February 24

Webinar takeaway – How to Detect and Respond to Business Email (M365) Compromise


My key takeaways

  • External-to-internal BEC passes all technical security measures such as SPF, DKIM and DMARC
  • Internal-to-internal BEC bypasses anti-spam solutions
  • Get comfortable with PowerShell to interact with M365
  • Since Jan 2019 Microsoft has enabled mailbox auditing by default for Exchange Online
  • The CrowdStrike Reporting Tool also reviews excessive permissions in Azure AD
  • If you suspect you have a compromised account, start with a tenant-wide investigation
  • Less frequently used folders such as Archive, Junk Mail and RSS Feeds are common places for the attacker to park interesting mail for their own further review
  • Many threat actors operate in UTC+03; activity timestamps consistent with that time zone may be a good indicator
  • Mitigate with long passwords (15+ characters), MFA, and disabling auto-forwarding to external domains
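The takeaways above (tenant-wide investigation, mailbox auditing, hidden folders, UTC-based timing, external auto-forwarding) can be worked through in one Exchange Online PowerShell triage script. The script below is an added example, not code from the webinar or from BHIS; it assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and that the folder names in `$hideFolders` match your tenant's naming.

```powershell
# Added example (not from the webinar): tenant-wide triage of inbox rules and
# mailbox forwarding in Exchange Online, plus a look at who changed rules and when.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; expect an MFA prompt

# 1. Confirm mailbox auditing is on at the organisation level. It has been on by
#    default since Jan 2019, so AuditDisabled = $true means someone switched it off.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning "Mailbox auditing is DISABLED tenant-wide" }

# 2. Any forward/redirect target outside the tenant's accepted domains is 'external'.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipients render as '"Name" [SMTP:user@domain]' or as a plain address;
    # pull the domain out with a regex and compare it to the accepted-domain list.
    if ($Address -match '([\w.+-]+)@([\w.-]+)') {
        return ($internalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

# Folders attackers favour for hiding replies (assumed names; adjust to your tenant).
$hideFolders = @('Archive', 'Junk Email', 'RSS Feeds', 'Conversation History', 'Deleted Items')

# 3. Walk every mailbox and flag rules that forward out, delete, or bury mail.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        $reasons = @()
        if ($targets | Where-Object { Test-ExternalAddress $_.ToString() }) { $reasons += 'ForwardsExternally' }
        if ($rule.DeleteMessage) { $reasons += 'DeletesMail' }
        if ($rule.MoveToFolder) {
            # MoveToFolder renders as 'user@domain:\Folder'; keep only the leaf folder name
            $leaf = ($rule.MoveToFolder.ToString() -split '\\')[-1]
            if ($hideFolders -contains $leaf) { $reasons += 'MovesToHiddenFolder' }
        }
        # Rules named with a single character or punctuation are a common evasion pattern
        if ($rule.Name.Trim().Length -le 2) { $reasons += 'SuspiciousName' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join ','
            }
        }
    }
    # Mailbox-level forwarding set outside of inbox rules
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress.ToString())) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; RuleName = '<mailbox forwarding>'
                           Enabled = $true; Reasons = 'ForwardsExternally' }
    }
}
$findings | Format-Table -AutoSize

# 4. Who created or changed rules in the last 30 days, from which IP, and at what UTC hour?
#    CreationTime in AuditData is already UTC, so the hour can be read directly.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox -ResultSize 5000

$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc       = $d.CreationTime
        HourUtc       = ([datetime]$d.CreationTime).Hour
        HourAtUtcPlus3 = (([datetime]$d.CreationTime).Hour + 3) % 24   # heuristic from the takeaways
        User          = $d.UserId
        Operation     = $d.Operation
        ClientIP      = $d.ClientIP
    }
} | Sort-Object TimeUtc | Format-Table -AutoSize

# 5. Hard mitigation: block auto-forwarding to external recipients tenant-wide.
#    Uncomment once you have confirmed no legitimate business process depends on it.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Run the rule sweep first: a rule that forwards externally, deletes mail, or moves it into Archive, Junk or RSS Feeds on a mailbox whose owner did not create it is the classic BEC footprint. The audit-log pass then tells you which account made the change, from which client IP, and at what hour; rule changes clustering in what would be working hours at UTC+03 while the owner is asleep are worth escalating. The `HourAtUtcPlus3` column is only a timing heuristic, not proof of origin.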

Env

  • Provided by BHIS

  • Speaker

    • Derek Banks
    • Troy Wojewoda
    • Hal Denton

additional links

Tags

blue team, fraud
