Office 365 Survival Kit by Eric English

Office 365 is gaining popularity in the last few years because of it being cloud based and easier
for administrators to manage without dealing with the infrastructure headaches and costs. With
convenience comes sacrifice and with Office 365 the sacrifice is security.

For all you cybersecurity pros out there, this is a huge risk to the organization. Office 365 is
always online and is a constant target for hackers. Microsoft provides minimal controls on the
Office 365 platform to prevent password spraying attacks against your organization. This means
that hackers can constantly try to get into your email accounts over and over. This can cause
account lockouts but even worse can cause account compromise.

The BIGGEST RISK is the additional alias email address that Microsoft requires when creating
a new user in O365. Microsoft REQUIRES an address with @yourdomain.onmicrosoft.com as
the domain name. You can’t turn this off or disable it, at all! This can be used to completely
bypass an external spam filter because you don’t control the MX records for onmicrosoft.com.
This is the craziest thing and the biggest flaw in Office 365 by far.

I’ve put together some tips on hardening your Office 365 environment and slow down the
attackers.

1. Turn on 2-factor - This is obviously not as easy as it appears and the adoption from
users is typically not a friendly one. Overall this is the best way to prevent account
compromises.

2. Harden Office 365 -

a. Disable IMAP and POP3

b. Disable Office 365 PowerShell access for non-admin users

c. Enable Modern Authentication in Office 365

d. Disable Outlook Web Access for users that don’t need it

e. Only accept inbound emails from your spam filter

f. Configure Geo-IP Blocking to block foreign countries that you don’t do business with

g. Restrict API access to only allowed IP ranges

h. Block ALL inbound emails to example@example.onmicrosoft.com. The onmicrosoft.com domain is a great way for hackers to bypass your spam filter because the MX records are pointing directly to Office 365.

i. Here is more info on the hardening process with links for how to do it:
https://ericenglish.com/2018/08/28/8-ways-to-harden-office-365-environments/

3. Have a gameplan ready to go when account compromise happens. The biggest thing to
do is lock down the account as soon as the compromise is suspected. Quick steps to
lock down the account and kill all active sessions:

a. From the Office 365 admin console, search for the user, open the user’s page,
under “Sign-in Status”, click the “Edit” button and choose “Block sign-ins”.

b. Under the OneDrive settings, in the “Sign out” section, click the “Initiate” button to
trigger an account logout. Yea I know it looks weird doing that through OneDrive
but they’re all tied together.

c. Quarantine any emails that were delivered using PowerShell scripts. I wrote one
that is menu based script to help with quarantining and logging users out/killing
active sessions. You can find it here:
https://github.com/eenglish34/O365-Powershell

You’ll need to modify this script to point to which mailbox you want the
quarantined emails to go to. Aside from that it’s pretty straight forward.
Microsoft has their own guide on how to deal with a compromised account. You can find it here:
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hackedmicrosoft-
office-365-account/

I found that the Microsoft documentation is lacking quite a bit and doesn’t really tell you
how to help prevent this from happening to begin with. Hence the reason I made this
blog post. It was nearly impossible to find anything on the web that was useful and it
took hours of trial and error to get to this point and figure out where all the weaknesses
are.

I hope this helps someone else that is struggling with account compromises and
provides a good baseline for hardening and preventing this as much as possible.
If you’d like to contact me you can reach me on Twitter @cybercryptoguy.

I also have a podcast where I discuss Cybersecurity and Cryptocurrency if you’d like to
take a listen.