How Attackers Exploit Office 365 Vulnerabilities A Hacker Explains Liam Cleary CEO/Owner SharePlicity Jeff Melnick Systems Engineer Netwrix Corporation

How Attackers Exploit Office 365 Vulnerabilities

A Hacker Explains

Liam Cleary, CEO/Owner, SharePlicity

Jeff Melnick, Systems Engineer, Netwrix Corporation

Agenda

• Office 365 Hacked

• Office 365 Attacks

• Netwrix Auditor Solutions

• Q&A Session

• Prize Drawing

Steps

• Attack Simulation

• Exploitation

• Protection

Is Office 365 Vulnerable?

Yes No

Has Office 365 Been Hacked?

• Office 365 OWA Security Vulnerability – January 2018

– https://community.spiceworks.com/topic/2105786-office-365-owa-security-vulnerability

• Widespread, Brute-Force, Cloud-to-Cloud Attacks Hit Office 365 Users – July 2017

– https://www.skyhighnetworks.com/cloud-security-blog/skyhigh-discovers-a-targeted-brute-force-attack-on-enterprise-customers/

• Microsoft Office 365 hit with massive Cerber ransomware attack – June 2016

– https://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/529295/

Office 365 Breach Flow

• Login & Access

• Service Access

• File Downloads

• Site Traversal

• Mail Access

• Mail Rules

• Create / Read / Update / Delete

• API Access

Exploitation

Exploiting Office 365

• Phishing

• Brute-force Password

• Malicious URLs

• *MFA bypass

* https://twitter.com/rkalember/status/1017082306853392384

Brute-force Password

• Identify web form parameters

• Intercept traffic using Proxy

• Retrieve bad response

• Construct command for Brute-force

Malicious URLs

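<!-- Direct link: the anchor carries the full URL -->
<!DOCTYPE html>
<html lang="en">
<head></head>
<body>
Click the Malicious <a href="https://bit.ly/malicious">link</a>
</body>
</html>

<!-- Same destination: <base href> supplies the host, the anchor holds only the path -->
<!DOCTYPE html>
<html lang="en">
<head>
<base href="https://bit.ly">
</head>
<body>
Click the Malicious <a href="malicious">link</a>
</body>
</html>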
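An added example, not part of the original slides: a link check that resolves every anchor against the document's <base href> before matching hosts, so the second document above is judged on the same destination as the first. The function and class names and the blocklist are hypothetical; the sample inputs are the slide's two documents, retyped with plain quotes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed inputs: the slide's two documents, with plain ASCII quotes.
DIRECT_HTML = ('<html><head></head><body>Click the '
               '<a href="https://bit.ly/malicious">link</a></body></html>')
BASE_HTML = ('<html><head><base href="https://bit.ly"></head>'
             '<body>Click the <a href="malicious">link</a></body></html>')


class LinkCollector(HTMLParser):
    """Record anchor hrefs and the document base URL."""

    def __init__(self):
        super().__init__()
        self.base = ""          # stays empty when the document has no <base>
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and not self.base:
            self.base = href    # browsers use only the first <base href>
        elif tag == "a":
            self.hrefs.append(href)


def scan_links(html, blocked_hosts):
    """Return one finding per anchor, judged on the raw and the resolved href."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for raw in collector.hrefs:
        resolved = urljoin(collector.base, raw)   # what the click actually opens
        findings.append({
            "raw": raw,
            "resolved": resolved,
            "raw_match": (urlsplit(raw).hostname or "") in blocked_hosts,
            "resolved_match": (urlsplit(resolved).hostname or "") in blocked_hosts,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("direct", DIRECT_HTML), ("base href", BASE_HTML)):
        for finding in scan_links(doc, {"bit.ly"}):
            print(name, finding)
```

A filter that matches only the raw href reports nothing for the second document; matching on the resolved value reports both.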

Attack Simulation

Why Simulate an Attack?

• People are the weakest link

• Test current systems

• End-user training

Attack Simulation Prerequisites

• Office 365 License that includes Office 365 Threat Intelligence

o Can be purchased as a separate add-on

• Utilize Exchange Online

• Assigned as Global Administrator

o If not Global Administrator, specific permissions to Security & Compliance Center

• Enabled Multi-Factor Authentication for Office 365 Users

Attack Simulation Types

• Spear-phishing (Credential Harvesting)

• Password-spray

• Brute-force Password (Dictionary Attack)

Office 365 Attack Simulator

Protection

What Does Microsoft Provide?

• Identity and access management

• Threat protection

• Information protection

• Security management

• Security Graph

Risk Assessment

• Identify and define Office 365 scoped services

• Review existing Security documentation and guidance

• Gather existing configuration and security data

• Review assessment data, define risks and actions

• Define current Security posture based on assessment

• Perform remedial actions, based on assessment results and guidance

Security Controls

• Core Protections

o Exchange Online Protection

o Exchange Advanced Threat Protection

o Advanced Security Management / Cloud App Security

o Threat Intelligence

o Advanced Data Governance

o Azure Active Directory Authentication

o Multi-factor Authentication

o Office 365 Secure Score

o Conditional Access

o Mobile Device Management

• Content Protections

o Information Rights Management

o Azure Information Protection

o Data Loss Prevention

Takeaways

Takeaways

• Office 365 License that includes Office 365 Threat Intelligence

• Enabled Multi-Factor Authentication for Office 365 Users

• Execute Attack Simulator

• Enable ALL or AS MANY Security controls as possible

• Provide End User Training

Demonstration

Netwrix Auditor

Netwrix Auditor for Office 365

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Windows Server

Netwrix Auditor for Exchange

Netwrix Auditor for SQL Server

Netwrix Auditor for SharePoint

Netwrix Auditor for NetApp

Netwrix Auditor for EMC

Netwrix Auditor for VMware

Netwrix Auditor Platform

Netwrix Auditor for Azure AD

Netwrix Auditor for Oracle Database

Netwrix Auditor Unified Platform

• Exchange Online administrative changes, changes to mailboxes, mail users, groups, permissions, policies, and management roles

• Non-owner mailbox access auditing

• SharePoint Online and OneDrive for Business configuration, security, and content changes, and data access events

• Changes to Azure AD groups, users, passwords, roles, applications, service principals, devices, contacts, and more

• Logon auditing

• Changes to farm configuration, user content and security, permissions, group membership, security policies

• Read access auditing

All Exchange Server Changes

Exchange Online Mailbox Permissions Changes

Behavior Anomalies

Interactive Search

Alerts on Suspicious Activity

Alerts on Threat Patterns

Useful links

Webinars: join our upcoming webinars and watch the recorded sessions

• netwrix.com/webinars

• netwrix.com/webinars#featured

Upcoming webinar: Join Liam Cleary and Jeff Melnick to learn the core tenets of SharePoint security: https://try.netwrix.com/the_3_pillars_of_sharepoint_security

Questions?

Prize Drawing

Thank you!

Liam Cleary, CEO/Owner, SharePlicity

Jeff Melnick, Systems Engineer, Netwrix Corporation