Hacker Explains
How Attackers Exploit Office 365 Vulnerabilities
Liam Cleary, CEO/Owner, SharePlicity
Russell McDermott, Systems Engineer, Netwrix Corporation
Agenda
• Office 365 Hacked
• Office 365 Attacks
• Netwrix Auditor Solutions
• Q&A Session
Steps
• Attack Simulation
• Exploitation
• Protection
Is Office 365 Vulnerable?
Yes No
Has Office 365 Been Hacked?
• Office 365 OWA Security Vulnerability – January 2018
– https://community.spiceworks.com/topic/2105786-office-365-owa-security-vulnerability
• Widespread, Brute-Force, Cloud-to-Cloud Attacks Hit Office 365 Users – July 2017
– https://www.skyhighnetworks.com/cloud-security-blog/skyhigh-discovers-a-targeted-brute-force-attack-on-enterprise-customers/
• Microsoft Office 365 hit with massive Cerber ransomware attack – June 2016
– https://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/529295/
Office 365 Breach Flow
• Login & Access
• Service Access
• File Downloads
• Site Traversal
• Mail Access
• Mail Rules
• Create / Read / Update / Delete
• API Access
Exploitation
Exploiting Office 365
• Phishing
• Brute-force Password
• Malicious URLs
• *MFA bypass
* https://twitter.com/rkalember/status/1017082306853392384
Brute-force Password
Identify web form parameters
Intercept traffic using Proxy
Retrieve bad response
Construct command for Brute-force
Malicious URLs
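```html
<!DOCTYPE html>
<html lang="en">
<head></head>
<body>
<!-- Absolute link: the full URL is in the href itself -->
Click the Malicious <a href="https://bit.ly/malicious">link</a>
</body>
</html>
```

```html
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Host moved into <base>; the anchor carries only a relative path -->
<base href="https://bit.ly">
</head>
<body>
Click the Malicious <a href="malicious">link</a>
</body>
</html>
```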
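An added defender-side example, not part of the original slides: a Python sketch that resolves every anchor in an HTML message against any `<base href>` before the URL goes to reputation or link scanning, so both snippets above yield the same effective URL. The class, function and constant names are illustrative, and the two sample strings are the slide's snippets reduced to their link-relevant tags.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# The two slide snippets, reduced to the parts that matter (straight quotes).
DIRECT = '<html><head></head><body><a href="https://bit.ly/malicious">link</a></body></html>'
SPLIT = ('<html><head><base href="https://bit.ly"></head>'
         '<body><a href="malicious">link</a></body></html>')


class LinkCollector(HTMLParser):
    """Record the document's <base href> and every <a href> value."""

    def __init__(self):
        super().__init__()
        self.base = None   # the first <base href> wins, as in browsers
        self.hrefs = []    # raw anchor targets in document order

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()
        elif tag == "a":
            self.hrefs.append(href.strip())


def effective_links(html):
    """Return (raw_href, effective_url, changed_by_base) per anchor."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    results = []
    for raw in collector.hrefs:
        # Resolve once the whole document is parsed, whatever the tag order.
        effective = urljoin(collector.base, raw) if collector.base else raw
        results.append((raw, effective, effective != raw))
    return results


if __name__ == "__main__":
    for sample in (DIRECT, SPLIT):
        for raw, url, changed in effective_links(sample):
            print(f"href={raw!r} effective={url!r} changed_by_base={changed}")
```

A scanner that inspects only the raw `href` sees `malicious` in the second snippet; checking the `effective_url` column closes that gap.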
Attack Simulation
Why Simulate an Attack?
People are the weakest link
Test current systems
End-user training
Attack Simulation Prerequisites
• Office 365 License that includes Office 365 Threat Intelligence
o Can be purchased as a separate add-on
• Utilize Exchange Online
• Assigned as Global Administrator
o If not Global Administrator, specific permissions to Security & Compliance Center
• Enabled Multi-Factor Authentication for Office 365 Users
Attack Simulation Types
• Spear-phishing (Credential Harvesting)
• Password-spray
• Brute-force Password (Dictionary Attack)
Office 365 Attack Simulator
Protection
What Does Microsoft Provide?
Identity and access management
Threat protection
Information protection
Security management
Security Graph
Risk Assessment
• Identify and define Office 365 scoped services
• Review existing Security documentation and guidance
• Gather existing configuration and security data
• Review assessment data, define risks and actions
• Define current Security posture based on assessment
• Perform remedial actions, based on assessment results and guidance
Security Controls
• Core Protections
o Exchange Online Protection
o Exchange Advanced Threat Protection
o Advanced Security Management / Cloud App Security
o Threat Intelligence
o Advanced Data Governance
o Azure Active Directory Authentication
o Multi-factor Authentication
o Office 365 Secure Score
o Conditional Access
o Mobile Device Management
• Content Protections
o Information Rights Management
o Azure Information Protection
o Data Loss Prevention
Takeaways
• Office 365 License that includes Office 365 Threat Intelligence
• Enabled Multi-Factor Authentication for Office 365 Users
• Execute Attack Simulator
• Enable ALL or AS MANY Security controls as possible
• Provide End User Training
Demonstration
Netwrix Auditor
Netwrix Auditor for Office 365
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Windows Server
Netwrix Auditor for Exchange
Netwrix Auditor for SQL Server
Netwrix Auditor for SharePoint
Netwrix Auditor for NetApp
Netwrix Auditor for EMC
Netwrix Auditor for VMware
Netwrix Auditor Platform
Netwrix Auditor for Azure AD
Netwrix Auditor for Oracle Database
Netwrix Auditor Unified Platform
• Exchange Online administrative changes, changes to
mailboxes, mail users, groups, permissions, policies,
and management roles
• Non-owner mailbox access auditing
• SharePoint Online and OneDrive for Business
configuration, security, and content changes, and
data access events
• Changes to Azure AD groups, users, passwords,
roles, applications, service principals, devices,
contacts, and more
• Logon auditing
• Changes to farm configuration, user content and
security, permissions, group membership, security
policies
• Read access auditing
All Exchange Server Changes
Exchange Online Mailbox Permissions Changes
Behavior Anomalies
Interactive Search
Alerts on Suspicious Activity
Alerts on Threat Patterns
Useful links
Online TestDrive: experience Netwrix Auditor with no download or installation required
https://www.netwrix.com/browser_demo.html
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information: netwrix.com/contactsales
Webinars: join our upcoming webinars and watch the recorded sessions
• netwrix.com/webinars
• netwrix.com/webinars#featured
Questions?
Thank you!
Liam Cleary, CEO/Owner, SharePlicity
Russell McDermott, Systems Engineer, Netwrix Corporation