Author Archives: jstocker

Azure AD Connect Deletion Scare

On September 10th, 2019, Microsoft released Azure AD Connect v1.4.

Customers that had configured their Azure AD Connect for auto-upgrade are now experiencing rolling upgrades, which can cause mass deletion of devices from Azure AD. One of my clients contacted me today after receiving a rather alarming and unsettling email about several hundred objects being deleted:

Their question to me was: “This is very concerning. Should I be worried or no?

My immediate response was “Call me ASAP!” – as I thought that someone had restructured their organizational units in Active Directory, which is a common cause of mass deletion of objects from Azure AD. As I waited for the remote sharing invite to arrive in m y inbox, I began formulating my plan: identify the OU that changed, go into AAD Connect and start syncing that OU again, and then on next full sync, it would restore all the soft deleted objects. I’ve done this before, so I was expecting to bring this issue to closure quickly… or so I thought.

After further investigation, we couldn’t find any evidence of OU changes. In fact, this customer followed best practice by not performing OU filtering (which avoids the problem of OU changes causing mass deletes).

Puzzled, I noticed that in the AAD Synchronization Service, the first instance of the mass delete event occurred as part of a FULL Sync. “Aha!” – I thought to myself, a full sync can only occur when a human is involved, so let’s track down who did this and have a chat. If left unprovoked, AAD Connect only runs Delta syncs every 30 minutes.

We quickly ruled out human involvement, as there was no evidence of any recent interactive logon.

The next thought that came to mind was a feature of AD Connect, called Auto Upgrade. We checked the Control Panel > Programs and noticed that AAD Connect was updated today. Aha! .. But why would the upgrade cause a mass deletion?

We then looked at the Azure AD release notes and noticed this explanation:

With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. For more information see Understanding Azure AD Connect 1.4.xx.x device disappearnce

Then scrolling down to the Fixed Issues section we saw:

“Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.”

Fascinating. So this explained why we saw 900 objects attempt to be deleted, and upon verification, they were Windows 7 objects, and Windows Server objects.

SURPRISE…

Azure AD Connect will not permit more than 500 objects to be deleted, so that is why the warning email was sent. We surmised that the proper thing to do was to remove the deletion protection mechanism otherwise the AAD Connect would perpetually remain in an error-status, unable to delete all these devices itself.

So we ran these three PowerShell Commands on the AAD Connect Server:

Disable-ADSyncExportDeletionThreshold

Then we started a full sync:

start-adsyncsynccycle -policytype Initial

Then after watching the deletion finish in the Synchronization Service GUI tool, we re-enabled the deletion threshold:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

Hopefully this helps! More information about this issue can be found here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-device-disappearance

Microsoft Resets Office 365 external cloud storage preferences

Important Announcement from Microsoft on 7/31/19 to all Office 365 customers. Beginning 8/15/19, Microsoft will enable a new setting that allows all Office 365 users to send data to their personal cloud storage accounts (Google Drive, Facebook, Consumer OneDrive, etc). This will take effect even if you had disabled a similar setting in the past. Here is the new command to turn this off.

 

Here is the email all Office 365 administrators should have received relating to this roadmap ID 52597

‪The old way of hardening will no longer work using these cmds: set-owamailboxpolicy -DropboxAttachmentsEnabled $false -BoxAttachmentsEnabled -GoogleDriveAttachmentsEnabled $false -ThirdPartyAttachmentsEnabled $false‬

This is not the first time Microsoft has changed the default settings or experience which has a security / governance impact.

Like it or not – Guest Sharing now includes your Privacy Policy – or LACK of Policy

On June 18th Microsoft announced in the Office 365 Message Center (“MC182498”) that guest user invites will now include your organization’s privacy policy contact information to all external guest invites. This does not apply to you if you have disabled guest access.

Sounds great but what if you don’t have privacy policies? Your new guests will receive a Shame Prompt as shown below.

Follow these instructions to update your organization’s privacy policy. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-properties-area

Pro-Tip – You don’t need all three configured, you can get by with just the first two. Here is what it looks like when you only have the email address fields completed.

Note: If you have the data in Office 365, you can consider piggy-backing on the Microsoft Privacy Policy so you can defer to how Microsoft stores the data (run that by your Lawyer of course!).

https://privacy.microsoft.com/en-US/privacystatement

Otherwise, there is a free privacy template at the GDPR website here: https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Privacy-Policy.pdf

Top MFA Myths and Misconfigurations

As a consultant who specializes in deploying Microsoft security solutions, I have helped deploy multi-factor authentication to hundreds of companies over the years. I’ve heard lots of excuses why companies fail to deploy MFA, and I’ve seen even more misconfigured MFA deployments. I’ve heard alarming stats that fewer than 3% of Global Administrators are enabled for MFA. Let’s see if we can bust through the blockers that prevent people from deploying MFA correctly. Here are the top misconfigurations and/or myths that I have encountered.

  • “I can deploy a single Azure Conditional Access Policy to enforce MFA”

    That is a myth. You must deploy at least a 2nd policy to block legacy authentication, because CA policies do not block legacy authentication by default. You must have a 2nd policy that specifically has the client apps “other clients” selected. You would think a ‘block access’ means block all access and that you wouldn’t have to configure something beyond that, but you must create the additional condition.

  • I can block foreign attackers from signing in by creating a Conditional Access policy to block IP addresses outside of the United States.

    This is mostly a myth. While you may deter the laziest “drive-by attackers”, any determined attackers will relay through a VM residing inside the United States (for example, a compromised IaaS VM hosted in Amazon or Azure), or use a VPN proxy with an exit node inside the United States.

    Important note: IP-Fencing policies will not block *all* IPv6 address unless you check the box “Include unknown areas.” This is because some IPv6 blocks are not associated with a particular location.

    Important! This also works the other way:  If you have a block policy that excludes USA, you may still be blocking connections from inside the USA that use IPv6 addresses – since some IPv6 ranges don’t have an associated location.

  • “I can’t block legacy auth because we don’t have an Azure AD Premium license”

    This is a myth because while the premium license certainly makes things easier, there are three ways you can still block legacy authentication.

  • “I don’t need to consider Office clients when deploying MFA.”

    That may be true if you have fully deployed Office 2016 or higher, however, if you have any older clients, then you have work to do.

    • Office 2013 clients do not support MFA unless you deploy two registry keys

    • Office 2010 and older clients require the use of MFA Application Passwords, which are pure evil because they never expire, so when you go to terminate the user by resetting their AD password, most helpdesks forget to delete the MFA app passwords because its buried in a separate administrative interface. Worse yet, MFA App Passwords are enabled by default unless you turn them off in the hidden MFA admin portal (here) (most people don’t realize that ‘service settings’ is a click-able link, so they never see the option to disable MFA app passwords!
  • “We couldn’t deploy MFA at my organization because it broke our administrative PowerShell.”

    Many of the Office 365 Administrators aren’t aware that they have to download MFA–compatible PowerShell modules.
    Try the new Azure Cloud Shell, which takes the hassle out of downloading MFA modules. Azure AD and Exchange Online are already pre-loaded. Sign in from any web browser! https://shell.azure.com

    Or, if you want to use the old method, download all the modules from Terry Munro’s blog here. Setup your workstation following his walkthrough (here), and then download the all-in-one script (here) which is what I prefer to use.

  • “we couldn’t deploy MFA because we use ActiveSync”

    While it is true that older ActiveSync clients do not support MFA, you can work-around this by deploying an MFA-compatible application such as Outlook for iOS or Android. If you don’t have the means of distributing software to your end-users, or if you think you can’t ask them to install the Outlook App themselves (by the way you are underestimating your users, they know how to use the App Store!). Anyway, if you don’t want the hassle of communicating to end-users, then you could create a policy in Exchange Online that quarantines devices by default unless they are authorized by IT. You can also run a PowerShell script to determine how many of your users are using older ActiveSync clients, like the script I published in the TechNet Gallery (here).

  • “we tried rolling out MFA, but our users still had to use “MFA App Passwords” so we stopped the rollout.”

    This can happen if your Office 365 tenant has not been enabled for Modern Auth. Microsoft stated that they were in the process of rolling this out to all new tenants created after August 2017, however, I still sometimes come across customer tenants where these settings are not enabled. In short, if you are still seeing modern clients require Modern Auth, it usually means that it is not enabled for Exchange Online and/or Skype Online. So you need to enable those with PowerShell as described here for Exchange and here for Skype Online.

    Did you know? The new admin center now allows you to enable Modern Auth without using PowerShell!

    https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide#enable-multi-factor-authentication-for-your-organization

  • CA Policies do not override MFA Always ON. You must disable MFA-Always ON before a CA Policy will take effect, otherwise MFA-Always ON will override the CA Policy.

    I had a customer start off with deploying Always ON MFA, then they wanted to stop having people prompted for MFA from domain joined machines. They couldn’t figure out why their conditional access policies were not working. It turned out, they never went back to disable Always ON MFA. They assumed it should have been smart enough to override the Always ON MFA. As soon as we disabled the Always ON MFA setting, then the conditional access policies kicked in correctly, so that MFA prompts did not appear when they originated from domain-joined machines.

  • “we are configured to use Mobile Authenticator so we are configured according to best practice!”

    That is only true if you also disabled SMS, which is enabled by default and available for an attacker to perform a downgrade attack. Technically, SMS is better than no MFA (it’s 99% effective against drive-by attacks), but if you want to be configured according to best practice, you will go the extra step of removing SMS from being an option presented to users. PCI & NIST 800-63: SMS should no longer be used in 2FA, because SMS is only 76% effective against nation-state groups.

    Note: As stated above, this setting can be hard to find because the “service settings” option does not appear like a click-able link. Here is the direct link if you need help navigating to that setting. https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?culture=en-US&BrandContextID=O365

  • “we use Duo, RSA, OKTA or xyz MFA provider so we are protected against credential phishing.”

    This is a huge misnomer. You can be using what you think is the best user-MFA solution in the market, however, unless you have added machine-level authentication to your conditional access policy, you are vulnerable to man-in-the-middle proxy solutions such as EvilGinx2. The only correct way to defend against man-in-the-middle is to add machine authentication as an additional factor (or Intune enrollment for mobile devices). Machine authentication can be domain-join checking, certificate authentication, or FIDO2/U2F. To learn more about this vulnerability, read my other blog post (here).

  • “Conditional Access Policies are not secure because when a user roams outside the corporate network, they are not immediately prompted for MFA.”

    This loophole was fixed ~2 years ago (for Exchange Online) with the New-clientaccessrule. To learn more about it, watch Jeff Kizner’s 2017 Ignite presentation (here) starting at 7:35 through 15:55. In a nutshell, conditional access provides an authentication token if you meet the requirements at the time the token is issued. If the user roams outside the network, the token is not immediately invalidated. Exchange Online has the ability to re-check the IP address location with every packet, to avoid roaming to unauthorized network locations. It would be great if the other services like SharePoint had this but as far as I am aware they do not.

  • MFA is just too much of a user impact for us to deploy.

    I can sympathize with this sentiment: your IT department is stretched thin and you just can’t gamble with impacting productivity. Just remember this: nobody is going to thank you for reducing user impact when there is a ransomware outbreak that causes a complete work stoppage for days or weeks, or results in having to pay a massive $230 million dollar GDPR fine. Here are four things you can do to reduce the burden of the MFA rollout.

    • Avoid MFA prompts when the PC is domain joined devices (read my blog about this here)
    • Avoid MFA prompts when the mobile device or Mac OSX is managed by Intune
    • Avoid MFA prompts when the user is indie the corporate network
    • Avoid passwords and use the MFA Authenticator app for authentication ( with one important caveat here <- don’t enable passwordless auth if you use the ‘require compliant device checkbox’ )
    • Avoid MFA prompts when connecting from a device that has previously authenticated with MFA at least once (aka Trusted Device)

      If you do any of the above (or all of them), users would only be prompted for MFA when outside the network on a personal device that they haven’t used in the last 60 days! That should reduce the helpdesk calls!

Other Tips:

  • You can now change the frequency of how often users get prompted for MFA! For example, internal users can see the MFA prompt never (see #12 above) or every 1 week, whereas external users can see the MFA prompt every 12 hours.
  • Enable the new Combined Registration experience so that when users register for MFA, they also register for self-service password reset at the same time. Bonus: by enabling the new combined registration experience, you are one step closer to using FIDO2 tokens (the new combined registration is a pre-requisite). Read more here.
  • You can extend your MFA to also protect on-premises workloads like VPN. Read more (here)
I hope this helps! If you need help securing your Office 365 Environment, contact us at Hello@PatriotConsultingTech.com

How to disable diagnostic data from being sent to Microsoft in Windows 10 and Office

I have never put much thought into disabling diagnostic data from being sent to Microsoft, because I’ve always given them the benefit of the doubt that they benefit from using this data to identify faulty drivers and things that cause reliability issues in Windows. However, according to Microsoft, this data may contain “personal data” as defined by Article 4 of the European GDPR (more on that below) and therefore our friends in Europe have asked for guidance on how to disable this diagnostic data from being sent to Microsoft.

If you want to see what type of information is being sent to Microsoft, Windows 10 now includes the ability to view the diagnostic data by downloading a tool called the Diagnostic Data Viewer.

Step 1. Enable the Viewing of Diagnostic Data in Windows 10 (full documentation is here)

Step 2. Download the Diagnostic Data Viewer tool from the Microsoft App Store

Step 3. Launch the tool to review the diagnostic data that was sent to Microsoft.

According to this Microsoft Support article (here)

“Diagnostic data may contain “personal data” as defined by Article 4 of the European GDPR, but it does not contain your name, your email address, or any content from your files. All diagnostic data Microsoft collects during the use of Office applications and services is pseudonymized, as defined in ISO/IEC 19944:2017, section 8.3.3.

According to this Microsoft article (here) this is what the basic data is:

We use Basic diagnostic data to keep Windows devices up to date. Microsoft uses:

  • Basic error information to help determine whether problems your device is experiencing can be addressed by the update process.
  • Information about your device, its settings and capabilities, including applications and drivers installed on your device, to ascertain whether your device is ready for and compatible with the next operating system or app release and ready for update.
  • Logging information from the update process itself to understand how well your device’s updates are proceeding through the stages of downloading, pre-installation, post-installation, post-reboot, and setup.
  • Data about the performance of updates on all Windows devices to assess the success of an update’s deployment and to learn device characteristics (e.g., hardware, peripherals, settings, and applications) that are associated with the success or failure of an update.
  • Data about which devices have had upgrade failures and why to determine whether to offer the same upgrade again

 

However, if you want to block the transmission of this diagnostic data, on a per machine basis you can go into Windows 10 and change the default ‘enhanced’ to ‘basic’


 

To disable this on all machines, deploy the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Create a new a 32-bit DWORD value named AllowTelemetry and set it to 0

Windows 10 build 1511 and newer disable these two services:

Connected User Experiences and Telemetry
dmwappushsvc

Then restart the computer.

 

Now as it relates to Office, you need to go into the settings of the Diagnostic Viewer and enable the Office data viewer toggle as shown here:


For Office 365 ProPlus, Microsoft documents the diagnostic information sent to Microsoft (here)

You can manually turn this off on a per user basis as shown below, or you can disable it for all users using the config.office.com website also as shown below.

Office 365 ProPlus Manual Configuration

File Account > and under Account Privacy select Manage Settings.


 

Office 365 ProPlus Configuration for all machines (use config.office.com as shown below)

 


 

 

And for Windows 7, the July 9th 2019 security patch added telemetry. Disable or delete these scheduled tasks after the security patch installation but before rebooting the computer.

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

Reference: https://www.howtogeek.com/428265/windows-7s-july-2019-security-patch-includes-telemetry/

Unified Labeling in Azure Information Protection

Microsoft’s Rights Management Services (RMS) first debuted as a role in Windows Server 2003. It was then made available in Office 365 as Azure Rights Management, eliminating the hassle of hosting on-premises RMS server roles. When Microsoft acquired ‘Secure Islands’ in late 2015, that brought classification and labeling into the product, and so it was re-branded as Azure Information Protection. And then in 2018, support for both Mac OSX and Microsoft Windows required re-branding it into a more heterogenous name, as it is currently called Microsoft Information Protection.

 

The product is available in various license options:

  • Office E3 includes Rights Management for Office 365. This is the bare minimum RMS capabilities such as encrypting emails and documents, but it lacks customization and the latest bells and whistles.
  • EMS E3 includes Azure Information Protection, which adds the Secure Islands classification and labeling features, document tracking, revocation, and on-premises AIP Scanner functionality to scan and search for PII data in on-premises file shares and on-premises SharePoint.
  • EMS E5 adds the ‘Automatic Classification’ feature which will scan the content of a document and apply encryption, classification and labeling to a document. The AIP Scanner functionality is also extended to include encryption of data at rest that it finds in on-premises file shares and on-premises SharePoint.
  • M365 E5 which includes Windows 10 E5, is called “Microsoft Information Protection” because it extends protection to include data discovered on the Windows 10 endpoint. It can then prevent users from copying files to USB drives or unsanctioned locations. This feature also appears in the Office 365 Security and Compliance Center when configuring ‘Endpoint DLP’ as part of the DLP Policies. It leverages a combination of technologies including Windows Information Protection (WIP) and Mobile Application Management (MAM) policies on Windows 10.

 

 

On April 16th 2019, Microsoft announced (here) the general availability of the Unified Labeling Client. This is an MSI client software that can be distributed to Windows workstations that shows the labels found in the Security and Compliance Center’s Classification portal. Microsoft’s best practice is that if you have not yet deployed any of the legacy AIP labels, they suggestion you configure the new Unified Labels, distribute the new client (download here) (ending in *ul.exe) and be aware of the limitations that exist (here).


 

Join this free Microsoft webinar on Thursday, May 23rd at 7:00 AM PT to learn how to enable it, and the value that it brings to your organization: https://aka.ms/AIP-UL-Webinar

Defending against Evilginx2 in Office 365

[Updated 7/11/2019 – Azure AD now supports FIDO2 tokens for MFA, which also protect against EvilGinx2]

This is my second blog post in this series. In the first blog post (here) Aidan Holland (@thehappydinoa) demonstrated how EvilGinx2 can bypass Microsoft’s 2FA that is built into Office 365 (SMS Text or Mobile Authenticator), sometimes called “Always-On MFA.”

Kuba Gretzky (@mrgretzky) stated that it can defeat any form of 2FA!

“Be aware that: Every sign-in page, requiring the user to provide their password, with any form of 2FA implemented, can be phished using this technique!” https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens

That’s a bold claim! Matt Soseman from Microsoft says, “always combine MFA with Conditional Access.” Matt is one of Microsoft’s top Cybersecurity experts, as he spoke on behalf of Microsoft at the RSA Security Conference in March 2019 (PDF HERE).

In this blog post, we are going to put both claims to the test. How does Microsoft’s Conditional Access compare against Evilginx2? We tested 13 of Microsoft’s defense capabilities and found 7 ways to defeat EvilGinx2. We also provide 4 recommendations for Microsoft to further improve security, and 5 recommendations for customers.

First, let’s define terms.

  • 2FA, or ‘two-factor authentication’ is most commonly something you know like a password, and then some other factor like an SMS text code or a token-based Authenticator mobile app.
  • MFA, or ‘multi-factor authentication’ can be multiple factors, not just two. For example, Microsoft’s conditional access allows you to go beyond user-authentication to perform machine authentication. You can check to see whether a computer is joined to the on-premises Active Directory domain, or whether it has a certificate issued from Active Directory Certificate Services (using Microsoft Cloud App Security Conditional Access App Control), or is originating from a range of IP addresses (aka IP-fencing). You can also check for the risk level of a user identity (using Azure Identity Protection) or the risk level of a machine (with Microsoft Defender ATP).

In our testing, we found that while EvilGinx2 is successful in bypassing the user-authentication forms of 2FA (yes, even the Microsoft Authenticator App!), and Azure Identity Protection.

EvilGinx2 was unsuccessful in bypassing the full MFA capabilities that Microsoft offers in Azure Conditional Access. This is available for customers who own the Azure AD Premium P1 license, which is also bundled in Enterprise Mobility Suite E3, and/or M365 E3.

According to Microsoft Corporate Vice President, Brad Anderson (@anderson), Microsoft’s EMS suite is currently owned by 100 million subscribers, which is currently 55% of the overall 180 million monthly active users in Office 365.

https://twitter.com/Anderson/status/1121516058345533440

This means there are 100M subscribers who can enable Azure AD Conditional Access to protect themselves from EvilGinx2 MFA bypass. This also means there are 80M subscribers who can only partially defend themselves against EvilGinx (using Client Access Rules). The client access rule only protects Exchange Online, not SharePoint Online, OneDrive, Dynamics, or any of the other Office 365 or Azure services.

How does EvilGinx2 Work?

In order to understand how Azure Conditional Access can block EvilGinx2, its important to understand how EvilGinx2 works. First, the attacker must purchase a domain name, like “office-mfa.com” and convince an end-user to click on that link. The attacker’s machine passes all traffic on to the actual Microsoft Office 365 sign-on page. Since all traffic is passed directly through, the end-user sees the *actual* Office 365 sign-in page. This means the attacker does not have to waste valuable time trying to make the page look identical. The authentication token is captured after the user performs user-based authentication (SMS or Authenticator App). The attacker can then import the cookie into their own browser to access Office 365. In our testing, the link was not blocked by MSFT EOP, Office ATP, Microsoft Defender ATP, or Windows Defender SmartScreen. However, we did find at least three methods that blocked EvilGinx2.

Figure 1 image credit – breakdev.org

The attacker’s EvilGinx2 server terminates the SSL session and it then re-transmits a new SSL session against login.microsoftonline.com. This avoids all SSL errors in the browser, since there is a valid ssl handshake to the attacker’s machine. This is an advantage for the hacker, but it turns out to be the Achilles heel because Azure Conditional Access can perform additional checks that will all block EvilGinx such as: IP address, Domain Join Membership, Compliance (via Intune UEM), or Certificate (via CASB).

Here is a screen shot showing Azure Conditional Access blocking EvilGinx2 because the attacker’s IP address does not match the policy.

Here is a screen shot showing that Azure Conditional Access blocks EvilGinx2 because the attacker’s proxy machine is not a domain-joined device

Here is a screen shot showing that Azure Conditional Access blocks EvilGinx2 because the attacker’s proxy machine is not meeting Intune compliance policy.

Here is a screen shot showing Microsoft Cloud App Security Conditional Access App Control successfully blocked the attacker from getting into Exchange Online because the attacker could not present a valid certificate.

Here is a screen shot showing new-clientaccessrule blocking EvilGinx2 from accessing the mailbox in Office 365

Another method that blocks EvilGinx is U2F (Universal 2nd Factor Authentication). The author of EvilGinx2 states (here) that U2F “leaves no room for error and is totally unphishable using Evilginx method…” and that “make your life easier and get a U2F device! This will greatly improve your accounts’ security.” [Update: On July 10th, Microsoft formally announced that Azure AD now supports FIDO2 in public preview (read announcement here).]

So here is a summary of all known/possible defenses in Microsoft’s security arsenal and how they measure up against EvilGinx2.

Defense EvilGinx2 Microsoft License Required Notes
Always-On MFA: “SMS” aka Text Messaging Bypass Successful Any O365 Plan The National Institute of Standards and Technology (NIST) updated guidance back in July of 2016 that government agencies should avoid SMS (NIST 800-63B).

There are several ways to bypass this form of 2FA (sim swapping, SS7, porting, etc).

The Payment Card Industry (PCI) follows the NIST guidance in its latest supplement on MFA issued in July 2017.

Always-On MFA: “Authenticator App” Bypass Successful Any O365 Plan Then authenticator app is much more secure than SMS/Text 2FA, however, because EvilGinx2 captures the authentication token issued, it successfully defeats even this more secure version of 2FA.
Azure Identity Protection Bypass Successful

[Evilginx2 bypassed Azure Identity Protection]

AAD P2 or (EMS E5, M365 E5, Identity & Threat Protection Bundle) We enabled the user risk policy and the sign-in risk policy to block logins with any user risk. We assume that since we had the captured token, Azure Identity Protection is not continuously checking the user identity (unlike the new-clientaccess rule which checks every attempt).
Azure Conditional Access: IP Fence Bypass Unsuccessful

[EvilGinx2 Blocked]

AAD P1 or one of the bundles (EMS E3+ or MS365 E3+) The reason why AAD Conditional Access can block EvilGinx is because the Attacker’s IP address is what is presented rather than the original user’s IP address.
Exchange Online Client Access Rule*
(new-clientaccessrule)
Bypass Unsuccessful against Exchange Online

[EvilGinx2 Blocked]

Any Exchange Online License Effective for protecting Exchange Online only.

(The hacker can get to office.com but then they get an error as soon as they click on Outlook)

Device Enrollment into Intune or Windows 10 Compliance Checking Bypass Unsuccessful

[EvilGinx2 Blocked]

Intune or EMS E3 or M365 E3 Since the attacker’s machine is not enrolled into Intune, it cannot pass a compliance check and it is therefore blocked.
Certificate Based Authentication
(Microsoft Cloud App Security Conditional Access App Control)
Bypass Unsuccessful

[EvilGinx2 Blocked]

AAD P1 + Microsoft Cloud App Security (or EMS E5) The attacker can get to office.com but then they get an error as soon as they access an application protected by an MCAS CAAP access policy)
Hybrid Domain Join Bypass Unsuccessful

[EvilGinx2 Blocked]

AAD P1 or EMS E3 or M365 E3 The reason why AAD Conditional Access can block EvilGinx is because the Attacker’s proxy device is presented rather than the original user’s device
Custom Branding Bypass Unsuccessful

[EvilGinx2 Blocked]

AAD P1 or EMS E3 or M365 E3 Note: in our testing, the ‘custom branding’ feature in AAD P1 caused EvilGinx2 to not render the sign-in page (this is a problem that they should be able to fix though, so I wouldn’t depend on this as a permanent countermeasure).
U2F (Ex: Yubico) Bypass Unsuccessful

[EvilGinx2 Blocked]

AAD P1 or EMS E3 or M365 E3 The author of EvilGinx has already tested and confirmed that U2F will successfully block because of the U2F origin binding implementation.
Windows Defender Smart Screen Smart Screen does not block an EvilGinx hyperlink

(due to zero reputation)

N/A – built into Internet Explorer since version 7, and Microsoft Edge and Windows 10 Creators Update, and available as an add-on for Chrome Smart Screen seems to only be effective against URLs that are in a block list. Since hyperlinks generated by EvilGinx have zero reputation, they are not blocked by Smart Screen.
Exchange Online Protection and/or Office 365 Advanced Threat Protection EOP and/or ATP does not block an EvilGinx hyperlink (due to zero reputation) Office 365 E5 or M365 E5 Since hyperlinks generated by EvilGinx have zero reputation, they are not blocked by ATP Safe Links. Safe Links records that the link was clicked on, which can be searched later using the URL trace feature.
Microsoft Advanced Threat Protection (prior to March 21st 2019 it was called Windows Defender ATP) MDATP (aka WDATP) does not block EvilGinx Windows 10 E5 or M365 E5 Microsoft ATP records that the link was clicked on but it does not block it.

Recommendations for Office 365 Customers

  1. If you are an Office 365 E3 subscriber, upgrade to Enterprise Mobility Suite and configure Azure AD Conditional Access for either (machine-authentication (domain-join checking, certificate checking) or IP address fencing) or (compliant device checking with Intune for Mobile Devices or Intune UEM for Windows 10). If you need assistance, find a qualified Microsoft Partner (here) and scroll down to the bottom.
  2. Consider implementing client access rules to protect Exchange Online. For an excellent overview of how client access rules work, watch this MSFT Ignite Video (here), fast-forward to 7:35 and watch until 15:55. Here is an example client access rule targeting a test account.
    new-ClientAccessRule -name “Allow InternalIP Only” -Action DenyAccess -ExceptAnyOfClientIPAddressesOrRanges [enter your public IP addresses here] -UsernameMatchesAnyOfPatterns *TestUserName
  3. Plan a U2F deployment, for example with Yubico. [This is now supported with Azure AD as of 7/10/2019].

    “With the YubiKey, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real. This greatly mitigates against the increasing volume and sophistication of phishing attacks and stops account takeovers.” Reference https://www.yubico.com/solutions/fido-u2f/

  4. Perform regular Security Awareness training to help users recognize suspicious URLs.
    Note: Microsoft’s Office 365 ATP has an exclusive feature called ‘Native Link Rendering’
    to show users the original hyperlink when they hover over it. No other advanced hyperlink scanning solution has this capability (I asked all the top vendors this question including ProofPoint, Mimecast, FireEye, Symantec and others). Native Link Rendering requires the Office 365 C2R (click-to-run) version, and not the volume-licensed MSI installer version of Office. Monthly Channel 1808 release (September 2018) or Semi-Annual Channel 1901 (which has not rolled out yet except to the Semi-Annual Targeted channel). See release notes (
    here).
  5. Harden the Office 365 tenant. A good place to start is my blog post ’20 Things to do before and after a phishing event in Office 365′. And we also offer a monthly service to continuously audit and harden Office 365, for more on that service click here.
    If you are investigating an incident and you believe a user’s token has been captured, you can invalidate a token with this AAD PowerShell cmdlet
    $date =get-date; Set-Msoluser -UserPrincipalName (UPN) -StsRefreshTokensValidFrom $date

Feedback for Microsoft:

  • Microsoft should consider improving Office ATP Safe Links and/or SmartScreen to take into consideration the age of a newly registered domain name. Some of Microsoft’s competitors can check the age of a domain name when determining hyperlink reputation.
  • Microsoft should consider developing features similar to new-clientaccessrule for the other services in Office 365 like SharePoint Online, OneDrive for Business, Teams, Dynamics
  • Azure Identity Protection could be improved to check every attempt, similar to new-clientaccesrule. We assume the fact that we had imported a captured token is why we did not get triggered by the User Risk policy or Sign-in risk policies (which were both set to ‘low and above’ with the block control).
  • Don’t give away which factor of authentication was the reason why the attacker could not sign-in. For example, in our testing the attacker is able to learn whether it was a domain join check or a compliance check that they failed. This is precisely what the PCI DSS takes issue with in their MFA guidance (here)

    Therefore we recommend that Microsoft change from Multi-Step to true Multi-Factor authentication. Today, any world-wide user can attempt to guess a username and password, only to then be blocked by a subsequent policy. This arms the attacker with too much information on which challenge failed.

-Joe Stocker, CEO

Patriot Consulting Technology Group, LLC

Our Mission “to empower our clients to manage cyber security risk by securely deploying Microsoft Cloud technology”

Office 365’s MFA is vulnerable to EvilGinx2

According to the latest Microsoft Security Intelligence Report, spear phishing remains the preferred attack method used by hackers. Microsoft detected a 250% increase in phishing messages between January and December 2018.

Figure 1 Page 21 of the Microsoft Security Intelligence Report Volume 24

Many organizations have deployed 2FA as a layer of defense to guard against phishing, so that if the user gives away the username and password, the attacker shouldn’t be able to logon to the user account. The purpose of this blog post is to raise awareness that Office 365 in particular is now vulnerable to “network session hijacking proxy theft” which allows an attacker to sign in regardless of the MFA solution (MSFT, Duo, RSA, SMS, etc). The authentication token is captured after the victim is tricked to going to a credential stealing website where they perform MFA through a proxy server. The token is then re-played by the attacker who can sign in as the user.

To see a demonstration of this, watch this Youtube video, https://www.youtube.com/watch?v=k4bq5A-icBw (Credit to @thehappydinoa)

Prior to this video, I haven’t been able to find any evidence of blog posts or videos demonstrating a successful bypass against Office 365’s 2FA capabilities. It’s worth noting that Office 365 is not unique – the same man-in-the-middle attack works against Google, LinkedIN, and other platforms as first demonstrated by Kevin Mitnick (KnowBe4) in May 2018 (original blog post (here). Since then other phishlets have been developed for Amazon, Github, Protonmail, Citrix, OKTA, Twitter, Instagram, Facebook, reddit, and consumer Outlook.com, and now Office 365.

The reason why this is important is because much of the security industry emphasizes MFA without raising awareness of this man-in-the-middle threat. For example, in my opinion one of the best presentations at the 2018 RSA conference was given by Booz | Allen | Hamilton which gave overwhelming evidence that 2FA would have stopped or reduced the impact of every one of the 159,700 total cyber incidents reported by the Online Threat Alliance in 2017. (Page 6, reference here). Now, the caveat has to be added that MFA would have stopped cyber incidents as long as victims were not tricked to going to proxy websites.

We have taken for granted that the very best anti-spam/anti-phish security solutions will not block 100% of the threats, and it is now time we accept the reality that MFA will not always prevent unauthorized authentication (much like how the SMS version of 2FA is no longer recommended or sufficient).

Roger Grimes of KnowBe4 gave a wildly popular presentation at the 2019 RSA Security Conference (requiring overflow seating) which listed 12 methods to bypass MFA (PDF download here). Some of these techniques require the attacker to invest a lot of time and sometimes money and risk (sim swapping) or be adept at social engineering (phone number porting). However, this all changed when Kuba Gretzky (@mrgretzky) released EvilGinx in 2017. Kuba showed how attackers can reduce their risk, cost, and effort through “network session hijacking proxy theft.” Grimes mentioned this technique among the 12 MFA bypass methods in his RSA presentation, and included a video showing how Kuba’s updated EvilGinx2, successfully bypasses the 2FA of Gmail and LinkedIN. At that time, there was no Office 365 phishlet available, but it was later added by @JamesCullum. 

In January at a Microsoft event, I asked Microsoft if Office 365 defended or detected network session hijacking proxy theft, specifically EvilGinx2. They stated that Office 365 would prevent this technique. [See part two of this blog series to see how]

Enter Aidan Holland (@thehappydinoa), who recently verified that EvilGinx2 can successfully bypass Office 365’s 2FA. Aidan also solved a vexing problem for Troy Hunt, who was trying to get a list of the Fortune 500 for his security research. Read about his solution to solve that problem here.

Aidan’s video is the first showing a successful bypass of Office 365 MFA:

https://www.youtube.com/watch?v=k4bq5A-icBw

(Credit to @thehappydinoa)

It’s worth noting that the phishing link generated by EvilGinx2 is not blocked by MSFT EOP, Office ATP, Microsoft Defender ATP, or Windows Defender SmartScreen.

In the next blog post (here), I will discuss ways to protect against EvilGinx2.

Analysis of DNS Recon of the Fortune 500 (Part 1 of 3)

In this three-part blog series, I will be writing about interesting trends amongst the Fortune 500 using public DNS reconnaissance posted in open source github repositories. This first post is focused on the email security providers used by the Fortune 500. The other posts will analyze adoption trends in DMARC and IdP Federation.

One of the favorite people I follow on twitter is Daniel Streefkerk (@dstreefkerk) from Sydney, Australia. Daniel tweeted on February 11th about a script he published to github (here) that performs DNS reconnaissance He posted a graph (here) of which email security providers were used by the top 250 Australian Companies.

 

Then a few days later he posted (here) how he updated the script to check for federation information (ex: Does the domain federate with OKTA, ADFS, Ping, OneLogin, etc?) and other interesting things like whether Office 365 was detected, the tenant name discovered (typically it is publicly listed in the DKIM DNS record).

I was curious how his findings in Australia compared to companies in the United States, but I couldn’t think of a simple way of finding the fortune 500 email domain names. Turns out, I was not alone. One of Daniel’s fellow Auzzies, Troy Hunt, a Microsoft Regional Director (a title similar to an MVP) recently asked a similar question (here) on March 31st:

Everyone seemed to have ideas but Troy seemed frustrated at one point that there wasn’t a simple list available somewhere. That’s when Aidan Holland (@thehappydinoa) came to the rescue and wrote an elegant 152-line python script (here) to gather about 455 of the 500 from a JSON query against hifld data. He then took that data and queried virus total, threat crowd, crt.sh, and finally validated it was a valid DNS domain for email by querying the MX record in DNS. All in 152 lines of Python. Impressive.

His JSON query the initial data set came from ARCGIS.COM with this code:

FORTUNE_500_JSON
=
“https://opendata.arcgis.com/datasets/a4d813c396934fc09d0b801a0c491852_0.geojson”


Aidan published the resulting list of 455 domain names (here). Then using PowerShell, we can pipe that into Daniel’s DNS recon script, to produce a report showing the email filtering systems used by the Fortune 500.

Get-Content fortune_455_emails.txt | .\Invoke-EmailRecon.ps1 | Export-Csv 455.csv


Raw Table Results:

Email Security Vendor

Count

Proofpoint

141

Self-Hosted

91

Microsoft Exchange Online Protection (EOP)

83

Other/Undetermined

59

Symantec.Cloud

36

Cisco Email Security (Formerly IronPort Cloud)

27

Google

11

Forcepoint (Formerly Websense)

4

Trend Micro

2

FireEye Email Security Cloud

1

 

The results indicate that most are using ProofPoint, Exchange Online Protection, or they are self-hosting their own service of some type.

Comparing the results to Australia, we can see that the US Market is consolidated to a few big players, whereas Australia is reasonably diversified. The significance of this is that malware should theoretically spread slower in Australia, because malware authors would have to work significantly harder to find vulnerabilities across multiple email security solutions if they wanted to infect the majority of the top 250 companies in Australia, whereas in the USA the malware authors just need to find a flaw in ProofPoint and Exchange Online Protection to infect 50% of America’s Fortune 500.

What surprised me was to see ProofPoint has a 6% penetration into the Australian market, compared to 28% in the United States (no surprise since ProofPoint HQ is in the USA).

These results could also be helpful for smaller or mid-size businesses who sometimes look at the decisions made by members of the Fortune 500 as a standard, ex: “good enough for them, good enough for me.”

Universities, think tanks, and research firms like Gartner and Forrester can now take periodic snapshots of this data to determine trends of email security vendors (or IdP federation vendors). Companies could use this data to find out which markets to expand into. And unfortunately Malware authors have most likely already figured out that targeting flaws in ProofPoint and Exchange Online will net them 50% of the Fortune 500.

In the next blog post, I will examine DMARC and IdP adoption trends.

Top 10 Fixes for troubleshooting free/busy between Exchange on-premises and Exchange Online in Office 365

Free/busy often fails to work out-of-the-box after configuring Hybrid Exchange with Office 365. Here are my top ten fixes:

 

  1. Set the sharing policy to match on-premises and cloud.

    First, Connect to Exchange Online Remote Powershell and run get-sharingpolicy

    Then connect to on-premises Exchange Management Shell and run get-sharing policy

    Then make the two match on both sides.

 

Set-SharingPolicy -Identity SharingPolicy01 -Domains ‘contoso.com: CalendarSharingFreeBusySimple’, ‘atlanta.contoso.com: CalendarSharingFreeBusyReviewer’, ‘beijing.contoso.com: CalendarSharingFreeBusyReviewer’

 

  1. Set the organization relationship domains to include all accepted domains on both on-premises and cloud (always requires an IISRESET for it to take effect)
    This script helps identify missing domains in an existing relationship:

     

    if ( (Get-OrganizationRelationship).DomainNames -contains (Get-Mailbox user).PrimarySmtpAddress.Domain) { write-host “The domain was found” -ForegroundColor Green } else { write-host (Get-Mailbox user).PrimarySmtpAddress.Domain “was not found” -ForegroundColor Yellow}

     

    $OrgRel = Get-OrganizationRelationship Contoso

    $OrgRel.DomainNames += “contoso.com”

    Set-OrganizationRelationship $OrgRel.Name -DomainName $OrgRel.DomainNames

     

     

    1. If the autodiscover DNS name is not published in external DNS, and if the client doesn’t want to do that, then manually configure TargetSharingEpr to use the published EWS path

      Get-OrganizationRelationship -Identity “O365 to On-premises – (GUID)” | Set-OrganizationRelationship -TargetSharingEpr https://mail.contoso.com/ews/exchange.asmx

    4) For ‘401 errors’ try disabling the IOC connector in Exchange 2013 to have oAuth fall back to dAuth


    5) Sometimes it’s necessary to set the on-premises EWS virtual directory “WSSecurityAuthentication” value back to defaults (some clients change this if they do load balanced CAS)
    (this is commonly a last resort)

    Need to change WSSecurityAuthentication to False for EWS Virtual directory.

        a.       Set-WebServicesVirtualDirectory “Exch CAS\ews*” –WSSecurityAuthentication $false

        b.      Need to Stop MSExchangeServicesAppPool.

        c.       Need to Start  MSExchangeServicesAppPool.

     

      Need to change WSSecurityAuthentication to True again for EWS Virtual Directory.

        a.       Set-WebServicesVirtualDirectory “Exch CAS\ews*” –WSSecurityAuthentication $True

        b.      Need to Stop MSExchangeServicesAppPool.

        c.       Need to Start  MSExchangeServicesAppPool.

     

      Need to change WSSecurityAuthentication to False for Autodiscover Virtual directory.

        a.       Set-AutodiscoverVirtualDirectory “Exch CAS\Auto*” –WSSecurityAuthentication $false

        b.      Stop MSExchangeAutodiscoverAppPool.

        c.       Start  MSExchangeAutodiscoverAppPool.

     

      Change WSSecurityAuthentication to True again for Autodiscover Virtual Directory.

        a.       Set-AutodiscoverVirtualDirectory “Exch CAS\Auto*” –WSSecurityAuthentication $true

        b.      Stop MSExchangeAutodiscoverAppPool.

        c.       Start  MSExchangeAutodiscoverAppPool.

     

    6) If the Exchange Server is behind a web proxy then it is usually necessary to configure InternetWebProxy Set-ExchangeServer <Server Name> -InternetWebProxy:http://<Proxy Address>:<Proxy Port>

     

    7)  Verify the availability address space and see required SMTP domain with access method.

        Get-AvailabilityAddressSpace (Run this on-prem)

     

    8) Try running diagnostic commands:
    You can also use the Test-FederationTrust (on prem only) and Test-OrganizationRelationship  (run this both on prem and in cloud too)

    And you can also use this website to run tests: https://www.testexchangeconnectivity.com/

    9) Make sure that the cloud user you are searching for has a valid (tenant).mail.onmicrosoft.com alias on their target mailbox (make sure Azure AD Connect is properly replicating that attribute, and/or, that the Exchange Address Policy is not blocking inheritance on that particular user/object).

     

    10) Run these commands to gather diagnostic information:

    Onpremises:

    Start-Transcript

    Get-FederationTrust | fl

    Get-FederatedOrganizationIdentifier | fl

    Get-OrganizationRelationship | fl

    Get-WebServicesVirtualDirectory | Export-Clixml C:\temp\WebVdir.xml

    Get-AutoDiscoverVirtualDirectory | Export-Clixml C:\temp\AutoDVdir.xml

    Get-RemoteMailbox bobc_sync | fl

    Get-Mailbox “on-premises John Doe User” | fl

    Test-FederationTrust -UserIdentity user@domain.com | fl

    Test-FederationTrustCertificate | fl

    Get-IntraOrganizationConnector | fl

    Stop-Transcript

     

    Online:

    Start-Transcript

    Get-FederationTrust | fl

    Get-FederatedOrganizationIdentifier | fl

    Get-OrganizationRelationship | fl

    Get-MailUser “on-premises John Doe User” | fl

    Get-Mailbox “Cloud user” | fl

    Get-IntraOrganizationConnector | fl

    get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity “cloud user”

    Stop-Transcript

     

     

     

    And when all else fails I reference these two blog articles:

    https://blogs.technet.microsoft.com/exchange/2018/02/06/demystifying-hybrid-freebusy-what-are-the-moving-parts/

    and

    https://blogs.technet.microsoft.com/exchange/2018/03/02/demystifying-hybrid-freebusy-finding-errors-and-troubleshooting/