Forum Widgets
Latest Discussions
User app registration - exploitable for BEC?
Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox and hijacking a thread. I can see the login from two weeks ago (the incident was only noticed a couple days ago, however) - from a European country that SHOULD have been blocked by Conditional Access. Come to find out, the tenant conditional access was unassigned from everyone. We're not sure how - we re-enabled it, and audited changes, but the only change that appears was us re-enabling it. Which I thought indicates it was never configured right, except we've got a ticket documenting a change to Conditional Access a couple days after the hack that ALSO does not appear in the logs. So... it's likely it was changed, yet I have no record of that change (atleast, not through Entra > Monitoring > Auditing). If anyone knows any other ways of checking this, please advise - but I can't seem to even access our Diagnostic settings, the page tells me I need an Azure Active Directory subscription (I'm on Entra ID P1, which includes AAD.... this might be related to being global admin, and not Security Admin - we don't use that role in this relationship) ANYWAY, my amateur forensic skills have found that the attacker used an app called eM Client to get access. I'm not sure yet how they obtained the password, and got past MFA... But quick research shows this application (esp it's pro version) is known for use in BEC. The app was registered in Entra, and granted certain read permissions in Entra ID for shared mailboxes, presumably to find a decent thread to hijack. I'm not 100% sure yet there was any actual exploit done using this app, but it's popularity amongst hackers implies it does SOMETHING useful (i think remember that it authenticates using Exchange Web Services instead of Exchange Online, or something similar? Will update when I have the chance to check). We're in the process of improving our Secure Score, and this incident makes me think user's ability to register apps should be locked down. Checked Secure Score for this, and while there ARE recommendations around apps, disabling user app registration is NOT one of them. Just curious about people's thoughts. I just barely understand App Registration in Entra, but if this is a known attack vector, I would think disabling app registration would be a security recommendation?underQualifriedJan 13, 2025Copper Contributor74Views0likes6CommentsHow Can I Remove Password from Windows 11 PC?
I have a home pc that changed the password two week ago. Unfortunately, I forgot to save the password like I did in the past. Now, I can't login the PC and unable to get to the Windows 11 desktop. Is there any way to remove password from Windows 11 without losing data? I tried Ophcrack password recovery tool but it does not work on a Windows 11 PC.SolvedYarisyoyoJan 13, 2025Iron Contributor628KViews1like14CommentsAuthenticator not displaying numbers on MacOS
I'm have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone see's the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is: Answer 'its not me' on the phone On the Mac, select 'I can't use Authenticator right now' Tell the Mac to send a new request This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?Scott2000Jan 13, 2025Copper Contributor28Views1like1CommentGet $25 USD for reviewing a Microsoft Security product on Gartner Peer Insights in 2025
Turn your expertise into impact—and $25—by sharing your review of Microsoft Security products on Gartner Peer Insights. Your feedback helps other decision-makers confidently choose the right solutions and provides valuable input to improve products and services. Select a product to review: Security Copilot Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Purview Microsoft Sentinel Here’s all you need to do: To submit a product review, log in to your Gartner Peer Insights account or create a free account in seconds. Once you have completed your review, Gartner Peer Insights will prompt you to choose a gift card option. Gift cards are valued at $25 USD and are available in multiple currencies worldwide. As soon as your review is approved, the gift card will be sent to you digitally via email What makes a successful review? Choose a Product You Know Well: Pick a product you’ve used extensively to provide detailed feedback. Share Your Experience: Describe your specific user experience with the product and any outcomes you realized. Highlight Features: Note any features and capabilities that made an impact. Terms & Conditions: Only Microsoft customers are eligible; partners and MVPs are not. Offer valid for reviews on Gartner Peer Insights as linked on this page. Non-deliverable gifts will not be re-sent. Microsoft may cancel, change, or suspend the offer at any time without notice. Non-transferable and cannot be combined with other offers. Offer runs through June 30, 2025, or while supplies last. Not redeemable for cash. Taxes are the recipient's responsibility. Not applicable to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China. Please see the below for more information Microsoft Privacy Statement Gartner’s Community Guidelines & Gartner Peer Insights Review GuideTrevorRusherJan 10, 2025Community Manager215Views1like0CommentsNew additions in Compliance manager
Hi everyone, I was just marveling about the addition of custom regulations in Compliance manager but apparently very few users seem to be using this particular module in Purview , at least I can't seem to find any user forum for it. Can anyone point me in the right direction or am I the only user of Compliance manager in the know universe 🙃 Regards, GuðjónGudjon_VidarJan 10, 2025Copper Contributor3Views0likes0CommentsAnomalies with Conditional Access Policy "Terms of Use" Failures
Hello Microsoft Community, I'm reaching out with a bit of a puzzle regarding our "Terms of Use" Conditional Access policy, and I'm eager to tap into the collective wisdom here for some insights. In our Entra ID User Sign-In logs, we've identified intermittent "failure" entries associated with the "Terms of Use" Conditional Access policy. Interestingly, even for users who had previously accepted the "Terms of Use". There appears to be no discernible impact, and they continue their tasks without interruption. This observation became apparent during the troubleshooting of unrelated Surface Hub and Edge Sync issues at some client sites. What adds to the complexity of the situation is that for the same users, both before and after these "failure" entries, the Conditional Access policy is marked as "success". Hence, it doesn't seem to be a straightforward case of the policy erroneously detecting non-acceptance of the "Terms of Use". The mystery lies in understanding why these intermittent "failure" entries occur for users who have already accepted the terms, especially when the policy consistently reports "success" for the same users. Furthermore, the Insights for the "Terms of Use" Conditional Access policy show around 1.48k successes and 1.43k failures in the last 90 days, yet there's no discernible impact on user functionality. Observations: "Failure" entries in Sign-In logs don't seem to disrupt users' day-to-day activities. The ratio of successes to failures is balanced, yet users experience no noticeable problems. The issue complicates troubleshooting efforts but doesn't significantly affect the user experience. I'm turning to the community for guidance on interpreting and resolving this discrepancy between "failure" entries in the Conditional Access policy logs and the seemingly unaffected user experience. Any insights into why these failures occur without user impact would be greatly appreciated. For additional context, I've attached screenshots of a user's Sign-In log entry and the insight chart from the Conditional Access policy. Sign-In log of a user (failure): Sign-In log of same user (success): Current Conditional Access insights: Thank you in advance for your time and assistance. I look forward to any guidance or solutions you can provide. Best regards, Leon TüpkerLeonTuepkerJan 10, 2025Copper Contributor856Views1like1CommentMicrosoft Security Community in 2025
Hey all! As your community manager, I wanted to kick off 2025 by asking you all: What you want to see more of on the Security Tech Community in the next year? What makes this platform most helpful to you? Is it more online events? Is it more community-based games or giveaways? We know this new platform UI update has come with a lot of overwhelming changes and challenges, so I wanted to check in on how everyone is doing. Please comment down below! Any and all feedback is appreciated. Let's have a conversation. Thank you!Trevor_RusherJan 09, 2025Community Manager81Views0likes3CommentsSensitivity Labels applied to email attachments versus directly on the document
I've noticed that the encryption applied to email attachments via sensitivity labels behaves differently than if the encryption is applied directly to the document. Example 1: I create an email and choose a sensitivity label that encrypts contents based on the specified users. I attach a Word document that does not have a sensitivity label applied. The email and attachment are encrypted. The email is sent to an external user Example 2:I create an email and attach a Word document that has already been assigned a sensitivity label that includes encryption.The email is sent to an external user. In Example 1, the recipient can view the attachment in Outlook Web. In Example 2, the document can't be viewed in Outlook Web. You will see a message "Sorry, Word can't open this document in a browser because it's protected by Information Rights Management". In example 1, the recipient can forward the email to someone in a separate tenant. They can also view the email and attachment. Is this expected behavior?IvanWilsonDec 31, 2024Iron Contributor332Views0likes1CommentBlocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan RojasJuanRojasCamposDec 31, 2024Copper Contributor665Views0likes3Comments
Resources
Tags
- cloud security981 Topics
- security758 Topics
- microsoft information protection516 Topics
- azure496 Topics
- information protection and governance480 Topics
- Microsoft 365413 Topics
- compliance388 Topics
- microsoft sentinel335 Topics
- Azure Active Directory239 Topics
- data loss prevention211 Topics