Connecting the Dots Around O365 Advanced Security

May 25, 2018

Let me paint you a picture… We’ll assume you have (or have before) a compromised account somewhere. Now assume that instead of leveraging that compromised account to send out SPAM (and getting caught quickly), the attacker lurks, looking for what it needs to make changes in the payroll system (say changing direct deposit) or in the student registration system (un-enrolling and receiving the refund). These are real stories. Let me walk you through the payroll scenario with a bit more detail.

  • Compromised account (Social Engineering)
  • Attacker scours for keywords (Payroll, HR, etc)
  • Stumbles across the Payroll system and gains access
  • Changes Direct Deposit info for employee
  • Creates rules in outlook to delete messages notifying the employee of the change
  • Employee fails to receive paycheck

This is a real attack and it has occurred in multiple enterprises causing over $500k in misdirected payroll in one instance. So, what do you do? You leverage all the tools at your disposal to identify and remediate this attack.

The answer to this attack and others like it does not lie in a single product. It really lies in the power of a solution that leverages the M365 platform as a whole. The solution is a series of settings, configuration, and scripts that use the whole M365 stack- we call it Phish Hunter.

Phish Hunter is a comprehensive approach for combating compromised accounts using ASM, ATP, Power BI, Flow AADP, and Azure. The idea is to add local insights to cloud intelligence and edge enforcement. ATP and AADP P2 provide automatic protection at the edge while ASM and AADP P1 provide insights into the environment to find and profile attacks. Flow and Azure automate the remediation of compromised accounts based upon known attack profiles and their associated risk profile. Power BI, ATP, and AADP P1 can then be used to push tenant-specific insights to the edge for additional protection against current and future attacks via Conditional Access and SafeLinks.

So what do you need to get this going? While some very basic elements can be had for the price of an E3 Office 365 license, the real admission starts with M365-E3 and the real powerful features comes with a ticket labeled M365-E5.

 

Phish Hunter Features by Solution

Microsoft M365 E3

  • Azure Active Directory P1 conditional access policies and MFA block attackers from signing in to Office 365.
  • Microsoft Cloud App Security provides forensic behavioral data with event enrichment and multiple pivots for attack investigation, maintains known attack signature policies, and tracks indications of compromise for discovering unknown attacks.

Microsoft M365 E5

  • Office 365 Advanced Threat Protection protects users from phishing URLs at time-of-click and allows attack URL blocking.
  • Office 365 Threat Intelligence defeats outbound phishing obfuscation with enhanced message reporting and correlation.
  • Azure Active Directory P2 baselines and monitors user logins, detect anomalies, and applies risk tags to accounts and sessions.
  • Microsoft Cloud App Security for Non-O365 apps provides forensic behavioral data with event enrichment and multiple pivots for attack investigation, maintains known attack signature policies, and tracks indications of compromise for discovering unknown attacks.
  • Power BI visually correlates data gathered from threat assessments and indications of compromise in order to determine likely sources of compromise and common attack vectors.
  • Azure Automation dramatically reduces response times by enforcing account protection, and remediation based on risk.
  • Azure Machine Learning reduces the time and complexity of attack detection and trains environment-specific models

So it’s time to get proactive around security and stop these attacks before they happen in your environment. Reach out to your Planet Cloud Strategist today to find out more details.