Auditing Exchange Online From an Incident Responder's View
Business Email Compromise (BEC) within the Microsoft 365 environment is becoming a more common attack vector. In case you’re unfamiliar with what exactly BEC entails, it’s when an attacker or unauthorized user gains access to a business email account via social engineering. Most commonly, an attacker compromises an account, intercepts email conversation(s), and uses this account to send illegitimate communication. This usually involves changing bank account or payment information from legitimate account to accounts managed by hackers.
While investigating many of of these attacks, TrustedSec has identified a series of baseline recommendations that will help harden your Microsoft 365 environment and ensure the right data is available to facilitate Incident Response activities in the event of a breach.
Understand Licensing
Microsoft 365 licensing alone could be the subject of an entire training class. While we won’t deep-dive into the different tiers, it’s important to understand and highlight the major differences between the tiers to understand what licensing you may need for specific employees, employee groups, or high value targets. In Incident Response, data is key. It is important to understand that only E3+ or E5 licenses offer advanced auditing, which includes an audit log of mail items accessed. The absence of this data makes it impossible to discern what exactly the attackers accessed in your environment. Additionally, E3+ and E5 licensing both offer a longer retention policy than lower tiers, so it’s important to act quickly when an incident is believed to have happened so that an event doesn’t fall out of the retention window.
Enable Audit Logs
All license tiers offer some form of audit logging, but depending on when your Microsoft 365 was setup, audit logging may not be enabled by default. It is highly recommended to validate that your environment has audit logging enabled. Enabling audit logging is not retrospective and will only start logging events going forward. In the event of a breach, this means you risk losing or not capturing valuable artifacts. Reactively enabling audit logs won’t assist with an ongoing incident, so it’s important to proactively enable this.
Enforce Multi-Factor Authentication (MFA)
MFA is perhaps the best way to prevent BEC. MFA requires a user to enter the password plus an additional factor, whether that is an SMS code, a push notification, or an authentication application supplied code.
Disable Legacy Applications
Legacy applications, specifically IMAP and POP3, are enabled by default within the Microsoft 365 environment. Unless there is a legitimate business need that warrants leaving legacy applications enabled, all should be disabled, especially because leaving them enabled could negate the account protections offered by MFA. If you have MFA enabled, but still have legacy applications enabled, an attacker can use legacy protocols and bypass the MFA restrictions.
Security Defaults in Azure Active Directory
Microsoft offers security defaults designed for organizations that want a secure environment but don’t know where to start. Security defaults enforce the following security policies within the environment:
- Require all users to register for MFA
- Require administrators to use MFA
- Block legacy applications
- Protect privileged activities, like access to the Azure portal
Final Thoughts
While using Microsoft 365 may be easier to maintain than the on-premises counterpart, there are some additional steps that should be taken to ensure that it is secure and that appropriate auditing and logging policies are in place in the event an of an incident.