Configuration of Office 365 to Protect Against BEC Attacks - Part 3

Posted by Gary Napotnik on Sep 4, 2019

In Part 1 of this blog series, we introduced Business E-mail Compromise (BEC) attacks, and discussed why BEC attacks are increasing. In Part 2, we used recent BEC investigations to discuss how BEC attacks work against O365 environments. In this third entry, we will discuss a number of key Office 365 configuration settings that organizations can implement to protect against BEC attacks. 

 The remainder of this series will focus on logging and auditing capabilities in Microsoft Office 365 that are indicative of BEC attacks and compromise (Part 4) and how employees can tell when they have been targeted by BEC (Part 5).  The final post in this series will speculate about what a BEC organizational structure might look like (Part 6). 

 

1.0 Resources for Office 365 Security Configuration 

This blog series is focused on Business E-mail Compromise. The recommendations provided in these blogs are BEC-focused and should not be considered comprehensive guidance for securing an Office 365 environment. If you are looking for broader guidance for securing Office 365, refer to the CIS Benchmark for Microsoft 365 or to Microsoft’s Secure Score. If you require a third-party review of your Office 365 environment, SecureSky delivers Office 365 assessment and MDR services that help organizations secure, monitor, and respond to threats against their Office 365 environment.

 

2.0 Top Office 365 Security Configuration Settings to Defend Against BEC Attacks 

 

Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.

Virtually all Business Email Compromise attacks begin with an account compromise, and the best way to protect against account compromise is to enforce multi-factor authentication for all users in your environment.

Multi-factor authentication (MFA) requires multiple types of authentication (e.g., something you know plus something you have) to establish user identity. The most common Office 365 MFA combination is (1) a user password and (2) confirmation of access to a specific mobile device.

If you cannot enable MFA for all users, at a minimum it should be enabled for all Azure Active Directory privileged roles. A breach of a privileged role account could lead to a complete compromise of the Office 365 environment.  

The following PowerShell can be used to confirm if MFA is implemented in your environment: 

PowerShell script to confirm MFA status 

Get-MsolRole | Where-Object {$_.Name -like "*Admin*"} | ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId } | Select-Object EmailAddress, @{N="MFA Status"; e={$_.StrongAuthenticationRequirements.state}} -Unique |convertto-json 

 

 

Disallow Forwards #2

It is common for BEC attackers to set up mail forwarding rules to auto-forward messages to an external mailbox, as presented in the following screenshot:

[Screenshots: "Forwarding enabled on user account in Office 365"; "Shut off Email Forwarding in Microsoft Office 365"]

The intent of this forwarding is to ensure that the attacker can see and archive inbound emails to compromised accounts, including any potential responses to phishing emails the attacker sends.

Because of this risk, users should not be permitted to create auto-forwarding rules to inboxes that are not located within the organization. 

To confirm that no current rules exist that forward emails to external domains, log in to Microsoft 365 Admin Center, select Exchange, and Mail Flow. From the Mail Flow menu, confirm that no unauthorized rules exist that permit forwarding to external domains. 

PowerShell script to confirm finding status: 

get-transportrule |where-object {$_.senttoscope -eq "notinorganization"} |select-object senttoscope, fromscope, messagetypematches, actions |convertto-json 
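The transport-rule check above does not cover forwarding set on an individual mailbox or in a user's inbox rules, which is where the auto-forwards described in this section are created. The following audit is an added example, not part of the original post; it assumes a connected Exchange Online PowerShell session, and the helper name `Get-ExternalTarget` is hypothetical.

```powershell
# Added example: run inside an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to read mailboxes and inbox rules.

# Domains this tenant accepts mail for; any other domain counts as external.
$internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

function Get-ExternalTarget {
    param([string[]]$Value)
    # Values look like 'smtp:user@example.com' or '"User" [SMTP:user@example.com]'.
    # Internal recipients in inbox rules usually appear as [EX:...] and are skipped.
    foreach ($v in $Value) {
        foreach ($m in [regex]::Matches($v, '(?i)smtp:([^\s\]"@]+@([^\s\]"]+))')) {
            if ($internal -notcontains $m.Groups[2].Value.ToLower()) { $m.Groups[1].Value }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = "$($mbx.PrimarySmtpAddress)"

    # 1. Forwarding configured on the mailbox itself.
    foreach ($t in Get-ExternalTarget "$($mbx.ForwardingSmtpAddress)") {
        [pscustomobject]@{ Mailbox = $id; Source = 'Mailbox forwarding'; Rule = $null
                           KeepsCopy = $mbx.DeliverToMailboxAndForward; Target = $t }
    }

    # 2. Inbox rules that forward or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $id -ErrorAction SilentlyContinue) {
        $raw = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { "$_" }
        foreach ($t in Get-ExternalTarget $raw) {
            [pscustomobject]@{ Mailbox = $id; Source = 'Inbox rule'; Rule = $rule.Name
                               KeepsCopy = $null; Target = $t }
        }
    }
}

# 3. Remote domains that still permit automatic forwarding at all.
$remote = Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Select-Object DomainName, AutoForwardEnabled

[pscustomobject]@{ ExternalForwards = @($findings); AutoForwardDomains = @($remote) } |
    ConvertTo-Json -Depth 4
```

An empty `ExternalForwards` list together with an empty `AutoForwardDomains` list means no mailbox is forwarding externally and no remote domain allows it; any entry should be traced back to a documented business need.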

 

 

MailTips are informative messages displayed to users in the InfoBar in Outlook

 Exchange MailTips are messages that are displayed to users as they are composing messages in Outlook. MailTips are intended to provide warnings to users when potentially inappropriate or insecure emails are being sent. 

 The different Exchange MailTips policies, descriptions, and best practice settings are presented in the following table: 

Exchange MailTips Configuration Settings

| Configuration Attribute | Description | Best Practice Setting |
|---|---|---|
| MailTipsAllTipsEnabled | Confirms that MailTips is enabled. | True |
| MailTipsExternalRecipientsTipsEnabled | Displays a warning when an email recipient is outside of the sender’s organization. | True |
| MailTipsGroupMetricsEnabled | Enables MailTips to use Exchange GroupMetrics data, which maintains member counts of all distribution groups in the organization. | True |
| MailTipsLargeAudienceThreshold | Establishes the number of recipients considered a “Large Audience” by MailTips. | 25 or other appropriate value |
| MailTipsMailboxSourcedTipsEnabled | Enables MailTips to notify the sender if the recipient has a full mailbox or has Out of Office notifications enabled. | True |

 The MailTips setting most relevant to security is “MailTipsExternalRecipientsTipsEnabled.” This setting can alert a user responding to a phishing email that the email is being sent to an external domain. This setting can also assist in situations where an email address may have been mistyped. 

The following PowerShell can be used to confirm Exchange MailTips Settings in your environment. 

PowerShell script to confirm Exchange MailTips setting status: 

get-organizationconfig |select-object *tip* |convertto-json 

 

 

ATP Safe Links, a feature of Office 365 Advanced Threat Protection (ATP), can help protect your organization from malicious links used in phishing and other attacks.

Office 365 Advanced Threat Protection (ATP) Safe Links for Office Applications expands phishing protection to Office 365 applications and provides time-of-click verification of URLs within Office applications for safe access. 

Use of this functionality requires either separate ATP licensing or a licensing level that includes ATP. This is the only setting in this guidance that requires additional licensing.

| Configuration Attribute | Description | Best Practice Setting |
|---|---|---|
| EnableSafeLinksForClients | Specifies whether Safe Links is enabled for clients. | True |
| AllowClickThrough | Specifies whether to allow users to click through to the original blocked URL. | False |
| TrackClicks | Specifies whether to track user clicks related to blocked URLs. | False |
| EnableATPForSPOTeamsODB | Specifies whether ATP will provide time-of-click verification of URLs within SharePoint, OneDrive, and Microsoft Teams for safe access. | True |
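The post gives no check for the Safe Links attributes, so the following added example (not part of the original post) compares the live tenant configuration against the best practice values in the MailTips and Safe Links tables and reports only the deviations. It assumes a connected Exchange Online PowerShell session and that `Get-AtpPolicyForO365` exposes the Safe Links attributes under the names used in the table.

```powershell
# Added example: run inside an Exchange Online PowerShell session.
# Expected values are copied from the MailTips and Safe Links tables in this post.
$largeAudience = 25   # "25 or other appropriate value": set to your organization's choice
$baseline = @(
    @{ Source = 'OrganizationConfig'; Name = 'MailTipsAllTipsEnabled';                Expected = $true }
    @{ Source = 'OrganizationConfig'; Name = 'MailTipsExternalRecipientsTipsEnabled'; Expected = $true }
    @{ Source = 'OrganizationConfig'; Name = 'MailTipsGroupMetricsEnabled';           Expected = $true }
    @{ Source = 'OrganizationConfig'; Name = 'MailTipsLargeAudienceThreshold';        Expected = $largeAudience }
    @{ Source = 'OrganizationConfig'; Name = 'MailTipsMailboxSourcedTipsEnabled';     Expected = $true }
    @{ Source = 'AtpPolicyForO365';   Name = 'EnableSafeLinksForClients';             Expected = $true }
    @{ Source = 'AtpPolicyForO365';   Name = 'AllowClickThrough';                     Expected = $false }
    @{ Source = 'AtpPolicyForO365';   Name = 'TrackClicks';                           Expected = $false }
    @{ Source = 'AtpPolicyForO365';   Name = 'EnableATPForSPOTeamsODB';               Expected = $true }
)

# Read each configuration object once. The ATP cmdlet is only available when the
# tenant is licensed for ATP, so its absence is reported instead of raising an error.
$actual = @{ OrganizationConfig = Get-OrganizationConfig }
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
    $actual.AtpPolicyForO365 = Get-AtpPolicyForO365
}

$report = foreach ($item in $baseline) {
    $obj  = $actual[$item.Source]
    # A property missing from the returned object is reported, never assumed compliant.
    $prop = if ($obj) { $obj.PSObject.Properties[$item.Name] }
    [pscustomobject]@{
        Source    = $item.Source
        Setting   = $item.Name
        Expected  = $item.Expected
        Actual    = if ($prop) { $prop.Value } else { 'not available' }
        Compliant = ($null -ne $prop) -and ($prop.Value -eq $item.Expected)
    }
}

# Only deviations from the baseline are emitted; empty output means full compliance.
$report | Where-Object { -not $_.Compliant } | ConvertTo-Json
```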

 

 Modern Authentication is a method of identity management that offers more secure user authentication and authorization.

Office 365 can be configured in a hybrid environment. As a result, it includes functionality to enable backward compatibility with older versions of Outlook and other Office applications. In some situations, this legacy compatibility can allow users to bypass more modern controls like Multifactor Authentication. Wherever possible, this backwards compatibility should be disabled. 

To confirm that modern authentication for Exchange is enabled, use the following PowerShell:

Get-OrganizationConfig |select-object Name, OAuth2ClientProfileEnabled |convertto-json 

 

To confirm that legacy authentication for SharePoint is disabled, use the following PowerShell: 

Get-SPOTenant | select-object LegacyAuthProtocolsEnabled |convertto-json 

 

Let us know if you need more information on Microsoft Office 365 configuration; we would be happy to share our experience.

 
