NOTE: This blog refers to several Microsoft products that require special licensing. Be sure to check your individual licensing to fully comprehend which features are available to you.

Office 365 (O365) has become a recurring favorite and at times the main focus of common threat actors. Once credentials are compromised through tactics like phishing, it feels like O365 is the first, and sometimes only, place that the credentials are played against. That's because Business E-mail Compromise (BEC) is one of the most successful cyber crimes and shows continuous growth. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners, except the money ends up in accounts controlled by the criminals.

There are numerous ways an organization can identify when an Office 365 mailbox is compromised, from watching sign-in activities through Azure Active Directory Identity Protection to monitoring e-mail traffic for anomalies. One strong way is to watch for malicious forwarding and inbox rules created on your mailboxes.

It is very common for threat actors to create inbox rules on mailboxes, and it's important to look for those. These rules are created to do all sorts of mischievous activities. Some rules may just delete all inbound mail, which the end user will notice quickly. The more common alternative is to send only e-mails containing specific keywords to a special folder, or to delete them.

[Image: Identifying compromised Office 365 email inboxes – rules 1]
[Image: Identifying compromised Office 365 email inboxes – rules 2]

Every now and then a threat actor will attempt to be bold and forward all mail to an external address.

[Image: Identifying compromised Office 365 email inboxes – forwarding]

Alerting

So how do you go about being alerted when these rules are made? There are a plethora of ways, but let's talk about a few easy ones.

If you have already been made aware (or suspicious) of an account which has been compromised, and in some way know that a threat actor has logged into their Office 365 account, you can inspect their mailbox for rules. With the Exchange Online PowerShell module, you can run immediate commands as part of your incident response procedures. From the PowerShell module, you can connect to Exchange Online and run the following command on any mailbox to see its current rules:

Get-InboxRule -mailbox

This will provide an output of all rules on that mailbox, but it will only list Name, Enabled status, Priority, and RuleIdentity. To see the details of all rules, you can enter the following command on the mailbox (warning: potentially large output):

Get-InboxRule -mailbox | FL

To see details only about a specific rule, you can use the RuleIdentity (the number provided in the output above) and view just that inbox rule:

Get-InboxRule -mailbox -Identity 0123456789 | FL

Examples of those outputs are what was seen earlier in this blog.

Knowing the commands above can be useful for having scripts, or some other form of automation, running in your environment and looking for keywords or actions in users' inbox rules. An example use case: if your environment is small, you can have a script that runs Get-InboxRule on all of your end users and parses for any rule whose Description includes the phrase "delete the message". When it finds a match, it can then alert your cybersecurity personnel for attention.

Microsoft Cloud App Security (MCAS) is a powerful tool for monitoring and controlling your Software-as-a-Service (SaaS) environments. One of those SaaS environments is Office 365 Exchange Online. An out-of-box policy from MCAS is called 'Suspicious inbox forwarding'. Once enabled, this will utilize the power of Microsoft's machine learning to identify questionable inbox rules created on any of your mailboxes. Once it discovers a suspicious inbox rule, it will immediately alert whomever you have configured via e-mail or text message. MCAS now also sends alerts to Microsoft Flow.

[Image: Using MCAS to identify compromised Office 365 inboxes]

Proactive Remediation

The first step in proper remediation is to actually have configurations in place that take care of compromises before they even happen. There is a wonderful Microsoft TechNet article already written on this topic. To provide a summary and some context on the above linked Microsoft TechNet article: the first configuration every organization should set is to not allow mailbox forwarding. This will actually remove the forwarding option from Outlook Web Access (OWA) and Exchange Online. This can be achieved through PowerShell commands as described in the article. The Office 365 'Forwarding' link on the side menu will not even show up for users once removed.
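The script use case described under "Alerting" (run Get-InboxRule across all end users and flag rules whose Description mentions deleting the message), written out as an added example. This is not code from the blog; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an account with at least View-Only Recipients rights. It goes slightly beyond the text: besides the description keyword, it also flags rules whose actions delete, forward or redirect mail, and mailbox-level forwarding set through Set-Mailbox or the OWA "Forwarding" option, since the blog shows both inbox rules and forwarding as compromise indicators.

```powershell
# Added example, not from the blog: sweep every user mailbox for suspicious inbox rules
# and mailbox-level forwarding, then hand the incident responder a CSV of findings.
# Assumes the ExchangeOnlineManagement module and a suitably privileged admin account.
Connect-ExchangeOnline

# Phrases in a rule's Description that deserve a second look (constructed list; extend as needed).
$Keywords = @('delete the message', 'move the message to folder')
$Findings = @()

# Get-InboxRule is one round trip per mailbox, so this suits small tenants, as the blog notes.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($Mbx in $Mailboxes) {
    # Mailbox-level forwarding (Set-Mailbox / OWA "Forwarding"), separate from inbox rules.
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        $Findings += [pscustomobject]@{
            Mailbox      = $Mbx.PrimarySmtpAddress
            RuleName     = '(mailbox forwarding)'
            RuleIdentity = ''
            Reason       = "ForwardingSmtpAddress=$($Mbx.ForwardingSmtpAddress) ForwardingAddress=$($Mbx.ForwardingAddress)"
        }
    }

    foreach ($Rule in (Get-InboxRule -Mailbox $Mbx.PrimarySmtpAddress)) {
        $Reasons = @()
        # Action-based checks: these properties are set when the rule performs that action.
        if ($Rule.DeleteMessage) { $Reasons += 'deletes messages' }
        if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
            $Reasons += 'forwards or redirects mail'
        }
        # Description-based check, as in the blog's use case.
        foreach ($Kw in $Keywords) {
            if ($Rule.Description -like "*$Kw*") { $Reasons += "description contains '$Kw'" }
        }
        if ($Reasons.Count -gt 0) {
            $Findings += [pscustomobject]@{
                Mailbox      = $Mbx.PrimarySmtpAddress
                RuleName     = $Rule.Name
                RuleIdentity = $Rule.RuleIdentity
                Reason       = ($Reasons -join '; ')
            }
        }
    }
}

# Report: a CSV for the ticket, and a table on screen. RuleIdentity lets the responder pull
# the full rule with Get-InboxRule -Mailbox <user> -Identity <RuleIdentity> | FL, as shown in the blog.
$Findings | Export-Csv -Path .\SuspiciousInboxRules.csv -NoTypeInformation
$Findings | Format-Table -AutoSize
```

Schedule it, and on a non-empty $Findings send the CSV to your security mailbox or ticketing system; that is the alerting step the blog leaves to the reader. Rules that merely move mail to a folder are deliberately not flagged unless their description matches a keyword, because legitimate users create those all the time.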
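The "Proactive Remediation" configuration, disallowing mailbox forwarding before a compromise happens, as an added example. This is my own code, not the blog's and not the linked TechNet article's, whose exact commands are not reproduced on this page. It assumes the ExchangeOnlineManagement module and an Exchange administrator role. The remote-domain setting and the transport rule are standard Exchange Online controls; the RBAC role change at the end is the mechanism I assume is behind "the Forwarding link will not even show up for users", since it removes the forwarding parameters of Set-Mailbox from the end-user role that OWA relies on.

```powershell
# Added example, not from the blog or the TechNet article it links: stop mailbox auto-forwarding
# to external addresses, remove the OWA "Forwarding" option, and verify the result.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# 1. Tell Exchange not to auto-forward any message to the default (i.e. external) remote domain.
#    This stops both inbox-rule forwards and Set-Mailbox forwarding, but the OWA option stays visible.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. A transport rule that rejects auto-forwarded mail leaving the organization with a visible NDR,
#    so attempts surface in message trace instead of being silently dropped.
New-TransportRule -Name 'Block auto-forward to external recipients' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'

# 3. Remove the OWA "Forwarding" option itself (assumed mechanism, see lead-in): clone the end-user
#    base role without the Set-Mailbox forwarding parameters and swap it into the default policy.
New-ManagementRole -Parent MyBaseOptions -Name 'MyBaseOptions-NoForwarding'
Set-ManagementRoleEntry -Identity 'MyBaseOptions-NoForwarding\Set-Mailbox' `
    -Parameters DeliverToMailboxAndForward, ForwardingSmtpAddress -RemoveParameter
New-ManagementRoleAssignment -Role 'MyBaseOptions-NoForwarding' -Policy 'Default Role Assignment Policy'
Get-ManagementRoleAssignment -Role MyBaseOptions -RoleAssigneeType RoleAssignmentPolicy |
    Remove-ManagementRoleAssignment -Confirm:$false

# 4. Verify: the remote-domain flag, and every mailbox that still has forwarding configured
#    from before the change (those need a manual review, the setting does not clear them).
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

If you run custom role assignment policies, restrict the Get-ManagementRoleAssignment in step 3 with -RoleAssignee to the policy you intend to change rather than touching all of them. Step 1 does not undo forwarding that is already configured, which is why step 4 lists remaining mailboxes for review.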