Mitigating the impact of incidents in M365

Phishing and credential harvesting make up a large proportion of the incidents that CERT NZ sees — it's one of the top three reported incident types. These incidents are common because of the low amount of effort and resource it takes to conduct these attacks.

These incidents can also lead to business email compromise, which can have large scale impacts on organisations.

We see a large number of Microsoft 365 branded phishing attacks in particular. This is due to it being such a commonly used cloud platform. A portion of phishing emails are successful and attackers can gain valid credentials. Organisations need to configure security controls to mitigate what attackers can do once they access M365.

Email forwarding rules

Once an attacker has access to an M365 account, they often set up ways to steal data over time. They also try to cover their tracks by hiding any emails they might send and receive a reply to.

Email forwarding rules can be configured to automatically send an email to an email address outside of the organisation’s domain. Inbox rules are also used to auto-delete sent and received emails.

Incidents we’ve seen

CERT NZ often finds that when an attacker gains access to an M365 account, they'll go into the mailbox and configure inbox rules. Emails will be auto-forwarded to a temporary email account, usually on a free email service like Gmail. The O365 inbox rules will be configured to automatically delete all incoming emails, or emails with a specific subject.

They'll also set up rules to automatically delete any emails they send (usually with a specific subject).

The attackers will use their access to phish other users within the domain, and try to further their access into the M365 instance. They usually target higher value employees, such as the executive team’s assistants.

What you can do

To prevent this, an organisation can disable automatic forwarding of emails to external mailboxes.

Disable automatic forwarding in Microsoft 365 and Exchange Server to prevent information leakage External Link

If you can't apply this rule across the domain, you can:

set up exceptions for mailboxes, and
check them periodically to see if any new email forwarding rules have been set.

While these rules can be set for valid reasons, automatic forwarding is usually a less-common occurrence. You can treat each of these occurrences as an exception to the rule.

Retention policies

By default, Microsoft 365 data isn’t covered by a retention policy. By creating and implementing Microsoft 365 retention policies, you decrease the risk of data loss in the event of a security incident. Retention policies can also help you recover from accidental data deletion or modification.

You can apply a retention policy to the whole organisation or to specific locations and users.

Microsoft’s retention policies External Link

Principle of least privilege

Microsoft 365 has several types of administrative roles which give the assigned user permission to do specific tasks in Microsoft 365. Ensure that your administrators have the lowest access needed to do their role. This decreases the risk of data leakage or malicious access to data when a security incident or account compromise occurs.

Once you’ve established the tasks each role needs to do, document it. Actively manage this list and do regular access reviews to make sure the right permissions are still applied.

Enforcing the principle of least privilege

The available administrative roles are frequently changing in the service, so it’s important to periodically review that the least privileged role is used to align with the changes in the platform.

Microsoft on admin roles External Link

Remediating compromised M365 accounts

Dealing with account compromises is more complicated than resetting a password. While investigating, you should consider what the attacker did while they had access to valid credentials. Attackers can use mechanisms built into Microsoft 365 to maintain their access once their password has been reset.

Incidents we’ve seen

An attacker will often try to maintain access to an account once it’s been identified as compromised. An example of persistent access after compromise is described below:

Attacker sends a malicious email to User X at your organisation containing a phishing URL.
User X clicks on phishing link and provides their corporate credentials.
The attacker does reconnaissance on your organisation, and identifies you’re using Microsoft 365.
The attacker ‘logs in’ to User X’s account and uses legacy protocols IMAP and SMTPAUTH to send spam emails and copy outgoing emails.
The attacker creates an inbox forwarding rule to themselves so they can exfiltrate data.
Your organisation resets the password for User X.
Outbound SMTP will stop with the password reset. All emails received by User X continues to be sent to the attacker by the inbox forwarding rule.

It’s a lot harder for attackers to phish staff and get valid credentials with multi-factor authentication (MFA) enabled. CERT NZ recommends enabling MFA on all accounts accessible from the internet. Our critical control has advice on implementing it in an organisational level.

Implementing MFA

What you can do

CERT NZ recommends you do the following when an Microsoft 365 account is compromised:

Report the incident to CERT NZ.
Reset the account password.
Revoke Azure AD refresh tokens. This ensures all established sessions are required to re-authenticate with the new password.Use Microsoft 365 audit searches to determine what the attacker did with the access.
Enable multi-factor authentication, if not already enabled.
Remove any mailbox forward rules (SMTP forwards and inbox rules)
Remove any mailbox permissions and delegations.
Remove any activesync/MDM-managed devices associated with the account.
Revoke any OneDrive/SharePoint external shares created by the user. This is a great way for an attacker to exfiltrate data.

Report to CERT NZ

Microsoft’s advice for compromised accounts External Link