Threat Hunting with Microsoft O365 Logs

Monica Nathalia
6 min read · Aug 15, 2020


Office 365 is currently the most popular line of digital services for businesses. However, when it comes to cyberattacks, its ubiquity is creating challenges.

If it seems like every week there’s a new headline about a large-scale hacking incident stemming from phishing, it’s not a case of rampant fake news. According to the 2020 Symantec Internet Security Threat Report[SN1], 7,710 organizations are hit by a business email compromise scam every month, and 71.4% of targeted attacks involve the use of spear-phishing emails.

O365-related incidents

Office 365 (O365) has reached the status of ubiquity — in April 2019, it counted 180 million monthly active users. The subscription model puts all of Microsoft Office’s programs online and accessible through the cloud, dramatically increasing its convenience for users. But convenience comes with a price.

Recently, the cybersecurity training firm SANS confirmed a data breach resulting from a phishing attack that allowed an attacker to compromise an employee’s email environment and steal data.

The incident was discovered on Aug. 6 as part of a regular review of its email configurations and rules. SANS initiated its incident response process upon discovering a suspicious forwarding rule that was sending emails from one person’s email account to an unknown external address. It is ironic and unfortunate that the most popular training institution, one that advocates for cybersecurity best practices, became a victim of a cyberattack. It’s also a reminder that no one is safe from cybercriminals, and that there is always a need to hunt for threat actors in the environment.

The hunt for threat actors

When my team and I embark on an O365 investigation for a client, we will typically collect 90 days’ worth of O365 logs. These logs are called Advanced Audit Logs (AAL), Mail Audit Logs (MAL), and Unified Audit Logs (UAL). With UAL, you can search for various types of user and admin activity in Office 365 (SharePoint, Exchange Online, OneDrive, Azure AD, Microsoft Teams, etc.). The log collection itself is quite painful, as it usually takes around 2 weeks (Microsoft purposely throttles the audit log API to prevent denial of service).

Once collected (a 500-person enterprise will usually have 100GB worth of logs), we export the logs to an Elasticsearch dashboard to aid with our investigation. The investigation itself will take around 2–3 weeks. We have to understand the log properties in depth in order to correlate the data and make sense of the logs.

[Figure: Sample visualisation for Azure AD logs]
[Figure: Sample visualisation for SharePoint logs]
[Figure: Sample visualisation for OneDrive logs]

Once the logs are processed and visualized, we look out for various indicators:

  • Auto-forwarding rules
  • Brute-force attacks / multiple failed logins
  • Anomalous logins (based on geographic location, IP, time of activities)
  • Data exfiltration (large data being sent out or batches of data sent over a period of time)
  • Addition of admin role
  • Anonymizer tools (An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable.)
  • Cryptominer tools
  • Malware (SharePoint anti-virus engine detects malware in a file.)
  • Remote administration tools (Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.)
  • Suspicious group member change
  • User password reset
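As an added example (not code from the original post), here are the two hunts most directly tied to the SANS incident above, auto-forwarding rules and bursts of failed logins, written in Python and run over constructed UAL records. The field names (CreationTime, Operation, Workload, UserId, ClientIP, Parameters) are those of the UAL AuditData JSON; INTERNAL_DOMAINS, the failure threshold and the window are assumptions to tune per tenant.

```python
"""Hunt over exported Office 365 Unified Audit Log (UAL) records (the JSON AuditData
body returned by Search-UnifiedAuditLog). Sample records are constructed for this example."""
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FAILED_LOGIN_THRESHOLD = 5          # assumption: failures per (user, IP) inside the window
WINDOW_MINUTES = 10

def _rec(op, user, ip, t, workload="Exchange", **extra):
    return {"CreationTime": t, "Operation": op, "UserId": user,
            "ClientIP": ip, "Workload": workload, **extra}

SAMPLE_UAL = [  # constructed: one external forward, one internal redirect, a login burst
    _rec("New-InboxRule", "alice@example.com", "203.0.113.5", "2020-08-01T02:14:33",
         Parameters=[{"Name": "ForwardTo", "Value": "smtp:drop@mailbox.invalid"}]),
    _rec("Set-InboxRule", "carol@example.com", "198.51.100.9", "2020-08-01T09:00:00",
         Parameters=[{"Name": "RedirectTo", "Value": "assistant@example.com"}]),
] + [_rec("UserLoginFailed", "bob@example.com", "198.51.100.7", f"2020-08-01T03:0{i}:00",
          workload="AzureActiveDirectory") for i in range(6)]

def external_forwarding(records):
    """Inbox rules or mailbox settings that forward mail outside the tenant."""
    hits = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in RULE_OPS:
            continue
        for p in r.get("Parameters", []):
            if p["Name"] in FORWARD_PARAMS:
                addr = p["Value"].split(":")[-1].lower()  # strip any "smtp:" prefix
                if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                    hits.append((r["UserId"], r["Operation"], addr, r["ClientIP"]))
    return hits

def failed_login_bursts(records):
    """(user, IP) pairs with >= THRESHOLD UserLoginFailed events inside one window."""
    times = defaultdict(list)
    for r in records:
        if r.get("Operation") == "UserLoginFailed":
            times[(r["UserId"], r["ClientIP"])].append(datetime.fromisoformat(r["CreationTime"]))
    bursts = []
    for (user, ip), ts in times.items():
        ts.sort()
        for i in range(len(ts) - FAILED_LOGIN_THRESHOLD + 1):
            if (ts[i + FAILED_LOGIN_THRESHOLD - 1] - ts[i]).total_seconds() <= WINDOW_MINUTES * 60:
                bursts.append((user, ip, len(ts)))
                break
    return bursts
```

Both functions return tuples that drop straight into an Elasticsearch index or a case file; the internal redirect for carol is deliberately not flagged, which is the check that keeps legitimate delegate rules out of the queue.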

Recommendations for Enterprise

So how can companies protect their Microsoft O365 applications from cybercriminals? Below are the best practices that I have collated and advised my clients on so far:

  • [Azure AD] Enable Multi-factor Authentication (MFA): a breach of any user account can lead to a breach of any data that the user has access to. MFA should be mandatory across all users, especially in today’s remote workforce. At a minimum, it should be enforced on all global admins.
    This recommendation seems like common sense, but trust me, I encountered a case where a manufacturing company (with advanced technology) had not enabled MFA and, as a result, became a victim of compromised accounts and the (simple) auto-forwarding attack.
  • [Azure AD] Block Legacy Authentication: legacy authentication is more susceptible to password spray or brute-force attacks because you cannot layer MFA on top of it. End of support for legacy authentication protocols like IMAP/POP was scheduled for October 2020. (Update: the Exchange Team announced that due to the COVID-19 crisis, they will postpone disabling legacy authentication until the second half of 2021.)
  • [Azure AD] Delete/block accounts not used in the last N days (usually 30 days): deleting or blocking accounts that haven’t been used in the last N days, after checking with their owners, helps prevent unauthorized use of inactive accounts. These accounts are targets for attackers looking for ways to access your data without being noticed.
  • [Azure AD] Do not allow users to grant consent to unmanaged applications: Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.
  • [Exchange Online] Set Outbound Spam Notifications: Spam notifications give you visibility into when a user has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails.
  • [Exchange Online] Add SPF, DKIM, and DMARC records: SPF validates the origin of email messages by verifying the IP address of the sender against the published senders of the sending domain, which helps prevent spoofing. DKIM lets you attach a digital signature, in the message header, to the emails you send. Email systems that receive email from your domain use this signature to determine whether the incoming email is legitimate. DMARC tells receiving mail systems what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners.
  • [Auditing and Reporting] Enable Audit Log Search: You should enable audit data recording for your Microsoft 365 or Office 365 service to ensure that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business.
  • [Auditing and Reporting] Enable Mailbox Auditing for All Users: by default, all non-owner access is audited, but you must enable auditing on the mailbox for owner access to be audited as well. This allows you to discover illicit Exchange Online activity if a user’s account has been breached.
  • [Auditing and Reporting] Review Mailbox Forwarding Rules Weekly: While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated.
  • [Teams] Use Private Channel, Block External Access, and Block Guest Access

Sources:

[1] https://logrhythm.com/blog/detecting-and-preventing-auto-forwarding-and-phishing-attacks-in-office-365/

[2] https://usc.pax8.com/resource/display/33588

[3] https://www.darkreading.com/attacks-breaches/sans-security-training-firm-hit-with-data-breach/d/d-id/1338647

[4] https://docs.microsoft.com/en-us/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log?view=o365-worldwide


Cybersecurity (Incident Response, Forensics and Threat Hunting) | all opinion and content are my own | Singapore