Microsoft Secure Score
User app registration - exploitable for BEC?
Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox and hijacking a thread. I can see the login from two weeks ago (the incident was only noticed a couple of days ago, however) - from a European country that SHOULD have been blocked by Conditional Access. Come to find out, the tenant Conditional Access was unassigned from everyone. We're not sure how - we re-enabled it, and audited changes, but the only change that appears was us re-enabling it. Which I thought indicates it was never configured right, except we've got a ticket documenting a change to Conditional Access a couple of days after the hack that ALSO does not appear in the logs. So... it's likely it was changed, yet I have no record of that change (at least, not through Entra > Monitoring > Auditing). If anyone knows any other ways of checking this, please advise - but I can't seem to even access our Diagnostic settings; the page tells me I need an Azure Active Directory subscription (I'm on Entra ID P1, which includes AAD.... this might be related to being Global Admin, and not Security Admin - we don't use that role in this relationship).

ANYWAY, my amateur forensic skills have found that the attacker used an app called eM Client to get access. I'm not sure yet how they obtained the password and got past MFA... But quick research shows this application (esp. its Pro version) is known for use in BEC. The app was registered in Entra, and granted certain read permissions in Entra ID for shared mailboxes, presumably to find a decent thread to hijack. I'm not 100% sure yet there was any actual exploit done using this app, but its popularity amongst hackers implies it does SOMETHING useful (I think I remember that it authenticates using Exchange Web Services instead of Exchange Online, or something similar? Will update when I have the chance to check).
We're in the process of improving our Secure Score, and this incident makes me think users' ability to register apps should be locked down. Checked Secure Score for this, and while there ARE recommendations around apps, disabling user app registration is NOT one of them. Just curious about people's thoughts. I just barely understand App Registration in Entra, but if this is a known attack vector, I would think disabling app registration would be a security recommendation?

Secure Score Improvement Recommended actions information sheet
Hello All, I am starting a project to improve our Secure Score following the "Recommended Actions" section in the M365 Defender portal. Now each action comes with its own set of general information and remediation options. Rather than get the actions on each of the 208 recommendations by clicking through all the tabs and recording every step required to complete the recommendation, does anyone know if Microsoft has an Excel sheet with all the relevant Secure Score improvement actions/information in one place? Will make running this project so much easier! Thanks in advance! Kind Regards, Christo

Secure Score - Secure Home Folders in macOS
I've performed the recommended manual remediation action (sudo chmod -R og-rw /Users/) on my Macs but Secure Score doesn't recognize it. I have noticed this occurring for a few items. We have also remediated some things through Intune but still seem to have no movement on the Secure Score. Is this a glitch within it, or am I missing something altogether? Thanks

Secure Score - Enable conditional access policies to block legacy authentication.
Hi all, it tells me to block legacy authentication for all users; however, I have already done so by configuring Conditional Access. Does anyone else have the same report despite the fact that we have already implemented blocking?

Secure Score Dropped including the last 6 months
I have been registering a customer's Secure Score for at least 6 months. Suddenly the score dropped from about 92% to 84%, and checking the history it looks like we never met a score above 90%, but we have evidence of it, including weekly meetings registering the score with close follow-up. I need Microsoft to explain how the score has dropped if we don't have regressed points, and it doesn't matter whether it regressed, since the history has been changed for the past months and we can't recover more than 6 months. I understand that daily we have new items allocated to Secure Score, but how is it possible that it changes without a history record? I need this explanation since I can't see any possible reason other than a Microsoft bug in the Secure Score tool.

How much time does it take to update Secure Score on the Defender portal?
Hi Folks, I have marked some of the recommended actions on Secure Score as "third party" or "alternate mitigation". Even after 10 hours I can see the action is still marked as "to be addressed". How much time does it take for changes to show up there? And also, how much time will it take for this to get added to my cumulative Secure Score?

Outgoing mail is considered spam
Hi, I have a user in our tenant who sends emails to multiple people at one time. The maximum number is 200 recipients at a time per day. This concerns 1 email with, for example, 200 recipients. Now, after the email has been sent, this user is marked as spam and the account is blocked. When I then look at the reason, it says Domain reputation. The user also remains within Microsoft's sending limits. How can I find out, or where can I see within O365, what the exact reason is why this user is blocked and the email is considered spam? There are several users who do this and do not receive any notifications. Can someone help me with this? Kind regards, Jacob

Settings Catalog Policies that are set as Blocked are being detected as Audited
Hello, Our Settings Catalog ASR policies that are set as Blocked are being detected as Audited within Secure Score. It seems to have started on 11/13. The rules that have been impacted:

- Block untrusted and unsigned processes that run from USB
- Block Adobe Reader from creating child processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block persistence through WMI event subscription
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block Office communication application from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts

I have updated my policy in the hopes that it redetects that everything is set to Blocked; will update this post if it works. *Update* It sadly does not. Thank you very much,