Back to BlogFormer Microsoft Employee M365 Threat Hunting Tips
San Francisco, Calif. — As a Senior Security Strategist at Microsoft in the late 90s, Aaron Turner learned the phrase “SB 3”: secure by design, secure by default, secure by deployment. He relied on the mantra as he worked on the first version of Exchange delivered as an application service provider.
After leaving Microsoft, Turner began delving into the “undocumented details of Microsoft” as he assisted customers with large migrations to Exchange Online.
“As I began to look into hardening that environment, I came away with more questions and answers. And what was sort of frustrating to me, having worked at Microsoft in those early days…a lot of the stuff in Exchange Online didn’t follow the SB 3 mantra.”
Instead, he found Exchange Online to be “cobbled together and reactionary,” and too complicated for the average administrator to properly secure.
“The vast majority of organizations that migrated to Microsoft 365 services have done so without appropriate preparedness for hardening detection and response capabilities,” Turner said.
In the session M365 Threat Hunting—How to Understand Attacker’s TTPs in Your Tenant, Turner explained the risks of Microsoft 365 and common attack paths.
The Increasing Efficacy of Microsoft 365 Attacks
Microsoft 365 has been fraught with attacks, especially since the start of the pandemic in 2020. In March 2020, foreign state-sponsored breached the U.S. Treasury, among other victims, by bypassing Microsoft’s authentication controls. Then in December, over 100,000 Microsoft 365 customers were compromised in a series of attacks called Dark Halo.
From there, attacks have only escalated in scope and magnitude. In 2021, Hafnium attackers pivoted from on-premises to Microsoft 365, targeting command and control (C2) servers. Later that year, Nobelium attacks affected over 100,000 customers, many of them MSPs and their customers. In early 2022, adversaries exploited Microsoft 365 vulnerabilities to interrupt Ukraine military support operations.
Microsoft 365 Threat Hunting Tips
Threat hunting in Microsoft 365 requires an understanding of common attack paths.
Shorten The Identity Supply Chain
In the SolarWinds attack, threat actors stole API keys from identity providers such as Duo and Okta, which allowed them to bypass multi-factor authentication (MFA) on Exchange accounts.
“How can you detect if an API key is stolen and being abused to authenticate to a cloud service that you don’t necessarily have visibility into?” Turner said. “It’s one of those things where you just start chasing your tail.”
Shortening the identity supply chain can prevent these attacks, which means you should ideally use Azure Active Directory as the authoritative identity provider for Microsoft 365.
The advisory “Detecting Abuse of Authentication Mechanisms” was a rare instance of the NSA making a vendor recommendation with this advice.
“By consolidating identity and access natively in the cloud, tenants relieve themselves from the burden of managing the federation of authentication and the on-premises service, and gain more of the protections that the cloud provider has in place, including system hardening, configuration and monitoring,” the advisory reads.
Turn Off Legacy Authentication
Another way that adversaries bypass MFA is by using legacy protocols such as IMAP or POP3. Legacy authentication protocols such as IMAP/POP3 don’t support MFA, so threat actors can circumvent MFA when victims fail to restrict legacy authentication. This technique is a major attack path, and was used in the US Treasury attacks.
“You need to have the discipline of shutting them off, and maintaining them off,” Turner said. “Any time you see a legacy protocol being turned on, that’s a bad thing.”
It’s crucial to be able to detect when MFA is disabled on a Microsoft 365 account.
Sharpen Your PowerShell Skills
PowerShell is the only way to truly understand the Microsoft 365 world, Turner said. A good threat hunting team needs to look for seven different PowerShell modules for a run-of-the-mill E3 license, Turner said — including Azure AD, Azure RM, Exchange Online, MS Online, SharePoint Online, MS Teams, and MS Graph.
Having a PowerShell expert within your organization is crucial — or alternatively, working with a partner that has that expertise.
Invest in people who are reading through the Microsoft developer content around the Graph API and PowerShell, Turner said.
“That’s going to be the source of truth for threat hunting in this environment,” he added.
Microsoft 365 Security Made Easy
Most organizations don’t have the time to wade through hundreds of pages in developer documentation, or the expertise to hunt for seven different PowerShell modules, Turner recognizes.
Blumira is designed for teams with fewer resources. Our security team is composed of experts in PowerShell that perform threat hunting on your behalf, constantly looking for the latest attack trends and developing detections to automatically roll out to our cloud SIEM.
Blumira’s Free Edition easily integrates with your Microsoft 365 environment to detect threats such as identity-based attacks, suspicious activity, and more. Get your account for free, without a credit card or a sales conversation.
