Impact of a password spray attack

Basically, when someone launches a password spray attack on one of your accounts, they are basically using automated processes to guess your password and brute force their way into the account. These attacks typically happen via legacy protocols that should be disabled in your Microsoft 365 tenant as i have mentioned before:

Disable basic auth to improve Office 365 security

This can be tricker than you think because many legacy applications require basic authentication to operate. Therein lies the challenge.

I have purposely left legacy authentication enabled on some accounts to track what happens during brute force attempts. Experience is the best teacher as they say. Thanks to Cloud App Security:

A great security add on for Microsoft 365

I have configured it to alert me when there is failed login from outside my corporate locations:

Tracking failed logins using Cloud App Security

image

I would occasionally get the odd failed alert but nothing sustained. That was until today!

image

As you can see from my inbox, all of sudden I started to get massive volumes of alerts from Cloud App Security. The spray was on!

image

I jumped across to Azure AD sign-ins for the account and filtered the location down to be largely from China (i.e. CN is the location filter in the above results).

image

Due to the intensity of attack I started to get login failures and reported locks outs as shown above. So how does Azure AD handle lockouts? You’ll find that information here:

Azure Active Directory smart lockout

which says:

By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.

Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.

Smart lockout is always on for all Azure AD customers with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires paid Azure AD licenses for your users.

In this case, the tenant didn’t have a premium version of Azure AD so the standard defaults were in effect.

image

The next application to feel the strain was the OneDrive for Business sync client which started requiring re-authentication.

image

Then the Azure portal began to struggle under the weight of so many failed login attempts.

image

Then the Microsoft Teams desktop application also started to have authentication issues.

image

Next, it was OneNote’s turn to start requiring re-authentication.

The attacks came in waves, typically separated by a few minutes (as happens with spray attacks) and then it was back again.

image

So what can you do if an account is subject to a spray attack and you are effectively getting denial of service thanks to that? Microsoft has provided every tenant with a number of free Baseline Conditional Access policies. The most appropriate one in this case is Block legacy authentication.

image

Enabling this policy will basically prevent legacy protocols like IMAP, POP and SMTP BUT it will do this across the WHOLE tenant! That is, for ALL users. That may be an issue if you have other accounts that depend on these older protocols for operation. However, this is certainly the quickest and easiest way to block spray attacks if you need to.

image

A more refined approach is to use PowerShell and create a new authentication policy as shown above. This creates a policy that disables the legacy protocols.

image

image

With the policy in place you can now apply it to just the user in question. Most authentication policies can take up to twenty four hors to take effect, however you can force an immediate refresh using the –STSRefreshTokenValidFrom option as shown above.

image

image

After doing all this, it is advisable to check to ensure the user has this authentication policy enabled as shown above.

image

When you dive into the Azure AD logs you’ll see that the brute force attempts have happened via SMTP, confirming a spray attack against the account.

image

Another service that may be affected by these attacks is Flow as seen above.

image

You may need to go into the Flow and re-authenticate as with the other affected apps. The issue may not be come evident until the next time your Flow actually runs.

So what my ten take aways?

1. Spray attacks are easy to automate and initiate. That means they will continue because they have a great ROI for attackers.

2. Implementing MFA on accounts is going to protect against an account breech from these spray attacks.

3. Spray attacks are facilitated via basic authentication which is enabled on all tenants by default for legacy support and has to be manually disabled! Enabling MFA DOES NOT automatically disable basic authentication since it allows support for static app passwords for applications that don’t support MFA out of the box. Disabling legacy authentication can cause issues with older applications that don’t support modern authentication. Disabling legacy authentication across the whole tenant needs to be done with caution. A user by user approach may be a better approach initially.

4. If your applications are complaining about failed authentication, check to see whether your account is not in fact the subject of a spray attack. Azure AD is trying to protect the account by locking itself out for a time period which affects good and bad attempts.

5. Use Cloud App Security and you’ll get a heads up on this sort of thing early on. Knowing what is happening makes it much easier to deal with and there really isn’t a better way than using Cloud App Security.

6. Use conditional access to restrict who can attempt to login to your tenant. Every one gets some free basic baseline policies from Microsoft but it is worth paying for Azure AD P1 to get the ability to be more granular. Don’t forget that Microsoft 365 Business comes with this granular Conditional Access ability out of the box now!

7. Consider having a ‘break glass’ emergency administrator account that you can call on to make admin changes if your only other existing administration account comes under attack and access becomes denied. This account doesn’t need a licence, it just needs permissions. It is hard to make changes to a tenant as an administrator if that account is subject to denial of service by a spray attack!

8. Even if you have MFA enabled, if you leave legacy authentication enabled, then even though attackers can’t correctly guess the password, their continued attempts could effectively result in a denial of service. This is very hard to mitigate, so look to eliminate all your legacy apps and protocols to prevent becoming collateral damage.

9. Review:

Azure AD and ADFS best practices: Defending against password spray attacks

as a good refence for the steps to protect your tenant against spray attacks. Remember, security is a journey and requires eternal vigilance and education.

10. Documentation before, during and after any incident is critical to knowing, understand and mitigating attacks. This all starts with preparation and knowing your situation and what can and needs to be done in a logical manner using tools like checklists. Your information is too important and valuable to leave to chance. Have a plan, your attacker does.

The more hardened your environment, the more likely attackers will simply move on to easier targets. Leaving legacy settings enabled is going to ensure they keep coming back to test your defences and potentially impacting your productivity as a side effect. In this case, once legacy authentication was disabled for the account the attacks ceased.

Sharing an Azure Information Protected file

image

Let’s say that we have a super secret text file with the contents shown above that we want to share with an external contact outside our Microsoft 365 tenant. We want to ensure that the document is encrypted and only viewable by those we have deemed to have permissions. We also want to restrict external users to have read only access to the file. How can we achieve that? With Azure Information Protection (AIP).

image

The first step in the process is to define an Azure Information Protection label with the permissions desired. You can see in the above that access for this label is defined for a Gmail account and the permissions for this account are set to “Viewer” (i.e. read only).

This label then needs to be added to a policy and pushed out to those Microsoft 365 users who will be creating documents, so it is available on their machines.

image

Users should already have the Microsoft Azure Information Protection Clients for Windows client installed on their machines. Doing so will add an Azure Information Protection banner to their Office desktop applications as well as an extension to Windows Explorer when they right mouse click on a file as shown above.

You typically use this Windows Explorer extension when you want to protect non-Office documents. You do this by selecting Classify and Protect as shown above.

image

This will launch the AIP client and allow you to apply the protection label that was created previously in the Azure portal. To apply that specific label to protect the document simply select the label name as shown above. You should then see the Sensitivity set to that level in the top left. Don’t forget to select the Apply button in the bottom right to actually protect the file!

SNAGHTML128bdeb6

You should now see that the file is a “Protected Text File” and that it has a new icon. You will also notice that the extension here is now .PTXT for protected text file.

image

That file can now be uploaded to OneDrive for Business and appears as shown.

image

If that protected file is now sent outside the organisation, using any method,  and is opened with the native viewer, here Notepad, you’ll note the message saying that the file is protected and to view it you must download the Microsoft’s protected file viewer. This is actually exactly the same client that was used earlier – Microsoft Azure Information Protection Clients for Windows client. So, this will need to be downloaded and installed on the destination machine to allow viewing/access of the file.

image

Once the Microsoft Azure Information Protection Clients for Windows client has been installed, when you open the file it should open automatically in the Azure Information Protection Viewer. If it doesn’t just launch the Azure Information Protection Viewer first, and then use it to open the protected document.

image

Because the document is protected the user will now be asked to enter their credentials as shown. This will be their email address.

image

In this case, the email address with permissions is a Gmail account which isn’t an Azure AD account like say an Office 365 account. Access will therefore be granted in a very similar way to the way OneDrive for Business does it’s sharing. This means, that after entering a non-Azure AD account, the account will be sent a verification code that needs to be entered as shown above.

image

Checking back in the Gmail account, the user sees the Account verification code and enters that at the prompt. You’ll also notice that this code is good for 30 minutes. Access outside that will require re-authorisation and a new code.

image

With the code entered, the user can view the document as shown above. You’ll notice that both the Print and Save As are greyed out.

image

Upon selecting the View Permissions option for the file, the user can see which permissions they are allowed. Here, as expected, the only permissions available are View.

Now there are some restrictions around the file types supported for classification, labelling and protection. You can read more about those here:

Admin Guide: File types supported by AIP unified labelling client

However, you should be able to protect just about any file and allow the Save As upon delivery to protect the file contents during transmission.

Azure Information Protection basically allows you to apply unique permissions to an individual document. This ensures that the permissions travel with, and are obeyed, no matter where or to whom the document is sent. That is a very powerful way to protection your information and as you can see, once you have configured the label it is very easy to apply to any document directly using Windows Explorer.

Azure Information Protection in some form is included in most Office 365 Enterprise SKUs but is also importantly included in Microsoft 365 Business. You cab also purchase it as a stand alone offering. Have a look at:

Requirements for Azure Information Protection

for more details.

Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.

SNAGHTML1d8570c5

If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.

image

Select All Devices.

image

Select the PC in question from the list.

image

Now select the Recovery keys option.

image

On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.

image

If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.

image

Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.

image

If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.

image

If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

https://account.activedirectory.windowsazure.com

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.

Tracking failed logins using Cloud App Security

Previously, I have said that Office365/Microsoft Cloud App Security is

A great security add on for Microsoft 365

I’ve also detailed the differences in the plans here:

Cloud App Discovery/Security

What many people want to know more information about is failed logins to their tenant, so Cloud App Security to the rescue!

image

Start by navigating to the Cloud App Security Activity log as shown above. Then select the Advanced option in the top right as shown.

image

Doing so should reveal the ability to define filters as show above.

I’d also recommend that you go and define a “safe” range of IP addresses like I have detailed here:

Define an IP range in Cloud App Security

In my case I have defined some known safe IP’s as “Corporate”.

image

So the first line of my query basically excludes any of these known IP addresses in the results. That is, I’m looking for failed logins outside my corporate environment. This will generally exclude average users failing to login to their accounts inside my environment, which happens a lot. The idea with this is simply to reduce the noise of lots of alerts, but if you want to know about all failed logins to your tenant, just exclude this condition.

image

The second part of the filter is to show activities that equal ‘Failed log on’ as shown. You can customise this further if you want to make it more granular, but for now let’s track any failed login to the tenant.

image

So the final query should look like the above.

image

You should be not surprised to see the number of results you get as shown above. In my case, there are failed logins from the US, China, Russia, Italy, etc.

Now of course, I can drill into each item for more details but what I really want is a way for me to be alerted about these when they happen. Cloud App Security to the rescue again.

image

At the top of the results you should find a button as shown that says New policy from search, which you should select.

image

You should now see a page like shown above where you can define your policy. You’ll need to give it a name and description. You may want to increase the severity or change the category to suit. You can also select between single or repeated activity.

image

Now if you want an email alert then you’ll need to select the option Send alert as email and put in your email address as shown above. You may also want to change the Daily alert limit to suit your needs.

When you have completed the configuration, scroll to the bottom of the page and select the Create button.

image

You should now see that policy in the list in your tenant as shown above.

Cloud App Security is a really powerful tool that I believe is a must have for every Microsoft 365 tenant, because not only can you create your own custom queries but you can also convert those into alerts as I have shown.

Key skills for an IT Professional

accuracy-action-active-433077

If you are an IT professional working in with Microsoft 365 then I would suggest the following are the top five skills that you need to have to be successful going forward. My pick, in order is:

1. PowerShell

2. Azure AD

3. Security

4. Intune

5. SharePoint

and here’s why:

PowerShell

PowerShell gives you the ability to script commands for both cloud and on premises Microsoft services. There are many things you can also only do using PowerShell, however more importantly, you can begin to automate what you do. This reduces the time it takes to complete processes as well as giving more consistent results. It also means that you can potentially offload these tasks to others who only need to know how to run the scripts you have created not understand what they entail.

I also find that understanding the PowerShell side of a process gives you a a much deeper understanding of that process and what is possible. I also think that having to do a bit of coding is a benefit to everyone. It helps you to think more logically, plan and structure what you want to achieve. You however don’t need to become a developer, it is easy to CTL-C and CTRL-V good scripts from various places and integrate them into your processes while making a few changes along the way. You can go as deep as you wish and create really amazing scripts that really make life in IT so much easier, while allowing you to do your job faster.

Remember, software will eat the world.

Azure AD

Identity is key to our modern world. You don’t get access to “stuff” until you prove who you are. Importantly, Azure AD is not the same a traditional on premises Active Directory. It is a subset, where the additional options can be added as needed. However, you need a good understanding of where a user’s primary identity is and how it is managed and secured in the cloud. Without this fundamental knowledge you are really going to struggle to understand things like modern device management and security.

All Microsoft services are underpinned by identity and Microsoft cloud services are underpinned by Azure AD. Thus, to administer, configure, troubleshoot these you need a good understanding of Azure AD.

Security

With so much of our assets now being digital, protecting them is paramount. We need to do this in a way that doesn’t inhibit productivity and that is a real challenge. Poor security to me indicates a fundamental lack of knowledge about the products in question. It also demonstrates a lack of discipline and consistency which are the hallmarks of your adversaries out there trying to gain access to systems you protect.

Security will never be an absolute and that makes it hard for many “IT types” to deal with who like to have a tangible end goal. There is not a finite end point with security, there is simply an ongoing challenge to stay one step ahead of the bad actors. Some see that as a burden while the true security professional sees it as a challenge. The protection of our future lies with good security and the challenges that brings. It therefore, will be a skill that will be in continuing high demand.

Intune

As mentioned, Azure AD doesn’t contain the same resources that on premises Active Directory did. The best example of this is probably Group Policy, which is something that Azure AD does not incorporate. To a large extent, that is now handled by Intune and this why it is such an important skill going forward for IT Professionals to become skilled with. It can also be implemented using things like PowerShell, which again goes to the point of how important this list of skills is across all Microsoft services today.

A key factor with Intune is its ability to configure mobile devices. This is something traditionally IT Professionals have not been able to do. However, with the growing numbers of mobile devices in use and their criticality to businesses of every size, it is now more important than ever to be able to easily configure and secure them directly from the Internet.

SharePoint

Most IT Professionals have some skill or familiarity with Exchange and emails which easily translates to services like Exchange Online. However, when it comes to files and folders in the cloud the service of choice is going to be SharePoint, for which there are a decided lack of skills even though SharePoint has been with us for many years now. As I have spoken about many, many time here, SharePoint is more than just simple storage, it is a collaboration system and needs to be approached in that manner to get the most from it. Not doing so results in lots of pain for both administrators and end users.


So there you have it. If I had to pick five skills in order that characterise a modern IT Professional, these would be they. You don’t need to be an elite ninja in each but likewise you can’t remain ignorant of them. if you work with Microsoft cloud technologies you should be familiar and comfortable with them all. If not, then you need to start investing some time and learning them because they will serve you well now and into the future.

Cloud App Discovery/Security

Microsoft has a range of security options available, delivered in a variety of ways from the cloud. I’m going to focus on three items that tend to get lumped together and with which I see much confusion. These services are:

1. Azure AD Cloud App Discovery

2. Office 365 Cloud App Security

3. Microsoft Cloud App Security

Here’s a summary of the differences between the products:

image

1. Azure AD Cloud App Discovery

This is the most basic of the three services and is only available when you purchase and license Azure AD P1, there is no stand alone version of just Azure AD Cloud App Discovery. This is a description of the product:

Azure Active Directory Premium P1 includes Azure Active Directory Cloud App Discovery at no additional cost. This feature is based on the Microsoft Cloud App Security Cloud Discovery capabilities that provide deeper visibility into cloud app usage in your organizations. Upgrade to Microsoft Cloud App Security to receive the full suite of Cloud App Security Broker (CASB) capabilities offered by Microsoft Cloud App Security.

Thus you receive Azure AD Cloud App Discovery when you purchase the following:

– Azure AD Premium P1 (stand alone)

– Azure AD premium p2 (stand alone)

– Microsoft 365 E3 (which includes Azure AD P1)

– Enterprise and Mobility Suite (EMS) E3 (which includes Azure AD P1)

When you visit the portal you will see:

image

Firstly, note that the banner reads Cloud App Security like so:

image

2. Office 365 Cloud App Security

This is available as a stand alone purchase for existing Office 365 / Microsoft 365 tenants.

clip_image001

You can also get Office 365 Cloud App Security as part of:

– Office 365 E5

You’ll see Office 365 Cloud App Security in the top left of the portal like so:

image

The biggest advantage I believe of Office 365 Cloud App Security over Azure AD Cloud App Discovery is the Activity policies like so:

image

These activities includes built in anomaly detection for things like Impossible travel like so:

image

You also get a number of default activity policies like Logon from a risky IP address:

image

as well as the ability to create your own unique activity policies and alerting.

3. Microsoft Cloud App Security

This again, is available as a stand alone add-on to any Office 365 / Microsoft 365 tenant, being a tad more expensive that office 365 Cloud App Security:

clip_image001[4]

It is also available when you purchase:

– Microsoft 365 E5

– Microsoft 365 E5 Security

– Enterprise and Mobility Suite (EMS) E5

As you can see from the table at the top of this article, Microsoft Cloud App Security includes everything (plus more) that is in Azure AD Cloud App Discover and Office 365 Cloud App Security. Thus, think of Microsoft Cloud App Security as Azure AD Cloud App Discovery + Office 365 Cloud App Security.

This is what you see when login to Dashboard:

image

You’ll see it look very different even though the top left says “Cloud App Security” again. You get far more options that with either of the other two including more options under Investigate like so:

image

Summary

Not everything is quite as simple as I have outlined here. Deeper detail about the licensing can be found here:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO

or on:

Microsoft Cloud App Security

In my opinion Azure AD P1 is a must have for all tenants to get features like conditional access and trusted IP’s. That will give you Azure AD Cloud App Discovery. However, I’d also recommend also adding Office 365 Cloud App Security as a minimum to get access to the Activity alerts. if you want even more power then add Microsoft Cloud App Security instead.

The final question I get is whether you require a license for all users in your tenant? For that I will leave you with the official word from Microsoft on that topic which is:

“Each user must be licensed for Microsoft Cloud App Security to use or benefit from it. For customers who license a subset of users, services enforced at the tenant level are not licensed for the other users. They are not entitled to use or benefit from the service, regardless of whether the service is technically accessible.”

Need to Know podcast–Episode 206

A short sharp episode focusing on the latest news and updates from Microsoft Build. Brenton and I cover off all the Microsoft Cloud news, good and bad as there is unfortunately some bad news to report in recent experiences with Azure. However, there is also lots of good news about updates to your favourite services. Tune in and give us your feedback.

This episode was recorded using Microsoft Teams

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-206-ghost-in-the-machine/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directoria

CIAOPS Patron program

Azure cheat sheet

Azure global outage

What’s new in Microsoft 365 user management

New people centered experiences in Microsoft 365

Microsoft Edge – All the news from Build

Minimize distractions and stay focused with AI powered updates in Microsoft 365