@mgreen27
Forked from hiddenillusion/o365-kb.md
Last active November 29, 2021 01:20
| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email the user. | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or for resetting the admin password; it cannot be modified by end users. | |
| AuditAdmin | | |
| AuditDelegate | | |
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book and on the To and From lines of an email. | |
| EAC | "Exchange Admin Center" | |
| HardDelete | A message is purged from the Recoverable Items folder. | |
| Identity | | |
| Inactive mailbox | If an organization needs to retain mailbox content for former employees longer than the 30-day period. | ref |
| Product license | | |
| Litigation Hold | | |
| Tenant | An Office 365 Organization. It sits within the overall o365 Data Center, which would be the "apartment" complex (your org. would be a "tenant" inside the "apartment"). It is the container for items of your Organization such as users, domains, subscriptions etc. | |
| SoftDelete | A message was deleted from the Deleted Items folder. | |
| Trace | As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message is more than 7 days old, the results can only be viewed in a downloadable .CSV file. | ref |
| UAL | "Unified Audit Log"; a central log where data from the following services is logged: SharePoint, Exchange, Sway, Microsoft Teams, OneDrive, Azure Active Directory, Power BI. | ref |
| UPN | The user principal name. | |

Helpful Mappings

Timestamps

| Parameter | Schema | Timezone | Description |
|---|---|---|---|
| CreationTime | AuditRecord | UTC | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. |
| itemCreationTime | SharePointMetadata | UTC | Timestamp in UTC of when the event was logged. |
| LastLogonTime | | | |
| LastModifiedTime | SharePointMetadata | UTC | Timestamp in UTC for when the document was last modified. |
| LastPasswordChangeTimestamp | | | |
| Sent | ExchangeMetadata | UTC | The time in UTC when the email was sent. |

IP Addresses

| Parameter | Schema | Description |
|---|---|---|
| ActorIpAddress | Azure Active Directory | The actor's IP address. |
| ClientIp | AuditRecord | The IP address of the device that was used when the activity was logged. |
| ClientIPAddress | Exchange Mailbox | The IP address of the device that was used when the operation was logged. |
| SenderIp | Office 365 Advanced Threat Protection and Threat Intelligence | The IP address that submitted the email to Office 365. |

Licensing

  • Business Plans, E5, E3 and E1

MFA

  • Can be via a phone or via mobile app

Phone

  • Send me a code by text message
  • Call

Mobile App (Microsoft Authenticator app)

  • Receive notifications for verification or Use verification code
  • Will require a phone # as a backup anyway

Setup

Mobile users

If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup

Users

  • forcing new users to change their password after initial login is enabled by default
| Role | Description | Admin | Link(s) |
|---|---|---|---|
| User | This user won't have permissions to the Office 365 admin center or any admin tasks. This is the default option when creating a new user. | No | |
| Global administrator | This user will have access to all features in the admin center and can perform all tasks in the Office 365 admin center. | Yes | |
| Customized administrator | You can assign this user one or many roles so they can manage specific areas of Office 365. | Yes | |

Permissions / Roles

| Resource to use | Requires Permission / Roles |
|---|---|
| Audit Log Search | Global administrator, or membership in the Security & Compliance Center role groups Compliance Manager or Organization Management. |

APP passwords

MFA is enabled per user. This means that if a user has MFA-enabled, they won't be able to use a non-browser client, such as Outlook 2013 with Office 365, until they create an app password. An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.

Internal links

  • Use multi-factor authentication (MFA)
    • Enforcing Multi-Factor Authentication for External Users on SharePoint Online ref
  • Use Office 365 Cloud App Security
  • Secure mail flow
  • Enable mailbox audit logging
    • Currently this can only be enabled via PowerShell, not via the EAC. Get all mailboxes in the tenant (includes Shared, Room and Discovery mailboxes) and enable audit logging across all of them:
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems
    
  • Configure Data Loss Prevention (DLP)
  • Use Customer Lockbox
  • Use Office 365 Secure Score
  • Create a Strong Password Policy
  • Rights Management (Rights management requires E3 license or Azure rights management add-on license.)

Logs

  • API schema
  • Web portals limit how many days you can go back for logs, 30?
  • Entries in the mailbox audit log are retained for 90 days by default.

Unified Audit Log (UAL)

  • The date and time (in UTC format) when the event occurred.
  • Properties
| Module | cmdlet |
|---|---|
| Exchange | Search-UnifiedAuditLog |

Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2015 to specify September 1, 2015. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2015 5:00 PM". If you don't include a timestamp in the value for this parameter, the default timestamp is 12:00 AM (midnight) on the specified date.
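The paragraph above describes how Search-UnifiedAuditLog interprets a date string; passing [DateTime] objects instead sidesteps the regional-format ambiguity entirely. The following is an added example (not part of the original gist) that pulls a full result set with session paging, since a single call is capped at 5000 records, and flattens the AuditData JSON so it can be stacked. It assumes an existing Exchange Online PowerShell session held by an account with the Audit Logs role; the -Operations filter and output path are illustrative choices.

```powershell
# Added example, not from the original gist. Assumes Connect-ExchangeOnline has already run.
# Using [DateTime] objects avoids the short-date-format pitfall described above.
$start = (Get-Date).AddDays(-30)   # UAL keeps 90 days; stay inside that window
$end   = Get-Date

# Any unique string names a paging session; ReturnLargeSet hands back successive pages of 5000
$sessionId = "dfir-ual-" + [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'UserLoggedIn','UserLoginFailed','New-InboxRule','Set-InboxRule','Set-Mailbox' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while (@($page).Count -gt 0)   # an empty page means the session is exhausted

# The interesting fields live in the AuditData JSON blob; promote them to real properties
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $_.CreationDate   # UTC, per the Timestamps mapping above
        UserId       = $_.UserIds
        Operation    = $_.Operations
        RecordType   = $_.RecordType
        ClientIP     = $d.ClientIP
        Workload     = $d.Workload
        ResultStatus = $d.ResultStatus
    }
}

# Quick stack to orient the investigation, then keep the raw flattened set for later pivots
$events | Group-Object Operation | Sort-Object Count -Descending | Select-Object Count, Name
$events | Export-Csv -NoTypeInformation -Path .\ual-last30d.csv
```

Run the export once and pivot on the CSV afterwards; repeated live searches over the same window are slow and each one needs a fresh SessionId.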

Admin audit log

  • By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This setting can’t be changed in a cloud-based organization.

Mailbox audit log

  • Entries in the mailbox audit log are retained for 90 days by default.
  • Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators.
  • By default, owner audit logging is not turned on. It should only be used if you have to investigate an action by the owner of the mailbox, and then only for a limited time period, approximately two weeks. **This is because the audit log entries are stored in the mailbox, and this may cause the mailbox dumpster to exceed the size limit.**

Scoping

  • Number of Tenants
  • Number of Users
  • Is mailbox auditing enabled on each mailbox?
  • Was email sent to individual email address or a DL? If latter, who/how many people are part of it?

Requests

Evidence

Authentication

  • An account with the Audit Logs role attached
    • determine if you want/need MFA or an App password added for extra security

Users have to be assigned permissions in Exchange Online to turn audit log search on or off. If you assign users the Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to turn audit log search on or off. This is because the underlying cmdlet is an Exchange Online cmdlet.

Limitations

The Audit Logs role won't permit you to:

  • use the Search-Mailbox cmdlet
  • read users emails
  • search users emails to determine if an IOC was contained in it
  • download users mailboxes
  • download email attachments

Methodology

  • verify the account created for your dfir work has the proper permissions

  • verify if/what accounts have mailbox auditing enabled

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name, UserPrincipalName, Auditenabled, AuditDelegate, AuditAdmin, AuditLogAgeLimit
    

    A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.

    Get-Mailbox -ResultSize Unlimited -Filter {AuditEnabled -eq $false} | Select Name, UserPrincipalName, Auditenabled, AuditDelegate, AuditAdmin
    

    All mailbox actions for all users

    Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
    
  • List of all delegates

    • Pivot for their activity
  • List of all global admins

    • Pivot for their activity
  • List of users who have aliases

  • search UAL for IOCs

    • What other accounts did IP login as
    • Who else received said email? (admin privs needed?)
  • New accounts created
    • Azure Active Directory user account
    • o365 user account
    • Exchange Online mailbox
  • If email was sent to a DL, list all members of said DL

#Get all Distribution Groups from Office 365
$objDistributionGroups = Get-DistributionGroup -ResultSize Unlimited

#Iterate through all groups, one at a time
Foreach ($objDistributionGroup in $objDistributionGroups)
{
    write-host "Processing $($objDistributionGroup.DisplayName)..."

    #Get members of this group (ResultSize Unlimited so large DLs are not truncated)
    $objDGMembers = Get-DistributionGroupMember -Identity $($objDistributionGroup.PrimarySmtpAddress) -ResultSize Unlimited

    write-host "Found $(@($objDGMembers).Count) members..."

    #Iterate through each member and write one CSV row per group/member pair.
    #Export-Csv needs objects with properties; piping a bare string would only export its Length.
    Foreach ($objMember in $objDGMembers)
    {
        [pscustomobject]@{
            GroupDisplayName    = $objDistributionGroup.DisplayName
            GroupSmtpAddress    = $objDistributionGroup.PrimarySmtpAddress
            MemberDisplayName   = $objMember.DisplayName
            MemberSmtpAddress   = $objMember.PrimarySmtpAddress
            MemberRecipientType = $objMember.RecipientType
        } | Export-Csv -NoTypeInformation -Append -Path <output file>
    }
}

Scenarios

Persistence

  • InboxRules
  • Delegates
  • Shared Mailboxes
    • SendOnBehalfOf
    • SendAs
  • Forwarding
  • Outlook Homepage
  • Custom Forms
  • New account creation

Data Theft

  • eDiscovery searches
  • InboxRules
  • Forwarding
  • Delegates
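The Persistence and Data Theft lists above overlap heavily (inbox rules, forwarding, delegates), so one sweep covers both. The following is an added example, not code from the original gist, that enumerates every user mailbox for rules that forward, redirect or delete mail, mailbox-level forwarding, and explicitly granted FullAccess, SendAs and SendOnBehalf permissions. It assumes a connected Exchange Online session; the folder-name pattern used to flag "hiding" rules and the output path are illustrative.

```powershell
# Added example, not from the original gist. Assumes Connect-ExchangeOnline has already run.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1) Inbox rules that move mail out of the tenant or bury it where the owner will not look.
#    The folder-name regex is a heuristic chosen for this example, not an exhaustive list.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Conversation History')
    } | Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled,
        ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords
}
$suspiciousRules | Export-Csv -NoTypeInformation -Path .\inbox-rules.csv

# 2) Mailbox-level forwarding (set via Set-Mailbox or the EAC, invisible to the user's rule list)
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3) Delegates: permissions that were explicitly granted rather than inherited or self
$mailboxes | Get-MailboxPermission | Where-Object {
    -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF'
} | Select-Object Identity, User, AccessRights                       # FullAccess etc.

$mailboxes | Get-RecipientPermission | Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, Trustee, AccessRights                    # SendAs

$mailboxes | Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object UserPrincipalName, GrantSendOnBehalfTo             # SendOnBehalf
```

Each finding should be pivoted back into the UAL (New-InboxRule, Set-InboxRule, Set-Mailbox, Add-MailboxPermission, Add-RecipientPermission) to learn who created it, from which IP, and when.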

Mobile devices

  • View a list of mobile devices for a specific user.
Get-MobileDevice -Mailbox <useralias>
  • For all users ref
  • stack:
    • Client, which will show device used
    • LogonType
    • ExternalAccess
    • UserAgent

Mailbox sync/access

  • members of eDiscovery Administrators can perform an export
  • ActiveSync
Set-CASMailbox -Identity Ellyn@contoso.com -ActiveSyncEnabled $true
  • POP3 / IMAP4

POP is enabled by default for all users.

  • Exchange Web Services (EWS)

  • If ActiveSync logging is enabled:

Get-MobileDeviceStatistics -Mailbox alias -GetMailboxLog:$true -NotificationEmailAddresses "admin@contoso.com"

Ways to access

  • OWA – Outlook Web Access/Webmail
  • MAPI – Outlook Desktop Application
  • EAS – Exchange ActiveSync, most modern smartphones
  • IMAP – Older email clients/Blackberries
  • POP3 – Outlook Express etc
  • EWS – Exchange Web Services
  • MOWA – Mobile Outlook Web Access
  • REST – via REST API
  • Outlook – Outlook client

validate these, some are prob. deprecated for graphs

  • Get-ConnectionByClientTypeReport - produces overview report for which connection types are being used
  • Get-ConnectionByClientTypeDetailReport - Provides details on how each user accesses their own mailbox.
  • Get-MobileDeviceStatistics
  • New-MailboxRestoreRequest
  • Get-MailboxRestoreRequest

Restore vs. Recover vs. Archiving

When you recover an inactive mailbox, the mailbox is basically converted to a new mailbox, the contents and folder structure of the inactive mailbox are retained, and the mailbox is linked to a new user account. After it's recovered, the inactive mailbox no longer exists, and any changes made to the content in the new mailbox will affect the content that was originally on hold in the inactive mailbox. Conversely, when you restore an inactive mailbox, the contents are merely copied to another mailbox. The inactive mailbox is preserved and remains an inactive mailbox. Any changes made to the content in the target mailbox won't affect the original content held in the inactive mailbox. The inactive mailbox can still be searched by using In-Place eDiscovery, its contents can be restored to another mailbox, or it can be recovered or deleted at a later

Destructive

  • Remove-MsolUser
  • Remove-Mailbox

Azure

  • new users created (X operation in UAL)
  • Users with multiple sessions
    • Login type & Geo location info.
  • Stack logins (MailboxLogin)
    • Failed logins before successful login
    • Logins / Login attempts per IP address
    • IP addresses successfully logged in to 1+ accounts
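The three login stacks above are plain aggregations once the sign-in records are flattened. The following is an added example, not from the original gist, that works offline over a small constructed sample so the logic can be checked before it is pointed at real data; in practice the $sample array is replaced by UserLoggedIn / UserLoginFailed records from Search-UnifiedAuditLog with ClientIP lifted out of AuditData. All user names, IPs and timestamps below are constructed.

```powershell
# Added example, not from the original gist. $sample is constructed test data with the same
# shape as flattened UAL sign-in events (User = UserIds, Op = Operations, IP = AuditData.ClientIP).
$sample = @(
    @{ Time='2021-11-01T08:00:00Z'; User='alice@contoso.com'; Op='UserLoginFailed'; IP='203.0.113.10' },
    @{ Time='2021-11-01T08:00:20Z'; User='alice@contoso.com'; Op='UserLoginFailed'; IP='203.0.113.10' },
    @{ Time='2021-11-01T08:01:05Z'; User='alice@contoso.com'; Op='UserLoggedIn';    IP='203.0.113.10' },
    @{ Time='2021-11-01T08:05:00Z'; User='bob@contoso.com';   Op='UserLoggedIn';    IP='203.0.113.10' },
    @{ Time='2021-11-01T09:00:00Z'; User='bob@contoso.com';   Op='UserLoggedIn';    IP='198.51.100.7' }
) | ForEach-Object { [pscustomobject]$_ }

# Stack 1: logins / login attempts per IP address
$sample | Group-Object IP | ForEach-Object {
    [pscustomobject]@{
        IP        = $_.Name
        Failed    = @($_.Group | Where-Object Op -eq 'UserLoginFailed').Count
        Succeeded = @($_.Group | Where-Object Op -eq 'UserLoggedIn').Count
    }
} | Format-Table -AutoSize

# Stack 2: IP addresses that successfully logged in to more than one account
$sample | Where-Object Op -eq 'UserLoggedIn' |
    Group-Object IP |
    Where-Object { @($_.Group.User | Sort-Object -Unique).Count -gt 1 } |
    Select-Object @{n='IP';e={$_.Name}},
                  @{n='Accounts';e={($_.Group.User | Sort-Object -Unique) -join ', '}}

# Stack 3: failed logins immediately before a successful login for the same user + IP.
# ISO-8601 timestamps sort correctly as strings, so no date parsing is needed here.
$sample | Sort-Object User, IP, Time | Group-Object User, IP | ForEach-Object {
    $fails = 0
    foreach ($e in $_.Group) {
        if ($e.Op -eq 'UserLoginFailed') { $fails++ }
        elseif ($e.Op -eq 'UserLoggedIn' -and $fails -gt 0) {
            [pscustomobject]@{ User = $e.User; IP = $e.IP; FailuresBeforeSuccess = $fails; SuccessAt = $e.Time }
            $fails = 0
        }
    }
}
```

With the sample above, stack 2 flags 203.0.113.10 (alice and bob) and stack 3 reports two failures before alice's success from that IP; bob's login from 198.51.100.7 produces nothing, which is the expected negative case.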

Activities

  • password resets
  • delegation added
  • member added to role
  • service principal added

Exchange Online

  • inbox rules
    • delete messages
    • archive to certain folder
  • forward rules
  • SendAs
  • SendOnBehalf
  • Identify any unauthorized mailbox access
    • Non-owners : Access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators.
    • External Users : Access by Microsoft datacenter administrators.
    • Administrators and delegated users : Access by administrators and delegated users inside your organization.
    • Administrators : Access by administrators in your organization.
  • Emails deleted by user (admin privs needed?)
  • Determine if anyone downloaded / exported a users inbox
  • Any communication or file syncing done via Drafts or Calendar?
  • Was a message viewed?
    • MessageBind action will indicate whether or not a message is viewed in the preview pane or opened.
  • Was a folder accessed?
    • FolderBind action will indicate whether or not a mailbox folder was accessed. This operation indicates the times at which the mailbox is accessed by a non-owner. This is the most common operation. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.
  • Any unauthorized eDiscovery searches performed?
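The non-owner access questions above (who accessed the mailbox, was a message viewed, was a folder touched) are answered from the mailbox audit log rather than the UAL. The following is an added example, not from the original gist, that pulls Admin and Delegate logons for one mailbox and separates the MessageBind "was it opened" signal from the much noisier FolderBind entries, as the text above recommends. It assumes mailbox auditing was enabled beforehand (entries only exist from that point on) and a connected Exchange Online session; the mailbox address is a placeholder.

```powershell
# Added example, not from the original gist. Assumes Connect-ExchangeOnline has already run
# and that AuditEnabled was $true on the mailbox for the period of interest.
$target = 'victim@contoso.com'   # placeholder: the mailbox under investigation

$entries = Search-MailboxAuditLog -Identity $target -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -ShowDetails -ResultSize 250000    # 250000 is the cmdlet's maximum

# Who touched the mailbox, from which IP, doing what (FolderBind dominates, which is expected)
$entries | Group-Object LogonUserDisplayName, ClientIPAddress, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Actions on individual items: viewed (MessageBind), sent, or deleted, excluding folder enumeration
$itemOps = 'MessageBind','SendAs','SendOnBehalf','HardDelete','SoftDelete','MoveToDeletedItems'
$entries | Where-Object { $_.Operation -in $itemOps } |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, ClientIPAddress,
                  ClientInfoString, Operation, FolderPathName, ItemSubject |
    Sort-Object LastAccessed

# Pivot: every mailbox in the tenant that the same non-owner account touched in the window
$actor = ($entries | Select-Object -First 1).LogonUserDisplayName   # or set explicitly from the stack above
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Search-MailboxAuditLog -LogonTypes Admin,Delegate -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) |
    Where-Object { $_.LogonUserDisplayName -eq $actor } |
    Group-Object MailboxResolvedOwnerName | Select-Object Count, Name
```

ClientInfoString is worth keeping in the output: it records the protocol or client (for example EWS or OWA) that performed the access, which often distinguishes a mail client sync from an interactive read.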

Activities

  • Add-MailboxPermission
  • Policy / Config / App installed

Sharepoint

Activities

  • file created
  • file accessed

Misc.

  • Number of Tenants
  • Number of Users
  • Number of Users without MFA
  • Number of Users without app passwords
  • Number of Unlicensed users
  • Number of Users on Litigation Hold
  • Number of Operations per user
  • Number of IPs per Identity
  • Number of Users never logged in
Get-Mailbox -RecipientTypeDetails UserMailbox | Get-MailboxStatistics | Where-Object {$_.LastLogonTime -eq $null} | Select DisplayName, LastLogonTime
  • Number of Inactive users last 90 / 60 / 30 days
    • Search AAD & Exchange Online
    Get-Mailbox -InactiveMailboxOnly | FL Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress
    
  • Number of Users with email synced to more than 1 device / accessed from more than one device? Might be difficult, essentially, if the attacker synced the account via an email client.
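Most of the counts in this list can be produced in one pass over the user and mailbox objects. The following is an added example, not from the original gist, covering users without MFA, unlicensed users, litigation hold, never-logged-in and 90-day-inactive mailboxes; the per-user operation and per-identity IP counts come from the UAL export instead, and app-password counts are not exposed by these cmdlets. It assumes connected MSOnline (Connect-MsolService) and Exchange Online sessions; the output path is illustrative.

```powershell
# Added example, not from the original gist. Assumes Connect-MsolService and Connect-ExchangeOnline
# have already run under an account that can read users and mailbox statistics.
$users     = Get-MsolUser -All
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$stats     = $mailboxes | Get-MailboxStatistics

# StrongAuthenticationMethods is empty when the user has never registered an MFA method
$noMfa         = $users | Where-Object { @($_.StrongAuthenticationMethods).Count -eq 0 }
$unlicensed    = $users | Where-Object { -not $_.IsLicensed }
$onHold        = $mailboxes | Where-Object { $_.LitigationHoldEnabled }
$neverLoggedIn = $stats | Where-Object { -not $_.LastLogonTime }
$cutoff90      = (Get-Date).AddDays(-90)
$inactive90    = $stats | Where-Object { $_.LastLogonTime -and $_.LastLogonTime -lt $cutoff90 }

# Headline numbers for the scoping section of the report
[pscustomobject]@{
    Users            = @($users).Count
    UserMailboxes    = @($mailboxes).Count
    UsersWithoutMFA  = @($noMfa).Count
    Unlicensed       = @($unlicensed).Count
    OnLitigationHold = @($onHold).Count
    NeverLoggedIn    = @($neverLoggedIn).Count
    InactiveOver90d  = @($inactive90).Count
}

# The names behind the riskiest number, for the appendix and for prioritising follow-up
$noMfa | Select-Object UserPrincipalName, IsLicensed, BlockCredential, LastPasswordChangeTimestamp |
    Export-Csv -NoTypeInformation -Path .\users-without-mfa.csv
```

LastLogonTime from Get-MailboxStatistics reflects the last mailbox logon of any kind, including service and delegate access, so treat "inactive" as a mailbox property rather than proof that the human has not signed in elsewhere.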

Suspicious operations

  • MailboxLogin
  • PasswordLogonInitialAuthUsingPassword
  • LastLoggedOnuserAccount

active directory

  • Add-ADPermission

advanced threat protection

  • New-SafeAttachmentPolicy
  • New-SafeAttachmentRule
  • New-SafeLinksPolicy
  • New-SafeLinksRule
  • Set-SafeAttachmentRule
  • Set-SafeLinksPolicy
  • Set-SafeLinksRule

anti-spam / anti-malware

  • Remove-IPBlocklistEntry
  • Set-IPAllowListConfig

client access

  • New-ClientAccessRule
  • New-OwaMailboxPolicy
  • Set-OwaMailboxPolicy
  • Set-TextMessagingAccount

devices

  • New-ActiveSyncDeviceAccessRule
  • New-ActiveSyncMailboxPolicy
  • Set-ActiveSyncDeviceAccessRule
  • Set-ActiveSyncMailboxPolicy

encryption

  • Export-ExchangeCertificate
  • New-ExchangeCertificate

mailboxes

  • Add-MailboxFolderPermission
  • Add-MailboxPermission
  • Add-RecipientPermission
  • Enable-InboxRule
  • Get-Mailbox
  • Get-MailboxFolder
  • New-InboxRule
  • New-Mailbox
  • New-MailboxExportRequest
  • Remove-InboxRule
  • Set-InboxRule

mailflow

  • Export-Message
  • New-AcceptedDomain
  • New-RemoteDomain
  • Set-RemoteDomain

RBAC

  • Add-ManagementRoleEntry
  • Add-RoleGroupMember
  • New-ManagementRole
  • New-ManagementRoleAssignment
  • New-RoleAssignmentPolicy

Sharing

  • Add-PublicFolderAdministrativePermission
  • Add-PublicFolderClientPermission
  • Enable-MailPublicFolder
  • New-OrganizationRelationship
  • New-PublicFolder
  • New-PublicFolderDatabase
  • New-SharingPolicy
  • Set-MailPublicFolder
  • Set-OrganizationRelationship
  • Set-PublicFolder
  • Set-PublicFolderDatabase
  • Set-SharingPolicy

Users / Groups

  • Add-DistributionGroupMember
  • Enable-MailUser
  • New-DistributionGroup

Remediation

  • Litigation Hold

Compromised account

  • Blocking someone is a good idea when you think their password or username may have been compromised by someone else. This stops anyone from signing in as this user.
  • Blocking doesn't stop the account from receiving email and it doesn't delete any data.
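Blocking sign-in prevents new authentications, but clients that already hold tokens can keep working until those tokens expire, so the block is normally paired with a refresh-token revocation. The following is an added example, not from the original gist, that blocks the account, revokes its refresh tokens, removes the forwarding paths listed under Persistence, and confirms the block; it assumes connected MSOnline, AzureAD and Exchange Online sessions, and the UPN is a placeholder.

```powershell
# Added example, not from the original gist. Assumes Connect-MsolService, Connect-AzureAD and
# Connect-ExchangeOnline have already run with sufficient rights.
$upn = 'compromised.user@contoso.com'   # placeholder

# 1) Stop new sign-ins. This does not delete data or stop mail delivery, per the note above.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# 2) Invalidate existing refresh tokens so already-authenticated clients are forced to re-authenticate
$aadUser = Get-AzureADUser -ObjectId $upn
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 3) Remove the forwarding mechanisms an intruder may have left behind (see Persistence above).
#    Rules are disabled rather than deleted so they remain available as evidence.
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Disable-InboxRule -Confirm:$false
Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 4) Confirm the state that was actually applied before reporting the account as contained
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, BlockCredential, LastPasswordChangeTimestamp
Get-Mailbox -Identity $upn |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Capture the inbox rules, delegates and forwarding settings (the sweep under Scenarios) before running step 3, so the evidence is preserved in its original state.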