A June 14 report from Microsoft’s Threat Intelligence Center (MSTIC) highlights the issue of basic authentication once again, this time in the context of business email compromise (BEC) attacks. Essentially, a successful phish using a lure like an invoice request or a missed voicemail notification harvests user credentials. Attackers use the credentials to sign into mailboxes and create an inbox rule to forward copies of messages containing terms like invoice, payment, or statement to a system they control. Another inbox rule then cleans up the copies of the forwarded messages so that the mailbox owner doesn’t see them in their Sent Items folder. I have experience of such an attack in a company where I worked, where attackers used the technique to copy messages from the CFO’s mailbox and eventually attempted to send a BEC message to secure funds.
There’s no surprise in learning that phishing is an ongoing problem and an attack vector used by people wishing to gather confidential data like user credentials with the aim of achieving some illegal gain.
Basic Authentication Still in Place
The sad fact is that many Microsoft 365 tenants continue to allow people to use a combination of basic authentication with antiquated connection protocols like POP3 and IMAP4 to access Exchange Online mailboxes. Microsoft is doing its best to cajole organizations to turn off basic authentication for as many connection protocols as possible, and has offered hard evidence of why basic authentication is so bad. Moving to modern authentication (OAuth 2.0 token-based sign-in, instead of sending a username and password with every connection) is the prerequisite: once clients use it, Azure AD can enforce multi-factor authentication, which Microsoft says blocks 99.9% of account compromise attacks, password sprays included. A password spray against a basic authentication endpoint, by contrast, only needs one weak password to succeed. And adding conditional access policies to the mix improves things even more.
All of which makes it hard to understand when organizations continue along a dangerous path that only benefits hackers.
The MSTIC report explains how the attackers likely use POP3 or IMAP4 to test credentials before creating the rules in the mailbox (blocking basic authentication for those protocols, or requiring MFA, stops this happening because a basic authentication POP3 or IMAP4 login cannot complete an MFA challenge). Microsoft recently clamped down on email forwarding by blocking the ability of users to configure automatic forwarding to external addresses unless allowed by the outbound spam filter policy. The report isn’t clear if any of the organizations where Microsoft found problems used the outbound spam filter policy to block forwarding, but notes that because of the clampdown, the threat of BEC campaigns using mail forwarding rules is significantly reduced.
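Turning off basic authentication for the protocols the attackers test with is a PowerShell job. The following is an added example (not code from the article or from the MSTIC report) that uses Exchange Online authentication policies to block basic authentication tenant-wide while leaving a narrow exception for a device that can only speak SMTP AUTH. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline); the policy names and the scanner@contoso.com account are placeholders.

```powershell
# Added example: block basic authentication with Exchange Online authentication policies.
# Assumes Connect-ExchangeOnline has already run. Policy names and accounts are placeholders.

# 1. A new authentication policy blocks basic authentication for every protocol unless an
#    AllowBasicAuth* switch is set. Nothing is allowed here, so POP3, IMAP4, SMTP AUTH, EWS,
#    ActiveSync, MAPI, Autodiscover and remote PowerShell all reject basic authentication.
$PolicyName = "Block Basic Auth"   # placeholder name
If (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
   New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
# Every AllowBasicAuth* value should read False
Get-AuthenticationPolicy -Identity $PolicyName | Format-List AllowBasicAuth*

# 2. Make it the tenant default. Exchange Online refreshes the cached policy for accounts
#    within about 24 hours; STSRefreshTokensValidFrom forces re-evaluation for one account.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 3. A legacy device that genuinely needs SMTP AUTH gets its own policy allowing only that
#    protocol, assigned per account, so the exception never widens to POP3 or IMAP4.
$SmtpPolicyName = "Allow SMTP AUTH only"   # placeholder name
If (-not (Get-AuthenticationPolicy -Identity $SmtpPolicyName -ErrorAction SilentlyContinue)) {
   New-AuthenticationPolicy -Name $SmtpPolicyName -AllowBasicAuthSmtp | Out-Null
}
Set-User -Identity "scanner@contoso.com" -AuthenticationPolicy $SmtpPolicyName   # placeholder account
Set-User -Identity "scanner@contoso.com" -STSRefreshTokensValidFrom (Get-Date)

# 4. Belt and braces: mailboxes that never need POP3 or IMAP4 should have the protocols
#    disabled outright, regardless of authentication method. Scope this to the mailboxes you mean.
Get-ExoCASMailbox -ResultSize Unlimited -Properties PopEnabled, ImapEnabled |
   Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
   ForEach-Object { Set-CASMailbox -Identity $_.PrimarySmtpAddress -PopEnabled $False -ImapEnabled $False }

# 5. Verify: which accounts are still assigned a policy that allows basic auth for POP3 or IMAP4?
$Permissive = Get-AuthenticationPolicy | Where-Object { $_.AllowBasicAuthPop -or $_.AllowBasicAuthImap }
ForEach ($P in $Permissive) {
   Get-User -ResultSize Unlimited -Filter "AuthenticationPolicy -eq '$($P.DistinguishedName)'" |
      Select-Object UserPrincipalName, @{n='Policy'; e={ $P.Name }}
}
```

Step 5 is the check worth repeating after any change: a permissive policy that is assigned to nobody is harmless, but one assigned to a shared mailbox or a service account is exactly the foothold the report describes.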
Checklist for Tenant Administrators
The introduction of forwarding blocks in the outbound spam policy is a big step forward. However, it’s also true that users can argue the case for exceptions and build a case to be allowed to forward some email outside the organization. With an eye on minimizing risk, what should tenant administrators do? Here’s a checklist of the most important steps:
Configure the outbound spam policy with restricted exceptions to suppress as much forwarding as possible.
If you haven’t already done so, configure Azure AD to use Security Defaults. Microsoft enables Security Defaults for all new tenants to make sure that basic steps like requiring MFA for administrator accounts and blocking legacy authentication are done. If your tenant is like mine and already uses conditional access policies, you won’t be able to enable Security Defaults (Figure 1), but that’s OK because you’re already well on the way to protecting the tenant. Azure AD evaluates conditional access policies after the first factor (the password) is validated but before it issues tokens, so a policy that requires MFA or blocks legacy authentication clients does stop an attacker who holds only a stolen password from getting into the mailbox, although the attacker still learns that the password is valid. Policies can also stop attackers accessing sensitive information from unmanaged devices or unknown locations. Conditional access policies require Azure AD Premium licenses.
Monitor what’s happening in the tenant. If you have Office 365 E5, you can use Office 365 Cloud App Security. The point is that administrators should use whatever data and tools are available to check the tenant. Even a periodic browse through the Office 365 audit log can turn up unexplained or suspicious events which deserve investigation.
The MSTIC report points out that Microsoft Defender for Office 365 includes a standard alert policy to detect and report suspicious forwarding activity to tenant administrators. Another alert tells administrators when users create a rule to forward email (Figure 2). These alerts should be actioned whenever they happen.
Figure 2: An alert because a user creates an inbox rule to forward email
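The first item in the checklist, a tightly scoped outbound spam policy, is quick to do in PowerShell. The following is an added example (not code from the article or from Microsoft) that turns off automatic external forwarding in the default policy, carves out a single approved exception via a custom policy and rule, and then lists every policy so the exceptions are visible. It assumes Connect-ExchangeOnline has run; the policy name and approved.user@contoso.com are placeholders.

```powershell
# Added example: lock down automatic external forwarding with outbound spam filter policies.
# Assumes Connect-ExchangeOnline. The custom policy name and the exception user are placeholders.

# 1. Default policy: Off rejects automatic forwarding to external addresses, whether it comes
#    from an inbox rule, a client-side redirect, or Set-Mailbox ForwardingSmtpAddress.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. A custom policy for the few users with an approved business need. The rule binds the
#    policy to named senders (or groups via -FromMemberOf, or domains via -SenderDomainIs);
#    custom rules are evaluated before the Default policy.
$PolicyName = "Approved external forwarding"   # placeholder
If (-not (Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
   New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On | Out-Null
   New-HostedOutboundSpamFilterRule -Name $PolicyName -HostedOutboundSpamFilterPolicy $PolicyName `
      -From "approved.user@contoso.com" | Out-Null   # placeholder user
}

# 3. Review. 'Automatic' means "whatever Microsoft's current default is" (now Off);
#    anything set to 'On' deserves a named business owner and a periodic re-check.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode, IsDefault
Get-HostedOutboundSpamFilterRule |
   Select-Object Name, Priority, State, From, FromMemberOf, SenderDomainIs, HostedOutboundSpamFilterPolicy
```

Keep the exception list to individual senders where you can. A rule scoped to a whole domain with AutoForwardingMode On quietly re-opens the forwarding channel the report warns about for every mailbox in the tenant.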
Check Mailboxes
If you don’t have Microsoft Defender for Office 365, you can use PowerShell to scan for accounts configured with forwarding addresses or with inbox rules to forward email. The outbound spam policy blocks any attempt to forward email externally unless the user is listed as an exception in the policy. Even so, it’s good to know where forwarding is configured via mailbox settings or rules. Here’s some code to look for forwarding configured in mailboxes and to check inbox rules with forwarding actions.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
# Scan user and shared mailboxes for forwarding set in mailbox properties and in inbox rules
$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox, SharedMailbox -Properties ForwardingSmtpAddress, ForwardingAddress -ResultSize Unlimited
Write-Host $Mbx.Count "user and shared mailboxes found. Now checking..."
$NumberMbxWithRules = 0; $NumberForwards = 0; $NumberRulesRemoved = 0
ForEach ($M in $Mbx) {
   Write-Host "Processing" $M.DisplayName
   # Forwarding configured in mailbox settings: external SMTP address or directory recipient
   If ($Null -ne $M.ForwardingSmtpAddress) {
      $NumberForwards++
      Write-Host $M.DisplayName "is forwarding email to external address" $M.ForwardingSmtpAddress.Split(":")[1] -ForegroundColor Red }
   If ($Null -ne $M.ForwardingAddress) {
      $NumberForwards++
      Write-Host $M.DisplayName "is forwarding email to directory recipient" $M.ForwardingAddress }
   # Inbox rules with a forward or forward-as-attachment action (UPN is unambiguous, an alias need not be)
   $InboxRules = Get-InboxRule -Mailbox $M.UserPrincipalName | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo }
   If ($Null -ne $InboxRules) {
      $NumberMbxWithRules++
      ForEach ($Rule in $InboxRules) {
         # Rule recipients look like "Name" [EX:/o=.../cn=Recipients/cn=...] (directory) or "Name" [SMTP:user@domain] (raw address)
         $ForwardTo = @(@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) | Where-Object { ($_ -Match "SMTP:") -or ($_ -Match "EX:") })
         $UnknownDestination = $False
         ForEach ($Recipient in $ForwardTo) {
            If ($Recipient -Match "EX:") {
               # Recipient known in the Exchange directory: resolve the legacy DN to a primary SMTP address
               $Ex = Get-Recipient -Identity (($Recipient -Split "EX:")[1].Trim("]}")) -ErrorAction SilentlyContinue
               $EmailAddress = $Ex.PrimarySmtpAddress }
            Else {
               # Simple SMTP address: check whether it belongs to a recipient in the tenant directory
               $EmailAddress = ($Recipient -Split "SMTP:")[1].Trim("]")
               $Ex = Get-Recipient -Identity $EmailAddress -ErrorAction SilentlyContinue }
            If ($Null -eq $Ex) { $UnknownDestination = $True }
            Write-Host $M.RecipientTypeDetails $M.DisplayName "has rule" $Rule.Name "forwarding email to" $EmailAddress -ForegroundColor Red
         }
         # Remove the rule if any destination is unknown to the directory (comment out the next three lines to report only)
         If ($UnknownDestination) {
            Remove-InboxRule -Identity $Rule.Identity -Confirm:$False
            $NumberRulesRemoved++
            Write-Host "Rule" $Rule.Name "removed from mailbox!" }
         Else {
            Write-Host "Destinations are known to the tenant directory. Please remove" $Rule.Name "manually if necessary" }
      }
   }
}
Write-Host ("Mailboxes with forwarding settings: {0}; mailboxes with forwarding rules: {1}; rules removed: {2}" -f $NumberForwards, $NumberMbxWithRules, $NumberRulesRemoved)
Comment out the relevant lines if you don’t want to remove the inbox rules from user mailboxes. You can download the script from GitHub and amend it to suit the needs of your organization.
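Scanning current mailbox state tells you what forwarding exists now; the audit log tells you who created it, from where, and when. The following is an added example (not the article’s script and not from the MSTIC report) that searches the unified audit log for the operations that can introduce forwarding, including UpdateInboxRules, which Outlook desktop generates and which records rule actions differently from the PowerShell and OWA cmdlets. It assumes Connect-ExchangeOnline has run and that auditing is enabled for the tenant; the 30-day window is an assumption you should adjust.

```powershell
# Added example: find audit records that introduced mail forwarding in the last 30 days.
# Assumes Connect-ExchangeOnline and that unified audit logging is on. Window length is an assumption.

$Start = (Get-Date).AddDays(-30); $End = Get-Date
# Operations that can introduce forwarding: PowerShell/OWA rules, Outlook desktop rules, mailbox settings
$Ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
$ForwardingParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"

# ResultSize caps a single call at 5000 records; busy tenants need -SessionId/-SessionCommand paging
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Ops -ResultSize 5000
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
   $Data = $Rec.AuditData | ConvertFrom-Json
   $Hits = @()
   Switch ($Rec.Operations) {
      "UpdateInboxRules" {
         # Outlook desktop writes the rule actions into OperationProperties rather than Parameters
         $Actions = ($Data.OperationProperties | Where-Object { $_.Name -eq "RuleActions" }).Value
         If ($Actions -match "Forward|Redirect") { $Hits += [string]$Actions }
      }
      Default {
         # Cmdlet-based changes carry their arguments as Name/Value pairs in Parameters
         $Hits = @($Data.Parameters | Where-Object { $_.Name -in $ForwardingParams } |
            ForEach-Object { "$($_.Name)=$($_.Value)" })
      }
   }
   If ($Hits.Count -gt 0) {
      $Report.Add([PSCustomObject]@{
         When       = $Rec.CreationDate
         Actor      = $Data.UserId
         Mailbox    = $Data.ObjectId
         Operation  = $Rec.Operations
         ClientIP   = If ($Data.ClientIP) { $Data.ClientIP } Else { $Data.ClientIPAddress }
         Forwarding = ($Hits -join "; ")
      })
   }
}
$Report | Sort-Object When -Descending | Format-Table -AutoSize
```

Triage the output for the classic BEC pattern: an Actor that is not the mailbox owner (an administrator or delegate account), a ClientIP outside your known ranges, or a rule created minutes after an unfamiliar sign-in. Those are the events worth correlating with the Azure AD sign-in logs before deciding whether the credentials need to be reset.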
A Long Road to Remove Basic Authentication
Microsoft announced their intention to remove basic authentication from Exchange Online connectivity protocols in September 2019. It’s taken a lot of effort so far to educate, convince, and move customers. The signs are that even more effort will be necessary to complete the transformation. If you’ve been hanging back, maybe now’s the time to consider jumping in to improve the security of your tenant. After all, you wouldn’t like to be the subject matter for the next MSTIC report.
Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.
Learn about protecting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.