<img src="https://ws.zoominfo.com/pixel/JV60JGR5LG4sEWlH3Xte" width="1" height="1" style="display: none;">

Welcome back to our series on safeguarding against Business Email Compromise (BEC) within Office 365. Previously, we've explored the rise of BEC attacks, their operational tactics, and essential configuration settings for protection. In this fourth installment, we delve into Office 365's logging and auditing capabilities, crucial for detecting BEC threats. Upcoming posts will guide employees on recognizing BEC targeting (Part 5) and speculate on the structure of BEC attackers (Part 6).

Office 365 Security Configuration Resources

This series zeroes in on BEC, offering targeted recommendations. For comprehensive Office 365 security guidance, refer to the CIS Benchmark for Microsoft 365 or Microsoft’s Secure Score. SecureSky provides Office 365 assessments and MDR services to bolster your security posture against threats.

Essential Office 365 Security Settings for BEC Detection

1. Mailbox Auditing: Activate mailbox auditing to log mailbox access and actions, providing visibility into unauthorized activities. Enable Mailbox Auditing.


2. Office 365 Audit Log Search: Utilize Audit Log Search for a 90-day historical analysis by privileged personnel, aiding in security investigations. Audit Log Search menu is presented in the following screenshot:

Audit Log Search Output

Microsoft Office 365 Audit Log Output bec detection

 

3. Email Flow Phishing Protection: Customize mail flow rules to shield users from phishing, including notifications for external emails, blocking unscannable attachments, and flagging emails with suspicious content or URL shorteners. 


The following five email rules should be considered for implementation in Office 365 environments:

  • Implement a mail flow rule that provides a notification to users when messages are received from outside the company. These notifications can aid user awareness for messages that are internal vs. external.
  • Implement a rule that blocks email attachments that cannot be inspected. If alerted, a warning message should be sent to the end user.
  • Create a mail flow that blocks emails containing executable content. If alerted, a warning message should be sent to the end user.
  • Where feasible, implement a rule that notifies the email recipient of the use of keywords associated with phishing and Business E-mail Compromise attacks. For instance, user warnings can be prepended to emails with attachments with filenames that include keywords “remittance”, “invoice”, “bill”, “payroll”, to ensure that the recipient is aware that these messages could potentially be phishing attacks.
  • Implement a rule that notifies the email recipient of the use of URL shorteners, which are used frequently in phishing attacks. For instance, user warnings can be prepended to emails that include URL shorteners, including “bit.ly”, “goo.gl”, and “tinyurl.com”, , to ensure that the recipient is aware that these messages could potentially be phishing attacks.

The Mail flow rule creation menu is presented in the following screenshot:

Mail flow Rule Creation Menu

Microsoft Office 365 Mail Flow Creation Menu



4. Alert Policies: Activate all default alert policies appropriate to your licensing level to monitor for unusual activities indicative of security breaches.


All default alert policies for the purchased licensing level (more default alerts exist at higher tiers) should be enabled in Office 365 environments, as presented in the following screenshot:

Alert Policies

Microsoft Azure Active Directory Alert Policy bec detection

 

5. Risky Sign-In and User Detection: Implement Azure AD Identity Protection policies to evaluate sign-in risks and enforce security measures like MFA for suspicious login attempts.


A policy should be created for risky sign-ins in Azure Active Directory Identity Protection, as presented in the following screenshot:

Azure Active Directory Identity Protection User Risk Policy

Microsoft Azure Active Directory Identity Protection User Risk Policy bec detection

When configured, user and sign in risk policies generate alerts based on the following sign in characteristics:

  • Users with leaked credentials Offline
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity

An example alert is presented in the following screenshot:

Microsoft Office 365 Malware Detection

 

Effective BEC detection in Office 365 necessitates regular log reviews and vigilant monitoring of configuration settings. Whether managed internally or by an MDR provider, maintaining these practices is vital for identifying and responding to potential BEC incidents promptly.

Business Email Compromise Series

 

 Frequently Asked Questions 

How can Office 365 help detect Business Email Compromise (BEC) attacks?
 Office 365 can help detect BEC attacks through mailbox auditing, audit log searches, alert policies, and Azure AD Identity Protection. These tools provide visibility into suspicious account activity, unauthorized mailbox access, and potential phishing attempts. 
Why is mailbox auditing important for BEC detection in Office 365?
 Mailbox auditing records mailbox access and user actions, helping security teams identify unauthorized activity, investigate incidents, and detect signs of account compromise before significant damage occurs. 
What role do mail flow rules play in preventing phishing attacks?
Mail flow rules help identify and block potentially malicious emails by flagging external messages, blocking risky attachments, detecting phishing-related keywords, and warning users about suspicious links or URL shorteners commonly used in phishing campaigns. 
How do alert policies improve Office 365 security monitoring?
Alert policies automatically notify administrators about unusual activities, such as suspicious sign-ins, mailbox changes, or security events. These alerts help organizations respond quickly to potential threats and reduce the impact of BEC attacks. 
What is Azure AD Identity Protection and how does it detect risky sign-ins?
Azure AD Identity Protection analyzes sign-in behavior and identifies risks such as leaked credentials, anonymous IP addresses, impossible travel activity, unfamiliar locations, infected devices, and suspicious IP addresses. It can trigger alerts and enforce security controls like multi-factor authentication.