
@robert-moses
Last active February 21, 2024 14:19
Office 365 security baseline and incident response

Basics and Tools

Email Incident Response steps


Basics

https://docs.microsoft.com/en-us/office365/securitycompliance/office365-security-incident-response-overview

Tools

https://gallery.technet.microsoft.com/office365/Office-365-Reporting-Tool-7987b4c2

https://github.com/renisac/O365-Management-and-Log-Scripts/tree/master/source/O365_IR_Toolbox

MFA setup/config

Phishing/Spoofing:

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

Audit Log

https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

# Run from a connected Exchange Online PowerShell session (Connect-ExchangeOnline).
# Check the current state: AuditDisabled should be False, ingestion should be True.
Get-OrganizationConfig | FL AuditDisabled

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

# Turn on Unified Audit Log ingestion and organization-level mailbox auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Set-OrganizationConfig -AuditDisabled $false

# Restore the default audit settings (admin, delegate and owner actions) on every user mailbox.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -DefaultAuditSet Admin,Delegate,Owner


Office365: How to investigate email account compromise or suspicious messages

  1. Determine if a third party is logging into the email account and take appropriate action (change password, block access).
  2. Examine the suspicious message details to determine whether it was sent from the user account or from an external source spoofing it.
  3. Remediate the compromised account.

INVESTIGATE ACCOUNT ACCESS / LOGINS - we are looking for an Indicator of Compromise (IOC)

  1. Check risky sign-ins via Azure AD:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RiskySignIns

Look for unusual IPs (locations, time-of-day).

This interface should highlight unusual activity.

  2. Check the Unified Audit Log:

Filter for the user account / user name.

Review IPs, login times, etc.

The IOC is access to the account (i.e. a login to OWA, or SMTP/POP authentication).

  3. EXAMINE MESSAGE: Is the message an external spoof, or was it sent from the user account?

Check Message Trace in the Exchange Admin Center.

Look for the sender/source IP - is it coming from outside? Then it is a spoofed message.

If it appears internal (from the user account), review the account access above: was it sent via OWA/SMTP remotely, or is the user's PC/phone compromised?

https://protection.office.com/?rfr=AdminCenter#/messagetrace

https://outlook.office365.com/ecp/?rfr=Admin_o365&exsvurl=1&mkt=en-US&Realm=[CLIENT EMAIL DOMAIN]

  4. Check the Unified Audit Log, searching for this specific message:

https://protection.office.com/?rfr=AdminCenter#/unifiedauditlog

  5. (E3 with archiving) Check the message headers (via Content Search / original message download):

https://protection.office.com/?ContentOnly=1#/contentsearchbeta
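The Unified Audit Log step above (filter for the user, then review IPs and login times) as an added PowerShell example, not part of the original gist: it assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline with the Audit Logs role), and the function name and parameters are my own.

```powershell
# Added example (not from the original gist): summarise sign-in activity for one
# account from the Unified Audit Log so that rare source IPs and off-hours logins
# stand out. Function name and parameters are assumptions of this example.
function Get-AccountSignInSummary {
    param(
        [Parameter(Mandatory)] [string] $UserId,   # UPN of the account under investigation
        [int] $Days = 30                           # look-back window
    )
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    # UserLoggedIn = Azure AD sign-in; MailboxLogin = mailbox access (OWA, POP/IMAP/SMTP clients).
    # ResultSize 5000 is the single-call maximum; page with -SessionCommand for busier accounts.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserId `
        -Operations 'UserLoggedIn','MailboxLogin' -ResultSize 5000
    # AuditData is a JSON string; Azure AD records carry ClientIP, Exchange records ClientIPAddress.
    $events = foreach ($r in $records) {
        $d  = $r.AuditData | ConvertFrom-Json
        $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime            # CreationTime is UTC
            Operation = $d.Operation
            ClientIP  = ($ip -replace '^(\d{1,3}(\.\d{1,3}){3}):\d+$', '$1')  # drop IPv4 source port
            Result    = $d.ResultStatus
        }
    }
    # One row per source IP: how often, first/last seen, which operations, logins outside 06:00-20:00 UTC.
    # Sorted ascending by count so the rarely seen (most suspicious) IPs are listed first.
    $events | Group-Object ClientIP | ForEach-Object {
        [pscustomobject]@{
            ClientIP   = $_.Name
            Logins     = $_.Count
            FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            Failed     = ($_.Group | Where-Object { $_.Result -ne 'Success' }).Count
            OffHours   = ($_.Group | Where-Object { $_.Time.Hour -lt 6 -or $_.Time.Hour -gt 20 }).Count
        }
    } | Sort-Object Logins
}

# Usage (replace the UPN with the account being investigated):
# Get-AccountSignInSummary -UserId 'user@example.com' -Days 14 | Format-Table -AutoSize
```

Compare the listed IPs against the user's known locations and devices; a single-login IP with off-hours activity is the pattern to follow up in Message Trace.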

MORE INFO:

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
