User Profile
JeremyTBradshaw
Steel Contributor
Joined 8 years ago
Recent Discussions
Incidents from Custom Detection Rules never have Emails for Evidence
```kql
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons',@'email address removed for privacy reasons'];
let ignoreSpamSubjects = datatable(address:string) [@'ignored subject 1',@'ignored subject 2'];
// Time range needs to be set in the UI dropdown in order for LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any('URL detonation reputation', 'URL malicious reputation')
    and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org')
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not (LatestDeliveryAction =~ 'Quarantine release'))
    and parse_json(ConfidenceLevel).Phish in~ ('Normal','High')
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId
```

I've got the above query saved as a detection rule, which works fine except for one thing - the emails are never present in the Evidence tab of the generated incidents. Meanwhile the Recipients show up in the Mailbox and User assets, as I'm using Entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results - "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref) - which is being satisfied. The Evidence available is the IP of the sender, and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient.
I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting these criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.

Bad actors impersonating Microsoft Billing using rogue on-prem. Exchange > M365 tenants
Everyone should be aware and watch out for these very believable spoofs coming from microsoft-noreply_at_microsoft.com. If you have Threat Explorer (Defender Portal > Email & Collaboration > Explorer) or Advanced Hunting (EmailEvents table) available, you can find these messages by looking for these criteria:
- Sender From Address: microsoft-noreply_at_microsoft.com (note the @ / _at_ swap)
- Sender MailFrom Domain: Not equal to Microsoft.com (will be <something>.onmicrosoft.com)
If you're getting these, you'll notice the MailFrom domain is an ever-changing long list of rogue tenants (e.g., <rogueTenant123>.onmicrosoft.com). The MailFrom address will start with "bounces+srs", like this: "bounces+srs=<12345567890abcxyz>@<rogueTenant123>.onmicrosoft.com", letting us see that these bad actors are using an on-premises Exchange server, an SMTP Receive Connector and then a Send Connector up to and out via EXO/EOP. These things pass SPF, DKIM, and DMARC and so only get detected via General/Advanced filter and/or Fingerprint Matching (which only means loose match; there's no specific fingerprint/ID involved). The subject seems to always be "Your Microsoft order on September 23, 2024", and will be for the current date. Some people have raised this on Reddit, for example: email address removed for privacy reasons - Suspicious email : r/DefenderATP (reddit.com) I've been working with MS Support to try and get this addressed. We're seeing a lot of these, and so far it's been many, many different rogue tenants, so it seems like the bad actors are working overtime and successfully standing up tenant after tenant to get these things out successfully.

How to KQL query *live* EmailEvents table and NOT the streaming API
EmailEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn - this page tells us: "Note: The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API." I've found that a lot of my queries come back with blank LatestDeliveryLocation. This means I'm searching via the streaming API. But I don't want to do that, I want to search the live EmailEvents table and even want to filter based on LatestDeliveryLocation. I am working in Defender portal, within the Advanced Hunting section. Example query:

```kql
// Works (time range set in UI dropdown):
EmailEvents
| where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'

// Does NOT work:
EmailEvents
| where TimeGenerated >= ago(1d)
| where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'
```

So it seems as though if your query sets the time range, you're searching the streaming API. Can anyone please confirm I have this understood correctly? My next question would be, can I add something else to my query to ensure I'll be searching the live table? Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability - Microsoft Community Hub - I asked this in the comments over there too.

CDX - Terms Of Use Last Updated - March 12, 2024
I'm not a big fan of these 2 limitations in the terms of use:
- CDX tenants have an administrative user that should not be deleted or altered in any way.
- External domains are not to be connected to CDX tenants.
For the 1st, I want to set my own password on the admin@ account. What's so wrong with that? You could reset it if you really need/want to get in there. This is not fair. For the 2nd, of course we want to test with custom domains! This is again not fair. The other thing - I've already added my custom domain in my VSE Azure Subscription which I've associated to my CDX tenant directory. In there, I'm testing out SMTP as a Service via Azure Communication Services. Again, of course I want to use my own custom domain, with DKIM, DMARC, SPF, etc. This is completely reasonable. Today I log in to CDX to see if my ability to request renewal of my renewable tenant is available yet, and I can't even get in without accepting the new terms. But it says: "Violations of the CDX Terms of Use will result in the immediate deprecation of tenants as well as access to CDX without notice. By proceeding, you agree to the Microsoft Platform policies. Accept and Continue" So I guess I have to go dismantle my stuff gracefully before I accept the terms. I had reset the password long ago on Admin, just knowing that that particular term is ridiculous, but previously I don't recall the prohibition of custom domains. I really don't see what the problem is. Please can we take away these 2 points in the terms?

Repost: Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdl
In case you get your Exchange blog posts from the Exchange Team's EHLO blog, you may have missed this doozy: Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets - Microsoft Community Hub. It has been posted in the Security, Compliance and Identity blog instead.

Why does Windows NOT tell me *which* account needs to be "Fix now"?
I find it troubling that we have to click "Fix now" and watch Windows cycle through all of our various added accounts to figure out which one has a problem that needs the "Fix now" button treatment. Does anyone know - is there any way to just cut to the chase and see which account it is that has the supposed problems? Years and years of this, I have no idea, but the internet is filthy with unrelated search results.

Looking for Subject and InternetMessageHeaders from messages (neither part of EmailEvents)
I'm successfully doing queries with Start-MgSecurityHuntingQuery to find messages which are from a particular sender domain, and which have failed DMARC. I would like to get these messages' Subject and InternetMessageHeaders. I can't seem to find a Delegated permission way to get this done other than Mail.ReadBasic.Shared with FullAccess permission also granted. The same could be done with Mail.Read and FullAccess, but I'm trying to avoid FullAccess, and I would like to do this with Delegated permissions. Seems like some kind of Mail.ReadBasic.All but for delegated would be perfect, but I don't see anything available. Is anyone aware of a delegated permissions approach to getting the message subject and message headers? If the EmailEvents table would just get Subject and InternetMessageHeaders added, that would be fantastic. Barring that, Mail.ReadBasic.Shared and some new AccessRight that I can add via Add-MailboxPermission could be another option. Or just a flavor of Mail.ReadBasic.All that magically works with delegated. When I use Defender's Threat Explorer, it seems like all this stuff is possible (minus message headers, which can be retrieved from the email's entity page).

Anti-Phishing > Impersonation Insights inaccuracy
Working with a client who are piloting Standard Preset Policies. We have not added any Users to Protect. We have added "owned domains" to the Domains to Protect list. No other anti-phish policies in the tenant have any users listed in Users to Protect. I repeat, zero policies have any users listed in Users to Protect, none, zero. In Impersonation Insights (https://security.microsoft.com > Email & Collaboration > Threat Policies > Anti-Phishing > Impersonation Insights), we have 2 listed in the "Users" tab: And in the details pane for either message, we see this: I can't find anywhere in documentation that explains why this would happen. It seems as though our user is being treated as a "Protected User", yet we've not added this user to any Anti-Phish policy's "Users to Protect" list. We DO have mailbox and impersonation intelligence enabled on the policies. When I read up on the Mailbox Impersonation setting, I see this note: The question I have is this - when Mailbox Intelligence identifies a message as impersonation, and when the impersonated user is NOT a protected user, is this enough to trick Impersonation Insight into pretending as though the impersonated user is a Protected User?

URL Detonation Reputation - How do you like it?
I personally have found this detection technology to be a huge pain in the buttocks. To me, this feature doesn't really look at specific threats or risks, it just says "You cannot do anything that involves this domain name". And with that analogy, "involves" translates to any of the following:
- Domain is in the subject or body
- One of the included recipient addresses to which the message is addressed uses the domain.
- One of the recipients who show in the body of the email due to it being a conversation/thread uses that domain in their address.
- An attachment includes that domain within its text (PDF, Word, Excel, TXT, all personally observed by me).
These things get blocked as "High confidence phish". To me, they are not that whatsoever, until the message itself is doing some of the "phish" verb. This feels like an overstep on the verdict and I'd prefer they come up with a new name for the detection type, as well as a new drop down box for us to choose between MoveToJunk or Quarantine. Most times I've observed this feature "saving" clients, it's a pain in the butt for the client. I will point out the one improvement I've seen since I started belly-aching over this - it is that Microsoft now puts the bad URL/domain from within the attachments into the list of URLs in the email entity page within the M365 Defender portal. So there is at least that there now, which adds the improvement of not having to go through MS Support to find out what is the supposed bad-rep URL. Would like to know if anyone else finds this feature a pain for the most part, and hear any other suggestions, or just confirmations about my suggestion (new category of detection so we don't have to treat these things like (HC)phish).

Disable-Mailbox -Archive in EXO with M365 Retention Policies assigned
Hello, working with a client that has 3 M365 retention policies assigned org-wide:
1. For All EXO mailboxes and all SPO/OneDrives
2. For Teams Chats - all users/Teams
3. For Teams everything else - all users/Teams
I'm unable to exclude a mailbox from #2 or #3 via Set-RetentionCompliancePolicy -AddExchangeLocationException, due to an error, TL;DR: this policy controls Teams and Exchange settings are not allowed to be changed. I'm unable to do Disable-Mailbox -Archive, as the error tells me about the Teams policy #3 above being assigned (which indeed shows up in Get-OrganizationConfig). The user's InPlaceHolds properly shows -mbx<guidOfPolicy#1Above>, and DelayHoldApplied/DelayReleaseHoldApplied are both set to False. I'm unable to do Set-Mailbox -ExcludeFromAllOrgHolds, because that is only allowed on Inactive Mailboxes. Same goes for Set-Mailbox -ExcludeFromOrgHolds. My use case - a UserMailbox which was enabled with an online Archive is now converted to a SharedMailbox, only requires <50GB, and no Archive. Archive is not even allowed per the EXO Service Descriptions for an un-licensed SharedMailbox. I find no way to drop the Archive mailbox successfully. This is fine, except for the hypothetical scenario where the users of this SharedMailbox start to place items into the Archive, and then Microsoft invents something which takes away Archive mailboxes from un-licensed accounts. Not sure if that will ever happen, but I see no way to get this done and be on the right side of the license terms. Any ideas?
Recent Blog Articles
Re: Announcing OAuth 2.0 Client Credentials Flow support for POP and IMAP protocols in Exchange Onli
FYI, I received confirmation from MS Support case that we can indeed safely assume that only the mailboxes which have granted FullAccess/Send-As will be accessible to these application permission ver...

Re: Announcing OAuth 2.0 Client Credentials Flow support for POP and IMAP protocols in Exchange Onli
Thanks ViliusS, and yes indeed in this case I'm focused on the EXO API and not MS Graph. It's for an application ("SAP Build Process Automation"). Good to know the answer is what I wanted. Would be...