important to note:

User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

This means, you want to get the configuration of important external email addresses in place as soon as possible so any impersonation against those users can be evaluated. It is too late to do after an internal user is communicating with a scam (impersonated) domain.

You will also see that you can also configure protection for external domains, rather than just specific email addresses, for impersonation evaluation. This means that if the users inside the tenant deal with an important business that has its own email domain, which is NOT part of that tenant, you can enter that domain here. That makes a lot of sense when you are working regularly with a business that does invoicing, e-commerce or the like (honestly anything at all really).

Let’s say that I work with a business whose domain is ciaops.com. By enabling this impersonation protection early, if users in the tenant receive email from c1aops.com it is far more likely to be detected, because the system is looking for spoofing of the custom external domain I entered in the policy.

Thus, if you have Microsoft Defender for Office 365 in your environment (and you do if you have Microsoft 365 Business Premium), then you can provide an extra level of protection by configuring the Anti-Phishing policy impersonation settings for both your important internal AND external users and domains (i.e. people and businesses you work with regularly). You should do that as early as possible to get the maximum protection the policy can provide. The key is that someone has to add the unique email addresses or domains into the policy; they are not added automatically, not even internal email addresses. They ALL have to be added to the policy.


You can protect up to 350 unique email addresses and 50 unique domains, which is probably more than enough to cover everything a smaller business would need for internal and external users. Unfortunately, I rarely see this great capability enabled. It’s available if you have Microsoft Defender for Office 365, so go configure it and reduce the risk to the users in the tenant. Easy!
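As an added example (not from the post), the script below adds protected users and domains to an existing anti-phishing policy without clobbering entries already in it, and enforces the 350 address and 50 domain limits before calling the cmdlet. The policy name "Office365 AntiPhish Default" and the sample addresses are assumptions for illustration; ciaops.com is the domain used in the post.

```powershell
# Added example, not the blog's own script. Assumes the ExchangeOnlineManagement
# module, an Exchange admin role, and Defender for Office 365 licensing.
Connect-ExchangeOnline

# Assumed policy name: the built-in default policy. Replace with a custom one if used.
$policyName = "Office365 AntiPhish Default"

# Constructed sample entries. Protected users use the "DisplayName;address" form.
$newUsers = @(
    "Jane Director;jane.director@example.invalid",   # important internal user
    "Robert Accounts;robert@ciaops.com"              # important external contact
)
$newDomains = @("ciaops.com")                        # external partner domain

$policy = Get-AntiPhishPolicy -Identity $policyName

# Merge with what is already configured so earlier entries survive.
$users   = @($policy.TargetedUsersToProtect) + $newUsers |
    Where-Object { $_ } | Select-Object -Unique
$domains = @($policy.TargetedDomainsToProtect) + $newDomains |
    Where-Object { $_ } | Select-Object -Unique

# Service limits mentioned in the post: 350 addresses and 50 domains.
if ($users.Count -gt 350)  { throw "Too many protected users: $($users.Count) (max 350)" }
if ($domains.Count -gt 50) { throw "Too many protected domains: $($domains.Count) (max 50)" }

Set-AntiPhishPolicy -Identity $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $users `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $domains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true

# Verify what the policy now protects.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect
```

If you use custom anti-phishing policies, remember that each one has its own list; the script only touches the policy named in $policyName.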

CIAOPS Need to Know Microsoft 365 Webinar – May


Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Exchange Online protection.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

May Webinar Registrations

(If you are having issues with the above link, copy and paste https://bit.ly/n2k2305)

The details are:

CIAOPS Need to Know Webinar – May 2023
Friday 26th of May 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Exchange Online Spam Filters

This video provides an introduction to Exchange Online spam policies, particularly inbound and outbound policies plus connection filter policies. You’ll see how to view the existing policies, make changes to these policies, and create new ones using the Microsoft 365 Security Administration console.