- Scenario 1
- Scenario 2
- Security Features/Solutions Explained
- Suggested Learning Path & Resources
Microsoft Azure is a cloud computing platform and service offered by Microsoft. It provides a wide range of cloud services, including virtual machines, storage, and networking.
Office 365 is a cloud-based subscription service that provides access to Microsoft Office applications, such as Word, Excel, PowerPoint, and others. It also includes email services, calendaring, and online storage.
Microsoft 365 is a subscription service that includes Office 365, Windows 10, and Enterprise Mobility + Security.
Microsoft Entra is a fairly new product family that includes Azure Active Directory, Cloud Infrastructure Entitlement Management (CIEM), and decentralized identity. Per Microsoft, “The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.” (Microsoft Entra helps secure your identity - Microsoft Security Blog) (Microsoft Entra documentation | Microsoft Learn)
*Tip - If you’re going crazy trying to figure out what licenses cover what, check out this really simple but amazingly helpful free tool: Feature Matrix | M365 Maps
Scenario 1
A malicious actor targeting Danilovgrad Capital Management (danilovgradcapital.com) conducts a phishing attack by impersonating their CEO Nelly Johnson and originating from [email protected]. One employee falls for the phish and enters their credentials into an HTTP reverse proxy phishing portal (GitHub - drk1wi/Modlishka: Modlishka. Reverse Proxy.) set up by the malicious actor, including the MFA code supplied by their authenticator application. Once inside, the malicious actor establishes persistence by connecting a malicious third-party OAuth application and registering another form of MFA. Then the malicious actor searches the available documents and applications for sensitive banking information.
Scenario 2
A malicious actor conducts a password spraying attack against Office.com which hits on an employee using the password “Winter2023!”. The user has MFA, but one of the enabled options is a push notification. The malicious actor sends push after push after push until the frustrated user finally hits accept, granting access. Once inside, sensitive information is identified and downloaded en masse.
Security Features/Solutions Explained
Password Protection Best Practices
1) The default setting under Authentication Methods would look a lot like this:
With this configuration, a malicious actor could generate a list of valid user accounts and systematically 'spray' those accounts with custom password attempts at a rate as slow as 35 attempts per 10-minute period (on different user accounts) without triggering an alert. Over the course of a continuous week, that scenario would amount to over 35 thousand login attempts. Given enough time, this has a high probability of leading to a first-factor account compromise.
2) Custom banned password lists can be defined with up to 1,000 entries, which can include terms unique to the business or popular (yet terrible) passwords like Winter2023!. Consider using a simple tool like Mentalist to help generate a list.
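Per-account lockout thresholds never see the spray pattern described under 1), because each account receives only a handful of attempts. The Python below is an added example, not code from the original post: it correlates failed sign-ins by source IP over a sliding ten-minute window so that a low-and-slow spray across many accounts stands out, then lists the accounts where that source eventually succeeded. The log records are constructed, and the field layout is an assumption rather than any specific export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real tenant data): one source IP
# tries a single guess against each of several accounts, well under any
# per-account lockout threshold, plus one user mistyping their own password.
SIGNIN_LOG = [
    ("2023-11-06T09:00:05Z", "203.0.113.7", "a.adams@example.com", "failure"),
    ("2023-11-06T09:01:10Z", "203.0.113.7", "b.brown@example.com", "failure"),
    ("2023-11-06T09:02:30Z", "203.0.113.7", "c.clark@example.com", "failure"),
    ("2023-11-06T09:03:45Z", "203.0.113.7", "d.diaz@example.com", "failure"),
    ("2023-11-06T09:05:00Z", "203.0.113.7", "e.evans@example.com", "failure"),
    ("2023-11-06T09:06:20Z", "203.0.113.7", "f.fox@example.com", "success"),
    ("2023-11-06T09:02:00Z", "198.51.100.20", "g.gray@example.com", "failure"),
    ("2023-11-06T09:02:40Z", "198.51.100.20", "g.gray@example.com", "failure"),
    ("2023-11-06T09:03:10Z", "198.51.100.20", "g.gray@example.com", "success"),
]

def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {ip: set_of_users} for source IPs whose failed sign-ins hit at
    least min_users distinct accounts inside any `window`. Correlating on the
    source instead of the account is what catches low-and-slow spraying: a
    per-account lockout never fires when each account sees one or two tries."""
    failures = defaultdict(list)
    for ts, ip, user, result in records:
        if result == "failure":
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            failures[ip].append((when, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        recent = deque()          # failures inside the current window
        for when, user in events:
            recent.append((when, user))
            while recent and when - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) >= min_users:
                flagged[ip] = users
    return flagged

def spray_success_accounts(records, flagged):
    """Accounts where a flagged spraying IP eventually succeeded: likely
    first-factor compromises that need a password reset and session
    revocation, whether or not an MFA prompt followed."""
    return sorted(user for _, ip, user, result in records
                  if result == "success" and ip in flagged)
```

Tuning: a spray that rotates source IPs needs the same grouping keyed on user agent or autonomous system instead of a single address.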
Use a Stronger Form of MFA
The use of authentication apps like Microsoft Authenticator can significantly improve the security of the environment compared to traditional call, push notification, or SMS based MFA. (Download and install the Microsoft Authenticator app - Microsoft Support).
SMS and phone call based two-factor authentication can be problematic as a malicious actor could defeat this MFA method through a SIM swapping attack or through call fatigue.
With Microsoft Authenticator enabled, a company would benefit from advanced security features such as additional context. This can be configured to include the application and location of the MFA attempt on the user’s Authenticator app. This is preferable to the traditional call-based MFA as it becomes far more apparent to end users in the event of a fraudulent login.
Use additional context in Microsoft Authenticator notifications - Azure Active Directory - Microsoft Entra
Block Legacy Authentication
Legacy authentication is a term that refers to authentication requests made by older Office clients that do not use modern authentication or any client that uses legacy mail protocols such as IMAP, SMTP or POP3. Legacy authentication methods introduce unnecessary risks to the environment as many legacy protocols do not support MFA.
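Before enforcing a block, an admin needs to know which accounts and devices still depend on legacy protocols, and the policy should start in report-only mode. The Python below is an added example, not code from the original post or from Microsoft: it summarizes successful legacy-protocol sign-ins from constructed sample records and builds the policy body in the Microsoft Graph conditionalAccessPolicy shape. The set of clientAppUsed values is assumed from the sign-in log schema and should be checked against your own tenant's logs.

```python
# clientAppUsed values that denote legacy (basic) authentication in Entra ID
# sign-in logs. Assumed from the documented log schema; verify against your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Autodiscover",
    "Exchange Online PowerShell", "Other clients",
}

# Constructed sample sign-ins (not real tenant data): (user, clientAppUsed, status).
SIGNINS = [
    ("a.adams@example.com", "Browser", "success"),
    ("b.brown@example.com", "Mobile Apps and Desktop clients", "success"),
    ("scanner@example.com", "Authenticated SMTP", "success"),
    ("scanner@example.com", "Authenticated SMTP", "success"),
    ("c.clark@example.com", "IMAP4", "success"),
    ("unknown-user", "IMAP4", "failure"),
]

def legacy_auth_usage(signins):
    """Map each account that successfully authenticated over a legacy protocol
    to the protocols it used. Run this over the report-only period before
    enforcing the block so that line-of-business devices (scanners, SMTP
    relays) can be moved to modern auth instead of breaking silently."""
    usage = {}
    for user, client_app, status in signins:
        if status == "success" and client_app in LEGACY_CLIENT_APPS:
            usage.setdefault(user, set()).add(client_app)
    return usage

def block_legacy_auth_policy(exclude_users=(), report_only=True):
    """Conditional Access policy body in the Microsoft Graph
    conditionalAccessPolicy shape. clientAppTypes 'exchangeActiveSync' and
    'other' are the two values that cover legacy authentication; report-only
    mode records what would be blocked without enforcing it, and a break-glass
    account belongs in exclude_users before the policy is switched on."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```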
Block legacy authentication with Conditional Access - Microsoft Entra
Risky User Detection
Microsoft 365 Lighthouse can be used to manage risks detected by Azure AD Identity Protection by providing a single view of risky user activity across the tenant. This covers all the Azure AD Identity Protection risk detections, including:
- Leaked Credentials
- Anonymous IP Use
- Atypical Travel
- Signing in from infected devices
- Signing in from an IP address with suspicious activity
- Signing in from unfamiliar locations
View and manage risky users in Microsoft 365 Lighthouse - Microsoft 365 Lighthouse
Using Conditional Access Policies to Block Impossible Travel
Conditional Access policies enable assignment and access control measures to be implemented through the use of tailored if-then statements. Impossible travel is one of the most basic anomaly detections to indicate a compromised user. This feature is included with Azure AD Identity Protection.
Sign-in risk-based multifactor authentication - Microsoft Entra
Don’t Allow Users the Ability to Grant Access to Untrusted Applications
A popular method by which malicious actors maintain persistence in cloud-based environments is to use a compromised account to grant access to a malicious third-party application. This also introduces a social engineering attack vector, as users could be misled into granting permissions to untrusted applications.
Configure how users consent to applications - Microsoft Entra
Domain and User Impersonation Controls
These controls can be set up with Microsoft 365 Defender and can play a huge role in mitigating very common (and very effective) phishing and spearphishing campaigns by malicious actors. When a message impersonating a protected domain or user is flagged by this control, it will not arrive in the end user's inbox.
Impersonation insight - Office 365
Safe Links / Safe Attachments
This is a feature within Defender for Office 365 (Plan 1 and Plan 2) which provides dynamic URL and attachment scanning of inbound messages. This occurs in addition to (not in place of) typical anti-spam and anti-malware scanning.
Complete Safe Links overview for Microsoft Defender for Office 365 - Office 365
First Contact Safety Tips
These refer to the banners that pop up on emails that say things like “You don’t often get email from <sender>.” This is a very simple way to give end users another indicator that an email may be phishing, and it can be included in internal security awareness training.
Anti-phishing policies - Office 365
Data Classification & Data Loss Prevention Controls
Data classification controls refer to automated policies which sort and label data by predefined classification sets and assign different requirements to the associated labels. This ensures that sensitive data such as PII or financial data is stored in appropriate ways. Data loss prevention (DLP) controls safeguard against unauthorized exfiltration of potentially sensitive data.
How to use the Microsoft data classification dashboard - Microsoft Purview (compliance)
Suggested Learning Path & Resources
If your goal is to increase your skills surrounding Microsoft’s cloud solutions with a specific emphasis on security, consider a training path similar to this one. It starts with the fundamentals: getting a good understanding of licensing, core products, and how they integrate. This is essential baseline understanding to build regardless of whether you use M365 regularly or not. If you jump straight to one of the upper security courses, like AZ-500, you may pass the exam, but without really strong fundamentals you’d lack a lot of important context around those solutions.
Fantastic (Free) Learning Content
- Learn.Microsoft.com is the official course material for all of their certifications. The training is free and includes several labs you can go through on your own.
- Create a free Azure account. You can actually set up a free account with a $200 credit included to learn about and explore various services.
- John Savill's Technical Training - This has been my absolute favorite resource for learning Azure and Microsoft 365 content, from the very basics to advanced topics. It’s all free on YouTube and John does an incredible job with the quality of the videos.
- The Cloud Edition of HackTricks has a lot of content surrounding pentesting Azure.