Finding 365 bugs in Microsoft Office 365

Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible, is a bug bounty program.

During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.

bugs Microsoft Office 365

What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?

I found literally hundreds of bugs in Office 365 but my favourite are All your Power Apps Portals belong to us and Cross-tenant privacy leak in Office 365. In the earlier one, I was able to control the Power Portal sites via Insecure Direct Object Reference (IDOR) while in the later one, as an attacker you can reveal the Lync (Skype for business) status in a cross-tenant manner. An attacker could see that a particular user is online or be right back while at the same time also can reveal the custom location set by the victim.

How would you rate Microsoft Office 365 security in general?

Finding a bug in Microsoft 365 is a challenging task given Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.

Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.

What type of bugs did you find? What was the severity of the discovered issues?

I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.

When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.

What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?

Bug hunting is still in early ages as a field. I would call it an amateur field where both parties (a bug hunter and a bug receiver) are learning.

Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.

When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.

78% of Microsoft 365 admins don’t activate MFA

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView.

Microsoft 365 MFA

Microsoft 365 administrators fail to implement basic security like MFA

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.

Microsoft 365 admins given excessive control

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data.

In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggests limiting the number of global admins to two-four operators maximum per business.

Investing in productivity and operation apps without considering security implications

The data shows that US enterprises (on average, not collectively) utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of business across departments, locations, and time zones.

While increased access to productivity and operations apps helps fuel productivity, unsanctioned shadow IT apps have varying levels of security, while unsanctioned apps represent a significant security risk.

Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against shadow IT resources.

Many orgs underestimate security and governance responsibilities

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365. IT leaders often assume that Microsoft 365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles.

The research disprove this by revealing that many organizations struggle with fundamental governance and security tasks for their Microsoft 365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in Microsoft 365.

Microsoft releases new encryption, data security enterprise tools

Microsoft has released (in public preview) several new enterprise security offerings to help companies meet the challenges of remote work.

Microsoft enterprise security

Double Key Encryption for Microsoft 365

Secure information sharing is always a challenge, and Microsoft thinks it has the right solution for organizations in highly regulated industries (e.g., financial services, healthcare).

“Double Key Encryption (…) uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security,” the company explained.

“You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application.”

This Microsoft enterprise security solution allows organizations to migrate sensitive data to the cloud or share it via a cloud platform without relying solely on the provider’s encryption. Also, it makes sure that the cloud provider or collaborating third parties can’t have access to the sensitive data.

Microsoft Endpoint Data Loss Prevention

“Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud,” Alym Rayani, Senior Director, Microsoft 365, noted.

“Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies.”

Organizations can use it to prevent copying sensitive content to USB drives, printing of sensitive documents, uploading a sensitive file to a cloud service, an unallowed app accessing a sensitive file, etc.

When users attempt to do a risky action, they are alerted to the dangers and provided with a helpful explanation and guidance.

Insider Risk Management and Communication Compliance

Insider Risk Management is not a new offering from Microsoft, but has been augmented by new features that deliver new, quality insights related to the obfuscation, exfiltration, or infiltration of sensitive information.

“For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behavior,” explained Talhar Mir, Principal PM at Microsoft.

“Finally, one of the key early indicators as to whether someone may choose to participate in malicious activities is disgruntlement. In this release, we are further enhancing our native HR connector to allow organizations to choose whether they want to use additional HR insights that might indicate disgruntlement to initiate a policy.”

Communication Compliance has also been introduced earlier this year, but now offers enhanced insights and improved actions to help foster a culture of inclusion and safety within the organization.

Microsoft releases Defender ATP for Android and Linux

Microsoft has added support for Linux and Android to Microsoft Defender ATP, its unified enterprise endpoint security platform.

Microsoft Defender Advanced Threat Protection is designed to help enterprises prevent, detect, investigate, and respond to advanced cyber threats on company endpoints from one central point.

Microsoft Defender ATP for Linux

Microsoft Defender ATP initially offered protection only for Windows devices (it was called Windows Defender APT at the time), but the protection was extended to macOS devices in mid-2019.

Microsoft Defender Android Linux

“Adding Linux into the existing selection of natively supported platforms by Microsoft Defender ATP marks an important moment for all our customers. It makes Microsoft Defender Security Center a truly unified surface for monitoring and managing security of the full spectrum of desktop and server platforms that are common across enterprise environments (Windows, Windows Server, macOS, and Linux),” noted Helen Allas, a principal program manager at Microsoft.

Microsoft Defender ATP for Linux supports the most recent versions of CentOS Linux, Debian, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and Ubuntu.

“This initial release delivers strong preventive capabilities, a full command line experience on the client to configure and manage the agent, initiate scans, manage threats, and a familiar integrated experience for machines and alert monitoring in the Microsoft Defender Security Center,” Allas explained.

Microsoft Defender ATP for Linux requires the Microsoft Defender ATP for Servers license and can be deployed and configured using the Puppet or Ansible configuration management tool or the organization’s existing Linux configuration management tool.

Further requirements and info about deployment and use are available here.

Microsoft Defender ATP for Android

Microsoft has also announced on Tuesday the public preview of Defender ATP for Android.

Microsoft Defender ATP for Android will automatically block access to unsafe/phishing websites from SMS/text, WhatsApp, email, browsers, and other apps, as well as block unsafe network connections that apps might make on the user’s behalf.

Microsoft Defender Android Linux

Users will be informed about it and asked if they want to proceed, report the block, or dismiss the notification.

Microsoft Defender ATP for Android is also capable of detecting malicious apps, potentially unwanted applications and malicious files on the protected device.

“Additional layers of protection against malicious access to sensitive corporate information is offered by integrating with Microsoft Endpoint Manager, which includes both Microsoft Intune and Configuration Manager,” explained Kanishka Srivastava, a senior program manager at Microsoft.

“For example, a compromised device would be blocked from accessing Outlook email. When Microsoft Defender ATP for Android finds that a device has malicious apps installed, it will classify the device as ‘high risk’ and will flag it in the Microsoft Defender Security Center. Microsoft Intune uses the device’s risk level in conjunction with pre-defined compliance polices to activate Conditional Access rules that block access to corporate assets from the high risk device. (…) Once the malicious app is uninstalled, access to corporate assets is restored automatically for the mobile device.”

Enterprise admins will be able to see the alerts, threats and activities in the Microsoft Defender Security Center and make appropriate decisions.

Srivastava added that more capabilities for Android will be rolled our in the coming months and that Microsoft Defender ATP for iOS will be released later this year.

Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service

Blackpoint Cyber released 365 Defense – a Microsoft 365 security add-on for its true Managed Detection and Response (MDR) service. With 365 Defense, Blackpoint adds 24/7 monitoring, threat detection, and security policy enforcement for Microsoft 365 environments. The add-on is available to existing and new clients and provides an additional offering for Blackpoint partners, including Managed Service Providers (MSPs). There’s been an alarming increase in Microsoft 365 account takeover (ATO) attacks according to a report … More

The post Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service appeared first on Help Net Security.

Box builds interoperability within Microsoft 365 environments to transform the way users work

Box, a leader in cloud content management, announced new integrations with Microsoft 365, building on Box’s interoperability within Microsoft environments. These include the integration of Box within Microsoft Teams, which will be generally available on March 31, as well as an updated Box add-in for Microsoft Outlook on mobile and new security and identity integrations.

“Tens of thousands of customers across every industry and in every region are using Box together with Microsoft,” said Jeetu Patel, Chief Product Officer at Box. “That is why we are working to make the Box experience in Microsoft 365 as seamless as possible, providing users with a powerful combination to transform the way they work.”

“With Microsoft 365, we are committed to delivering solutions that promote collaboration and productivity among all our customers,” said Kirk Koenigsbauer, Corporate Vice President for Microsoft 365.

“We are proud to support a vibrant ecosystem through an open and interoperable platform that allows companies like Box to create tailored and integrated experiences for their users.”

Box and Microsoft share a community of customers across the globe, including Western Union and Rodan + Fields to government agencies, nonprofit organizations and tens of thousands of small and medium businesses.

“Our workforce collaborates daily in Box and Microsoft and they benefit from the ability to seamlessly access, create and share content wherever they are, in real-time,” said Evan Wayne, Vice President, Corporate & Shared Services at Rodan + Fields.

“Box and Microsoft’s integrated platform allows for secure, efficient and frictionless collaboration around the globe.”

Users within Box can already easily and securely open and edit files using Microsoft’s Office 365 editors, while users in Outlook can readily share Box content within email.

Additionally, Box works seamlessly with Azure Active Directory for identity and access management, Intune for mobile device management, and Microsoft Cloud App Security for cloud security. Box is also a member of Microsoft’s Intelligent Security Association.

Microsoft Teams

The all-new Box and Microsoft Teams integration will be generally available starting March 31, 2020. This integration enables users to access and share Box content directly in Teams channels or chats.

All channel content will be available with the new Box Files Tab. In addition, team level deployment will be available with automated folder creation and permission mapping between Box and Teams.

Mobile products

The new Box Add-in for Microsoft Outlook will now support saving email attachments to Box for both iOS and Android. This builds on the existing support for the Outlook app on Windows, Mac or web with Box for Outlook.

This comes on the heels of the February general availability of Microsoft’s new unified mobile Office app, which supports Box. This integration enables users to open, edit and save Box files directly within the new Office app.

Security and identity products

Admins can use Box Shield to restrict printing and downloads of files in Box from Office 365 web editors (Word, PowerPoint, Excel) based on Box security classifications. Later this year, a new Azure AD integration will provide one-click single-sign-on (SSO), enabling customers to set up the configuration with minimal effort.

In addition, Box will be adding support for Microsoft Authenticator for 2-factor authentication of managed users and external collaborators via time-based OTP (one-time password). Box will also extend Intune support for additional use cases such as Mobile Application Management (MAM) with Mobile Device Management (MDM) enrollment for Android devices.

Finally, Box will be investing to build a new Azure Information Protection (AIP) integration to read and enforce AIP classification labels using Box Shield in the second half of 2020.

Microsoft demystifies email attack campaigns targeting organizations

Email is attackers’ preferred method for gaining a foothold into organizations. Campaign views, a new type of report available to some Microsoft enterprise customers, allows security teams to see how successful specific email attack campaigns have been at compromising their organization and to thwart future ones.

email attack campaigns

About Campaign views

Campaign views is accessible through the Threat Explorer dashboard of Office 365 ATP, Microsoft’s cloud-based email filtering service.

“Within a single campaign, attackers may change the sending infrastructure, sending IPs, sending domains, sender names and addresses, URLs, and even the hosting infrastructure for these attack sites. They use these changes or ‘morphs’ to try and get around defenses,” Girish Chander, Microsoft’s Group Program Manager of Office 365 Security, explained.

Security teams can explore details of email attack campaigns their organization has been targeted with and:

  • See summary details about each campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
  • See the list of IP addresses and senders used to orchestrate the attack.
  • Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
  • See all the URLs that were manifested in the attack
  • Learn if there are users that have fallen prey to any attacks and clicked on the phish URL.

This allows them to identify users who have fallen prey to the attack and take remediation steps faster, spot and remediate configuration flaws that allow the attack to be successful, use the indicators of compromise to investigate related campaigns and hunt and track threats so they can thwart future attacks.

Positive effects on multiple levels

Chander says that customers who’ve already used the feature are very satisfied, as it allowed them to, for example, identify configuration flaws that resulted in 34% of the phishing messages detected by ATP being rescued and delivered into user inboxes.

“One pleasantly surprising learning for us through these conversations with customers is how almost all of them have told us that these campaign views also allow security teams to more effectively represent to the CISO and business peers, the protection value security teams bring to the organization. They do this by enumerating the campaigns blocked, adding color by describing the type of key campaigns, the improvements made to the defenses and the users remediated,” he added.

Campaign views is currently in public preview and available to business customers on the Office 365 ATP Plan 2, as well as those who have opted for the most comprehensive (i.e., E5) Office 365, Microsoft 365 Security and Microsoft 365 plans.