The basics of investigating an Office 365 breach

Pete Bryan
Positive Security Thinking
10 min read · Apr 9, 2019


Organisations of all sizes use Office 365 for email, data storage, and collaboration services making it a tempting target for attackers, and a key resource for organisations to secure. Larger organisations may have security operations with a range of tools capable of effectively monitoring Office 365. However, there are several tools and features within the basic Office 365 offering that you can use simply and easily to monitor or investigate Office 365 activity regardless of your organisational size or security capabilities.

Identity

As with many Software as a Service (SaaS) applications, identity is the key security control plane for organisations to protect and monitor. Office 365 is no exception, with every security incident involving identity in some form. Identity within Office 365 is managed by Azure Active Directory (Azure AD), and this service provides a wealth of data and features to aid investigation, so it should be a primary resource in any investigation. Whilst Office 365 provides some user identity management via https://admin.microsoft.com, to access the key features we are going to look at here we need to access the Azure AD service directly via https://portal.azure.com.

Which flavour of Azure AD licence you have will determine which of the following features you will have access to in the Azure portal. If you have Azure AD P1 or P2 you will have access to the risk-based sign-in features; these provide automatic detection of suspicious or risky sign-ins and can be used to quickly identify potential account compromises. Navigate to the Azure AD service within the Azure portal and scroll down until you see two options: Users flagged for risk, and Risk events.

Risk based events in Azure AD

Users flagged for risk will show you a list of users who meet the criteria for being considered suspicious. This can include things such as impossible travel situations, use of an anonymisation service, or the appearance of that account in a data breach. Clicking on a user will present details about these risk events, why they were flagged for risk, and a risk level of either low, medium, or high.

Risk events associated with a user

Risk events will show you the individual sign-in events that were deemed risky and that are linked to the Users flagged for risk. Each event shows you the status of the logon and the risk level, as well as details of the reason for applying the risk level. This feature can also be useful for tracking the effect of Conditional Access policies you may have applied in Azure AD.

Details of a risky sign-in and why the risk level was applied

These intelligent risk-based services provide a quick and easy way to identify user accounts that may have been compromised; however, they require additional licencing and may not provide the full picture. To expand on them we can use the detailed logging provided by Azure AD, which is broken down into two key elements: Sign-in logs, which provide details of all sign-ins, and Audit logs, which provide details of all Azure AD activity. Whilst Sign-in logs are another Azure AD P1 & P2 feature, the Audit log is available for all Azure AD subscriptions.

AAD Sign-in and Audit logs within the Azure Portal

Sign-ins gives you a simplified view of each sign-in that has occurred and an overview of the sign-in characteristics. However, it does not natively provide an easy way to summarise or visualise the data. We can do that by using another Office 365 tool, Power BI, and handily the Sign-ins page provides one-click integration with Power BI.

Power BI integration with Sign in logs

Clicking this button will open the Power BI service, import your Azure AD data and load the Azure Active Directory Activity Logs app, which provides a range of summarisations and visualisations of the data.

Power BI Azure AD Log visualisation

Using this app we can quickly get an idea of things such as sign-in location, number of sign-ins, ratio of failed to successful sign-ins, and much more. This allows us to easily identify potentially suspicious patterns. On top of this, Power BI’s natural language query engine allows us to ask questions of the data to investigate further. For example, in the dashboard above we can see some sign-in activity from South Africa; to see how many sign-ins that was we can simply type “How many signin activities came from South Africa?” into the query box and we will be presented with an answer.

Power BI Pro is only available as part of Office 365 Enterprise, but Power BI Desktop (https://www.microsoft.com/store/productId/9NTXR16HNW1T) is a completely free to use application and is often overlooked in favour of Excel. I would highly recommend learning some of its capabilities. It is extremely powerful and its native integration with data from many Microsoft services makes it very quick and easy to dig into data. You can still export the Azure AD data in CSV or JSON format if you want to interrogate it with other tools, but the simplicity and capability of Power BI makes it my first choice.
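If you do take the export route, the same two questions the dashboard answers (sign-ins per country, and the ratio of failed to successful sign-ins) are straightforward to compute from the JSON. The following is an added example, not code from the original article: it works on a constructed sample that mirrors a simplified subset of the Sign-ins export fields (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, createdDateTime), and goes one step beyond the dashboard by flagging a successful sign-in that follows several failures from the same user and IP within a short window, a pattern worth reviewing during triage.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an Azure AD Sign-ins JSON export
# (simplified field subset; real exports carry many more fields).
def _ev(time, user, ip, country, code):
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

SAMPLE_SIGNINS = json.dumps([
    _ev("2019-04-01T08:02:11Z", "alice@example.com", "203.0.113.10", "GB", 0),
    _ev("2019-04-01T08:05:40Z", "alice@example.com", "198.51.100.7", "ZA", 50126),  # bad password
    _ev("2019-04-01T08:06:02Z", "alice@example.com", "198.51.100.7", "ZA", 50126),
    _ev("2019-04-01T08:07:15Z", "alice@example.com", "198.51.100.7", "ZA", 0),      # success
    _ev("2019-04-01T09:00:00Z", "bob@example.com", "203.0.113.11", "GB", 0),
])

def summarise_signins(raw_json):
    """Per-country totals, failed sign-ins and failure ratio (errorCode 0 = success)."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0})
    for e in json.loads(raw_json):
        country = e.get("location", {}).get("countryOrRegion", "unknown")
        stats[country]["total"] += 1
        if e.get("status", {}).get("errorCode", 0) != 0:
            stats[country]["failed"] += 1
    for s in stats.values():
        s["failure_ratio"] = round(s["failed"] / s["total"], 2)
    return dict(stats)

def failures_then_success(raw_json, window_minutes=10):
    """Flag a successful sign-in preceded by failures from the same user and IP."""
    events = sorted(json.loads(raw_json), key=lambda e: e["createdDateTime"])
    fails = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    flagged = []
    for e in events:
        key = (e["userPrincipalName"], e["ipAddress"])
        ts = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        if e["status"]["errorCode"] != 0:
            fails[key].append(ts)
            continue
        recent = [t for t in fails[key] if ts - t <= timedelta(minutes=window_minutes)]
        if recent:
            flagged.append({"user": key[0], "ip": key[1],
                            "country": e["location"]["countryOrRegion"],
                            "failures_before_success": len(recent), "at": e["createdDateTime"]})
            fails[key].clear()
    return flagged
```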

Moving back to the Azure AD service within the Azure Portal, we have one more data source to look at: the Audit log. This log provides details of all changes made to Azure AD, and whilst it’s not as immediately useful for triaging a potential account breach, it does provide a useful source of data if you want to investigate further and see if any changes have been made to the directory that shouldn’t have been.

Azure AD Audit logs

There is no native Power BI integration with these logs, but they can be downloaded for interrogation. To do this, download the audit log in CSV format, then in Power BI Desktop click ‘Get Data’, select ‘Text/CSV’ and choose the audit log you downloaded. Once imported you can select, query, and visualise the data in a range of ways to suit your investigation.

Simple Power BI dashboard showing user activity over time, as well as the ratio of successful and unsuccessful events

Malware & phishing

Another common thing to check early in an investigation is whether any of your users have been targeted by malware or phishing. As this investigation is focussed on Office 365, we are not going to look at endpoint security, but we can still investigate attempted malware delivery by email or document sharing. As standard, Office 365 comes with Exchange Online Protection (EOP) malware protection for mailboxes, SharePoint Online and OneDrive for Business, and the best place to access and investigate this activity is the Office 365 Security & Compliance Portal (https://protection.office.com). Within the Threat management tab of this portal you can access data regarding malware detections, items quarantined, and emails reported by users. The licencing you have will determine the type and granularity of data you will see, with Office 365 E5 adding additional ATP capabilities to this tab; however, for the purpose of this article we will focus on the basic, native capabilities of Office 365.

The first section of the Threat management tab is the Dashboard, which provides an overview of threats observed targeting your organisation. Whilst it is likely to always show some threats, it can be useful for identifying specific changes, such as a sudden spike, that might suggest an increased threat.

Threat management dashboard in Office 365

The next section of value for our investigation is Review. Here you can review items that have been quarantined in email, SharePoint or OneDrive to see if someone is trying to share malicious files within your organisation. In addition, if you have enabled the Office 365 message reporting add-in (https://docs.microsoft.com/en-us/office365/securitycompliance/enable-the-report-message-add-in) you can review the volume of emails reported by users as potential phishing, giving you a better idea of whether your organisation is being targeted.

Threat management Review tab

The Threat management tab provides a useful high-level overview to identify trends or anomalies that might be useful for your investigation; however, if you want to dig deeper into the data a number of other tools are required. The first of these is the Office 365 Reports. These pre-generated reports provide a wealth of information on a range of areas including malware threats. Opening the reports Dashboard will show you a large number of graphs that can be drilled down on to get more detail, down to the level of the raw data. Looking at the screenshots below we can see how we go from a graph showing malware detection trends to the raw data regarding what was seen and when.

Drill down from report visualisation to raw data

If you need to get more granular detail on a specific email you are investigating, you can also run a Message trace from the Office 365 Security & Compliance portal. Found under the Mail flow tab, this feature allows you to request granular details about a specific email or set of emails. In most cases this level of detail isn’t needed in the initial investigation phase, but it can be useful if you are starting an investigation from the point of a user reported email, or other specific email threat.

Message trace details

One tool that is not really considered a security investigation tool in Office 365 is the Content search feature. Primarily aimed at compliance users, it can be useful for tracking the spread of a file or email within your estate. For example, suppose an email is received by several of our users; each copy comes from a different sender and has a different subject line, but the content is the same each time. We can create a content search to find all the emails within the environment that have this content. Whilst this tool requires you to be quite targeted in your search, it can be extremely powerful. This means that as well as being useful for you it is often abused by attackers to find sensitive information, so it’s worth creating alert policies (see below) to monitor for content search activity.

An example content search for email content

Data Loss

If you have gotten to a point where you believe your Office 365 environment might have been compromised one of the things you may want to do is look at what actions have been conducted by the attacker. The best source of data for this stage of your investigation is your Audit log, which provides full details of all activity within Office 365. This log is accessed via the Office 365 Security & Compliance portal under the Search tab, however it is not enabled by default and the first time you access the Audit log search page you will be prompted to Turn on auditing. Make sure you do this before you need the log for investigation purposes!

When searching the audit log you can scope your search based on time, activity, and user, meaning you can look at a specific user’s activity or across all users for specific activity types. You can of course search all data from all users; however, the level of detail in the audit log means you will get a very large number of log entries, so this isn’t recommended.

When searching for specific entries it can be difficult to find the audit log name of the activity you are after, so use the search box under the activity picker and try out a few different keywords to find the activity you are looking for. You can also select multiple activities, so if one doesn’t meet your needs try selecting a few. In the search below I am looking for all mailbox rule creation or modification activity to see if I can find any potential mailbox forwarding activity. I can see from the results that a new mailbox rule was created, when, by whom, and what the rule does.

Audit log search for mailbox rule creation

The audit log results can be exported in CSV format and imported into Power BI for further interrogation.
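The mailbox-rule search above is a good candidate for automating on that export. The following is an added example, not code from the original article: it reads the audit log CSV (CreationDate, UserIds, Operations, AuditData columns), parses the AuditData JSON of each inbox rule creation or modification, and flags rules whose parameters forward or redirect mail, noting whether the rule also deletes the original. The sample rows are constructed, and the AuditData fields used are a simplified subset of the real record, so treat the schema as an assumption to check against your own export.

```python
import csv
import io
import json

# Constructed rows in the shape of an Office 365 audit log CSV export; the
# AuditData JSON is a simplified subset of the real Exchange audit record.
def _row(date, user, op, params):
    data = {"CreationTime": date, "UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}
    return [date, user, op, json.dumps(data)]

_buf = io.StringIO()
_writer = csv.writer(_buf)
_writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
_writer.writerow(_row("2019-04-02T10:15:00", "alice@example.com", "New-InboxRule",
                      {"Name": "Invoices", "SubjectContainsWords": "invoice", "MoveToFolder": "Finance"}))
_writer.writerow(_row("2019-04-02T23:41:09", "alice@example.com", "New-InboxRule",
                      {"Name": ".", "ForwardTo": "mailbox@external.example", "DeleteMessage": "True"}))
_writer.writerow(_row("2019-04-03T08:00:00", "bob@example.com", "Set-InboxRule",
                      {"Identity": "Newsletters", "MarkAsRead": "True"}))
SAMPLE_CSV = _buf.getvalue()

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def find_forwarding_rules(csv_text):
    """Return audit entries where an inbox rule forwards or redirects mail."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operations"] not in RULE_OPERATIONS:
            continue
        data = json.loads(row["AuditData"])
        params = {p["Name"]: p["Value"] for p in data.get("Parameters", [])}
        targets = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if targets:
            hits.append({"when": row["CreationDate"], "user": row["UserIds"],
                         "operation": row["Operations"], "targets": targets,
                         # Forward-and-delete hides the copy from the mailbox owner.
                         "deletes_original": params.get("DeleteMessage") == "True",
                         "rule_name": params.get("Name") or params.get("Identity")})
    return hits
```

A rule named with a single character or whitespace, as in the constructed row, is a common sign that the rule was meant not to be noticed in the user's rule list.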

Once you have finished your investigation you may want to regularly check for certain activity within Office 365 to identify the next potential compromise. One easy way to do this is to set up an alert for that key activity. Alerts are accessed via the Alerts tab of the Office 365 Security & Compliance portal. Here you can see alerts generated, review alert policies, and create your own policies. Alerts generated appear in the portal and can also be emailed to key individuals, providing an easy way to continuously monitor for risky behaviour within your Office 365 environment.

Office 365 Alert policies

Conclusion

We have seen that just using the built-in tools of Office 365 we can quickly and easily investigate identity or email-based compromises, monitor malware within the environment, and track attacker activity post breach. It’s worth spending some time with these tools to make sure you are familiar with them (and that audit logging is enabled) before you need to use them. If you have other security tooling it is also worth looking at the data available via the Office 365 Management Activity API (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) and Microsoft Security Graph API (https://www.microsoft.com/en-us/security/partnerships/graph-security-api) for integration and monitoring purposes.

It’s also worth bearing in mind there are many advanced security features offered by Microsoft to enhance the security and monitoring of Office 365 such as DLP, Microsoft Office 365 ATP, and Microsoft Cloud App Security, which I have not covered here and that you should look at.
