My key takeaways
- External-to-internal BEC mail passes all technical email checks such as SPF, DKIM and DMARC
- Internal-to-internal BEC mail bypasses anti-spam solutions
- Get comfortable with PowerShell to interact with M365
- Since Jan 2019, MS has enabled mailbox auditing for Exchange Online
- The CrowdStrike Reporting Tool (CRT) also reviews excessive permissions in Azure AD
- If you suspect a compromised account, start with a tenant-wide investigation
- Less frequently used folders like Archive, Junk Mail and RSS Feeds are common places for the attacker to store interesting mail for later review
- Many threat actors operate in UTC+03; the time zone of the activity may be a good indicator
- Mitigate with long passwords (15+ chars), MFA, and disabling auto-forwarding to external domains
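Added example (my own, not from the webcast) tying together the PowerShell, inbox-rule and external-forwarding takeaways: it walks every mailbox in the tenant and flags rules that forward or redirect outside the accepted domains, delete mail, or file it into the odd folders mentioned above. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account that can read inbox rules; the output file name is mine.

```powershell
# Added example (not from the webcast): enumerate inbox rules across all mailboxes and flag
# the patterns BEC actors commonly leave behind. Assumes the ExchangeOnlineManagement module
# is installed and Connect-ExchangeOnline has already been run.
$internalDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddresses {
    param([string[]]$Recipients)
    # Recipients render as '"Name" [SMTP:user@domain.tld]' (external) or '"Name" [EX:/o=...]'
    # (internal). Extract SMTP addresses and keep those outside the tenant's accepted domains.
    foreach ($r in $Recipients) {
        if ("$r" -match '(?i)smtp:([^\s>\]]+)') {
            $addr   = $Matches[1]
            $domain = ($addr -split '@')[-1]
            if ($internalDomains -notcontains $domain) { $addr }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # Any of these three actions can leak mail out of the tenant
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = Get-ExternalAddresses -Recipients ($targets | Where-Object { $_ })
        $reasons  = @()
        if ($external)          { $reasons += "forwards externally to: $($external -join ', ')" }
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }
        # Rarely browsed folders are a favourite hiding place for diverted mail
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Junk|Archive|Conversation History') {
            $reasons += "moves to $($rule.MoveToFolder)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Findings = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Keep a copy for the case file (path is an assumption)
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation
```

A hit is a lead, not a verdict: confirm who created the rule and when with the mailbox audit log (New-InboxRule / Set-InboxRule events) before treating the account as compromised.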
Env
- Provided by BHIS
Speaker
- Derek Banks
- Troy Wojewoda
- Hal Denton
Additional links
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- Script for connecting with PowerShell to all services
- https://github.com/CrowdStrike/CRT
- https://github.com/cisagov/Sparrow
- https://cloudforensicator.com
- http://virustotal.github.io/yara/
- Script for auditing all users' inbox rules