Getting Started with Azure & Microsoft365 Security (Part 1)

Microsoft Azure is a cloud computing platform and service offered by Microsoft. It provides a wide range of cloud services, including virtual machines, storage, and networking.

Office 365 is a cloud-based subscription service that provides access to Microsoft Office applications, such as Word, Excel, PowerPoint, and others. It also includes email services, calendaring, and online storage.

Microsoft 365 is a subscription service that includes Office 365, Windows 10, and Enterprise Mobility + Security.

Microsoft Entra is a fairly new product family that includes Azure Active Directory, Cloud Infrastructure Entitlement Management (CIEM), and decentralized identity. Per Microsoft, “The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.” (Microsoft Entra helps secure your identity - Microsoft Security Blog) (Microsoft Entra documentation | Microsoft Learn)

*Tip - If you’re going crazy trying to figure out what licenses cover what check out this really simple but amazingly helpful free tool: Feature Matrix | M365 Maps

A malicious actor targeting Danilovgrad Capital Management (danilovgradcapital.com) conducts a phishing attack by impersonating their CEO Nelly Johnson and originating from [email protected]. One employee falls for the phish and enters their credentials into a HTTP reverse proxy phishing portal (GitHub - drk1wi/Modlishka: Modlishka. Reverse Proxy.) set up by the malicious actor, including the MFA code supplied by their authenticator application. Once inside, the malicious actor establishes persistence by connecting to a malicious third party oAuth application, and establishing another form of MFA. Then the malicious actor searches the available documents and applications for sensitive banking information.

A malicious actor conducts a password spraying attack against Office.com () which hits on an employee using the password “Winter2023!”. The user has MFA but one of the options is a push notification. The malicious actor sends push after push after push until the frustrated user finally hits accept, granting access. Once inside, sensitive information is identified and downloaded en masse.

1) The default setting under Authentication Methods would look a lot like this:

With this configuration, a malicious actor could generate a list of valid user accounts and systematically 'spray' those accounts with custom password attempts at a rate as slow as 35 attempts per 10-minute period (on different user accounts) without triggering an alert. Over the course of a continuous week, that scenario would amount to over 35 thousand login attempts. Given enough time, this has a high probability of leading to a first-factor account compromise.

2) Custom banned password lists can be defined up to 1,000 entries which can include terms unique to the business, or popular (yet terrible) passwords like Winter2023!. Consider using a simple tool like Mentalist to help generate a list

The use of authentication apps like Microsoft Authenticator can significantly improve the security of the environment compared to traditional call, push notification, or SMS based MFA. (Download and install the Microsoft Authenticator app - Microsoft Support).

SMS and phone call based two-factor authentication can be problematic as a malicious actor could defeat this MFA method through a SIM swapping attack or through call fatigue.

With Microsoft Authenticator enabled, a company would benefit from advanced security features such as additional context. This can be configured to include the application and location of the MFA attempt on the user’s Authenticator app. This is preferable to the traditional call-based MFA as it becomes far more apparent to end users in the event of a fraudulent login.

Legacy authentication is a term that refers to authentication requests made by older Office clients that do not use modern authentication or any client that uses legacy mail protocols such as IMAP, SMTP or POP3. Legacy authentication methods introduce unnecessary risks to the environment as many legacy protocols do not support MFA.

Microsoft 365 Lighthouse can be used to manage risks detected by Azure AD Identity Protection by providing a single view of risky user activity across the tenant. This includes all the Azure AD identity protection risks including:

Conditional Access policies enable assignment and access control measures to be implemented through the use of tailored if-then statements. Impossible travel is one of the most basic anomaly detections to indicate a compromised user. This feature is included with Azure AD Identity Protection.

A popular method of maintaining persistence to cloud-based environments by malicious actors is to leverage a compromised account to grant access to a malicious third-party application. This can also introduce a social engineering attack vector as users could be misled into granting permissions to untrusted applications.

These controls can be set up with Microsoft 365 Defender and can play a huge role in mitigating very common (and very effective) phishing and spearphishing campaigns by malicious actors. When a protected domain or user becomes flagged by this control it will not arrive in the end users inbox.

This is a feature within Defender for Office365 (plan 1 and plan 2) which provides dynamic URL and attachment scanning of inbound messages. This occurs in addition to (not in place of) typical anti-spam or anti-malware scanning.

These refer to the banners that pop up on emails that say things like “You don’t often get email from <sender>. This is a very simple way to give end users another extra indicator that an email may be phishing and can be included in internal security awareness training.

Data classification controls refer to automated policies which sort and label data by predefined classification sets and assign different requirements to associated labels. This ensures that sensitive data such as PII or financial data are stored in appropriate ways. Data loss prevention (DLP) controls to safeguard against unauthorized exfiltration of potentially sensitive data.

If your goal is to increase your skills surrounding Microsoft’s cloud solutions with a specific emphasis on security, consider a training path similar to this one. This starts with the fundamentals and getting a good understanding on licensing, core products, and how they integrate. This is essential baseline understanding to build regardless of if you use M365 regularly or not. If you jump straight to one of the upper security courses, like AZ-500, you may pass the exam but you’d lack a lot of important context around those solutions without really strong fundamentals.