Resisting Organisation Email Compromise Attacks on Office 365 Users

Some Security FUD About an Undocumented API

Last week I discussed how to use the Office 365 edition of Microsoft Cloud App Security (CAS) to gain greater insight into the security profile of an Office 365 tenant. If you already have Office 365 E5 subscriptions, using CAS is a no-brainer because it is included in your plan. If not, CAS is available as an add-on for $36/user/year and all accounts in the tenant have to be licensed to make the CAS analytics effective.

Since I wrote the post, a number of people have asked me about the “undocumented” API for Outlook mailbox activity reported in a blog written by a security forensics company called CrowdStrike on June 18. Apparently, the security community discovered the new API through a video published by the for your organization.”

Simply put, disabling the audit log search doesn’t stop Microsoft gathering activity data about what happens in a tenant and populating the Office 365 audit log. That information is available through the Management Activity API. Security products created by ISVs use the API to gather and analyze activity data when authorized by tenants. Although they use the same data, ISVs compete with Microsoft with lower costs and some different functionality (like identifying Office 365 accounts with compromised passwords).
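Activity records of the kind the Management Activity API delivers can be checked for specific events. This is an added example, not code from the original article: it flags Exchange operations that set up mail forwarding to a domain outside the tenant. The choice of events, the watch lists, the `contoso.example` domain and the sample records are assumptions constructed for illustration.

```python
import json

# Assumed watch lists (not from the article): Exchange operations and the
# parameters on them that send a mailbox's mail to another address.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress"}

def external_targets(value, internal_domains):
    """Return the addresses in a parameter value that lie outside the tenant."""
    hits = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            hits.append(addr)
    return hits

def find_external_forwarding(records, internal_domains):
    """Flag audit records that set up forwarding to an outside domain."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in WATCHED_OPS:
            continue
        for param in rec.get("Parameters") or []:
            if param.get("Name") not in FORWARD_PARAMS:
                continue
            targets = external_targets(str(param.get("Value", "")), internal)
            if targets:
                findings.append({"user": rec.get("UserId"), "time": rec.get("CreationTime"),
                                 "operation": rec["Operation"], "targets": targets})
    return findings

# Constructed sample records, shaped like Exchange audit events.
SAMPLE = json.loads("""[
 {"CreationTime": "2018-06-25T09:14:02", "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
  "Parameters": [{"Name": "Name", "Value": "x"}, {"Name": "ForwardTo", "Value": "drop@outside.example"}]},
 {"CreationTime": "2018-06-25T09:20:41", "Operation": "New-InboxRule", "UserId": "bob@contoso.example",
  "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
 {"CreationTime": "2018-06-25T10:02:17", "Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
  "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.pa@contoso.example"}]},
 {"CreationTime": "2018-06-25T10:05:00", "Operation": "MailboxLogin", "UserId": "dave@contoso.example"}
]""")

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE, ["contoso.example"]):
        print(finding)
```

Only the first sample record is reported; the internal forward and the rule that moves mail to a folder are ignored.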


It’s also the case that Microsoft gathers a great deal of telemetry data about how people use Office 365 apps. Microsoft uses this telemetry to find and fix problems, to understand what the most heavily used features are, and as a guide for future development. The data ends up in the Microsoft Graph. Some say that this is proof that Microsoft spies on what people do inside Office 365. If so, it’s the same kind of thing that power companies do when they monitor the delivery of an electricity supply to a house.

The Activity API that the fuss is about belongs to the Outlook API. I bet the reason why Activities are not exposed in the same way as the other parts of the Outlook API is that the use is primarily internal (telemetry).

Resisting Organisation Email Compromise Attacks

The more pertinent question is whether the data exposed through the API can help to highlight and prevent potential alert policies in the Security and Compliance Center to search for particular events in the Office 365 audit log and alert when these events occur. Although the alerts can only sound after an event happens, it is still useful to know when something happens.

Use Azure Information Protection to encrypt communications

You can set up templates so that known recipients outside your domain can read protected information, and any Office 365 user can now encrypt messages to any recipient. Even better, you can configure a transport rule to encrypt all email sent to selected domains.

Stay Calm and Stay Focused

It’s easy to become excited when a blog reveals some new information that seems important at first glance. Office 365 is a complex suite of applications and its management is complex too (something that Microsoft could improve), but there are lots of ways to use the data already available to you to resist the kind of attacks contemplated in the recent revelations. Remember, being proactive is always better than being reactive when it comes to security.

Follow Tony on Twitter @12Knocksinna. Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.