Christian Family Man, CEO of Patriot Consulting (Microsoft Security Partner) Author of "Securing Microsoft 365" Microsoft MVP (Security) (2020-present)
Dec 7, 2023 • 9 tweets • 4 min read
🧵Entra Identity Governance license changes went into effect on October 30, 2023.
Some of what you used to own with @azuread P2 now requires you to purchase an additional Identity Governance license.
Here is my journey on failing to understand the new Access Review licensing.
My use case: remove inactive guests. Clicking on the link in the warning message takes you to this docs page: (TL;DR: "some of what you used to own in P2 now requires an additional purchase" 😡) How can you remove things I paid for?
🧵Did some lightweight #DFIR on a Russian threat actor last night. Several observations to share here. 1) They may initially do some scanning from Russia but quickly pivot to IPs inside the USA to bypass geofencing. Too many customers feel way too safe with geofencing! 2) …
2) The initial access was standard phishing, but once the creds were shared the attack itself consisted of sending thousands of emails to internal and external recipients in a worm-like manner. Phishing propagation by an Initial Access Vector? Look for the "OfficeHome" app doing the …
Nov 4, 2023 • 7 tweets • 2 min read
Microsoft 365 Copilot is now for sale as of November 1st.
The question I see most often asked on social media is: “How can a company justify the minimum investment of $108,000?
What’s the return on investment?”
A thread 🧵
Harvard Business Review found AI can help a consulting company increase quality by 40% and complete tasks 25% faster.
Microsoft Defender for Office, Horror Story. A thread. (1/5)
On Wednesday at 6:00 PM CST, the customer's primary domain name is suddenly marked as a phishing URL by MDO. Outbound emails are blocked because the email signature has their URL… it gets worse…
(2/5) Support case opened Thursday morning at 9:00 AM CST. No response until 3:00 PM CST. What the support engineer tells them to do… well… it's disturbing. "Add your domain to the anti-spam domain allow list." This is bad advice for two reasons …(continued)…
Dec 22, 2021 • 9 tweets • 4 min read
Did you know you can audit what hackers search for in a mailbox or SharePoint after they compromise an account?
To do this, you must first run this in EXO
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditOwner @{Add="SearchQueryInitiated"}
Requires an M365 E5 License
There are lots of caveats, such as if you use group-based licensing to apply the M365 E5 license, then you have to do this weird step where you disable and re-enable the Advanced Audit feature. docs.microsoft.com/en-us/microsof…
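As an added example (not part of the thread above, and not the author's code), here is the end-to-end sequence in PowerShell: turn on owner search auditing for every mailbox, confirm the setting actually took, then pull a suspect account's searches back out of the unified audit log. It assumes the ExchangeOnlineManagement module is installed, that alice@contoso.example is a placeholder identity, that SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint are the operation names the audit log records for this event, and that the search string sits in a QueryText property inside the AuditData JSON; verify those last two against your own records.

```powershell
# Added example: enable mailbox-owner search auditing and retrieve the searches
# a compromised account ran. Needs the ExchangeOnlineManagement module and the
# Audit (Premium) / M365 E5 entitlement the thread describes.
Connect-ExchangeOnline

# 1. Turn on SearchQueryInitiated for every existing mailbox. Mailboxes created
#    later will not have it, so schedule this rather than running it once.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -AuditOwner @{Add = "SearchQueryInitiated"}

# 2. Sanity check on one mailbox (placeholder identity). Returns $true when set.
$suspect = "alice@contoso.example"
(Get-Mailbox -Identity $suspect).AuditOwner -contains "SearchQueryInitiated"

# 3. Pull the suspect's search events from the last 7 days. The unified audit
#    log caps a single call at 5000 records; for larger windows add -SessionId
#    and loop until no more results come back.
$records = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $suspect `
    -Operations "SearchQueryInitiatedExchange", "SearchQueryInitiatedSharePoint" `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

# 4. The search terms live inside the AuditData JSON blob, not in top-level
#    columns. QueryText is the assumed property name; adjust if your records differ.
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $d.UserId
        Workload  = $d.Workload
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Query     = $d.QueryText
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Two practical notes: audit records can take a while to show up after the event, so an empty result right after enabling the setting does not mean the attacker searched nothing; and the ClientIP column is what lets you separate the attacker's searches from the legitimate owner's activity in the same window.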
Aug 28, 2021 • 10 tweets • 3 min read
(1/x) M365 changes to be aware of 1) End-users can purchase PowerBI on their own personal credit cards to bypass IT 2) End-users can purchase Windows 365 Cloud PC VMs on their own personal credit cards to bypass IT 3) End-users can create security groups (even if you disabled it)
4) End-users were automatically enrolled into Bing Search Rewards which indexes corporate data into Bing Search 5) Bing Search now collects data in Microsoft Word for the "Reuse Files" feature 6) Teams Recordings now expire after 60 days
Jul 10, 2021 • 7 tweets • 2 min read
Forensic Investigations in o365 - a short thread on why it’s getting harder and not easier for investigators. 1) Historically the first thing we used to do was enable an EMS E5 trial license in the customer tenant, as that allowed us to have 6 months of MCAS logs. This is gone!
Now, when you enable an MCAS trial, you must manually enable audit logging against O365, so there are no retroactive logs that magically appear 😩… it gets worse though… let's talk about Azure AD "free." This is what "E1 or E3" gets you
You get 7 days of AAD sign-in and audit logs
Dec 25, 2019 • 4 tweets • 2 min read
New phishing campaign successfully bypasses Microsoft ATP (Office ATP, Defender ATP, and Azure ATP). It also bypasses SmartScreen. Works by sending an .HTM attachment or .ZIP containing .HTM.
IOCs instantrep.xyz secured.com.awi-o.online json.geoiplookup.io
The reason this attack is so effective at reaching the inbox: 1. Originates from a compromised mailbox, so it passes SPF, DMARC and DKIM. 2. The .HTM is not malicious, so sandbox detonation is not a problem. 3. There is no remote URL attempted unless the user clicks their username.