Configuration of Office 365 to Detect BEC Attacks - Part 4

Posted by Gary Napotnik on Sep 25, 2019

1.0 Introduction

In Part 1 of this blog series, we introduced Business E-mail Compromise (BEC) attacks, and discussed why BEC attacks are increasing. In Part 2, we used recent BEC investigations to discuss how BEC attacks work against O365 environments. In Part 3, we discussed key Office 365 (O365) configuration settings that organizations can implement to protect against BEC attacks. Here in Part 4, we will discuss the logging and auditing capabilities in O365 that can help organizations detect BEC attacks against their environment.

The remainder of this series will focus on how employees can tell when they have been targeted by BEC (Part 5). The final post in this series will speculate about what the organizational structure of a BEC attacker might look like (Part 6).

 

2.0 Resources for Office 365 Security Configuration

This blog series is focused on Business E-mail Compromise. The recommendations provided in these blogs are BEC-focused and should not be considered to be comprehensive guidance for securing an Office 365 environment. If you are looking for broader guidance for securing Office 365, refer to the CIS Benchmark for Microsoft 365, or to Microsoft’s Secure Score. If you require a third-party review of your Office 365 environment, SecureSky delivers Office 365 assessment and MDR services that help organizations secure, monitor and respond to threats against their Office 365 environment.

 

3.0 Top Office 365 Security Configuration Settings to Detect BEC Attacks

1. Turn on Mailbox Auditing

User Impact: No Impact

Implementation Level of Effort: Moderate

Applicable Licensing Levels: All

Mailbox auditing records the actions users take inside their own mailbox, along with other mailbox statistics and telemetry. When mailbox auditing is turned on, actions performed by administrators, delegates, and mailbox owners are logged by default. The specific actions audited when this setting is enabled are listed at the following URL: https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing.
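The following is an added example, not code from the original post or from SecureSky, showing how the setting above can be enabled and verified tenant-wide with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed and the account used holds an Exchange administrator role; the 180-day retention and the extra owner actions added are choices made for this example, not values taken from the post.

```powershell
# Added example (not from the original post): enable mailbox auditing tenant-wide
# with Exchange Online PowerShell and verify the result.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# The retention period and the owner actions added below are example choices.
Connect-ExchangeOnline

# 1. Make sure auditing is not switched off at the organization level.
#    AuditDisabled = $true overrides every per-mailbox AuditEnabled setting.
Set-OrganizationConfig -AuditDisabled $false

# 2. Turn auditing on for every user and shared mailbox and keep entries for
#    180 days (the service default is 90 days).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00'

    # Add owner actions that matter in a BEC investigation on top of the defaults:
    # logons, inbox-rule changes and folder-permission changes are the usual
    # footprint of an attacker who has taken over a mailbox.
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditOwner @{Add = 'MailboxLogin', 'UpdateInboxRules', 'UpdateFolderPermissions'}
}

# 3. Verify: any mailbox still reporting AuditEnabled = False needs attention.
$notAudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    Write-Warning "Mailboxes without auditing enabled:"
    $notAudited | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Output "Mailbox auditing is enabled on all $($mailboxes.Count) mailboxes."
}
```

The verification step is the part worth scheduling: the organization-level AuditDisabled switch and the per-mailbox AuditEnabled flag can each be turned off independently, so a periodic check catches either change.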

 

2. Enable Office 365 Audit Log Search

User Impact: No impact

Implementation Level of Effort: Minimal

Applicable Licensing Levels: All

Audit Log Search allows privileged personnel to search through the Office 365 audit log for 90 days of historical data. This can be used for troubleshooting or for security analysis.
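The same log can be queried from Exchange Online PowerShell. The following is an added example, not code from the original post, that pulls the mailbox operations most often seen during a BEC intrusion (new or changed inbox rules, mailbox-level forwarding, delegate permission grants) and flags the entries that forward, redirect or hide mail. It assumes an Exchange Online session holding the Audit Logs role; the seven-day window, the operation list and the "suspicious" heuristics are choices made for this example.

```powershell
# Added example (not from the original post): search the unified audit log for
# BEC-related mailbox operations and flag the risky ones.
# Assumes an Exchange Online session with the Audit Logs role.
# The 7-day window, operation list and heuristics below are example choices.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add-MailboxPermission', 'UpdateInboxRules'

# Search-UnifiedAuditLog returns at most 5000 records per call; page through a
# session until a page comes back short.
$records   = @()
$sessionId = "bec-review-" + [guid]::NewGuid()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while (@($page).Count -eq 5000)

# AuditData is a JSON string. For cmdlet-based events, Parameters is a list of
# {Name, Value} pairs holding the arguments the actor supplied.
$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $params = @{}
    if ($d.Parameters) {
        foreach ($p in @($d.Parameters)) { $params[$p.Name] = $p.Value }
    }

    $reason = switch ($d.Operation) {
        { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
            if ($params.ForwardTo -or $params.ForwardAsAttachmentTo -or $params.RedirectTo) { 'inbox rule forwards mail' }
            elseif ($params.DeleteMessage -eq 'True' -or $params.MoveToFolder) { 'inbox rule hides mail' }
        }
        'Set-Mailbox' {
            if ($params.ForwardingSmtpAddress -or $params.ForwardingAddress) { 'mailbox-level forwarding set' }
            elseif ($params.AuditEnabled -eq 'False') { 'mailbox auditing disabled' }
        }
        'Add-MailboxPermission' { 'delegate access granted' }
        'UpdateInboxRules'      { 'inbox rules changed from a mail client' }
    }

    if ($reason) {
        $target = if ($params.Identity) { $params.Identity } else { $d.ObjectId }
        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            ClientIP  = $d.ClientIP
            Operation = $d.Operation
            Reason    = $reason
            Target    = $target
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Export-Csv -Path .\bec-audit-findings.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; a forwarding rule created by a user who has never created one, or from an unfamiliar ClientIP, is the kind of entry that warrants a call to the mailbox owner.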

The Audit Log Search menu is presented in the following screenshot:

[Screenshot: Audit Log Search output (Microsoft Office 365 audit log output)]

 

3. E-mail Flow Phishing Protection

User Impact: Moderate

Implementation Level of Effort: Moderate

Applicable Licensing Levels: All

Mail flow policies should be enforced to protect end-users from suspicious emails indicating possible phishing attempts, and can be customized for different environments.

The Mail flow rule creation menu is presented in the following screenshot:

[Screenshot: Mail flow rule creation menu (Microsoft Office 365 mail flow creation menu)]

The following five rules should be considered for implementation in Office 365 environments:

  • Implement a mail flow rule that notifies users when a message is received from outside the company. These notifications help users distinguish internal from external messages.
  • Implement a rule that blocks email attachments that cannot be inspected. When the rule fires, a warning message should be sent to the end user.
  • Create a mail flow rule that blocks emails containing executable content. When the rule fires, a warning message should be sent to the end user.
  • Where feasible, implement a rule that notifies the email recipient when key words associated with phishing and Business E-mail Compromise attacks are present. For instance, user warnings can be prepended to emails whose attachment filenames include keywords such as “remittance”, “invoice”, “bill”, or “payroll”, so that the recipient is aware that these messages could be phishing attempts.
  • Implement a rule that notifies the email recipient when URL shorteners, which are used frequently in phishing attacks, are present. For instance, user warnings can be prepended to emails that include URL shorteners such as “bit.ly”, “goo.gl”, and “tinyurl.com”, so that the recipient is aware that these messages could be phishing attempts.
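The five rules above can be created with New-TransportRule instead of the portal. The following is an added example, not code from the original post, that creates all five with Exchange Online PowerShell. It assumes an Exchange administrator session; the rule names, warning text, and the keyword and shortener lists are choices made for this example and should be tuned for each environment.

```powershell
# Added example (not from the original post): create the five mail flow rules
# recommended above with Exchange Online PowerShell.
# Assumes an Exchange admin session; names, banner text and pattern lists are
# example choices.
Connect-ExchangeOnline

$banner = "<div style='background:#fff4ce;border:1px solid #e6b800;padding:6px'>"

# Rule 1: tag mail arriving from outside the organization.
New-TransportRule -Name 'BEC-01 External sender banner' -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerText "$banner This message came from outside the organization.</div>" `
    -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 2: block attachments the service cannot inspect and notify the recipient.
New-TransportRule -Name 'BEC-02 Block uninspectable attachments' -Priority 1 `
    -AttachmentIsUnsupported $true `
    -DeleteMessage $true `
    -GenerateNotification 'A message sent to you was removed because it carried an attachment that could not be scanned. Contact the service desk if you were expecting it.'

# Rule 3: block executable content and notify the recipient.
New-TransportRule -Name 'BEC-03 Block executable attachments' -Priority 2 `
    -AttachmentHasExecutableContent $true `
    -DeleteMessage $true `
    -GenerateNotification 'A message sent to you was removed because it contained executable content.'

# Rule 4: warn when an attachment name matches a common payment-themed lure.
New-TransportRule -Name 'BEC-04 Finance keyword attachment warning' -Priority 3 `
    -FromScope NotInOrganization `
    -AttachmentNameMatchesPatterns 'remittance', 'invoice', 'bill', 'payroll' `
    -ApplyHtmlDisclaimerText "$banner The attachment name suggests a payment or invoice. Verify the request through a known phone number before acting.</div>" `
    -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 5: warn when the subject or body contains a URL shortener.
New-TransportRule -Name 'BEC-05 URL shortener warning' -Priority 4 `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns 'bit\.ly/', 'goo\.gl/', 'tinyurl\.com/' `
    -ApplyHtmlDisclaimerText "$banner This message contains a shortened link, so its real destination is hidden.</div>" `
    -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerFallbackAction Wrap

# Review what was created.
Get-TransportRule | Where-Object Name -like 'BEC-*' |
    Format-Table Priority, Name, State, Mode -AutoSize
```

Pilot the blocking rules (2 and 3) with -Mode Audit first and review the rule hits before switching them to Enforce, since legitimate business attachments that cannot be scanned will otherwise be silently dropped.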

4. Enable Alert Policies

User Impact: Minimal

Implementation Level of Effort: Minimal

Applicable Licensing Levels: All

All default alert policies for the purchased licensing level (more default alerts exist at higher tiers) should be enabled in Office 365 environments, as presented in the following screenshot:

[Screenshot: Alert policies (Microsoft Azure Active Directory alert policy)]
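The alert policies available at the tenant's licensing tier can also be listed and enabled from Security & Compliance PowerShell. The following is an added example, not code from the original post, that reports every alert policy and switches on any that are disabled. It assumes the ExchangeOnlineManagement module and an account holding the Organization Management or Security Administrator role.

```powershell
# Added example (not from the original post): list alert policies and enable
# every one that is currently disabled.
# Assumes the ExchangeOnlineManagement module and a Security Administrator or
# Organization Management role.
Connect-IPPSSession

$policies = Get-ProtectionAlert

# Report: policies grouped by category, with their enabled state, so gaps at
# the current licensing tier are easy to see.
$policies | Sort-Object Category, Name |
    Format-Table Name, Category, Severity, Disabled, NotificationEnabled -AutoSize

# Enable each disabled policy. A policy that cannot be modified is reported and
# the loop continues with the rest.
foreach ($p in ($policies | Where-Object { $_.Disabled })) {
    try {
        Set-ProtectionAlert -Identity $p.Name -Disabled $false -ErrorAction Stop
        Write-Output "Enabled: $($p.Name)"
    } catch {
        Write-Warning "Could not enable '$($p.Name)': $($_.Exception.Message)"
    }
}
```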

 

5. Enable Risky Sign In and Risky User Detection

User Impact: Minimal

Implementation Level of Effort: Minimal

Applicable Licensing Levels: All – policy customization requires Azure Active Directory Premium

The Azure AD Identity Protection sign-in risk policy sets the risk level at which a sign-in attempt triggers a response, such as generating an alert or requiring the user to re-authenticate with MFA.

A policy should be created for risky sign-ins in Azure Active Directory Identity Protection, as presented in the following screenshot:

[Screenshot: Azure Active Directory Identity Protection user risk policy]

When configured, the user risk and sign-in risk policies generate alerts based on the following sign-in characteristics:

  • Users with leaked credentials (offline detection)
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity

An example alert is presented in the following screenshot:

[Screenshot: Example alert (Microsoft Office 365 malware detection)]

 

4.0 Conclusion

To ensure the effectiveness of the auditing enabled in an Office 365 environment, logs must be reviewed on a regular basis, either by in-house personnel or by a third-party provider.

Additionally, organizations should monitor the logging configuration itself to ensure it does not change: a change to the logging configuration can be an indicator of an attack against the environment.
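One way to monitor the logging configuration for change is to record a baseline and compare each later run against it. The following is an added example, not code from the original post, that snapshots the tenant-level audit switches and the per-mailbox audit settings to a JSON file and reports any drift on subsequent runs. It assumes an Exchange Online administrator session; the baseline path and the set of properties compared are choices made for this example.

```powershell
# Added example (not from the original post): baseline the tenant's logging
# configuration and report drift on later runs.
# Assumes an Exchange Online admin session; the baseline path and the compared
# properties are example choices.
Connect-ExchangeOnline

$baselinePath = '.\o365-logging-baseline.json'

function Get-LoggingSnapshot {
    $org   = Get-OrganizationConfig
    $audit = Get-AdminAuditLogConfig
    [pscustomobject]@{
        Taken                    = (Get-Date).ToString('o')
        OrgAuditDisabled         = $org.AuditDisabled
        UnifiedAuditLogIngestion = $audit.UnifiedAuditLogIngestionEnabled
        AdminAuditLogEnabled     = $audit.AdminAuditLogEnabled
        Mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
            Sort-Object UserPrincipalName |
            Select-Object UserPrincipalName, AuditEnabled,
                @{ n = 'AuditLogAgeDays'; e = { $_.AuditLogAgeLimit.TotalDays } })
    }
}

$current = Get-LoggingSnapshot

# First run: write the baseline and stop.
if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath"
    return
}

$baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
$drift = @()

# Tenant-level switches: any change here should be treated as a security event.
foreach ($prop in 'OrgAuditDisabled', 'UnifiedAuditLogIngestion', 'AdminAuditLogEnabled') {
    if ("$($baseline.$prop)" -ne "$($current.$prop)") {
        $drift += "$prop changed: $($baseline.$prop) -> $($current.$prop)"
    }
}

# Per-mailbox settings: auditing turned off or retention shortened.
$baseByUpn = @{}
foreach ($m in $baseline.Mailboxes) { $baseByUpn[$m.UserPrincipalName] = $m }
foreach ($m in $current.Mailboxes) {
    $b = $baseByUpn[$m.UserPrincipalName]
    if (-not $b) { continue }   # new mailbox since the baseline: review separately
    if ($b.AuditEnabled -and -not $m.AuditEnabled) {
        $drift += "$($m.UserPrincipalName): mailbox auditing turned off"
    }
    if ($m.AuditLogAgeDays -lt $b.AuditLogAgeDays) {
        $drift += "$($m.UserPrincipalName): audit retention reduced $($b.AuditLogAgeDays) -> $($m.AuditLogAgeDays)"
    }
}

if ($drift) {
    Write-Warning "Logging configuration drift detected:"
    $drift | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output "No logging configuration drift since $($baseline.Taken)."
}
```

When drift is reported, the audit log search from Section 2 can be used to identify which account made the change and from which client IP, which is usually the first question an investigation needs answered.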

Topics: O365 Security, Email Compromise, business e-mail compromise, Cloud Security
