November 15, 2018
Holiday Phishing: Office 365
Written by
Scott Nusbaum


- O365 gives you access to not only your email, but to online versions of Word, Excel, and PowerPoint from anywhere. This is really great for those road warriors who might be traveling all the time, or for those who are sitting at their kids’ soccer practice and need to get a little more work done.
- There is no special software to download; all you need is a web browser. Really, who wants to spend the time downloading, installing, and maintaining the updates for that many different pieces of software, let alone give up the precious drive space they take up? This is made even more difficult since normal users shouldn’t have Administrator rights.
- It is guaranteed to be online since Microsoft has the resources to have multiple redundancies and failover procedures in place (like we all should have).
- Similar to the first point, all Office Documents are now available to you anywhere at any time. Documents are stored in the Cloud and collaboration is made easy with a simple click of a button.
- O365 has the ability to configure Multi-Factor Authentication (MFA). When attempting to log in to an account, a one-time key is sent to the registered user which is then required to log in to the system. If you did not try to log in, do not just blindly approve or give this key to others.
- This option is cheaper than hosting your own server for each Office product. Microsoft has priced its Cloud services in such a way that it is a no brainer to shift from hosting the services yourself to the Cloud.
- O365 gives you access to not only your email but to the online versions of Word, Excel, and PowerPoint from anywhere. It is harder to secure when it is outside of your network. You now have limited control, and all that money spent on hardening and monitoring your network is useless for O365.
- No physical control of your data. Microsoft has it all unless you do your own backups.
- Reduced logs. O365 keeps 90 days of log information. There are multiple ways to pull these logs from O365, which we will discuss later in this blog. Oh, did you know that Microsoft truncates the audit logs for you?
- Multi-Factor Authentication (MFA) is not required by default. We all have strong passwords and they are never compromised, right?
- Reduced visibility. Logs are stored in the Cloud and extra features such as network logging are not available.
- Access from anywhere! Not just you and your employees can access your O365 account, anyone from anywhere can try to access it too.
- Hackers - if you can access it anywhere, so can they. If you are not monitoring and using MFA, they can attack until they get in.
- Security is reduced to the strength of the individual user’s password. Passwords are the weakest point in most organizations' security.
- You need to be able to remember them, so complexity is reduced.
- You have to type them in every time you log in, so longer passwords are a pain for bad typers.
- You need a unique password for every site and computer. Password reuse is very common, so if someone gets another person's O365 password, they might also have access to that account owner's computer.
- You are forced to frequently change the password. This means that users tend to use incremental schemes to remember the passwords or write them down.
- Misconfigured accounts. Normal users should not have administrative rights. If an account is compromised and has administrative rights, the attacker now has access to everyone’s accounts. They can set forwarding rules to send all email to themselves and can send and receive email as anyone.
- All data is available to a compromised account.
- Multiple failed attempts from varying IP addresses, short span of time, or consistent over a longer period of time. These are normally a sign of brute-force attempts.
- Multiple successful logins from different geographical locations. Unless the user developed teleportation (or a TARDIS), this could be a sign of compromise. It is possible the user used a VPN, which can make it appear that the user logged in from different locations.
- Logins out of a user’s normal routine. I like to develop a timeline and identify the normal usage activity of the users. If the user always logs in at 7:30AM and logs out at 5:30PM for three months, then starting two weeks ago there are logins at 8:00PM, this is an indicator that should be reviewed.
- Creation of mailbox rules. Creation of a rule to forward all incoming email to an external email address is a key indicator of malicious activity. There might be a legitimate use for this, but in the vast majority of cases it is malicious.
- Pull the Audit logs and parse them
- Search for common attacks, such as unknown IP addresses attempting to access accounts
- Search for the creation or modification of mailbox rules
- Search for a large number of failed login attempts
- Send an alert or an email to notify a security analyst to perform a further analysis.
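As an added example (not code from the original post), the following Python script runs the indicators and detection steps listed above over an exported audit log. The records are constructed and use a simplified subset of the AuditData fields that the unified audit log returns (CreationTime, Operation, UserId, ClientIP, ResultStatus, Parameters); the one-record-per-line JSON layout, the fixed working-hours window standing in for a per-user baseline, and the prefix-to-country table standing in for a real GeoIP database are all assumptions made for illustration.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one AuditData object per line (assumption).
SAMPLE_LOG = """\
{"CreationTime":"2018-11-12T07:31:02","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2018-11-12T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2018-11-12T20:15:44","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2018-11-12T09:00:01","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.20","ResultStatus":"Failed"}
{"CreationTime":"2018-11-12T09:01:07","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.21","ResultStatus":"Failed"}
{"CreationTime":"2018-11-12T09:02:30","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.22","ResultStatus":"Failed"}
{"CreationTime":"2018-11-12T09:03:55","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.23","ResultStatus":"Failed"}
{"CreationTime":"2018-11-12T09:05:12","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.24","ResultStatus":"Failed"}
{"CreationTime":"2018-11-12T09:06:40","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.24","ResultStatus":"Success"}
{"CreationTime":"2018-11-12T09:09:03","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.24","ResultStatus":"Succeeded","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"drop@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2018-11-12T10:12:00","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"192.0.2.5","ResultStatus":"Success"}
"""

# Placeholder for a real GeoIP database: constructed prefix -> country map.
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
}
# Rule parameters that send a copy of mail somewhere else (hypothetical subset).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_PREFIXES.items() if addr in net), "??")


def parse_records(text):
    """Step 1: pull the audit log and parse it into dicts with a datetime."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=15)):
    """Users with >= threshold failed logins inside one sliding window."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            by_user[r["UserId"]].append(r)
    alerts = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda r: r["_time"])
        for i in range(len(fails)):
            run = [r for r in fails[i:] if r["_time"] - fails[i]["_time"] <= window]
            if len(run) >= threshold:
                alerts[user] = {"count": len(run),
                                "distinct_ips": sorted({r["ClientIP"] for r in run})}
                break
    return alerts


def impossible_travel(records):
    """Users with successful logins from more than one country."""
    seen = defaultdict(set)
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            seen[r["UserId"]].add(country_of(r["ClientIP"]))
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}


def off_hours_logins(records, start_hour=7, end_hour=18):
    """Successful logins outside the expected working window (a stand-in
    for the per-user timeline the post recommends building)."""
    hits = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            if not start_hour <= r["_time"].hour < end_hour:
                hits[r["UserId"]].append(r["CreationTime"])
    return dict(hits)


def external_forwarding_rules(records, internal_domain):
    """Rule changes whose forwarding target is outside internal_domain.
    Assumes the parameter value is a bare address."""
    alerts = []
    for r in records:
        if r["Operation"] in RULE_OPERATIONS:
            for p in r.get("Parameters", []):
                if p["Name"] in FORWARD_PARAMS and \
                        not str(p["Value"]).lower().endswith("@" + internal_domain.lower()):
                    alerts.append((r["UserId"], r["Operation"], p["Name"], p["Value"]))
    return alerts


def run_detections(text, internal_domain="example.com"):
    """Steps 2-4: run every search; the caller sends the result to an analyst."""
    records = parse_records(text)
    return {"failed_login_bursts": failed_login_bursts(records),
            "impossible_travel": impossible_travel(records),
            "off_hours_logins": off_hours_logins(records),
            "external_forwarding": external_forwarding_rules(records, internal_domain)}


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(name, json.dumps(result, indent=1))
```

On the constructed log this flags bob for five failures from five addresses inside fifteen minutes followed by a success and a rule that forwards to an outside domain, and alice for logins from two countries and one outside the working window; carol produces nothing. Tune the thresholds to the organization, and note that a VPN egress can legitimately move a user between countries, as the indicator list above says.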
- Automate detection of common attack methods
- Rules set to forward, delete, etc.
- Large number of failed attempts
- Generate warning messages to the security team or IT staff
- Periodic manual review of logs
- Employ a third-party security SOC to monitor systems and O365
- Implement MFA
- Never have password reuse
- Mandatory password change every 30 days (frowned on by Microsoft, but I still think it's applicable, since Microsoft assumes that all their suggestions will be implemented. If MFA is not implemented, then this is dangerous)
- Least privilege policy - only have the permissions you need to complete your job
- Enable audit logging on each user's account
- Six-month retention of audit logs. Microsoft charges to keep more than 90 days, so download the audit logs and store them locally
- Enable Email Audit logs
- Alert Policies
- VPN (with MFA). This can allow the company to lock O365 down to a single IP address
- Allows users to work from open WiFi networks with reduced risk.
- Client and server authentication