Cloud Era. Everything becoming Cloud now. But are you really looking into all the settings before you buy? Specially Security Services behind the Cloud ?
Most of the Cloud Service Vendors including Amazon, Google, IBM and Azure gives you the complete cloud services , but are they really come default with Security enhanced ? The answer is NO
Either you need to purchase the Security Solution separately or you need to deploy the security solutions by yourself to protect the Cloud which you purchases. Considering the scenario’s, Does Office 365 gives you complete security for your email?
I would say the answer is YES. But, if you haven’t tuned your security settings, consider that you have already compromised. Before you get compromised, Let’s look into Office 365 Settings you should know & should be monitored.
Microsoft Office 365 – Plan and Subscriptions available for customers:
Check what you have subscribed. Make sure you are using Office 365 Enterprise, which has lot of feature’s including
|Feature||ATP Plan 1||ATP Plan 2||Office 365 Enterprise E5|
|ATP for SharePoint,||Yes||Yes||Yes|
|Safe Links in Teams||Yes||Yes||Yes|
|Explorer (advanced threat investigation)||No||Yes||Yes|
|Automated investigation and response||No||Yes||Yes|
What can be monitored when you moved to Office 365?
|File and page activities||Folder activities||Sharing and access request activities|
|Synchronization activities||Site administration activities||Exchange mailbox activities|
|Sway activities||User administration activities||Azure administration activities|
|Application administration activities||Role administration activities||Directory administration activities|
|eDiscovery activities||Power BI activities||Microsoft Workplace Analytics|
|Microsoft Teams activities||Yammer activities||Microsoft Flow activities|
|Microsoft PowerApps activities||Microsoft Stream activities||Exchange admin activities|
Can you believe, we can create 198 different use cases in your SIEM to monitor you complete Office 365. All the use cases can be customized according to organization environment. Can’t you Believe? Click here to get the complete use Cases list to your organization
If you already migrated to Office 365, Have you ever came across any of your employee email account got compromise ? Do you know how to identify the compromised Account behaviors ?
10 Sign’s Which Confirm’s your Office 365 Email Account Compromised:
- Suspicious activity, such as missing or deleted emails from a particular account
- Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.
- The presence of inbox rules that weren’t created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.
- The user’s display name might be changed in the Global Address List
- The user’s mailbox is blocked from sending email.
- The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as “I’m stuck in London, send money.”
- Unusual profile changes, such as the name, the telephone number, or the postal code were updated.
- Unusual credential changes, such as multiple password changes are required.
- Mail forwarding was recently added and number of emails sent to internally or outside domains.
- An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
What are the Containment Steps you should follow when your Office 365 Email account Compromise?
- Disable the email account and user account immediately from the AD and Office 365
- Reset the password of the impacted user account immediately and Remove the user from administrative privileges in any of the system associated with email account
- Check the rules and email forwarding addresses from suspicious account, export all and save it and delete it from Mailbox
- If user has a OWA / Mobile Sync Enabled with his smartphones / laptops / any other systems enabled in Office 365, remove the sync and remove the device authorization
- Please check his account for any suspicious contacts / lot of contacts saved apart from local domain. Export all and save it and delete it from Mailbox
- Verify the Junk Email Option in the Outlook Client to confirm the “Safe Sender” and “Safe Recipients” list. If any other domain remove the senders list
- If the changes / compromise suspected to be performed from Microsoft make sure the account is enabled with “Customer Lockbox” option to avoid Microsoft support accessing particular account / entire office 365
- Check the user Outlook / Client for any suspicious Rules are enabled to forward / received any specific emails / user accounts from external domains
All the stages of security incident management can be effectively managed from Preparation, Identification, Containment, Mitigation, Lessons Learned are enriched in Office 365. Do you have the enough Skilled resources to enable the Office 365 Monitoring in our environment ?
IF your answer is NO, Please click here to fill the employer Form for Experts to Visit your environment to have the Security Enriched . Let us in & Let you Win !!!
Cloud is Better, But make sure you have guarded and shielded well.