(1/x) M365 changes to be aware of
1) End-users can purchase Power BI on their own personal credit cards to bypass IT
2) End-users can purchase Windows 365 Cloud PC VMs on their own personal credit cards to bypass IT
3) End-users can create security groups (even if you disabled it)
4) End-users were automatically enrolled into Bing Search Rewards, which indexes corporate data into Bing Search
5) Bing Search now collects data in Microsoft Word for the "Reuse Files" feature
6) Teams Recordings now expire after 60 days
7) The only way to prevent account lockouts from brute force is to create an Authentication policy (globally in the web interface) or for selected users with PowerShell New-AuthenticationPolicy
8) End-to-end encryption for Teams Calling is off by default
9) AAD default access token lifetime is no longer a static 60 minutes, and is now 60 to 90 minutes effective 5/31/2021
10) Windows 10 version 1809 stopped receiving security updates on 5/11/2021
11) QR-code sign-in rolled out on by default; to disable:
Set-OrganizationConfig -MobileAppEducationEnabled $false
12) Guest access in Teams is now on by default as of 2/8/2021
13) Autoforwarded emails are now disabled by default
14) Any new conditional access policy created after August 2020 includes legacy auth by default (previously you had to explicitly target legacy auth)
15) Legacy auth protocols are now being disabled randomly unless they are being actively used techcommunity.microsoft.com/t5/exchange-te…
16) If you are using the custom notification feature in Intune, all users must remove and re-add the Intune Company Portal app portal.microsoft.com/Adminportal/Ho…
17) M365 dropped support for IE11 on 8/17/2021
18) On 11/1/2021 M365 will drop support for older Outlook clients
19) Microsoft To Do enabled external sharing ON by default as of 9/25/2020
20) Windows 10 version 2004 will stop receiving security updates on December 14th 2021 docs.microsoft.com/en-us/lifecycl…
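A PowerShell check for several of the defaults listed in this thread, as an added example that is not part of the original posts. Beyond the two cmdlets named above (New-AuthenticationPolicy, Set-OrganizationConfig), it assumes the ExchangeOnlineManagement, MicrosoftTeams and MSCommerce modules are installed and an admin session is already connected to each.

```powershell
# Added example, not from the thread: report which of the defaults listed above
# are still in their new (permissive) state. Assumes Connect-ExchangeOnline,
# Connect-MicrosoftTeams and Connect-MSCommerce have already been run.
function Get-M365DefaultFindings {
    $findings = @()

    # 1)/2) self-service purchase (Power BI, Windows 365 and others) on personal cards
    Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
        Where-Object { $_.PolicyValue -eq 'Enabled' } |
        ForEach-Object { $findings += "Self-service purchase enabled for $($_.ProductName) ($($_.ProductID))" }

    # 11) QR-code sign-in is controlled by MobileAppEducationEnabled
    if ((Get-OrganizationConfig).MobileAppEducationEnabled) {
        $findings += 'QR-code sign-in ON: Set-OrganizationConfig -MobileAppEducationEnabled $false'
    }

    # 7) an authentication policy must exist, and it should not re-enable basic auth
    $policies = @(Get-AuthenticationPolicy)
    if ($policies.Count -eq 0) {
        $findings += 'No authentication policy: create one with New-AuthenticationPolicy'
    }
    foreach ($p in $policies) {
        $basic = ($p.PSObject.Properties | Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value }).Name
        if ($basic) { $findings += "Policy '$($p.Name)' still allows: $($basic -join ', ')" }
    }

    # 13) auto-forwarding: check both the outbound spam policy and the default remote domain
    $spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
    if ($spam.AutoForwardingMode -ne 'Off') {
        $findings += "Outbound spam policy AutoForwardingMode is $($spam.AutoForwardingMode), not Off"
    }
    if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
        $findings += 'Remote domain Default allows auto-forwarding'
    }

    # 12) guest access in Teams, 8) end-to-end encryption for Teams calling
    if ((Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser) {
        $findings += 'Teams guest access is ON'
    }
    $e2e = (Get-CsTeamsEnhancedEncryptionPolicy -Identity Global).CallingEndtoEndEncryptionEnabledType
    if ($e2e -eq 'Disabled') {
        $findings += 'Teams calling E2E encryption is Disabled (users cannot opt in)'
    }

    return $findings
}

Get-M365DefaultFindings | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it read-only first; every finding names the setting to change, and nothing in the function modifies the tenant.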
Forensic Investigations in O365 - a short thread on why it’s getting harder and not easier for investigators.
1) Historically the first thing we used to do was enable an EMS E5 trial license in the customer tenant, as that allowed us to have 6 months of MCAS logs. This is gone!
Now, when you enable an MCAS trial, you must manually enable audit logging against O365, so there are no retroactive logs that magically appear 😩… it gets worse tho.. let’s talk about Azure AD “free.” This is what “E1 or E3” gets you:
You get 7 days of AAD sign-in and audit logs
Historically when you enabled an AAD P1 or P2 or EMSE5 trial, you could go back 30 days. Now? When you enable the trials, no retroactive logs magically appear. 😭
So at this point the only forensic logs available in O365 beyond 7 days are the Security and Compliance Center logs…
New phishing campaign successfully bypasses Microsoft ATP (Office ATP, Defender ATP, and Azure ATP). It also bypasses SmartScreen. Works by sending an .HTM attachment or .ZIP containing .HTM.
IOCs: instantrep.xyz secured.com.awi-o.online json.geoiplookup.io
The reason this attack is so effective at reaching the inbox:
1. It originates from a compromised mailbox, so it passes SPF, DMARC and DKIM.
2. The .HTM is not malicious, so sandbox detonation is not a problem.
3. No remote URL is requested unless the user clicks their username.
I've received the same payload from two different compromised accounts at different companies. The body of the email is the same:
"Remittance advice required."
Firstname Lastname (of compromised user)
CFO