Need to Know podcast–Episode 342

Join me for this episode with all the latest news and updates from Microsoft, as well as my take on the importance of logging as a security basic that many overlook. Plenty of security news in this episode, especially around the latest exploits of MSHTA.EXE that you should be prepared for. Listen for all the information.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-342-logs/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

Comparing Copilot Chat included with Microsoft 365 to a paid Copilot license

Adobe and Microsoft Empower Marketers with AI Agents in Microsoft 365 Copilot

Introducing Copilot in the Microsoft 365 admin centers

Jailbreaking is (mostly) simpler than you think

Level up your defense: protect against attacks using stale user accounts

Defender XDR – Monthly news – March 2025

AI innovation requires AI security: Hear what’s new at Microsoft Secure

Microsoft Technical Takeoff: Windows + Intune

Continuing with Microsoft Entra: Advanced Identity Management

Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware

Take Flight with Microsoft Security Copilot Flight School

Securing Your Nonprofit Environment (Part 1) – Enabling Security Defaults

Securing Your Nonprofit Environment (Part 2): Best Practices to Secure Your Admin Accounts

How to infect your PC in three easy steps

ASD Configuration policy templates for Intune


The Australian Signals Directorate (ASD) has produced a number of recommended configuration policies for Intune as part of their Secure Cloud initiative. You can find them here:

ASD Configuration policies

Edge hardening guidelines

All Macros disabled

Macros enabled for trusted publishers

Office Hardening guidelines

Windows hardening guidelines

User rights assignments

These policies are in TXT format but are effectively just JSON files.

I have therefore taken these TXT files, renamed them to JSON files and uploaded them into my best practices repository here:

CIAOPS Best Practice Repo – ASD recommended policies

It would have been good if the ASD had placed these in their own repo so they could easily be monitored for updates. Alas, maybe in the future.

So for now you can import these files directly from my repo into your Intune and I’ll try and do my best to keep them current with what the ASD does.

A better KQL Query to report failed login by country

SigninLogs
| where ResultType != 0  // Non-successful sign-ins
| where TimeGenerated >= ago(30d)  // Last 30 days
| extend Country = tostring(LocationDetails.countryOrRegion)
| where Country != "AU"  // Exclude Australia
| summarize FailedLogins = count() by Country
| order by FailedLogins desc

The above is an improved version of a KQL query you can use to report on failed logins to Entra ID over the past 30 days. It also excludes a country (here Australia) if desired.


The country codes are here:

https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Note: if you copy and paste directly from here you will probably have to change the “ when you paste into your own environment, as the wrong “ gets taken across!

Need to Know podcast–Episode 340

I take a look at something many overlook when it comes to security in their Microsoft 365 environment – Exposure score. In essence it is like a targeted Secure Score for a particular threat like Business Email Compromise. There is also news and updates from the Microsoft Cloud so listen along and review the show notes for more information.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-340-exposure-management/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

The way to control EWS usage in Exchange Online is changing

New Microsoft-managed policies to raise your identity security posture

Storm-2372 conducts device code phishing campaign

Block malicious command lines with Microsoft Defender for Endpoint

Clipchamp: Elevating work communication with seamless video creation in Copilot

Sharing with Microsoft Whiteboard

AI agents at work: The new frontier in business automation

Copilot learning hub

New Certification for Microsoft information security administrators

What is Security Exposure Management?

Updated Windows for Endpoint Security Baseline


Microsoft has updated the Windows Security Baseline for Endpoint Security in Intune to 24H2. Baselines are an easy way to set a vast array of best practice settings across your Windows devices in a single policy, already pre-configured by Microsoft.

I have extracted the policy to a JSON file and made it available at:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/win.json

and the previous one is here:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/Archive/win.json

You can now simply import that directly into your environment programmatically using something like PowerShell.

I will note that when I initially exported the template and tried to import it back I got the error:

Invalid Reference id found in Policy

After a lot of troubleshooting (and I mean a LOT), I tracked the issue down to the setting with id 241:

{
  "id": "241",
  "settingInstance": {
    "choiceSettingValue": {
      "value": "device_vendor_msft_policy_config_deviceguard_machineidentityisolation_0",
      "children": [],
      "settingValueTemplateReference": {
        "useTemplateDefault": false,
        "settingValueTemplateId": "6a208e4b-0e34-4d12-a821-3173e99f3ce0"
      }
    },
    "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
    "settingDefinitionId": "device_vendor_msft_policy_config_deviceguard_machineidentityisolation",
    "settingInstanceTemplateReference": {
      "settingInstanceTemplateId": "1fa97457-2a1f-4e33-b3c2-9a4c8930510d"
    }
  }
}

Removing that from the template allowed the rest of the template to import. I’ll have to spend some more time working out the exact settings, and hopefully by then Microsoft fixes the issue and I’ll update the JSON in my Best Practices repository. However, for now the JSON at the URL can be imported.
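As an added example (not the post's own script, nor anything from the Best Practices repo), here is one way to do that programmatic import with the Microsoft Graph PowerShell SDK while skipping the setting above. The request body shape and the "settingInstance only" handling are my assumptions about the configurationPolicies create call; the JSON path and policy name are placeholders.

```powershell
# Added example: import an Intune Settings Catalog export (the baseline JSON above)
# through Microsoft Graph, skipping the setting that triggers
# "Invalid Reference id found in Policy". Requires the Microsoft.Graph module.
param(
    [string]$Path = '.\win.json',                      # placeholder: the exported baseline
    [string]$Name = 'Windows Security Baseline 24H2',  # placeholder: name for the new policy
    [switch]$DryRun                                    # print the request body instead of posting
)

$policy = Get-Content -Path $Path -Raw | ConvertFrom-Json

# The setting behind id 241 in the post. Match on the definition id rather than the
# export's numeric id so the filter survives a re-export that renumbers settings.
$skip = 'device_vendor_msft_policy_config_deviceguard_machineidentityisolation'

$settings = @(
    foreach ($s in $policy.settings) {
        if ($s.settingInstance.settingDefinitionId -eq $skip) {
            Write-Warning "Skipping $skip (known import failure)"
            continue
        }
        # Assumption: the create call wants settingInstance only, not the export's ids.
        @{ settingInstance = $s.settingInstance }
    }
)

# Assumption: platforms, technologies and templateReference are carried in the export
# and can be reused as-is for the new policy.
$body = @{
    name              = $Name
    description       = "Imported from $Path on $(Get-Date -Format s)"
    platforms         = $policy.platforms
    technologies      = $policy.technologies
    templateReference = $policy.templateReference
    settings          = $settings
} | ConvertTo-Json -Depth 25

if ($DryRun) { $body; return }

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' `
    -ContentType 'application/json' -Body $body
"Created policy '$($created.name)' with id $($created.id) ($($settings.Count) settings)"
```

Run it once with -DryRun to inspect the body before anything is created in the tenant.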


Checking your environment for oversharing

Microsoft now provides the ability to check your environment for oversharing by running a data assessment report, which you’ll find in DSPM for AI inside Microsoft Purview.

Here’s my video to get you started:

https://www.youtube.com/watch?v=aVUQ6PGnMmE

Some documentation to help is here:

Get started with Data Security Posture Management

Hopefully, the reporting will become more detailed and allow you to take direct action on individual items that are reported. However, for now, it is a handy report to have in your bag of tricks.

New mailbox logging settings


CISA released a Microsoft Expanded Cloud Logs Implementation Playbook that I recommend Microsoft 365 administrators take a look at.

“This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.”

“Default enablement is defined at a license level. For example, Auditing (Standard or Premium) is enabled by default for E3/E5/G3/G5 licenses. Some licenses, such as M365 Business Basic, M365 Business Standard, M365 Business Premium, and trial license accounts do provide access to Audit but do not currently have auditing enabled by default. These licenses will have Audit enabled by default in the future. If you are leveraging one of these license types, the steps below can be utilized to ensure that all audit features are enabled.”

Thus, if you are using ANY Microsoft 365 license, in my books you want to ensure all the logging available to you is enabled for all users, regardless of what Microsoft does.

The playbook will take you through what needs to be done. Most of it relates to:

Mailbox actions for user mailboxes and shared mailboxes

with the most important being around the MailItemsAccessed setting, but there are others.

The most important thing to remember is that most of these settings cannot be set in the web portal and can only be set using PowerShell commands like the following (the mailbox identity is a placeholder):

Set-Mailbox -Identity <mailbox> -AuditOwner @{Add="SearchQueryInitiated"}
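An added example, not from the post or the CISA playbook, that applies the expanded audit actions across every user and shared mailbox and then verifies them. The action names are the ones the playbook covers; the cmdlet parameters are assumed from the ExchangeOnlineManagement module.

```powershell
# Added example: enable the expanded mailbox audit actions on all user and shared
# mailboxes, then report any mailbox still missing them. Requires the
# ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Organisation-level switch: while this is $true, per-mailbox audit settings are ignored.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

$scope = 'UserMailbox', 'SharedMailbox'
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $scope `
    -Properties AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin

foreach ($mbx in $mailboxes) {
    # MailItemsAccessed records reads by the owner, delegates and admins;
    # SearchQueryInitiated is an owner-only action.
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditEnabled  $true `
        -AuditOwner    @{Add = 'MailItemsAccessed', 'SearchQueryInitiated'} `
        -AuditDelegate @{Add = 'MailItemsAccessed'} `
        -AuditAdmin    @{Add = 'MailItemsAccessed'}
}

# Verify: anything listed here still lacks one of the key owner actions.
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $scope -Properties AuditOwner |
    Where-Object { $_.AuditOwner -notcontains 'MailItemsAccessed' -or
                   $_.AuditOwner -notcontains 'SearchQueryInitiated' } |
    Select-Object UserPrincipalName, AuditOwner
```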

Apart from these settings the playbook has lots of additional handy information that will help with the security of your Microsoft 365 environment and this makes it a recommended read for all administrators.