Tag Archives: Office 365

Best Practices for Office 365 Monitoring

Logging, monitoring and alerting are probably the single biggest weakness that most organizations have.

Office 365 is also likely the single biggest exposure, since mail, files and identities all live there.

So what actions should you be monitoring in Office 365?

According to AT&T's AlienVault division, here is the answer.

  1. User access – who is there normally; what is your user baseline?  Are you seeing more failed logins than normal, or logins from places you don't normally see?
  2. Administrator actions – an attacker will likely try to become an administrator, assuming the account they compromised doesn't belong to one already.  Any change in patterns could be a warning sign.
  3. Changes to Office 365 policies – if the attacker wants to do something that would normally not be allowed, they will want to change the policy to let them do it.
  4. Current threat intelligence – use your threat intelligence sources such as the FBI, Secret Service, public alert feeds and others to tweak what you are alerting on based on attacks that the industry is currently seeing.

What are the details (see the link for even more detail)?

  • Logins – both successes and failures, including time and location
  • New users, deleted users, permission changes
  • Changes to logging rules (an attacker who can turn off auditing can hide everything else on this list)
  • Access – to SharePoint, OneDrive and other resources
  • Changes to SharePoint and OneDrive permissions
  • Changes to Office 365 policies, including spam, DLP and other policies that might allow an attacker to get data out or malware in
  • Contact with known malicious IPs (see the indicators of compromise published in various alerts)
  • File uploads of file types known to be used in ransomware attacks, and unusual downloads or transfers that could be exfiltration of data
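Here is what the first three points look like as actual detection logic. This is an added example, not code from AlienVault or from the original post. It runs a handful of triage rules over constructed audit records (not real tenant data) whose field names loosely follow the Office 365 Unified Audit Log schema (CreationTime, Operation, UserId, ClientIP, Workload); the thresholds, the operation lists and the "known bad" IP are assumptions you would replace with your own baseline and threat intelligence.

```python
"""Triage rules over constructed Office 365 audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: a burst of failures against bob, then bob logs in,
# grants a role, changes the spam filter; alice talks to a "known bad" address.
SAMPLE_RECORDS = [
    {"CreationTime": "2018-05-02T08:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory"},
] + [
    {"CreationTime": f"2018-05-02T08:0{m}:00", "Operation": "UserLoginFailed", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory"} for m in range(1, 7)
] + [
    {"CreationTime": "2018-05-02T08:07:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2018-05-02T08:09:00", "Operation": "Add member to role.", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2018-05-02T08:12:00", "Operation": "Set-HostedContentFilterPolicy", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "Workload": "Exchange"},
    {"CreationTime": "2018-05-02T08:15:00", "Operation": "FileDownloaded", "UserId": "alice@example.com",
     "ClientIP": "192.0.2.44", "Workload": "OneDrive"},
    {"CreationTime": "2018-05-02T09:30:00", "Operation": "UserLoginFailed", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory"},
]

# Assumed tuning: a real deployment derives these from its own baseline and intel feeds.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
KNOWN_BAD_IPS = {"192.0.2.44"}
ADMIN_OPERATIONS = {"Add member to role.", "Add user.", "Update user.", "Delete user."}
POLICY_OPERATIONS = {"Set-HostedContentFilterPolicy", "Set-DlpCompliancePolicy", "New-TransportRule",
                     "Set-AdminAuditLogConfig", "SharingSet", "AnonymousLinkCreated"}


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Map each user to the largest number of failed logins seen in any sliding window.

    Users who never reach the threshold are omitted, so the baseline (here: a lone
    mistyped password from alice) does not page anyone.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def triage(records, bad_ips=KNOWN_BAD_IPS):
    """Return (rule, user, detail) tuples for everything a first-level analyst should look at."""
    alerts = []
    bursts = failed_login_bursts(records)
    for user, count in bursts.items():
        alerts.append(("failed-login-burst", user, count))
    for r in records:
        op, user = r["Operation"], r["UserId"]
        if op in ADMIN_OPERATIONS:
            alerts.append(("admin-change", user, op))
            # A brute-force burst followed by a role grant from the same account is
            # the "attacker becomes an administrator" pattern the list warns about.
            if user in bursts:
                alerts.append(("possible-takeover", user, op))
        if op in POLICY_OPERATIONS:
            alerts.append(("policy-change", user, op))
        if r.get("ClientIP") in bad_ips:
            alerts.append(("known-bad-ip", user, r["ClientIP"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

The correlation rule is the one worth copying: a burst of failures on its own is noise in most tenants, but a burst followed by a role grant or a spam-filter change from the same account is exactly the sequence an account takeover produces, and it is cheap to detect once you have the events in one place.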

You do need to review the alerts you get in near real time, and that will take resources, but you should be able to train lower-level staff to perform first-level triage.

This is not simple and it will take resources.  However, being hacked, having a breach or dealing with a ransomware attack is not free either.

Source: AT&T AlienVault

Hackers Figure Out How to Evade Microsoft’s Advanced Threat Protection

Hackers are always in a cat-and-mouse game with the good guys (and gals): the hackers try to do us in and the good guys try to swat them away.

Microsoft has an add-on to Office 365 called Advanced Threat Protection, or ATP.  One of the things ATP does (the Safe Links feature) is make links inside emails safer by rewriting every link to point at a Microsoft filtering service, which checks the real destination before sending the user on.

There is a bit of a flaw in their process.  In HTML you can split a URL into two pieces: a <base href> tag in the head of the message that carries the host, and a relative link in the body that carries only the path.  When the link is clicked, the browser glues the two pieces together to make the full web address.

Apparently ATP does not understand that.  The rewriter sees a relative path that does not look like a URL and never wraps it, so the attacker's full address is only assembled in the user's browser, after the filter has had its look.  At least for now, the bad guys get through.
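To make the mechanism concrete, here is an added example (not code from Microsoft, Avanan or the original post) that parses a constructed phishing message and compares two ways of deciding which links to check: a naive model that only treats hrefs that are already absolute URLs as links, and a correct model that resolves every href against the <base> the way a browser does. The hostnames are made up; the naive model stands in for the class of flaw the post describes, not for how any vendor's product is actually implemented.

```python
"""Why a <base> tag hides a phishing URL from a rewriter that only looks at absolute hrefs."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed phishing e-mail body: the malicious host lives only in <base>;
# the <a href> a scanner sees is a bare relative path.
SAMPLE_EMAIL_HTML = """
<html><head><base href="http://attacker.example/"></head>
<body>
<p>Your mailbox is almost full. <a href="quota/login.html">Review storage</a>.</p>
<p>Also see <a href="https://docs.example.com/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]  # browsers honour the first <base> only
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.base, parser.hrefs


def naive_rewrite_targets(html):
    """Flawed model: only hrefs that already carry an http(s) scheme count as links."""
    _, hrefs = collect_links(html)
    return [h for h in hrefs if urlsplit(h).scheme in ("http", "https")]


def resolved_targets(html):
    """Correct model: resolve each href against <base> (if any), as the browser will."""
    base, hrefs = collect_links(html)
    return [urljoin(base or "", h) for h in hrefs]


def links_missed_by_naive_rewriter(html):
    """Destinations the user can actually reach that the naive model never inspected."""
    return sorted(set(resolved_targets(html)) - set(naive_rewrite_targets(html)))


if __name__ == "__main__":
    print("naive sees:   ", naive_rewrite_targets(SAMPLE_EMAIL_HTML))
    print("browser goes: ", resolved_targets(SAMPLE_EMAIL_HTML))
    print("missed:       ", links_missed_by_naive_rewriter(SAMPLE_EMAIL_HTML))
```

The fix on the filtering side is the second function: resolve against <base> first, then decide whether to rewrite. Anything that classifies links before resolution (rewriters, URL reputation lookups, your own mail-gateway rules) has the same blind spot.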

Interestingly, Proofpoint also falls for this attack, but Mimecast does not.  Gmail does not seem to fall for it either.

So what should you do?

First, don't let users let their guard down just because you have some software in place.  Keep training and keep running phishing tests.

Second, it is probably worthwhile to let your users know that this attack is in the wild and they should be extra careful.

Finally, whine at Microsoft and ask them when they are going to fix the baseStriker vulnerability.  The more people who complain, the faster it will get fixed.

This is one of the good things about the web.  Since this is a service hosted at Microsoft, all they have to do is fix the service in one place and every Office 365 user is protected at once.  That's pretty neat.

And I bet there are some folks in Redmond or Dublin or some place like that working on the problem right now.  It doesn't seem like it will be hard to fix, so it will likely be fixed soon.

Information for this post came from The Hacker News.