Term | Description | Link(s) |
---|---|---|
Alias | Another email address that people can use to reach the same mailbox. | |
App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
Alternate email address | Required for admins to receive important notifications or to reset the admin password; it cannot be modified by end users. | |
AuditAdmin | | |
AuditDelegate | | |
Delegate | An account with assigned permissions to a mailbox. | |
Display Name | Name that appears in the Address Book and on the To and From lines of an email. | |
EAC | "Exchange Admin Center" | |
HardDelete | A message is purged from the Recoverable Items folder. | |
Identity | | |
Inactive mailbox | Used when an organization needs to retain mailbox content for former employees longer than the 30-day period. | ref |
Product license | | |
Litigation Hold | | |
Tenant | An Office 365 organization. Within the overall O365 data center (the "apartment" complex), your organization is a "tenant" inside the "apartment". It is the container for your organization's items such as users, domains, subscriptions, etc. | |
SoftDelete | A message was deleted from the Deleted Items folder. | |
Trace | As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message is more than 7 days old, the results can only be viewed in a downloadable .CSV file. | ref |
UAL | "Unified Audit Log"; a central log where data from the following services is logged: SharePoint, Exchange, Sway, Microsoft Teams, OneDrive, Azure Active Directory, Power BI. | ref |
UPN | The user principal name. | |
Parameter | Schema | Timezone | Description |
---|---|---|---|
CreationTime | AuditRecord | UTC | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. |
itemCreationTime | SharePointMetadata | UTC | Timestamp in UTC of when the event was logged. |
LastLogonTime | | | |
LastModifiedTime | SharePointMetadata | UTC | Timestamp in UTC for when the document was last modified. |
LastPasswordChangeTimestamp | | | |
Sent | ExchangeMetadata | UTC | The time in UTC when the email was sent. |
Parameter | Schema | Description |
---|---|---|
ActorIpAddress | Azure Active Directory | The actor's IP address. |
ClientIp | AuditRecord | The IP address of the device that was used when the activity was logged. |
ClientIPAddress | Exchange Mailbox | The IP address of the device that was used when the operation was logged. |
SenderIp | Office 365 Advanced Threat Protection and Threat Intelligence | The IP address that submitted the email to Office 365. |
- Business Plans, E5, E3 and E1
- Can be via a phone or via mobile app
- Send me a code by text message
- Call
- Receive notifications for verification or Use verification code
- Will require a phone # as a backup anyway
If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup
- forcing new users to change their password after initial login is enabled by default
Role | Description | Admin | Link(s) |
---|---|---|---|
User | This user won't have permissions to the Office 365 admin center or any admin tasks. This is the default option when creating a new user. | No | |
Global administrator | This user will have access to all features in the admin center and can perform all tasks in the Office 365 admin center. | Yes | |
Customized administrator | You can assign this user one or many roles so they can manage specific areas of Office 365. | Yes | |
Resource to use | Requires Permission / Roles |
---|---|
Audit Log Search | Global administrator, or be added to the Security & Compliance Center role groups, Compliance Manager or Organization Management. |
MFA is enabled per user. This means that if a user has MFA enabled, they won't be able to use a non-browser client, such as Outlook 2013 with Office 365, until they create an app password. An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
- Admin portal
- Azure Active Directory Portal
- Exchange admin center (EAC)
- Security & Compliance Center / eDiscovery
- Use multi-factor authentication (MFA)
- Enforcing Multi-Factor Authentication for External Users on SharePoint Online ref
- Use Office 365 Cloud App Security
- Secure mail flow
- Enable mailbox audit logging
- Currently, this can only be enabled via PowerShell and not via the EAC. Get all mailboxes in the tenant (includes Shared, Room and Discovery mailboxes) and enable audit logging across all of them:

```powershell
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems
```
- Configure Data Loss Prevention (DLP)
- Use Customer Lockbox
- Use Office 365 Secure Score
- Create a Strong Password Policy
- Rights Management (Rights management requires E3 license or Azure rights management add-on license.)
- API schema
- Web portals limit how many days you can go back for logs (30?)
- Entries in the mailbox audit log are retained for 90 days by default.
- The date and time (in UTC format) when the event occurred.
- Properties
Module | cmdlet |
---|---|
Exchange | Search-UnifiedAuditLog |
Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2015 to specify September 1, 2015. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2015 5:00 PM". If you don't include a timestamp in the value for this parameter, the default timestamp is 12:00 AM (midnight) on the specified date.
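An added example (not from these notes) of pulling a date range out of the Unified Audit Log with Search-UnifiedAuditLog. Passing [datetime] objects instead of short-date strings sidesteps the regional date-format issue described above, and the SessionId/SessionCommand pair pages through result sets larger than the 5,000 records a single call returns. It assumes an Exchange Online PowerShell session is already connected (Connect-ExchangeOnline); the function name Export-AuditLogRange and its parameters are my own, while the Search-UnifiedAuditLog parameters are the cmdlet's documented ones.

```powershell
# Added example, not part of the original notes. Requires a connected
# Exchange Online PowerShell session (Connect-ExchangeOnline).
function Export-AuditLogRange {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,   # [datetime] objects avoid short-date ambiguity
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations,                         # e.g. MailboxLogin, New-InboxRule, UserLoggedIn
        [string[]]$UserIds,                            # UPNs to restrict the search to
        [Parameter(Mandatory)][string]$OutFile         # one AuditData JSON document per line
    )
    # A fresh SessionId starts a paging session; ReturnLargeSet keeps handing back
    # the next page (5,000 per call, 50,000 per session) until it comes back empty.
    $sessionId = [guid]::NewGuid().ToString()
    $total = 0
    do {
        $splat = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            ResultSize     = 5000
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($Operations) { $splat.Operations = $Operations }
        if ($UserIds)    { $splat.UserIds    = $UserIds }

        $page = @(Search-UnifiedAuditLog @splat)
        foreach ($record in $page) {
            # AuditData is already a JSON string; append it as JSON Lines for offline parsing
            Add-Content -Path $OutFile -Value $record.AuditData
        }
        $total += $page.Count
    } while ($page.Count -gt 0)

    if ($total -ge 50000) {
        Write-Warning "Session limit reached; split the date range into smaller windows and export each one."
    }
    return $total
}

# Usage: export every MailboxLogin and New-InboxRule record from the last 30 days.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-30)
Export-AuditLogRange -StartDate $start -EndDate $end -Operations MailboxLogin, New-InboxRule -OutFile '.\ual-last-30-days.jsonl'
```

Writing the raw AuditData JSON to a file keeps the original evidence intact; any stacking or filtering can then be done offline against the file rather than by re-querying the tenant, which matters when the 90-day window is about to expire.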
- By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This setting can’t be changed in a cloud-based organization.
- Entries in the mailbox audit log are retained for 90 days by default.
- Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators.
- By default, owner audit logging is not turned on. It should only be used if you have to investigate an action by the owner of the mailbox. It should be used for a limited time period, approximately two weeks. **This is because the audit log entries are stored in the mailbox, and this may cause the mailbox dumpster to exceed the size limit.**
- Number of Tenants
- Number of Users
- Is mailbox auditing enabled on each mailbox?
- Was email sent to individual email address or a DL? If latter, who/how many people are part of it?
- Provide original .eml/.msg of the email(s)
- Provide the original attachment
- Any IOCs / notes / remediation steps taken
- Any reports deemed appropriate (e.g. Email activity, Mailbox usage, Non-Owner Mailbox Access etc.)
- An account with the Audit Logs role attached; determine if you want/need MFA or an app password added for extra security
Users have to be assigned permissions in Exchange Online to turn audit log search on or off. If you assign users the Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to turn audit log search on or off. This is because the underlying cmdlet is an Exchange Online cmdlet.
The Audit Logs role won't permit you to:
- use the Search-Mailbox cmdlet
- read users' emails
- search users' emails to determine if an IOC was contained in them
- download users' mailboxes
- download email attachments
- Verify the account created for your DFIR work has the proper permissions
- Verify if/which accounts have mailbox auditing enabled:

```powershell
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name, UserPrincipalName, AuditEnabled, AuditDelegate, AuditAdmin, AuditLogAgeLimit
```

A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled. To list the mailboxes where it is still off:

```powershell
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } | Select Name, UserPrincipalName, AuditEnabled, AuditDelegate, AuditAdmin
```

All mailbox actions for all users:

```powershell
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | ForEach-Object { Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
```
- List of all delegates
  - Pivot for their activity
- List of all global admins
  - Pivot for their activity
- List of users who have aliases
- Search UAL for IOCs
  - What other accounts did the IP log in as?
  - Who else received said email? (admin privs needed?)
- New accounts created
  - Azure Active Directory user account
  - O365 user account
  - Exchange Online mailbox
- If the email was sent to a DL, list all members of said DL:
```powershell
# Get all distribution groups from Office 365
$OutputFile = "<output file>"   # path of the CSV to write
$objDistributionGroups = Get-DistributionGroup -ResultSize Unlimited
# Iterate through all groups, one at a time
foreach ($objDistributionGroup in $objDistributionGroups)
{
    Write-Host "Processing $($objDistributionGroup.DisplayName)..."
    # Get members of this group (ResultSize Unlimited: the default caps at 1000)
    $objDGMembers = @(Get-DistributionGroupMember -Identity $objDistributionGroup.PrimarySmtpAddress -ResultSize Unlimited)
    Write-Host "Found $($objDGMembers.Count) members..."
    # Write one CSV row per member; Export-Csv needs an object with properties,
    # piping a formatted string would only export the string's Length
    foreach ($objMember in $objDGMembers)
    {
        [pscustomobject]@{
            GroupDisplayName  = $objDistributionGroup.DisplayName
            GroupAddress      = $objDistributionGroup.PrimarySmtpAddress
            MemberDisplayName = $objMember.DisplayName
            MemberAddress     = $objMember.PrimarySmtpAddress
            MemberType        = $objMember.RecipientType
        } | Export-Csv -Path $OutputFile -NoTypeInformation -Append
    }
}
```
- InboxRules
- Delegates
- Shared Mailboxes
  - SendOnBehalfOf
  - SendAs
- Forwarding
- Outlook Homepage
- Custom Forms
- New account creation
- eDiscovery searches
- InboxRules
- Forwarding
- Delegates
- View a list of mobile devices for a specific user:

```powershell
Get-MobileDevice -Mailbox <useralias>
```

- For all users: ref
- Stack on Client (which will show the device used), LogonType, ExternalAccess and UserAgent
- Members of eDiscovery Administrators can perform an export
- ActiveSync

```powershell
Set-CASMailbox -Identity <user alias> -ActiveSyncEnabled $true
```

- POP3 / IMAP4: POP is enabled by default for all users.
- Exchange Web Services (EWS)
- If ActiveSync logging is enabled:

```powershell
Get-MobileDeviceStatistics -Mailbox <user alias> -GetMailboxLog:$true -NotificationEmailAddresses "<admin address>"
```
- OWA – Outlook Web Access/Webmail
- MAPI – Outlook Desktop Application
- EAS – Exchange ActiveSync, most modern smartphones
- IMAP – Older email clients/Blackberries
- POP3 – Outlook Express etc
- EWS – Exchange Web Services
- MOWA – Mobile Outlook Web Access
- REST – via REST API
- Outlook – Outlook client
Validate these; some are probably deprecated in favour of Graph.
- Get-ConnectionByClientTypeReport - produces overview report for which connection types are being used
- Get-ConnectionByClientTypeDetailReport - Provides details on how each user accesses their own mailbox.
- Get-MobileDeviceStatistics
- New-MailboxRestoreRequest
- Get-MailboxRestoreRequest
Restore vs. Recover vs. Archiving
When you recover an inactive mailbox, the mailbox is basically converted to a new mailbox, the contents and folder structure of the inactive mailbox are retained, and the mailbox is linked to a new user account. After it's recovered, the inactive mailbox no longer exists, and any changes made to the content in the new mailbox will affect the content that was originally on hold in the inactive mailbox. Conversely, when you restore an inactive mailbox, the contents are merely copied to another mailbox. The inactive mailbox is preserved and remains an inactive mailbox. Any changes made to the content in the target mailbox won't affect the original content held in the inactive mailbox. The inactive mailbox can still be searched by using In-Place eDiscovery, its contents can be restored to another mailbox, or it can be recovered or deleted at a later
- RetainDeletedItemsFor (mailbox property) is typically set to 14 days when a new mailbox is created in Exchange Online (maximum value is 30).
- Archiving: the archive policy that is part of the default Exchange retention policy assigned to Exchange Online mailboxes will move items that are two years or older to the archive mailbox. If you don't enable the archive mailbox, items older than two years will remain in the user's primary mailbox. (https://support.office.com/en-us/article/enable-archive-mailboxes-in-the-office-365-security-compliance-center-268a109e-7843-405b-bb3d-b9393b2342ce?ui=en-US&rs=en-US&ad=
- Remove-MsolUser
- Remove-Mailbox
- New users created (X operation in UAL)
- Users with multiple sessions
- Login type & geo-location info
- Stack logins (MailboxLogin)
  - Failed logins before successful login
- Logins / login attempts per IP address
- IP addresses successfully logged in to 1+ accounts
- Password resets
- Delegation added
- Member added to role
- Service principal added
- Inbox rules
  - Delete messages
  - Archive to certain folder
  - Forward rules
- SendAs
- SendOnBehalf
- Identify any unauthorized mailbox access
  - Non-owners: access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators.
  - External users: access by Microsoft datacenter administrators.
  - Administrators and delegated users: access by administrators and delegated users inside your organization.
  - Administrators: access by administrators in your organization.
- Emails deleted by user (admin privs needed?)
- Determine if anyone downloaded / exported a user's inbox
- Any communication or file syncing done via Drafts or Calendar?
- Was a message viewed? The MessageBind action will indicate whether or not a message was viewed in the preview pane or opened.
- Was a folder accessed? The FolderBind action will indicate whether or not a mailbox folder was accessed. This operation indicates the times at which the mailbox is accessed by a non-owner. This is the most common operation. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.
- Any unauthorized eDiscovery searches performed?
- Add-MailboxPermission
- Policy / Config / App installed
- file created
- file accessed
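The login-stacking items in the list above (stack MailboxLogin, failed logins before a successful one, attempts per IP address, IPs that reached more than one account) as an added PowerShell example that is not part of the original notes. It runs offline on constructed records shaped like Search-UnifiedAuditLog output; the function names are my own, and it assumes AuditData carries UserId, ResultStatus and either ClientIP (Azure AD sign-in records) or ClientIPAddress (Exchange MailboxLogin records).

```powershell
# Added example, not part of the original notes. $SampleRecords is constructed;
# in real use replace it with, e.g.:
#   Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations MailboxLogin,UserLoggedIn,UserLoginFailed -ResultSize 5000
$SampleRecords = @(
    [pscustomobject]@{ CreationDate = '2019-06-03T08:01:00Z'; AuditData = '{"Operation":"UserLoginFailed","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T08:02:00Z'; AuditData = '{"Operation":"UserLoginFailed","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T08:03:00Z'; AuditData = '{"Operation":"UserLoginFailed","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T08:05:00Z'; AuditData = '{"Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","ResultStatus":"Succeeded","Workload":"AzureActiveDirectory"}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T08:20:00Z'; AuditData = '{"Operation":"MailboxLogin","UserId":"bob@contoso.example","ClientIPAddress":"203.0.113.5","LogonType":0,"ResultStatus":"Succeeded","Workload":"Exchange"}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T09:00:00Z'; AuditData = '{"Operation":"UserLoggedIn","UserId":"carol@contoso.example","ClientIP":"198.51.100.7:61234","ResultStatus":"Succeeded","Workload":"AzureActiveDirectory"}' }
)

function Expand-AuditRecord {
    # Flatten each record's AuditData JSON into one sign-in event object.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        # Azure AD records use ClientIP, Exchange mailbox records use ClientIPAddress
        $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        # some workloads append a source port; strip it so the same host stacks together
        if ($ip -and $ip -match '^(\d{1,3}(\.\d{1,3}){3}):\d+$') { $ip = $Matches[1] }
        [pscustomobject]@{
            Time      = ([datetime]$r.CreationDate).ToUniversalTime()
            User      = $d.UserId
            Ip        = $ip
            Operation = $d.Operation
            LogonType = $d.LogonType          # MailboxLogin only: 0 owner, 1 admin, 2 delegate
            Succeeded = ($d.ResultStatus -eq 'Succeeded')
            Workload  = $d.Workload
        }
    }
}

function Get-LoginsByIp {
    # Attempts, successes and distinct accounts reached, per source IP.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Ip } | Group-Object Ip | ForEach-Object {
        [pscustomobject]@{
            Ip        = $_.Name
            Attempts  = $_.Count
            Successes = @($_.Group | Where-Object Succeeded).Count
            Accounts  = @($_.Group | Where-Object Succeeded | Select-Object -ExpandProperty User -Unique)
        }
    } | Sort-Object Attempts -Descending
}

function Get-MultiAccountIps {
    # IPs that successfully signed in to more than one account.
    param([Parameter(Mandatory)][object[]]$Events)
    Get-LoginsByIp $Events | Where-Object { $_.Accounts.Count -gt 1 }
}

function Get-FailedThenSuccess {
    # Per user and IP, count failures that precede the first success from that IP.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object User, Ip | ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        $first   = $ordered | Where-Object Succeeded | Select-Object -First 1
        if (-not $first) { return }
        $failed = @($ordered | Where-Object { -not $_.Succeeded -and $_.Time -lt $first.Time }).Count
        if ($failed -gt 0) {
            [pscustomobject]@{
                User = $_.Group[0].User; Ip = $_.Group[0].Ip
                FailuresBeforeSuccess = $failed; FirstSuccess = $first.Time
            }
        }
    }
}

$events = Expand-AuditRecord $SampleRecords
Get-LoginsByIp $events | Format-Table -AutoSize
Get-MultiAccountIps $events | Select-Object Ip, @{ n = 'Accounts'; e = { $_.Accounts -join ', ' } }
Get-FailedThenSuccess $events | Format-Table -AutoSize
```

On the constructed data, 203.0.113.5 shows up in all three views: six attempts, successful sign-ins to both alice and bob, and three failures against alice before the first success. Each view is a separate function so the same expanded events can be re-stacked on LogonType or Workload without re-parsing the JSON.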
- Number of Tenants
- Number of Users
- Number of Users without MFA
- Number of Users without app passwords
- Number of Unlicensed users
- Number of Users on Litigation Hold
- Number of Operations per user
- Number of IPs per Identity
- Number of Users never logged in:

```powershell
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Get-MailboxStatistics | Where-Object {$_.LastLogonTime -eq $null} | Select DisplayName, LastLogonTime
```

- Number of Inactive users in the last 90 / 60 / 30 days
- Search AAD & Exchange Online:

```powershell
Get-Mailbox -InactiveMailboxOnly | FL Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress
```

- Number of Users with email synced to more than one device / accessed from more than one device? Might be difficult; essentially, if the attacker synced the account via an email client.
- MailboxLogin
- PasswordLogonInitialAuthUsingPassword
- LastLoggedOnUserAccount
- Add-ADPermission
- New-SafeAttachmentPolicy
- New-SafeAttachmentRule
- New-SafeLinksPolicy
- New-SafeLinksRule
- Set-SafeAttachmentRule
- Set-SafeLinksPolicy
- Set-SafeLinksRule
- Remove-IPBlocklistEntry
- Set-IPAllowListConfig
- New-ClientAccessRule
- New-OwaMailboxPolicy
- Set-OwaMailboxPolicy
- Set-TextMessagingAccount
- New-ActiveSyncDeviceAccessRule
- New-ActiveSyncMailboxPolicy
- Set-ActiveSyncDeviceAccessRule
- Set-ActiveSyncMailboxPolicy
- Export-ExchangeCertificate
- New-ExchangeCertificate
- Add-MailboxFolderPermission
- Add-MailboxPermission
- Add-RecipientPermission
- Enable-InboxRule
- Get-Mailbox
- Get-MailboxFolder
- New-InboxRule
- New-Mailbox
- New-MailboxExportRequest
- Remove-InboxRule
- Set-InboxRule
- Export-Message
- New-AcceptedDomain
- New-RemoteDomain
- Set-RemoteDomain
- Add-ManagementRoleEntry
- Add-RoleGroupMember
- New-ManagementRole
- New-ManagementRoleAssignment
- New-RoleAssignmentPolicy
- Add-PublicFolderAdministrativePermission
- Add-PublicFolderClientPermission
- Enable-MailPublicFolder
- New-OrganizationRelationship
- New-PublicFolder
- New-PublicFolderDatabase
- New-SharingPolicy
- Set-MailPublicFolder
- Set-OrganizationRelationship
- Set-PublicFolder
- Set-PublicFolderDatabase
- Set-SharingPolicy
- Add-DistributionGroupMember
- Enable-MailUser
- New-DistributionGroup
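The inbox-rule and forwarding checks listed earlier (delete messages, archive to a certain folder, forward rules) and the cmdlet watch list above, combined into one added PowerShell example that is not part of the original notes. It runs offline on constructed records shaped like Search-UnifiedAuditLog output, assumes ExchangeAdmin records carry a Parameters array of Name/Value pairs in AuditData, and uses function names of my own; the watched operation names are taken from the list above.

```powershell
# Added example, not part of the original notes. Filters UAL records for the
# Exchange admin cmdlets listed in these notes and flags inbox rules or mailbox
# settings that forward, redirect or hide mail. $SampleRecords is constructed.
$SampleRecords = @(
    [pscustomobject]@{ CreationDate = '2019-06-03T09:12:00Z'
        AuditData = '{"Operation":"New-InboxRule","UserId":"alice@contoso.example","ObjectId":"alice@contoso.example\\Invoices","ClientIP":"203.0.113.5:51321","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"ForwardTo","Value":"\"Payments\" [SMTP:payments@mail.example]"},{"Name":"DeleteMessage","Value":"True"}]}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T09:15:00Z'
        AuditData = '{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"bob@contoso.example","ClientIP":"203.0.113.5:51330","Parameters":[{"Name":"Identity","Value":"bob@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@contoso.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T09:20:00Z'
        AuditData = '{"Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","ObjectId":"carol@contoso.example","ClientIP":"198.51.100.7:40011","Parameters":[{"Name":"Identity","Value":"carol@contoso.example"},{"Name":"User","Value":"dave@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}' }
    [pscustomobject]@{ CreationDate = '2019-06-03T09:25:00Z'
        AuditData = '{"Operation":"Get-Mailbox","UserId":"admin@contoso.example","ObjectId":"carol@contoso.example","ClientIP":"198.51.100.7:40012","Parameters":[{"Name":"Identity","Value":"carol@contoso.example"}]}' }
)

# Operations worth reviewing (subset of the cmdlet list in these notes).
$WatchedOperations = @(
    'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'Set-Mailbox',
    'Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Add-RecipientPermission',
    'Add-RoleGroupMember', 'New-ManagementRoleAssignment', 'New-MailboxExportRequest'
)
# Parameters that send a copy of mail elsewhere, or hide it from the owner.
$ForwardingParams = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress')
$HidingParams     = @('DeleteMessage', 'MoveToFolder')

function Get-AdminOperation {
    # Expand watched records into flat objects with their cmdlet parameters as a hashtable.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$Operations = $WatchedOperations
    )
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -notin $Operations) { continue }
        $params = @{}
        foreach ($p in @($d.Parameters)) { if ($p) { $params[$p.Name] = [string]$p.Value } }
        [pscustomobject]@{
            Time       = ([datetime]$r.CreationDate).ToUniversalTime()
            Actor      = $d.UserId       # who ran the cmdlet
            Operation  = $d.Operation
            Target     = $d.ObjectId     # mailbox or rule the cmdlet acted on
            ClientIP   = $d.ClientIP
            Parameters = $params
        }
    }
}

function Get-MailFlowChange {
    # Flag operations that forward, redirect or hide mail; a forwarding target whose
    # domain is not one of the tenant's own is marked as external.
    param(
        [Parameter(Mandatory)][object[]]$Operations,
        [string[]]$InternalDomains = @()
    )
    foreach ($op in $Operations) {
        $reasons  = @()
        $external = $false
        foreach ($name in $op.Parameters.Keys) {
            $value = $op.Parameters[$name]
            if ($name -in $ForwardingParams) {
                $reasons += "$name=$value"
                # values look like "smtp:user@domain" or "Display Name [SMTP:user@domain]"
                $m = [regex]::Match($value, '[^\s\[\]":<>]+@[^\s\[\]":<>]+')
                if ($m.Success -and $InternalDomains) {
                    $domain = ($m.Value -split '@')[-1]
                    if ($domain -notin $InternalDomains) { $external = $true }
                }
            }
            elseif ($name -in $HidingParams -and $value -ne 'False') {
                $reasons += "$name=$value"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $op.Time; Actor = $op.Actor; Operation = $op.Operation
                Target = $op.Target; ClientIP = $op.ClientIP
                ExternalForward = $external; Reasons = ($reasons -join '; ')
            }
        }
    }
}

$ops = Get-AdminOperation $SampleRecords
$ops | Select-Object Time, Actor, Operation, Target, ClientIP | Format-Table -AutoSize
Get-MailFlowChange -Operations $ops -InternalDomains 'contoso.example' | Format-List
```

On the constructed data, three of the four records are on the watch list (Get-Mailbox is dropped), and two are mail-flow changes: the New-InboxRule forwards to mail.example and deletes the original, so it is reported with ExternalForward set to True, while the Set-Mailbox forward stays inside contoso.example and is reported with ExternalForward False. The Add-MailboxPermission grant is listed by Get-AdminOperation for the delegate review but is not a mail-flow change, which is why the two functions are kept separate.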
- Litigation Hold
- Blocking someone is a good idea when you think their password or username may have been compromised by someone else. This stops anyone from signing in as this user.
- Blocking doesn't stop the account from receiving email and it doesn't delete any data.