Need to Know Podcast–Episode 175

Brenton and I talk about the importance of data compliance in light of recent legislation updates in both Australia and overseas. This means that it is very important firstly to understand what your obligations are when it comes to personal data, but also to ensure your own systems are compliant. Technology is not the only solution required here; you’ll need policy as well as training to help people better understand what their responsibility is. We cover off all the major highlights as well as give you some suggestions of how you should be approaching this with your Office 365 tenants.

Take a listen and let us know what you think: feedback@needtoknow.cloud

You can listen directly to this episode at

https://ciaops.podbean.com/e/episode-175-compliance/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Non Azure AD accounts can now join Microsoft Teams

Azure AD Connect: Version release history

How Office 365 protects your organisation from modern phishing campaigns

Azure migrate is now generally available

Introducing Azure Advanced Protection

Check those Office 365 forwards

Extending Exchange Online Deleted Items retention period

Many people are unaware of the fact that ALL (yes, I said ALL) Exchange Online plans are configured, by default, to ONLY retain deleted items for 14 days. Yes, I said ALL Exchange Online plans, and I quote:

“How long deleted items are kept in the Deletions folder depends on the deleted item retention period that is set for the mailbox. An Exchange Online mailbox keeps deleted items for 14 days, by default. Use the Exchange Management Shell, as shown above, to change this setting, to increase the period up to a maximum of 30 days.”

This is from:

https://technet.microsoft.com/en-us/library/dn163584(v=exchg.160).aspx

You will also note that you can extend this to a maximum of 30 days using PowerShell, which I would suggest is exactly what you should do IMMEDIATELY after you add a user account.

To do this you firstly need to connect to Exchange Online using PowerShell. Then to view the current retention periods run the following:

image

that should then display something like:

image

As you can see from the above, all the mailboxes listed are currently only set to a MAXIMUM of 14 days for retention (which is the default).

To extend this to the maximum of 30 days for ALL plans, execute the following command:

image

Now when you re-examine the deletion period for all mailboxes you should see:

image

they have all been extended to the maximum of 30 days, which should make everyone much happier and give you the ability to recover deleted email data out to the maximum period of 30 days for ALL plans. After 30 days, however, the deleted data will still be purged and unrecoverable.

If you wish to retain deleted email data beyond the maximum 30 days that can be provisioned generally, you’ll need to add the legal hold service to the mailbox and ENABLE it! The legal hold service is available on Exchange Online Plan 2 mailboxes, E3 and E5 suites typically.

To my way of thinking, extending the deleted item retention period of all mailboxes in a tenant is something that should be done immediately and using the above PowerShell commands it is really easy to do. So there should be NO excuse!
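
One way to carry out the steps above (view, extend, re-examine), as an added example that is not the author's original commands. It assumes an Exchange Online PowerShell session is already connected; the variable names `$maximum`, `$short` and `$mbx` are chosen for this example.

```powershell
# Added example, not from the original post.
# Assumes an Exchange Online PowerShell session is already connected.

# 1. View the current deleted item retention period of every mailbox.
Get-Mailbox -ResultSize Unlimited |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, RetainDeletedItemsFor -AutoSize

# 2. Select only the mailboxes still below the 30 day maximum.
#    The period is shown in the form 14.00:00:00; casting its string form
#    to a TimeSpan makes the comparison reliable in a remote session.
$maximum = New-TimeSpan -Days 30
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [timespan]"$($_.RetainDeletedItemsFor)" -lt $maximum }

# 3. Extend them to 30 days. -WhatIf only previews; remove it to apply the change.
foreach ($mbx in $short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor 30 -WhatIf
}

# 4. Re-examine: this returns nothing once the change has been applied.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { [timespan]"$($_.RetainDeletedItemsFor)" -lt $maximum } |
    Format-Table UserPrincipalName, RetainDeletedItemsFor -AutoSize
```

Mailboxes created later start at the default again, so the check in step 4 is worth repeating whenever users are added.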

Improved security is a shared responsibility

The Internet has ensured that everyone who is connected is connected together. Everyone being connected together has some massive advantages but it also makes us vulnerable to those who wish to exploit this fact. The reason we all get so much spam is because it is so easy and so cheap to send. However, after all these years, why is the dominant email traffic source always spam? It’s because it morphs and evolves to avoid detection. The same applies for other threats such as phishing.

Technology provides some great tools to deal with spam and phishing but they can’t remove 100% of the threats that are out there. Many also rely on people reporting attacks and suspect items in their inbox to security vendors so they can analyse the results and improve their own detection.

Reporting incidents you come across in your own inbox has been a challenge. Who or where do you send your reports to? Now Microsoft has a free add-in for Outlook that allows you to quickly and easily report spam and phishing directly to them.

To do this visit:

https://appsource.microsoft.com/en-us/product/office/WA104381180?src=office

and install the Report Message add-in for Outlook to your environment.

Then when a suspect email is detected you can easily report it via a few clicks.

For more information about installing and configuring the Report Message add-in across your Office 365 environment see:

Enable the Report Message add-in

Don’t just sit there and ignore spam and phishing attacks. Report them and potentially help save someone else from becoming a victim! When you connect to the Internet you become part of a global community. Help the community fight back against those seeking to take advantage of others. The more we all report attacks the less there will be.

Join me in the fight to take back the Internet!

Check those Office 365 email forwards

One of the most common tasks that hackers perform after they have compromised accounts in Office 365 (usually via a poor password or phishing attack) is to set up an email forwarding rule on mailboxes so they receive a copy of emails to that user.

Thus, it is good security practice to ensure that you are aware of all the email forwarding configurations that are enabled on your tenant. To do this you simply need to run the following PowerShell command once you have connected to Exchange Online:

Get-Mailbox | select UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward

This will produce a result like:

image

which tells you whether forwarding has been enabled and to which address emails are being sent. Obviously, if you don’t recognise any of these you should investigate further.

There are plenty of ways to run this script on a regular basis but I’m not going to cover that here.
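
A fuller forwarding audit, as an added example that is not from the original post. It goes beyond the one-line command above by also reading `ForwardingAddress` and each mailbox's inbox rules, and by marking targets outside the tenant's accepted domains. It assumes a connected Exchange Online PowerShell session; `Test-ExternalTarget`, `$internalDomains` and `$findings` are names chosen for this example.

```powershell
# Added example: assumes a connected Exchange Online PowerShell session.
$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })

function Test-ExternalTarget([string]$Target) {
    # True when the target contains an SMTP domain that is not an accepted domain.
    $domains = [regex]::Matches($Target, '@([A-Za-z0-9.-]+)') |
        ForEach-Object { $_.Groups[1].Value }
    [bool]($domains | Where-Object { $_ -notin $internalDomains })
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding: ForwardingSmtpAddress (any SMTP address) and
    # ForwardingAddress (a directory recipient, such as a mail contact).
    # A directory recipient has no SMTP domain in its name, so it is listed
    # but not marked External; resolve it by hand if you do not recognise it.
    $mailboxTargets = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) |
        Where-Object { $_ }
    if ($mailboxTargets) {
        $joined = $mailboxTargets -join '; '
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'Mailbox forwarding'
            Target   = $joined
            External = Test-ExternalTarget $joined
        }
    }

    # Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
            @($rule.RedirectTo) | Where-Object { $_ }
        if ($ruleTargets) {
            $joined = $ruleTargets -join '; '
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = "Inbox rule '$($rule.Name)' (enabled: $($rule.Enabled))"
                Target   = $joined
                External = Test-ExternalTarget $joined
            }
        }
    }
}

# External targets first; these are the ones to investigate.
$findings | Sort-Object External -Descending | Format-Table -AutoSize -Wrap
```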

Email Message Header Analyzer for Office 365

Much of the diagnostic detail relating to emails is buried in locations that you can’t see. If you have the need to examine email messages for troubleshooting or security this can be a challenge.


A great tool you can add to your arsenal is the free Message Header Analyzer which you can find here:

https://appsource.microsoft.com/en-us/product/office/WA104005406

Once installed you will find an additional button in your OWA:

image

When selected, that button will give you a range of options you can use to dive deep into the technical information surrounding the email in question.

I especially like the ability to dig into the SPF and DKIM style details.

If you need to do any troubleshooting or email analysis on a regular basis I’d highly recommend you add this to your inbox.

Double check those links

Unfortunately, as services like Office 365 become more prevalent so too do the attacks against them. These attacks are going to target people who are the least IT savvy.

The above is the first example of an email I received this morning. Being close to Valentine’s Day it would be easy for an ordinary user to click on the link provided inside to download the PDF of their order.

However, if you mouse over that link, you see that it actually re-directs you to a malicious web site, but of course a user isn’t going to know that.

I gotta say that the malicious web site really does look like an Office 365 login page, doesn’t it? The only obvious giveaway is the URL at the top of the page.

Upon closer inspection you see that it is in fact not going to the Office 365 login URL which is:

image

You’ll also note that the email address is already in the dialog box so all a user would need to do is press enter as they normally would.

At the next page they are prompted for their email address. Again, a very, very authentic looking Office 365 login page.

Typically, the user would enter their password and hit enter. At this point their login details have been sent to the bad guys and the user is redirected to the correct Office 365 login page. The user, of course, thinks they entered something wrong and goes through the process again. However, their account has now been compromised, pretty much without them realising.

Here is the next phishing email that I received moments after getting the first. This one appears to be directly from Microsoft, requesting an update to the security of the Office 365 account.

This preys on the underlying fear most users have of technology in order to get them to click the link.

If they do so, they are again taken to another ‘official’ looking Office 365 login page as you see above.

Again, this one has a non Office 365 login URL as shown above. Like the previous case, this site has its own certificate (HTTPS), making it appear even more legitimate.

So if you come across these sites, the first course of action is to report them to Microsoft.

Submit spam, non-spam and phishing scam messages to Microsoft for Analysis

Because these types of attacks are new in the wild they are typically not picked up by reputation-based systems. Eventually they are picked up, like in the browser here:

image

but until they are, there really isn’t much that can be done.

I’ve said this before, security is tough:

The bad guys keep winning

and technology can’t be used to solve every issue. We need to couple that with education to help people ask the right question before potentially doing the wrong thing.

If something in your inbox doesn’t seem right, chances are it isn’t. So treat it with caution.

Enable activity auditing in Office 365


Here’s something I suggest you ensure is enabled in all Office 365 tenants.

Visit the Office 365 Security and Compliance center as an administrator. From the menu on left, select the Search & investigation heading. From the items that appear select Audit log search.

If your audit logging hasn’t been enabled you will see a hyperlink on the right that says Start recording user and admin activity. If that link is visible, then select it as shown above.

You will then receive the above confirmation. Select Turn on.

You’ll be taken back to the Audit log search page where you’ll see a message telling you that logging is being enabled.

When that process is complete return to the Audit log search and select the Activities drop down.

You’ll now be able to audit a huge range of activities and produce a report, like this –

image

Here, I’ve run a report to display any files that have been accessed. From the results I can see the user, IP address and the file that was accessed.


You can now also set up an alert on any of these activities.

To do this, select the Alerts option on the left in the Security & Compliance center. From the items that appear select Manage alerts.

On the right select the + New alert policy button.

Set the Alert Type to Custom.

Select the Send this alert when… option and again choose the activity for the alert. The available options should be pretty much the same as you saw before with the audit logs.

Then choose which users you wish the alert to apply to as well as an email address to send the alert to.

As with all alert settings ensure that you don’t make these too general because you’ll end up getting too many alerts and end up spamming yourself.

The important thing here is that auditing is not enabled by default. The best practice recommendation is therefore to go and turn it on so you can audit activity in your tenant.
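
The same check and the file-access report from PowerShell, as an added example that is not from the original post. It assumes a connected Exchange Online PowerShell session; the seven-day window, the result size and the variable names are choices made for this example.

```powershell
# Added example: assumes a connected Exchange Online PowerShell session.

# Is unified audit logging on? It is not enabled by default.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit logging was off. Activity before this point was not recorded.'
}

# Files accessed in the last 7 days: who, from which IP address, which file.
$end     = Get-Date
$start   = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileAccessed -ResultSize 1000

$report = foreach ($record in $records) {
    # The detail of each event is stored as JSON in the AuditData property.
    $detail = $record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $detail.CreationTime
        User     = $detail.UserId
        ClientIP = $detail.ClientIP
        File     = $detail.ObjectId
    }
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap

# Who touched the most files, a quick way to spot unusual bulk access.
$report | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```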

Create a Safe Attachment policy with Office 365 ATP

When you have Office 365 Advanced Threat Protection (ATP) you should ensure that you actually go in and create a Safe Attachments policy because I don’t believe one is created by default.

You’ll need to login to your Office 365 portal as an appropriate administrator and then navigate to the Security and Compliance portal as shown above.

From the menu on the left select Threat management. This should reveal a number of additional options. From those that appear, select Policy.

You should now see a number of options on the right hand side as shown above. Locate and select the ATP safe attachments option.

You should now be in the Safe attachments area as shown above.

Starting at the top of the page, ensure you have the Turn on ATP for SharePoint OneDrive and Microsoft Teams checked as shown.

In the lower area you will see that no policies exist. To create a policy select the + (plus) icon.

Give the new policy a name and select the action that will be taken from the options below. In this case I have selected the Replace option.

You can enable redirection if you wish.

You now need to create the rules for this policy. If you want everything checked select the option The recipient domain is and then all the domains you have in your Office 365 tenant.

Save the configuration by using the button at the bottom of the screen.

The update will be processed and applied.

When you look at the Safe attachments page now you should see the policy in place as shown.

To read more about safe attachments in Office 365 Advanced Threat Protection see:

Office 365 ATP safe attachments