User Profile
RobYoung
Iron Contributor
Joined 9 years ago
User Widgets
Recent Discussions
Cleanup Intune profiles and policies
We have come across an issue where a desktop support person was logging into each windows device that they were deploying which assigned them as the primary user on the device. I ran a script to switch the primary user to the last logged on user which cleaned up the devices and assigned them corrcetly but now the polcies and profiles are a mess. Most of our polcies and profiles are user based and when I changed the primary user, it left his polcies and profiles on the device. How do I purge their policies and profiles on these devices. could it be his work profile is also still assigned on this device?Re: Recieving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
I think I am going to look at building a homegrown solution for scanning images for QR codes and building some rules around alerting on it (uncommon senders and from public email domains). Shouldnt be too difficult to do. Nice little side project.Re: New Outlook opens security hole
drogu-kangaroo Just an update, I performed the following test again and it did work: Create a test owa policy using powershell: New-OwaMailboxPolicy TestOWAPolicy Then I disabled personal accounts: Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy Then I applied the policy to a test user: Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy I then tried to add my personal mailbox to my outlook. It goes through the motions and just as it is about to sync, I get this:Missing data from the Office Activity logs
I run a query on a daily basis that uses the OfficeActivity table and filters the term Send within the operation field. I started to notice that my results were decreasing so I ran a summary for the past month and noticed a huge decrease in OfiiceActivity capturing the send activity. Any thoughts on what would be the cause of this? PS it is not sentinel missing data, because when I check the activity in Defender for cloud, the results are the same. Here is the query I ran: OfficeActivity | where TimeGenerated > ago(30d) | where Operation contains "Send" | summarize count() by bin(TimeGenerated, 1d) And here are the results: TimeGenerated [UTC] count_ 8/25/2023 417 8/24/2023 66 8/23/2023 93 8/22/2023 77 8/21/2023 73 8/20/2023 16 8/19/2023 17 8/18/2023 326 8/17/2023 2978 8/16/2023 3175 8/15/2023 4106 8/14/2023 3632 8/13/2023 466 8/12/2023 527 8/11/2023 2516 8/10/2023 3187 8/9/2023 3143 8/8/2023 3289 Now today it is looking like it is starting to climb back but I need to rely on this data so I wouldn't mind knowing why it stopped for almost a week. (no changes that would impact our environment were made btw)Re: New Outlook opens security hole
Just an FYI, I am just in the process of testing the OWA polices which seem to apply to both Outlook on the Web and "New Outlook". I have setup a test OWA policy: New-OwaMailboxPolicy TestOWAPolicy Then I disabled personal accounts: Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy Then I applied the policy to a test user: Set-CASMailbox email address removed for privacy reasons -OwaMailboxPolicy TestOWAPolicy Just waiting for the policy to kick-in. Here is the link for reference: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/apply-or-remove-outlook-web-app-mailbox-policyRe: Attachment Count for Exchange Online Traffic
All I can think of is if you use Sentinel and create an alert with a playbook to block the user when the attachment count exceeds 20. For example, the query will list all the records of users who sent attachments with a count of 20 or higher: OfficeActivity | where RecordType contains "exchange" | where Operation contains "send" | extend InternetMessageId_ = tostring(parse_json(Item).InternetMessageId) | join kind=innerunique EmailEvents on $left.InternetMessageId_ == $right.InternetMessageId | extend Attachments_ = tostring(parse_json(Item).Attachments) |where AttachmentCount >= 20 (sorry, query is not polished but it gets the job done)Issue collecting files in M365 Defender
We are having an issue using the "Collect Files" option within M365 Defender. We perform a search for a file, select the option to "collect file" and it does nothing. When I go back to check 24hrs later. The collect files is greyed out and if I check manual actions, it states "For file to be uploaded, a device that has the file must be connected to the network." I have tried this scenario on several files on several machines with the same result. I have also confirmed the hash to be sure I am grabbing the correct file. Any thoughts?
