{
	"id": "74ef80fe-db26-45eb-b942-16ecb80f1aec",
	"created_at": "2026-04-06T00:18:09.648137Z",
	"updated_at": "2026-04-10T03:23:52.241976Z",
	"deleted_at": null,
	"sha1_hash": "397cb39757b6b68f4dacdeafea12ce36d59abe07",
	"title": "Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74250,
	"plain_text": "Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365\r\nArchived: 2026-04-05 23:11:58 UTC\r\n1.\r\nBECs and Beyond: Investigating and Defending Office 365 January 19, 2019\r\n2.\r\n©2018 FireEye |Private \u0026 Confidential Roadmap ◆Introduction ◆Office 365 in Practice ◆Business Email Compromise ◆Nation State Actors ◆Bonus Time ◆Conclusion\r\n3.\r\nIntroduction Doug Bienstock - @DoughSec ◆Principal Consultant – 4.5 years with Mandiant ◆Incident Response and Red Team leader ◆Love/hate relationship with Office 365 ◆Lifelong Green Bay Packers fan\r\n4.\r\nIntroduction Josh Madeley - @MadeleyJosh ◆Principal Consultant – 3 years with Mandiant ◆Incident Response Lead ◆Office 365 Connoisseur ◆Canadian\r\n5.\r\n6.\r\nEmail in the cloud… and much, much more ◆Office 365 is a suite of cloud-based applications ◆Exchange Online is basically just Exchange Server ported to the cloud ◆User identity is backed by Azure AD ▶ just Active Directory in the cloud\r\n7.\r\nAuthentication – Identity is the new perimeter ◆Cloud Authentication ▶ Authentication happens within Azure AD ▶ Simple, easy to set up and maintain ▶ Limited MFA and account settings ◆Federated Authentication ▶ Authentication passed off to a trusted third party ▶ AD FS, Okta, Ping, etc. ▶ Higher level of control and advanced authentication options ▶ More difficult to implement and maintain\r\n8.\r\nModern vs Legacy Authentication ◆Modern Authentication ▶ The standard and recommended sign-in mechanism ▶ Uses OAuth behind the scenes ▶ Supports advanced security – MFA and Conditional Access Policies ◆Legacy Authentication (enabled by default) ▶ Can be used with several protocols – POP, IMAP, MAPI/HTTP, PowerShell, EWS, AutoDiscover ▶ Does not support MFA\r\nhttps://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511\r\nPage 1 of 7\r\n9.\r\nCore Logs ◆Three main official log sources ▶ Unified Audit Log ▶ Mailbox Audit Log ▶ Admin Audit Log ◆Bonus (sometimes) ▶ Azure AD Audit logs ◆Extras ▶ Mail trace ▶ Security \u0026 Compliance reports ▶ Activities API\r\n10.\r\nUnified Audit Log ◆Contains log entries from multiple data sources, and continues to grow as the platform matures ◆Stored in JSON ◆Searchable via PowerShell, Search-UnifiedAuditLog ▶ Search by User, IP address, Operation (event type), free text ◆Query results limited to 5000 entries at a time ◆3060-character length limit per record ▶ Truncates records that exceed this ▶ Results in malformed JSON documents or trimmed entries ◆Maintained for 90 days ◆Events are not immediately available\r\n11.\r\nAnatomy of a UAL Entry (Key Name – Description) ◆CreationTime – When the event occurred ◆Id – Unique identifier of the log entry (not a session ID) ◆Operation – What action occurred, e.g. UserLoggedIn, New-InboxRule ◆Workload – The Office 365 product that generated the log entry (RecordType) ◆UserId – User ID that performed the operation or made the request ◆ClientIP – Source IP address of the request (most workloads) ◆ClientIpAddress – Source IP address of the request (Exchange Online) ◆ObjectId – Identifier of the object that was modified or accessed ◆Parameters – Array of key/value pairs that are event entry specific\r\n12.\r\nUnified Audit Log – Examples (Workload / Operation – Description) ◆AzureActiveDirectory / UserLoggedIn – Login to Office 365 *not just Exchange* ◆Exchange / New-InboxRule – Inbox rule created ◆Exchange / Set-InboxRule – Inbox rule modified ◆OneDrive / FileAccessed – File in OneDrive was accessed\r\n13.\r\nMailbox Audit Log (table columns: Action, Admin, Delegate, Owner) ◆Copy – Any item is copied to another folder ◆Create – An item is created in Calendar, Contacts, Notes, Tasks ◆Folder Bind – A mailbox folder is accessed ◆Mailbox Login – The user signed into their mailbox (not Office 365) ◆Message Bind – An item was displayed in the reading pane ◆Attacks usually happen here with valid credentials\r\n14.\r\nAdmin Audit Logs ◆Records actions taken by administrators based on Exchange Online PowerShell cmdlets ▶ Most admin interfaces (even the WebUI) are wrappers for PowerShell cmdlets ◆Returns results as PowerShell objects via Search-AdminAuditLog ◆Retains events for 90 days ◆Some (not all) events get sent to the Unified Audit Log\r\n15.\r\n16.\r\nBEC defined ◆Business Email Compromise (BEC) – Fraud where an attacker gains access to the mailbox of an employee with access to company finances and tricks them, or uses them to trick others, into wiring money to attacker-controlled accounts. ◆Has cost companies over $12 Billion ◆Mechanism of deception can vary between cases ▶ CEO/CFO impersonation ▶ Vendor impersonation ◆Tend to follow a set playbook\r\n17.\r\nGaining access – Initial phishing\r\n18.\r\nGaining access – Mail trace ◆Start-HistoricalSearch -ReportTitle InitialPhishSearch -StartDate 2019/01/01 -EndDate 2019/01/10 -ReportType MessageTraceDetail -Direction Received -RecipientAddress joe@victim.org ▶ Returns report in CSV format ▶ Can search up to 90 days back ▶ Searches can take several hours to complete ◆Example row: Date_time 2019-01-02T22:30:01 | Message_id \u003c09d1e7308c55e8cacc98c42d83336d67@example.com\u003e | Recipient_address joe@victim.org | Total_bytes 31358234 | Message_subject Quick Review | Sender_address hr@example.com | Return_path hr@example.com | Original_client_ip 1.1.1.1\r\n19.\r\nGaining access – UserLoggedIn Events ◆Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds joe@victim.org ◆UserLoggedIn events record auths to Office 365 ◆Don’t be fooled by “ResultStatus: Succeeded” ◆LogonError attribute says otherwise ▶ Error codes indicate different failure conditions ◆Initial authentication attempts failed due to MFA requirement\r\n20.\r\nSidetrack... – Azure Service Principals ◆Application objects exist in the tenant where they were created ◆Service Principals are local copies of the application in the consuming tenant ◆Office 365 components (e.g. Exchange Online) follow this model too! ◆ApplicationId and Target ID tell us the apps that were used and targeted ▶ Service Principal IDs ◆Get-AzureADServicePrincipal\r\n21.\r\nSidetrack... – Service Principals ◆A single interactive logon may generate several login events in the audit log ◆Accessing each component of Office 365 (Exchange, Azure, SharePoint) is a unique authentication ◆Logging in to portal.office.com generates at least 6 login events: 1. 12:00:00 - Office 365 Portal application targeting Azure Active Directory 2. 12:00:20 - Office Suite UX application targeting Azure Active Directory 3. 12:00:25 - Exchange Online application targeting Exchange Online 4. 12:00:25 - Office 365 Shell targeting \"Unknown\" 5. 12:00:27 - Office 365 Shell targeting a hidden application 6. 12:00:27 - Office 365 Shell targeting SharePoint Online\r\n22.\r\nGaining access – UserLoggedIn Events ◆Attacker switched to a protocol that supports legacy (i.e. basic) authentication ◆ExchangeServiceClient/0.0.0.0 ▶ EWS client library ▶ Available on GitHub ◆Programmatic access to the mailbox ◆No MFA required!\r\n23.\r\nRemain undetected ◆Created two inbox rules to keep the fraud attempt hidden ▶ Rule #1: hide any signs of compromise detection – Match messages with “phish”, “hack”, “undeliverable”, “spam” and move them to trash ▶ Rule #2: hide any legitimate communications from the spoofed vendor – The real vendor is going to wonder why they aren’t getting paid – move any messages from the real vendor to the trash\r\n24.\r\nFind the rules! ◆Searching the Unified Audit Log for inbox rules is not fun for two main reasons 1. IP addresses for some events have the TCP port appended to them, \u003cIP\u003e:\u003cport\u003e ▶ Search-UnifiedAuditLog -IpAddress 1.1.1.1 ▶ 1.1.1.1:10596 ▶ Searching for inbox rules by an attacker IP address is impossible because of this 2. When an inbox rule is modified, you cannot identify the rule that was modified ▶ Only the changed conditions are recorded ◆Search-UnifiedAuditLog -Operation New-InboxRule, Set-InboxRule\r\n25.\r\n26.\r\nChange banking information\r\n27.\r\n28.\r\nAPT Intrusions – Attack Summary 1. Attacker password sprayed an AD FS Proxy to find valid credentials 2. Accessed the network via backdoor 3. Elevated creds with Mimikatz and collected Exchange Admin credentials 4. Searched mailboxes with eDiscovery searches 5. Used delegation to gain full control over key mailboxes – Logs Required ◆Unified Audit Log ◆Admin Audit Log\r\n29.\r\nPassword sprays and AD FS ◆Authentication handled on-premises ◆Failed authentications don’t make it past the AD FS server, so failed authentications are not recorded in the Unified Audit Log ◆AD FS records events in the Security Event Log ▶ Logs can roll very quickly ◆Without advanced auditing you won’t see IP addresses\r\n30.\r\nPassword sprays and AD FS\r\n31.\r\nAttacker logs in ◆The victim used Conditional Access Policies to restrict logins from non-US IP addresses ◆Initial sign-in by the attacker occurred from a US-based IP address ▶ Maps to a virtual private network provider ◆Subsequent logins are recorded from a Netherlands-based IP address ▶ Access tokens are refreshed at least once an hour, sometimes generating log events ▶ Access policies are only checked at the initial authentication, not on subsequent refreshes ◆“Remember me” gives the attacker access for 90 days or until the password is changed\r\n32.\r\nWhat is eDiscovery ◆Process of identifying and delivering electronic information that can be used as evidence in legal cases. ◆Search for content in: ▶ Exchange Online mailboxes ▶ Office 365 Groups ▶ Microsoft Teams ▶ SharePoint Online (the file contents, OneNote, Word, Excel, etc.) ▶ OneDrive for Business sites ▶ Skype for Business conversations.\r\n33.\r\nOperation: SearchCreated ◆Attacker creates a new eDiscovery Search ▶ Looking for emails with RSA SDTID files ▶ CreationTime – When the attacker created this search ▶ ObjectId – Name of the case viewable in the GUI ▶ Parameters – Cmdlet that was executed and the supplied parameters (this is what the GUI executes behind the scenes) ◆ClientIP - ….Wait... this event doesn't record an IP!\r\n34.\r\nPreviewItemRendered (Truncated) – Critical Details ◆An individual object was rendered in the eDiscovery UI ◆ObjectId – Text reference to the object that is rendered ▶ Attacker can view data in existing searches that they did not create ▶ \u003cCASENAME\u003e \u003cCASENAME\u003e_Preview\u003cObjectName\u003e ◆ExchangeLocations – List of locations that the object resides in ▶ List can be quite large for messages that were forwarded to the entire company ▶ List often exceeds the maximum size of a UAL event ▶ Results in malformed JSON that can be overlooked by some scripts\r\n35.\r\nOperation: SearchExportDownloaded ◆Indicates that the attacker downloaded results of a search ◆SearchIDs maps to the GUID from the SearchCreated event ◆Only indicates that the download started, not finished ◆Up until recently messages were delivered in PST format and SharePoint objects were downloaded individually ◆Large downloads fail regularly and are not recorded as failed ◆To date – no way to determine the contents of an archive without re-running the search\r\n36.\r\nAccess other Mailboxes – Add-MailboxPermission ◆Assigns an account permissions to another account ◆Different levels of access ▶ FullAccess ▶ SendAs ▶ SendOnBehalf ◆Parameters: ▶ User : Account receiving the new permissions ▶ AccessRights : Type of access being granted ▶ Identity : The account being modified\r\n37.\r\n38.\r\nAzure AD PowerShell ◆Unlike Exchange Online PowerShell, this can’t be turned off! ◆You can’t apply Conditional Access Policies to it ▶ It uses Microsoft Graph ¯_(ツ)_/¯ ◆Any user (even unlicensed) can access PS \u003e Connect-AzureAD PS \u003e Get-AzureADUser ObjectId DisplayName UserPrincipalName UserType --------- ------------ ------------------ ---------- Xxxx-xxxx John Doe John.Doe@example.com Member\r\n39.\r\nOAuth Abuse ◆Cloud service providers allow users to integrate third-party applications in order to drive synergy and enhance productivity ▶ G Suite, Office 365, Box ◆Once installed, the applications can access users’ data on their behalf at any time ▶ Bypasses MFA requirements by design ▶ Valid for 90 days – Enhance productivity!\r\n40.\r\nOAuth Abuse ◆A user “consents” to allow an application access to her account ◆Attacker receives an access token they can supply to Office 365 to access data ◆Unified Audit Log records user consent events\r\n41.\r\n42.\r\nExchange Online message read auditing ◆Currently, Mailbox Audit logs don’t record when an owner of a mailbox views or accesses a message ◆Changing in 1H 2019! (table columns: Action, Admin, Delegate, Owner) ◆Copy – Any item is copied to another folder ◆Create – An item is created in Calendar, Contacts, Notes, Tasks ◆Folder Bind – A mailbox folder is accessed ◆Mailbox Login – The user signed into their mailbox (not Office 365) ◆Message Bind – An item was displayed in the reading pane\r\n43.\r\nExchange Online message read auditing ◆Messages read by an owner and delegate will now be recorded ◆Audited events are recorded in the mailbox audit log ▶ Counts against the mailbox storage quota (you have 100GB by default, it’s ok) ▶ Logs 90 days of accessed messages by default (table columns: Action, Admin, Delegate, Owner) ◆Copy – Any item is copied to another folder ◆Create – An item is created in Calendar, Contacts, Notes, Tasks ◆Folder Bind – A mailbox folder is accessed ◆Mailbox Login – The user signed into their mailbox (not Office 365) ◆Message Bind – An item was displayed in the reading pane\r\n44.\r\nExchange Online message read auditing – How does it work ◆Each MailItemsAccessed event will record a 2-minute activity period ◆New events within a period will be generated if ▶ new client IP address ▶ new User Principal Name doing the read/access ▶ new parent mailbox folder ▶ new logon type ▶ new mailbox session ID ▶ new user agent string\r\n45.\r\nExchange Online message read auditing – What is being recorded ◆Covers access to a mailbox via Modern Auth AND legacy protocols (IMAP, POP, etc.) ◆Messages directly accessed or read within Outlook on the Web ▶ Messages in a thread are recorded only if the individual message is explicitly clicked ◆Messages directly accessed via API calls (PowerShell, EWS, etc.) ◆Messages synced using a client application ▶ Mobile and other clients log the explicit messages synced because it is a partial sync ▶ Desktop clients will only record that a sync has occurred, not the individual messages (because it is a full sync)\r\n46.\r\nExchange Online Sessions ◆Previously there was no way to correlate disparate events to a single user session ▶ Difficult to track attackers coming from TOR, VPNs, inside the organization ◆Mailbox Audit Logs now have a “SessionId” attribute to track user sessions ▶ Survives token refreshes ◆Only applicable to sessions established with Modern Authentication\r\n47.\r\nWhat did we learn? ◆Make sure all your auditing options are on ▶ Send your logs to a SIEM to avoid 90-day limits and PowerShell needs ▶ Additional licensing means additional log sources ◆Authentication is not straightforward ▶ Turn off legacy authentication ▶ Events can be misleading and stored in different places ◆Attackers are becoming Office 365 experts ▶ Many ways to access an environment ▶ Many ways to manipulate it, too\r\n48.\r\nSource: https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511"
	],
	"report_names": [
		"128744511"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/397cb39757b6b68f4dacdeafea12ce36d59abe07.pdf",
		"text": "https://archive.orkl.eu/397cb39757b6b68f4dacdeafea12ce36d59abe07.txt",
		"img": "https://archive.orkl.eu/397cb39757b6b68f4dacdeafea12ce36d59abe07.jpg"
	}
}