Categories: Detect, Hunting

How to Safeguard Against Phishing Attacks Using .onmicrosoft.com Domains

In recent weeks, I have noticed a significant uptick in the use of “.onmicrosoft.com” domains for phishing attempts. It seems that the attackers have been setting up multiple trial Microsoft 365 accounts, automatically activating Exchange Online. They are exploiting this as a temporary method to send out phishing emails. At one point, I observed nearly […]

Categories: Detect, ENTRA ID, Identity

Detect when Entra ID guest account get blocked due to risk on home tenant

Imagine your organization’s Microsoft 365 tenant as your home. You wouldn’t welcome a stranger with unknown intentions and a shady introduction into your home, would you? Similarly, proactively identifying and mitigating risks associated with guest users in their home tenant is vital for safeguarding your organization’s data and resources within your tenant. It’s a common practice among organizations to […]

Categories: Detect, Hunting

Detect unusual email spikes from your SMTP Connector

In many organizations, the practice of utilizing a local SMTP server integrated with Exchange Online remains quite common. Depending on the SMTP service used, you have different possibilities both to secure the usage of the SMTP server and to get insights from its usage. One crucial area often overlooked is the monitoring of unusual spikes in outbound […]
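As an added example (not code from the original post), the following Python script shows the kind of check the excerpt is pointing at: a per-sender volume baseline over relay log lines, with an alert when one hour's outbound count jumps far above that sender's own median. The log format it parses is a constructed, simplified "timestamp,sender,recipient" CSV, and the sample data is generated inline; adapt parse_line() to whatever your relay or the Exchange Online message trace actually emits.

```python
"""Flag unusual outbound volume per sender in SMTP relay / connector logs.

Added example (not code from the original post). It assumes a simplified,
constructed CSV log line format "timestamp,sender,recipient"; adapt parse_line()
to whatever your relay or the Exchange Online message trace actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ,sender,recipient' into (utc datetime, sender)."""
    ts, sender, _recipient = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, sender.lower()


def window_start(when, window=timedelta(hours=1)):
    """Truncate a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    # timedelta // timedelta yields the whole number of windows since the epoch
    return epoch + window * ((when - epoch) // window)


def count_per_window(lines, window=timedelta(hours=1)):
    """Build sender -> {window_start: message count} from raw log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        when, sender = parse_line(line)
        counts[sender][window_start(when, window)] += 1
    return counts


def detect_spikes(lines, factor=5.0, min_count=20, min_history=3):
    """Return one alert per (sender, window) whose count is at least `factor`
    times the median of that sender's earlier windows and at least `min_count`.
    `min_count` stops a 1 -> 5 message change from paging anyone; `min_history`
    stops alerting before a baseline exists."""
    alerts = []
    for sender, windows in count_per_window(lines).items():
        history = []
        for start in sorted(windows):
            n = windows[start]
            if len(history) >= min_history:
                baseline = median(history)
                if n >= min_count and n >= factor * baseline:
                    alerts.append({"sender": sender, "window_start": start,
                                   "count": n, "baseline": baseline})
            history.append(n)
    return alerts


def make_sample_log():
    """Constructed sample: an ERP service account sends 2-3 mails an hour for
    four hours, then 40 in the fifth; a scanner sends 1 per hour throughout."""
    base = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    lines = []

    def add(sender, hour, n):
        for i in range(n):
            when = base + timedelta(hours=hour, minutes=i % 60)
            lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ},{sender},user{i}@partner.example")

    for hour, n in enumerate([2, 3, 2, 3]):
        add("erp@corp.example", hour, n)
    add("erp@corp.example", 4, 40)
    for hour in range(5):
        add("scanner@corp.example", hour, 1)
    return lines


if __name__ == "__main__":
    for a in detect_spikes(make_sample_log()):
        print(f"{a['window_start']:%Y-%m-%d %H:%M} {a['sender']}: "
              f"{a['count']} messages (baseline {a['baseline']})")
```

Using each sender's own median rather than a global threshold is deliberate: a bulk-mailing ERP account and a scanner that sends one mail an hour should not share a limit, and the median is not dragged up by the spike hour itself once it enters the history.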

Categories: ENTRA ID

Enable users to request access to auto forward emails outside the organization

A while back, Microsoft decided to start blocking end-users by default from being able to set up auto forwarding of emails outside the organization. This decision was partly taken due to the risk of data leakage and the common strategy of auto forwarding emails to an external email address once an attacker has compromised […]

Categories: Conditional Access, ENTRA ID, Identity

How to implement OATH TOTP Hardware tokens to Azure AD

When we start to implement MFA or Conditional Access in larger Azure AD environments with many different user types, you sometimes come across end-users that simply don’t have any possibility to answer an MFA challenge. It could be production users, external users, teachers or even students in some cases that simply have no device […]

Categories: Conditional Access, ENTRA ID, Identity, Passwordless

How to enable MFA Code Matching & Context in Azure AD Portal (Public Preview)

Microsoft has now released a new(ish) MFA method that will be available both for users running Passwordless and for regular authentication combined with MFA/Conditional Access, currently in Public Preview. With the new code matching, users will be required to type in a code within the Microsoft Authenticator app that will be presented by Microsoft when the end-user […]

Categories: Conditional Access, ENTRA ID

Block Access for all non-Intune MDM enrolled mobile devices in Conditional Access

During last week a customer had the need to make sure that all mobile devices that weren’t MDM enrolled into Intune should be blocked from accessing Azure AD resources using mobile apps. This was in order to start forcing specific users to MDM enroll their devices without having compliance policies in place within Intune. To achieve this, we will […]

Categories: ENTRA ID

Detect when compromised end-user connects to Azure-AD for reconnaissance

In the recent investigations of compromised Microsoft 365 tenants I’ve been involved in, we have seen that one of the first actions the attacker makes is connecting to Azure-AD as the compromised user. This is most likely to exfiltrate information about the employees and all other accounts that are present in your Azure-AD. In several cases, I’ve […]
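The behaviour described above leaves a trace in the sign-in log: an ordinary user suddenly authenticating with a directory-enumeration client. As an added example (not code from the original post), the Python below runs that check over constructed sign-in records shaped like Entra ID sign-in log entries. The appDisplayName values are the well-known first-party client names as they appear in the sign-in log, but verify them (and preferably key on appId as well) in your own tenant; ADMIN_TOOL_USERS is a hypothetical baseline of accounts that are expected to use such tools.

```python
"""Flag sign-ins where a user who does not normally do so starts using a
directory-enumeration client (PowerShell / Graph CLI) against Entra ID.

Added example, not code from the original post. SAMPLE_SIGNINS is constructed
to mirror the shape of Entra ID sign-in log records; ENUMERATION_CLIENTS holds
first-party client display names to verify against your own tenant, and
ADMIN_TOOL_USERS is a hypothetical baseline of accounts expected to use them.
"""

ENUMERATION_CLIENTS = {
    "Azure Active Directory PowerShell",
    "Microsoft Graph Command Line Tools",
    "Microsoft Azure CLI",
}
# Hypothetical baseline: accounts whose use of these clients is business as usual.
ADMIN_TOOL_USERS = {"admin@corp.example"}

# Constructed sample records (subset of the real sign-in log fields).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-03T07:55:00Z", "userPrincipalName": "admin@corp.example",
     "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T08:02:00Z", "userPrincipalName": "j.doe@corp.example",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.22",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T08:14:00Z", "userPrincipalName": "j.doe@corp.example",
     "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T08:20:00Z", "userPrincipalName": "k.lee@corp.example",
     "appDisplayName": "Microsoft Graph Command Line Tools", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}},
]


def error_code(signin):
    """errorCode from the status object; 0 means the sign-in succeeded."""
    return (signin.get("status") or {}).get("errorCode", -1)


def detect_recon_signins(signins, baseline=ADMIN_TOOL_USERS):
    """Return every sign-in with an enumeration client by a non-baseline user.
    Failed attempts are kept too: a spray against the same tooling from the
    same IP is context you want next to the successful one."""
    findings = []
    for s in signins:
        if s.get("appDisplayName") not in ENUMERATION_CLIENTS:
            continue
        upn = (s.get("userPrincipalName") or "").lower()
        if upn in baseline:
            continue
        code = error_code(s)
        findings.append({
            "when": s.get("createdDateTime"),
            "user": upn,
            "app": s["appDisplayName"],
            "ip": s.get("ipAddress"),
            "outcome": "success" if code == 0 else f"failed ({code})",
        })
    return findings


def successful_recon(signins, baseline=ADMIN_TOOL_USERS):
    """Only the sign-ins that actually got a token, i.e. enumeration was possible."""
    return [f for f in detect_recon_signins(signins, baseline) if f["outcome"] == "success"]


if __name__ == "__main__":
    for f in detect_recon_signins(SAMPLE_SIGNINS):
        print(f"{f['when']} {f['user']} via {f['app']} from {f['ip']}: {f['outcome']}")
```

The baseline set is what keeps this usable: without it every admin's daily PowerShell session is an alert. Build it from a few weeks of sign-in history rather than by hand, and review it when roles change.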

Categories: Conditional Access

Keeping track of Conditional Access changes

Conditional Access is an amazing feature within Azure-AD and is more or less the zero trust engine in the Microsoft 365 platform. It lets us gather a lot of signals from the end-user's sign-in process to decide how they should access the company data. We can for example make decisions based on location, device type, device OS, […]

Categories: Detect, ENTRA ID

Find changes in end-users MFA authentication methods

Not too long ago I was involved in a security incident where the attacker used phishing to gain access to several end-users' Microsoft 365 credentials. In this case, the customer didn’t have MFA or Conditional Access implemented, leaving them exposed to this type of general attack that unfortunately is really common. To make a long story short, […]
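Both this excerpt and the one on keeping track of Conditional Access changes come down to the same source: the Entra ID audit log, where policy edits and changes to a user's registered MFA methods are both recorded. As an added example serving both (not code from the original posts), the Python below reviews constructed audit entries for those two activity families. The records mirror the shape of Entra ID audit log entries (activityDisplayName, initiatedBy, targetResources); the activity display names are the ones the Conditional Access and Authentication Methods services write, but check them against your own tenant's log before relying on them, and APPROVED_CA_EDITORS is a hypothetical change-control allow-list.

```python
"""Review Entra ID audit log entries for Conditional Access policy changes and
for changes to users' MFA / security info.

Added example, not code from the original posts. SAMPLE_AUDIT is constructed to
mirror the shape of Entra ID audit log records; the activity display names are
the ones written by the Conditional Access and Authentication Methods services
(verify against your tenant). APPROVED_CA_EDITORS is a hypothetical allow-list.
"""
import json
from collections import Counter

CA_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}
SECURITY_INFO_ACTIVITIES = {
    "User registered security info",
    "User changed default security info",
    "User deleted security info",
    "Admin registered security info",
    "Admin deleted security info",
}
# Hypothetical: the only accounts allowed to touch CA policies (change control).
APPROVED_CA_EDITORS = {"ca-admin@corp.example"}

# Constructed sample entries (subset of the real record fields).
SAMPLE_AUDIT = json.loads("""[
 {"activityDateTime":"2024-05-02T07:10:00Z","activityDisplayName":"Update conditional access policy",
  "category":"Policy","loggedByService":"Conditional Access","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"ca-admin@corp.example"}},
  "targetResources":[{"displayName":"Require MFA for all users","type":"Policy"}]},
 {"activityDateTime":"2024-05-02T22:41:00Z","activityDisplayName":"Delete conditional access policy",
  "category":"Policy","loggedByService":"Conditional Access","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk1@corp.example"}},
  "targetResources":[{"displayName":"Block legacy authentication","type":"Policy"}]},
 {"activityDateTime":"2024-05-02T23:02:00Z","activityDisplayName":"User registered security info",
  "category":"UserManagement","loggedByService":"Authentication Methods","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"j.doe@corp.example"}},
  "targetResources":[{"userPrincipalName":"j.doe@corp.example","type":"User"}]},
 {"activityDateTime":"2024-05-02T23:03:00Z","activityDisplayName":"User changed default security info",
  "category":"UserManagement","loggedByService":"Authentication Methods","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"j.doe@corp.example"}},
  "targetResources":[{"userPrincipalName":"j.doe@corp.example","type":"User"}]},
 {"activityDateTime":"2024-05-02T09:00:00Z","activityDisplayName":"Update user",
  "category":"UserManagement","loggedByService":"Core Directory","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"hr-sync@corp.example"}},
  "targetResources":[{"userPrincipalName":"j.doe@corp.example","type":"User"}]}
]""")


def initiator(entry):
    """UPN of the user, or display name of the app, that performed the action."""
    by = entry.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "unknown").lower()


def targets(entry):
    """Target UPNs (users) or display names (policies) of the entry."""
    return [(t.get("userPrincipalName") or t.get("displayName") or "?")
            for t in entry.get("targetResources") or []]


def review_audit(entries):
    """Turn raw audit entries into findings for the two activity families."""
    findings = []
    for e in entries:
        act = e.get("activityDisplayName", "")
        who = initiator(e)
        tgt = ", ".join(targets(e))
        if act in CA_ACTIVITIES:
            # A CA change by anyone outside change control is the real alarm;
            # approved changes are still recorded so the history stays complete.
            sev = "low" if who in APPROVED_CA_EDITORS else "high"
            findings.append({"kind": "ca_policy", "severity": sev, "when": e.get("activityDateTime"),
                             "actor": who, "activity": act, "target": tgt})
        elif act in SECURITY_INFO_ACTIVITIES:
            # A new or changed method right after a phished logon is how an
            # attacker keeps access; a deletion can lock the real user out.
            sev = "high" if "deleted" in act else "medium"
            findings.append({"kind": "security_info", "severity": sev, "when": e.get("activityDateTime"),
                             "actor": who, "activity": act, "target": tgt})
    return findings


def security_info_changes_by_user(findings):
    """How many MFA / security-info changes each target user accumulated."""
    return Counter(f["target"] for f in findings if f["kind"] == "security_info")


if __name__ == "__main__":
    for f in review_audit(SAMPLE_AUDIT):
        print(f"{f['when']} [{f['severity']}] {f['actor']}: {f['activity']} -> {f['target']}")
```

Two things worth noting from the sample: the policy deletion at 22:41 by a helpdesk account scores high purely because the actor is outside the allow-list, and the two security-info changes for the same user a few minutes apart are the pattern to pair with that user's recent sign-ins before deciding whether the registration was legitimate.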