Tag Archive for: Outlook

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online


SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing the logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft to proceed with mitigation actions, since the affected infrastructure is cloud-based, and should also report the activity to CISA and the FBI.


TECHNICAL DETAILS

In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppId and AppId in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppId values). The MailItemsAccessed event enables detection of adversarial activity that is otherwise difficult to detect.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.

LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.
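The hunt the advisory describes, as an added example that is not part of the CISA/FBI advisory: parse a constructed newline-delimited Unified Audit Log export, compare each MailItemsAccessed record's AppId and ClientAppId against a baseline of app IDs normally seen in the tenant, and summarize any outlier by user and source IP for triage. The baseline GUIDs, user names, IPs and records are constructed placeholders; the field names follow the UAL fields the advisory names.

```python
"""Hunt a Microsoft 365 Unified Audit Log (UAL) export for MailItemsAccessed events
whose AppId/ClientAppId is outside the tenant baseline. All data here is constructed."""
import json
from collections import defaultdict

# Constructed baseline of app IDs normally seen reading mailboxes (placeholder GUIDs).
BASELINE_APP_IDS = {
    "00000000-aaaa-bbbb-cccc-000000000001",  # placeholder: Outlook desktop
    "00000000-aaaa-bbbb-cccc-000000000002",  # placeholder: Outlook on the web
}

# Constructed newline-delimited JSON export, shaped like Search-UnifiedAuditLog output.
SAMPLE_UAL = """\
{"CreationTime":"2023-06-15T09:12:01","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"00000000-aaaa-bbbb-cccc-000000000001","ClientAppId":"00000000-aaaa-bbbb-cccc-000000000001","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind"}
{"CreationTime":"2023-06-15T09:15:44","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"00000000-aaaa-bbbb-cccc-000000000002","ClientAppId":"00000000-aaaa-bbbb-cccc-000000000002","ClientIPAddress":"203.0.113.11","MailAccessType":"Sync"}
{"CreationTime":"2023-06-15T09:20:13","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"00000000-dddd-eeee-ffff-000000000099","ClientAppId":"00000000-dddd-eeee-ffff-000000000099","ClientIPAddress":"198.51.100.7","MailAccessType":"Bind"}
{"CreationTime":"2023-06-15T09:21:02","Operation":"MailItemsAccessed","UserId":"carol@example.gov","AppId":"00000000-dddd-eeee-ffff-000000000099","ClientAppId":"00000000-dddd-eeee-ffff-000000000099","ClientIPAddress":"198.51.100.7","MailAccessType":"Bind"}
{"CreationTime":"2023-06-15T09:30:00","Operation":"FileAccessed","UserId":"alice@example.gov","AppId":"00000000-dddd-eeee-ffff-000000000099"}
"""

def parse_ual(text):
    """Parse one JSON record per line; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated exports rather than abort the hunt
    return records

def hunt_unexpected_mail_access(records, baseline):
    """Return {app_id: {"events": n, "users": [...], "ips": [...]}} for every
    MailItemsAccessed record whose AppId or ClientAppId is not in the baseline."""
    findings = defaultdict(lambda: {"events": 0, "users": set(), "ips": set()})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue  # other operations are out of scope for this hunt
        observed = {r.get("AppId"), r.get("ClientAppId")} - {None}
        unknown = sorted(observed - baseline)
        if not unknown:
            continue  # both identifiers are expected in this tenant
        f = findings[unknown[0]]  # group the outlier by the unfamiliar app ID
        f["events"] += 1
        f["users"].add(r.get("UserId", "?"))
        f["ips"].add(r.get("ClientIPAddress", "?"))
    return {a: {"events": f["events"], "users": sorted(f["users"]), "ips": sorted(f["ips"])} for a, f in findings.items()}

if __name__ == "__main__":
    for app, f in hunt_unexpected_mail_access(parse_ual(SAMPLE_UAL), BASELINE_APP_IDS).items():
        print(f"UNEXPECTED AppId {app}: {f['events']} event(s) users={f['users']} ips={f['ips']}")
```

Any app ID surfaced this way is a lead for baselining work or escalation, not a verdict; the FileAccessed record with the same unfamiliar AppId is deliberately ignored because only MailItemsAccessed is in scope.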

GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

  • Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
  • Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
  • Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
  • Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
  • Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
    • Security controls the customer deems appropriate.
    • Appropriate monitoring and logging of provider-managed customer systems.
    • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected activity.

REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.

REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.


Australia Cyber Security Market Outlook 2023 to 2027: Featuring Akamai Technologies, CyberCX, McAfee Enterprise Among Others


DUBLIN, June 28, 2023 /PRNewswire/ — The “Australia Cyber Security Market Outlook to 2027F” report has been added to ResearchAndMarkets.com’s offering.

The report provides a comprehensive analysis of the potential of the cyber security industry in Australia. It covers an overview and genesis of the industry and market size in terms of revenue generated.

Its market segmentations include component, security, deployment type, region, organization type, and industry; growth enablers and drivers; challenges and bottlenecks; trends driving adoption; regulatory framework; end-user analysis; industry analysis; and competitive landscape, including the competition scenario and market shares of major players. The report concludes with future market projections for each market segmentation and analyst recommendations.

Market Overview:

IoT devices have a security system that is vulnerable to cyberattacks. It is not designed to pre-detect or prevent threats, such as hacking. Thus, these devices could be prime targets for hackers to obtain usernames and passwords and access other confidential information.

The quantity of personal information and transaction data that all Australian firms have on hand is growing. Sensitive data is frequently exposed due to organizational system weaknesses, making these firms the prime targets of cyberattacks.

Key Trends by Market Segment:

  • By Deployment Type: The cloud segment contributed the highest share, attributed to increasing technological integration and surging digital usage by consumers post COVID-19.
  • By Component: Entities generally approach a cybersecurity service provider to take care of various functions rather than buying standalone hardware and software. Therefore, the revenue contribution is higher for services.

Competitive Landscape

The Australia Cyber Security Market is at a growing stage and is moderately fragmented, with more than 15 players that adopt strategic initiatives such as partnerships, investments, and new product offerings due to increasing awareness of mobility security among enterprises. Major players include IBM, Akamai Technologies, Context Information Security, iSight Partners, NCC Group, Ping Identity, CyberCX, and McAfee Enterprise.


Microsoft says early June disruptions to Outlook, cloud platform, were cyberattacks


In early June, sporadic but serious service disruptions plagued Microsoft’s flagship office suite — including the Outlook email and OneDrive file-sharing apps — and cloud computing platform. A shadowy hacktivist group claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks.

Initially reticent to name the cause, Microsoft has now disclosed that DDoS attacks by a murky upstart were indeed to blame.

But the software giant has offered few details — and would not comment on the attacks’ magnitude. It would not say how many customers were affected or describe the attackers, who it has named Storm-1359. A group that calls itself Anonymous Sudan claimed responsibility on its Telegram social media channel at the time. Some security researchers believe the group to be Russian.

Microsoft’s explanation in a blog post Friday evening followed a request by The Associated Press two days earlier. Slim on details, the post said the attacks “temporarily impacted availability” of some services. It said the attackers were focused on “disruption and publicity” and likely used rented cloud infrastructure and virtual private networks to bombard Microsoft servers from so-called botnets of zombie computers around the globe.

Microsoft said there was no evidence any customer data was accessed or compromised.

While DDoS attacks are mainly a nuisance — making websites unreachable without penetrating them — security experts say they can disrupt the work of millions if they successfully interrupt the services of a software service giant like Microsoft on which so much global commerce depends.

It’s not clear if that’s what happened here.

“We really have no way to measure the impact if Microsoft doesn’t provide that info,” said Jake Williams, a prominent cybersecurity researcher and a former National Security Agency offensive hacker. Williams said he was not aware of Outlook previously being attacked at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an…


Microsoft adds Authenticator Lite for Outlook on iOS and Android for better email security


In March, we reported that Microsoft was working on a new feature called Authenticator Lite for its Outlook email apps for iOS and Android. This week, Microsoft confirmed that Authenticator Lite is now available in those Outlook mobile apps in general availability.

In a blog post, Microsoft stated:

According to research done by Microsoft, multifactor authentications completed via push notifications in the Microsoft Authenticator app are 71% less likely to be compromised than those completed via SMS codes. Therefore, we strongly recommend moving your users off phone transports for authentication and towards more secure methods such as push notifications. Authenticator Lite (in Outlook) expands the opportunity to convert users by bringing the enhanced security of push notifications to devices that have not yet downloaded the Microsoft Authenticator App.

The update to Outlook on iOS and Android means that users won’t have to download the stand-alone Microsoft Authenticator app to get multi-factor authentication (MFA) security for the email app. Instead, when users launch the Outlook app after the latest update, they will be asked to register the app as an MFA-secured device.

Once that happens, people who need to sign into the app won’t have to confirm their identity with a text message or a phone number. Instead, they will receive a push notification from the Outlook app itself. They will then be prompted to type in the number sent by the notification.

The app can also offer another level of security. In addition to the number prompt, it can ask the user for either a biometric or PIN verification if those methods are used on the smartphone.

The Outlook mobile app will continue to add new features in the coming months. That includes one on its roadmap called Message Reminders, which will place emails that require a response at the top of your inbox.
