April 24, 2020 | ISSUE NO. 4
The Roundup is a bit-sized security newsletter designed to be read during boring meetings while providing you with material to share during your next sales lunch.
We have all started using hosted email and other cloud based applications in the IT realm. With Office365 there are a few things to consider doing to help harden and better secure your Office365 platform.
1. Turn off PowerShell access for all users except admins/allowed users.
This one is pretty straight forward. By default, O365 allows all users to have PowerShell access to the O365 API. This can be very dangerous because hackers can use this to create mailbox rules, send phishing emails, bypass 2-factor authentication, and forward emails to external addresses. This is not turning off PowerShell on the end user’s computer, it’s turning off the ability to access their O365 mailbox via PowerShell. Follow this guide by Microsoft on how to accomplish this: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/disable-access-to-exchange-online-powershell?view=exchange-ps
2. Turn off IMAP and POP3 if they are not used in your environment.
POP3 and IMAP are older email protocols and can be used to connect to Exchange mailboxes. The monitoring you get with O365 can show you events that happen in all of your user’s mailboxes. However, if an attacker sets up an email client and uses POP3 or IMAP then logging capabilities are reduced. This can help the hackers remain anonymous after they’ve compromised an account. https://blogs.technet.microsoft.com/praveenkumar/2017/06/09/how-to-diable-popimap-protocol-for-all-users-by-default-in-office-365/
3. Enforce modern authentication for all users
Turning on “modern authentication” can assist you with Single Sign On (SSO/SAML) and 2-factor capabilities. Here’s the how-to from Microsoft: https://support.office.com/en-us/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662
4. Disable OWA for users that don’t need access to it
Malicious hackers use OWA after they’ve compromised an account in some cases. This allows them to do anything the compromised user can do in their mailbox. Create new emails, reply to emails, forward, setup signatures, and create rules are some of the most common things used by attackers. Disabling OWA for any user that doesn’t need it forces the hacker to setup the compromised account in Outlook or another email client to get access. Here’s the how-to: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-outlook-web-app
5. Only allow inbound mail from your spam filter
Typically your MX records (mail record in DNS) are setup to deliver all emails to your spam filter’s IP address or domain name. If you don’t have an external spam filter then this doesn’t apply to you. If you have an external spam filter make sure to configure your mail flow rules to only allow email to be delivered from your spam filter’s IP address. Hackers can try to bypass your filter and send directly to Microsoft’s O365 cloud. If you have your spam filter setup as the only inbound mail connector and mail flow rules to do the same you can help mitigate this threat. Here’s how to create a connector: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail
6. Block logins from foreign countries
Creating Geo-Blocking rules is also a great tactic for account compromise mitigation. If the hacker compromises an account and is out of the country when they try to login, they will be blocked. Obviously the attacker can use a VPN or proxy to the US or whatever country you’re based in. At least this mitigation will slow them down a little more, helping you have a few extra minutes to fix the compromised account. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
7. Restrict O365/Azure API access to only allow connections from specific IP addresses
APIs have been getting hacked a bunch here lately. Be sure to check the settings on all of your APIs to ensure they’re not accepting connections from everyone on the internet. These should only allow connections from specific IP addresses that you specify. https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
8. Block inbound emails to the “onmicrosoft.com” domain
By default, every new user in Office365 is given a secondary email address with onmicrosoft.com appended to the end. For example “user@yourdomain.onmicrosoft.com”. The problem here is that you can’t control the onmicrosoft.com domain’s MX records to tell the email to go through the spam filter first. This allows hackers to completely bypass your spam filter and deliver phishing emails directly to your O365 environment. Block these inbound emails with a Mail Flow Rule configured in the Exchange Admin Console. Once in the console navigate to Mail Flow Rules. Create a new rule and add it to the top of the rule list. The single biggest thing to set when configuring this rule is the “To” Header Matches, yourdomain.onmicrosoft.com and yourdomain.mail.onmicrosoft.com. Wildcards don’t work unfortunately. Do this for each domain you have going into your O365 environment. A screenshot of these settings is below.
Microsoft also came up with a guide for fixing compromised accounts. You can read more from that guide at the link below: https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
These are just some of the most overlooked mitigations you can do in O365. Of course, you want to have a spam filter, good password practices, 2-factor authentication, and other basic controls; However, additional hardening steps can help create the most secure O365 environment possible. I’m sure there are other techniques that I’ve overlooked as well, but we’re always looking for new ways to lock it down. I’ll update this blog if I find any other mitigations.
About the Author: Eric English is a Client Program Manager with Zyston. He is a cybersecurity expert who serves as a liason between our SOC and his assigned IPaaS client, a large commercial real estate firm.