With the advent of scammers, spammers, phishers, and other types of baddies, and the complementary rise in anti-malware, anti-spam, domain and sender verification techniques, we’re in a perpetual cat-and-mouse game. I’ve had several customers over the past few weeks ask me about best practices for configuring some of the Advanced Threat Protection (ATP) features.… [ Continue reading ]
In Part 1 of this blog series, I went through the setup of the Splunk Add-On for Microsoft Cloud Services, which you can use to extract, query, and analyze data provided by the Office 365 Management Activity API. In this particular post, we’re going to explore the Microsoft Office 365 Reporting Add-On for Splunk, which you can use to review message trace data from Office 365.… [ Continue reading ]
I’ve had a number of customers ask me about configuring their monitoring systems to Office 365. So, rather than repeating the same information and re-issuing the same links (most of which contain outdated information), I’m going to put together a series on how to connect a few systems to Office 365. … [ Continue reading ]
In my previous post, I discussed using the new Attack Simulator for crafting phishing campaigns against your users. If you haven’t tried it out yet, I’d heartily recommend it. It’s more fun than a barrel of monkeys.
For this post, we’re going to shift into slightly more traditional attack strategies. … [ Continue reading ]
Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users. The Attack Simulator has three core components, each of which I’ll cover in a series:
- Spear Phishing (Credential Harvest)
- Brute Force Password (Dictionary Attack)
- Password Spray Attack
For this post, I want to focus on the Spear Phishing campaign.… [ Continue reading ]
A few users reported bugs with logging that I have updated. There was also an unreported bug when searching the XML generated by Get-ADSyncServerConfiguration for the connector’s AD user, which I have also resolved.
You can get the updated tool at https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74.… [ Continue reading ]
Update: We now have some public documentation available for this as well, so be sure to check there, too! https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-plans
Imagine this scenario: You’ve been running Active Directory Federation Services (AD FS) since before it was cool, and you’re tired of maintaining that highly available infrastructure (at least 4 servers) and the whole federation thing and its myriad of quirks and drawbacks and headaches (such as alt-id (which is still supported in Pass-through authentication with some caveats, listed below), claims rules, certificates, and the fun of trying to change UPN suffixes from one federated UPN to another).… [ Continue reading ]
Two updates for the tool in a week? Yes! It is so!
At the behest of my good friend Darryl and one of his customer’s needs, I have updated the the AAD Connect Advanced Permissions tool with the following:
- Allow the underscore (“_”) character to be used in an OU name path
- Allow CN= to be used as part of the OU filter name path, since some organizations may want to try to scope permissions specifically to CN=Users.
On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool:
- Better logging of errors. When running the tool for a large organization that had $ characters in its service account names, the tool would report successful but not leave any log files or indicators where things may have happened.
I have updated the Office 365 Proxy PAC tool to allow selection of the US Department of Defense XML feed for proxy bypass configurations.
You can see previous updates for the tool:
And of course, the updated tool is available on the TechNet Gallery, with a couple of other bugfixes that some people reported (invalid characters/smart quotes appeared in some versions of the file, which have been corrected): https://gallery.technet.microsoft.com/Office-365-Proxy-Pac-60fb28f7 … [ Continue reading ]
Picking up where I left off on part 1 of this post, I wanted go into what it would take to refine some roles for managing eDiscovery for larger organizations.
In this scenario, we’re going to:
- Remove users from any existing eDiscovery roles or groups
- Create a security group to hold users that will perform eDiscovery searches
- Create a custom role group that has the appropriate eDiscovery roles and add the security group as a member
If you didn’t read the previous blog post on this topic, I’d encourage you to go back and do so, since I’m going to continue using the same users and compliance filters.… [ Continue reading ]
Diving deeper into the Security & Compliance Center, I decided to embark on trying to scope eDiscovery permissions to meet a certain set of requirements that we see when multiple business units want or need to maintain independence from a content search and discovery perspective.… [ Continue reading ]
UPDATE: [11/20/2018] I had an error in the transport rule configuration in the last example, as well as a note that a TR would NDR external traffic. I have this post accordingly.
We’re all familiar with how Office 365 tenants work–when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com). … [ Continue reading ]
While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments. Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals. … [ Continue reading ]
In light of the discovery that a recent comprise involved administrator credentials that were not protected with multi-factor authentication, I thought revisiting http://securescore.office.com might be a good idea.
For the uninitiated, Secure Score is a tool that we provide to examine some configuration items and give guidance on others in respect to creating a more secure operating environment for your Office 365 tenant. … [ Continue reading ]
This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.… [ Continue reading ]
Update: I’ve also added some new features, detailed in https://www.undocumented-features.com/2017/10/16/recovering-from-crypto-or-ransomware-attacks-with-the-onedrive-for-business-admin-tool/.
While updating a script I wrote to remove the “Shared with Everyone” folder in OneDrive for business, it dawned on me that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don’t have specific guidance on, or only have little bits of information scattered around the interwebs.… [ Continue reading ]
The people have spoken.
I’ve updated the tool with a couple of features:
- Include the Skype for Business IP ranges in the proxy bypass list, since there are occasions that it is necessary.
- Added an option for *all* IP ranges in the XML feed for selected products to be added to the proxy bypass list
- Added an option for *only* IP ranges in the XML feed for selected products to be added to the proxy bypass list
- Added an option to export the IP ranges for selected products to a separate text file.
Recently, a customer asked for clarification on the difference between Content Search (Security & Compliance center | Search & investigation | Content search) and the Content Search feature in an eDiscovery case (Security & Compliance center | Search & investigation | eDiscovery). … [ Continue reading ]
This past week has seen the widespread growth of the WannaCry ransomware attack, which was based on the EternalBlue SMB vulnerability. We released security update MS17-010 on March 14, 2017 to address the vulnerability.
Preliminary reports show at least 300,000 computers have been affected globally by this ransomware that encrypts files, requiring up to $600 in bitcoin payments within 7 days before the data is deleted.… [ Continue reading ]