
1
00:00:00,000 –> 00:00:03,840
Attention, valued knowledge workers.
2
00:00:03,840 –> 00:00:06,320
By order of the Productivity Council,
3
00:00:06,320 –> 00:00:10,720
your Microsoft 365 defenses are failing precisely
4
00:00:10,720 –> 00:00:14,280
where humans decide and policies equivocate.
5
00:00:14,280 –> 00:00:18,080
Most believe MFA, EDR, and Secure Score suffice.
6
00:00:18,080 –> 00:00:19,400
They do not.
7
00:00:19,400 –> 00:00:23,720
They do not arrest consent abuse, device code fraud,
8
00:00:23,720 –> 00:00:27,520
or Teams pretexting conducted under your own brand.
9
00:00:27,520 –> 00:00:29,720
Here is what actually happens.
10
00:00:29,720 –> 00:00:32,360
Attackers operate inside official channels
11
00:00:32,360 –> 00:00:35,240
and harvest trust at line speed.
12
00:00:35,240 –> 00:00:38,240
The council will present five incident case files
13
00:00:38,240 –> 00:00:40,960
and the exact corrective doctrine.
14
00:00:40,960 –> 00:00:45,120
Policies, detections, user protocols, and tooling.
15
00:00:45,120 –> 00:00:49,440
One misconfiguration currently nullifies your MFA.
16
00:00:49,440 –> 00:00:50,400
Remember it.
17
00:00:50,400 –> 00:00:52,680
Its name will be issued shortly.
18
00:00:52,680 –> 00:00:56,120
Case file 1, Teams Phishing: Authority Theater
19
00:00:56,120 –> 00:00:57,640
inside the perimeter.
20
00:00:57,640 –> 00:01:01,200
This is an official account of Authority Theater.
21
00:01:01,200 –> 00:01:04,840
The adversary enters through Teams External Federation.
22
00:01:04,840 –> 00:01:08,120
A profile named IT Support Priority
23
00:01:08,120 –> 00:01:11,280
appears with a Microsoft-colored avatar.
24
00:01:11,280 –> 00:01:14,000
The message declares an authentication irregularity
25
00:01:14,000 –> 00:01:15,960
and promises rapid resolution.
26
00:01:15,960 –> 00:01:17,520
A number prompt follows.
27
00:01:17,520 –> 00:01:20,840
Approval fatigue is engaged. Moments later,
28
00:01:20,840 –> 00:01:23,200
an attacker-in-the-middle relay kit
29
00:01:23,200 –> 00:01:25,760
captures the session token.
30
00:01:25,760 –> 00:01:29,480
The mailbox changes, the SharePoint site syncs,
31
00:01:29,480 –> 00:01:33,360
compliance evaporates.
32
00:01:33,360 –> 00:01:36,400
Failure analysis is direct.
33
00:01:36,400 –> 00:01:41,000
External access defaults remain permissive.
34
00:01:41,000 –> 00:01:44,440
Tenants allow any federated domain to message any user.
35
00:01:44,440 –> 00:01:47,280
Message visibility governance is weak.
36
00:01:47,280 –> 00:01:49,840
Unsolicited DMs are not rate limited
37
00:01:49,840 –> 00:01:51,920
or quarantined for review.
38
00:01:51,920 –> 00:01:54,720
User risk policies exist but are not aligned
39
00:01:54,720 –> 00:01:58,560
to block risky sessions from chat-initiated elevations.
40
00:01:58,560 –> 00:02:00,760
Citizens, this is not adversary genius.
41
00:02:00,760 –> 00:02:02,720
This is policy ambiguity.
42
00:02:02,720 –> 00:02:04,840
Now the corrective doctrine.
43
00:02:04,840 –> 00:02:07,720
External Federation must be disabled or narrowed
44
00:02:07,720 –> 00:02:09,400
to an allow list.
45
00:02:09,400 –> 00:02:13,680
Use scoped external access with explicit domains only.
46
00:02:13,680 –> 00:02:17,520
In Teams Admin Center, configure external access,
47
00:02:17,520 –> 00:02:21,160
deny by default, allow approved partners.
48
00:02:21,160 –> 00:02:25,680
For collaboration needs, use shared channels with verified tenants,
49
00:02:25,680 –> 00:02:27,960
not open DMs.
50
00:02:27,960 –> 00:02:31,760
Apply Safe Links in Teams and enable URL detonation.
51
00:02:31,760 –> 00:02:34,760
This removes the convenience of blind trust
52
00:02:34,760 –> 00:02:37,920
and replaces it with controlled exchange.
53
00:02:37,920 –> 00:02:42,880
Conditional access must assume that Teams is an elevation vector.
54
00:02:42,880 –> 00:02:45,080
Require compliant device and phishing-resistant
55
00:02:45,080 –> 00:02:47,080
authentication strengths
56
00:02:47,080 –> 00:02:50,200
for any Teams initiated step-up, including access
57
00:02:50,200 –> 00:02:53,000
to admin portals, Exchange, and SharePoint
58
00:02:53,000 –> 00:02:54,920
with download permissions.
59
00:02:54,920 –> 00:02:58,760
Implement session controls for risky sign-ins.
60
00:02:58,760 –> 00:03:02,040
If sign-in risk is medium or greater,
61
00:03:02,040 –> 00:03:06,200
restrict to web only, restrict download,
62
00:03:06,200 –> 00:03:10,160
and require reauthentication for sensitive operations.
63
00:03:10,160 –> 00:03:12,200
Sign-in frequency should be shortened
64
00:03:12,200 –> 00:03:15,640
for elevated roles to minimize durable exposure.
65
00:03:15,640 –> 00:03:19,400
Detection changes the tempo. Deploy anomaly rules
66
00:03:19,400 –> 00:03:23,240
focused on Graph and Teams admin APIs.
67
00:03:23,240 –> 00:03:27,560
Citizens will monitor for unusual spikes in new tenant chats
68
00:03:27,560 –> 00:03:31,560
or new external contacts added within a short interval.
69
00:03:31,560 –> 00:03:35,720
Correlate unusual MFA prompt bursts occurring
70
00:03:35,720 –> 00:03:38,280
within five minutes of inbound Teams
71
00:03:38,280 –> 00:03:41,080
DMs from previously unseen tenants.
72
00:03:41,080 –> 00:03:45,560
Flag device-context shifts, where a chat originates
73
00:03:45,560 –> 00:03:50,200
from a consumer IP while the target signs in
74
00:03:50,200 –> 00:03:52,520
from a corporate IP and then elevates.
75
00:03:52,520 –> 00:03:55,400
The but-therefore pattern must be formalized.
76
00:03:55,400 –> 00:03:58,280
A message appears, therefore a prompt occurs,
77
00:03:58,280 –> 00:04:00,200
therefore elevation is attempted.
78
00:04:00,200 –> 00:04:01,880
That chain is the alarm.
79
00:04:01,880 –> 00:04:04,120
Training is mandatory and procedural.
80
00:04:04,120 –> 00:04:07,320
Establish a verification phrase protocol.
81
00:04:07,320 –> 00:04:10,600
Every IT outreach must include a rotating phrase
82
00:04:10,600 –> 00:04:13,720
verifiable on an authoritative intranet banner.
83
00:04:13,720 –> 00:04:15,560
No phrase, no action.
84
00:04:15,560 –> 00:04:19,480
Introduce a code-over-voice prohibition.
85
00:04:19,480 –> 00:04:22,760
No employee is authorized to read numbers,
86
00:04:22,760 –> 00:04:27,400
codes, or device codes into chat, voice, or voicemail.
87
00:04:27,400 –> 00:04:31,400
Mandate escalation via a known channel only.
88
00:04:31,400 –> 00:04:33,720
The service desk number on the badge,
89
00:04:33,720 –> 00:04:36,200
not the number in the message.
90
00:04:36,200 –> 00:04:41,560
The pause rule applies: stop, verify, proceed or report.
91
00:04:41,560 –> 00:04:45,480
A micro story is now entered for instructional value.
92
00:04:45,480 –> 00:04:51,240
A finance analyst received a Teams DM at 0812 labeled Payroll Lock.
93
00:04:51,240 –> 00:04:54,440
The adversary requested approval of an MFA prompt
94
00:04:54,440 –> 00:04:56,840
to unlock the payroll run.
95
00:04:56,840 –> 00:05:00,440
The analyst declined, invoked the mandatory pause,
96
00:05:00,440 –> 00:05:04,440
called the posted service desk number and reported the event.
97
00:05:04,440 –> 00:05:08,120
Security correlated the DM with a burst of device
98
00:05:08,120 –> 00:05:12,600
auth endpoint hits and blocked access through conditional access.
99
00:05:12,600 –> 00:05:13,880
A breach was averted.
100
00:05:13,880 –> 00:05:17,480
This is the power of a rule that removes improvisation.
101
00:05:17,480 –> 00:05:19,960
Tooling must operationalize the doctrine.
102
00:05:19,960 –> 00:05:23,400
Enable Defender for Office Safe Links in Teams.
103
00:05:23,400 –> 00:05:25,960
In Defender for Cloud Apps, create policies
104
00:05:25,960 –> 00:05:28,600
to detect mass external messaging,
105
00:05:28,600 –> 00:05:32,120
suspicious OAuth consent attempts seeded from Teams,
106
00:05:32,120 –> 00:05:34,280
and risky session downloads.
107
00:05:34,280 –> 00:05:38,840
Feed Microsoft 365 audit logs into your SIEM.
108
00:05:38,840 –> 00:05:44,200
Build UBA baselines for chat frequency, external contact ratio,
109
00:05:44,200 –> 00:05:47,160
and time-of-day message posture per department.
110
00:05:47,160 –> 00:05:49,400
Orchestrate an automatic response.
111
00:05:49,400 –> 00:05:53,560
Isolate the user session, require reauthentication with FIDO2,
112
00:05:53,560 –> 00:05:58,200
and alert the security desk when the Teams-to-MFA pattern appears.
113
00:05:58,200 –> 00:06:00,760
Citizens, remember: Teams is not a chat room.
114
00:06:00,760 –> 00:06:02,680
It is an identity elevator.
115
00:06:02,680 –> 00:06:05,240
Therefore supervision is compulsory.
116
00:06:05,240 –> 00:06:09,000
If external messaging is business critical, confine it with governance.
117
00:06:09,000 –> 00:06:12,600
If it is not, disable it categorically.
118
00:06:12,600 –> 00:06:16,600
Failure to do so will be recorded as a preventable oversight.
119
00:06:16,600 –> 00:06:18,360
But here is where it gets interesting.
120
00:06:18,360 –> 00:06:22,360
When chat pretext stalls under verification friction,
121
00:06:22,360 –> 00:06:24,280
adversaries pivot.
122
00:06:24,280 –> 00:06:27,720
They abandon the theater and pursue device code flows,
123
00:06:27,720 –> 00:06:30,280
harvesting cooperation without a password,
124
00:06:30,280 –> 00:06:32,120
and often without suspicion.
125
00:06:32,120 –> 00:06:34,760
The next case file will document that transition.
126
00:06:34,760 –> 00:06:39,080
The council will show how a six-character code
127
00:06:39,080 –> 00:06:44,440
read aloud in good faith becomes a durable OAuth grant
128
00:06:44,440 –> 00:06:48,520
that survives MFA and persists beyond a password change.
129
00:06:48,520 –> 00:06:51,720
Mandatory compliance is appreciated.
130
00:06:51,720 –> 00:06:53,240
Case file 2.
131
00:06:53,240 –> 00:06:54,840
Device code flow.
132
00:06:54,840 –> 00:06:58,040
MFA-resilient token laundering.
133
00:06:58,040 –> 00:07:00,360
Citizens, the pivot has occurred.
134
00:07:00,840 –> 00:07:05,640
The adversary discards protected chats and engages the device code flow.
135
00:07:05,640 –> 00:07:09,960
A trusted Microsoft page displays a six- or eight-character code.
136
00:07:09,960 –> 00:07:14,680
A voice call, a text, or a polished IVR informs the target
137
00:07:14,680 –> 00:07:17,800
that verification assistance is in progress.
138
00:07:17,800 –> 00:07:19,720
The user reads the code aloud.
139
00:07:19,720 –> 00:07:23,160
The attacker inputs the code at device login.
140
00:07:23,160 –> 00:07:26,120
OAuth completes without a password exchange.
141
00:07:26,120 –> 00:07:27,320
Tokens are minted.
142
00:07:27,320 –> 00:07:29,400
Persistence is achieved.
143
00:07:29,400 –> 00:07:31,400
This is not a breach of cryptography.
144
00:07:31,400 –> 00:07:33,160
It is a breach of ceremony.
145
00:07:33,160 –> 00:07:37,720
Device code is designed for devices without keyboards.
146
00:07:37,720 –> 00:07:41,560
The attacker repurposes it for social extraction.
147
00:07:41,560 –> 00:07:43,000
No password is requested.
148
00:07:43,000 –> 00:07:46,920
MFA can be neutralized because the consent ceremony occurs
149
00:07:46,920 –> 00:07:49,080
outside the victim’s frame of reference.
150
00:07:49,080 –> 00:07:53,080
The human provides the only missing artifact,
151
00:07:53,080 –> 00:07:54,200
the code itself.
152
00:07:54,200 –> 00:07:57,480
Failure analysis is precise.
153
00:07:58,120 –> 00:08:01,720
Permissive device code policies remain unbounded
154
00:08:01,720 –> 00:08:03,320
by network or risk.
155
00:08:03,320 –> 00:08:06,120
High-privileged scopes, Mail.ReadWrite,
156
00:08:06,120 –> 00:08:09,800
Files.Read.All, and
157
00:08:09,800 –> 00:08:15,080
offline_access, are not gated by step-up authentication.
158
00:08:15,080 –> 00:08:18,840
Sign-in risk evaluation is not enforced at the device
159
00:08:18,840 –> 00:08:20,360
auth endpoint.
160
00:08:20,360 –> 00:08:22,760
Citizens are permitting a low-friction path
161
00:08:22,760 –> 00:08:26,760
to durable refresh tokens with no posture verification.
162
00:08:27,560 –> 00:08:30,680
Controls must become non-negotiable.
163
00:08:30,680 –> 00:08:33,560
Block user consent for device code
164
00:08:33,560 –> 00:08:36,600
flows originating from untrusted networks.
165
00:08:36,600 –> 00:08:41,560
Implement named locations with strict IP hygiene.
166
00:08:41,560 –> 00:08:45,240
Require administrator consent for high-risk
167
00:08:45,240 –> 00:08:49,560
Graph scopes and any request including offline access.
168
00:08:49,560 –> 00:08:53,080
Enforce publisher verification:
169
00:08:53,080 –> 00:08:56,040
unverified publishers must be barred from requesting
170
00:08:56,040 –> 00:08:57,560
sensitive permissions.
171
00:08:57,560 –> 00:08:59,800
Where device code is truly required,
172
00:08:59,800 –> 00:09:03,800
confine it to managed networks with conditional access
173
00:09:03,800 –> 00:09:07,160
and require phishing-resistant authentication strengths,
174
00:09:07,160 –> 00:09:11,160
such as FIDO2 or certificate-based authentication
175
00:09:11,160 –> 00:09:13,080
during scope elevation.
176
00:09:13,080 –> 00:09:15,400
Conditional access is the metronome.
177
00:09:15,400 –> 00:09:19,560
Configure policies that evaluate client app
178
00:09:19,560 –> 00:09:21,560
equals Other clients
179
00:09:21,560 –> 00:09:24,120
and device platform equals Unknown.
180
00:09:25,080 –> 00:09:27,800
If sign-in risk is medium or higher,
181
00:09:27,800 –> 00:09:30,440
block or force password change,
182
00:09:30,440 –> 00:09:32,520
then require a compliant device.
183
00:09:32,520 –> 00:09:37,080
Set sign-in frequency to short intervals for privileged roles
184
00:09:37,080 –> 00:09:39,640
and for cloud apps that can exfiltrate:
185
00:09:39,640 –> 00:09:41,720
Exchange Online, SharePoint,
186
00:09:41,720 –> 00:09:43,560
OneDrive, Teams, Graph.
187
00:09:43,560 –> 00:09:45,400
Apply session controls.
188
00:09:45,400 –> 00:09:48,040
Restrict downloads,
189
00:09:48,040 –> 00:09:51,640
require reauthentication on sensitive operations
190
00:09:51,640 –> 00:09:56,040
and enforce continuous access evaluation to revoke sessions
191
00:09:56,040 –> 00:09:57,640
when risk changes.
192
00:09:57,640 –> 00:10:00,600
Detection turns shadows into shape.
193
00:10:00,600 –> 00:10:03,800
Citizens will monitor the device
194
00:10:03,800 –> 00:10:07,240
auth endpoint for bursts by user,
195
00:10:07,240 –> 00:10:09,080
tenant, and IP.
196
00:10:09,080 –> 00:10:12,200
Track the client app signal.
197
00:10:12,200 –> 00:10:15,400
Other clients combined with offline_access grants
198
00:10:15,400 –> 00:10:17,800
issued outside named locations.
199
00:10:17,800 –> 00:10:20,760
Correlate impossible travel linked specifically
200
00:10:20,760 –> 00:10:22,680
to device code grants,
201
00:10:22,680 –> 00:10:24,760
not interactive logins.
202
00:10:24,760 –> 00:10:27,960
Alert on atypical combinations:
203
00:10:27,960 –> 00:10:30,760
service principals requesting mail items
204
00:10:30,760 –> 00:10:33,880
accessed immediately after a device code grant.
205
00:10:33,880 –> 00:10:38,040
Graph delta queries appearing seconds after consent.
206
00:10:38,040 –> 00:10:41,320
Build UEBA profiles for device code use.
207
00:10:41,320 –> 00:10:44,520
In most organizations, normal frequency is near zero.
208
00:10:44,520 –> 00:10:47,640
Remediation must be swift and exhaustive.
209
00:10:48,280 –> 00:10:52,280
Revoke refresh tokens for impacted identities.
210
00:10:52,280 –> 00:10:56,520
Invalidate sessions through Azure AD PowerShell or Graph.
211
00:10:56,520 –> 00:10:58,760
Review enterprise app grants
212
00:10:58,760 –> 00:11:01,560
and remove newly authorized service principals.
213
00:11:01,560 –> 00:11:04,840
Rotate app secrets and certificates
214
00:11:04,840 –> 00:11:07,400
for any app targeted or used as cover.
215
00:11:07,400 –> 00:11:11,000
Enforce a forced password reset with key rotation
216
00:11:11,000 –> 00:11:13,320
for synced accounts, and require re-enrollment
217
00:11:13,320 –> 00:11:14,840
of phishing-resistant factors.
218
00:11:15,560 –> 00:11:18,600
Audit mailbox rules and inbox delegates.
219
00:11:18,600 –> 00:11:22,040
Device code compromises often pair with silent forwarding
220
00:11:22,040 –> 00:11:23,400
and hidden rules.
221
00:11:23,400 –> 00:11:25,960
A formal micro story follows.
222
00:11:25,960 –> 00:11:29,400
An operations manager reported a compliance verification
223
00:11:29,400 –> 00:11:32,760
robo-call instructing them to read a Microsoft device code
224
00:11:32,760 –> 00:11:35,080
for expedited ticket closure.
225
00:11:35,080 –> 00:11:36,440
They complied.
226
00:11:36,440 –> 00:11:39,640
Within minutes, audit logs show device auth activity
227
00:11:39,640 –> 00:11:43,640
from a residential ASN, followed by Graph Files.Read.All
228
00:11:44,600 –> 00:11:50,680
enumeration and SharePoint download spikes at 0211.
229
00:11:50,680 –> 00:11:54,440
Because named locations and risk-based blocks were active,
230
00:11:54,440 –> 00:11:58,680
downstream access was constrained to web only with no download.
231
00:11:58,680 –> 00:12:02,440
Security revoked tokens, disabled the malicious app,
232
00:12:02,440 –> 00:12:05,400
and issued a tenant-wide admin consent review.
233
00:12:05,400 –> 00:12:08,680
Exposure was contained to metadata.
234
00:12:08,680 –> 00:12:12,440
The doctrine worked because risk and session controls were aligned
235
00:12:12,440 –> 00:12:14,840
to the client app pattern.
236
00:12:14,840 –> 00:12:17,400
Training is an order, not a suggestion.
237
00:12:17,400 –> 00:12:22,360
Institute the code-over-voice prohibition universally.
238
00:12:22,360 –> 00:12:26,120
No codes, no numbers, no device codes in any channel.
239
00:12:26,120 –> 00:12:28,440
Teach the ceremony: a code is consent.
240
00:12:28,440 –> 00:12:33,800
Inform staff that legitimate IT will never request a device code
241
00:12:33,800 –> 00:12:35,400
verbally or via chat.
242
00:12:35,400 –> 00:12:40,200
Deploy quarterly simulations featuring device code lures
243
00:12:40,200 –> 00:12:42,200
delivered by voice and SMS.
244
00:12:42,200 –> 00:12:48,680
Require the pause rule: stop, verify through the published service desk number,
245
00:12:48,680 –> 00:12:52,040
and report. Tooling must operationalize vigilance.
246
00:12:52,040 –> 00:12:57,880
Defender for Cloud Apps will create policies for anomalous OAuth consent,
247
00:12:57,880 –> 00:13:01,560
device auth spikes, and Other clients anomalies.
248
00:13:01,560 –> 00:13:07,080
SIEM correlation will bind Teams DMs, voice events, and
249
00:13:07,080 –> 00:13:10,280
device code grants into a single timeline.
250
00:13:10,280 –> 00:13:15,080
SOAR will revoke tokens automatically when a device code grant originates
251
00:13:15,080 –> 00:13:17,320
outside named locations.
252
00:13:17,320 –> 00:13:21,320
App governance will flag broad Graph scopes requested
253
00:13:21,320 –> 00:13:23,320
by unverified publishers.
254
00:13:23,320 –> 00:13:26,120
Citizens, understand the analogy.
255
00:13:26,120 –> 00:13:28,280
Device code is a service elevator.
256
00:13:28,280 –> 00:13:30,280
It bypasses the lobby and the guard.
257
00:13:30,280 –> 00:13:33,640
Therefore the guard must relocate to the elevator door.
258
00:13:33,640 –> 00:13:35,160
Place your controls there.
259
00:13:35,160 –> 00:13:37,560
Mandatory compliance is appreciated.
260
00:13:37,560 –> 00:13:39,720
Case file 3. OAuth
261
00:13:39,720 –> 00:13:44,600
app consent: persistent access without passwords.
262
00:13:44,600 –> 00:13:49,720
Citizens, persistence now arrives cloaked in legitimacy.
263
00:13:49,720 –> 00:13:53,800
The adversary abandons device codes and presents an application that appears
264
00:13:53,800 –> 00:13:54,760
orderly.
265
00:13:54,760 –> 00:13:56,360
The publisher logo is polished.
266
00:13:56,360 –> 00:13:58,440
The name implies productivity.
267
00:13:58,440 –> 00:14:00,680
The consent screen lists familiar scopes.
268
00:14:00,680 –> 00:14:02,200
Read your mail.
269
00:14:02,200 –> 00:14:04,680
Access your files.
270
00:14:04,680 –> 00:14:07,160
The link is a real Microsoft domain.
271
00:14:07,160 –> 00:14:09,160
The ceremony feels official.
272
00:14:09,160 –> 00:14:10,840
The user clicks accept.
273
00:14:10,840 –> 00:14:16,360
At that moment durable access is conferred without a password
274
00:14:16,360 –> 00:14:19,480
and beyond the reach of routine MFA.
275
00:14:19,480 –> 00:14:22,120
Here is what actually happens.
276
00:14:22,120 –> 00:14:27,320
A malicious app, sometimes verified, requests Mail.ReadWrite,
277
00:14:27,320 –> 00:14:33,400
Files.Read.All, and offline_access.
278
00:14:33,400 –> 00:14:35,480
The tenant allows user consent.
279
00:14:35,480 –> 00:14:36,920
The victim grants.
280
00:14:36,920 –> 00:14:40,360
An OAuth service principal is created in your directory.
281
00:14:40,360 –> 00:14:42,120
Refresh tokens are issued.
282
00:14:42,120 –> 00:14:48,840
The attacker harvests quietly through Graph using delta queries to enumerate only what changed.
283
00:14:48,840 –> 00:14:50,840
There is no inbox login to alert on.
284
00:14:50,840 –> 00:14:53,160
There is no brute force to block.
285
00:14:53,160 –> 00:14:56,280
There is only sanctioned access operating as designed.
286
00:14:56,280 –> 00:14:59,960
Failure analysis exposes a governance vacuum.
287
00:15:00,600 –> 00:15:03,480
User consent remains enabled tenant-wide.
288
00:15:03,480 –> 00:15:06,600
Permission reviews are weak or nonexistent.
289
00:15:06,600 –> 00:15:11,880
High-risk scopes, including mailbox and file access
290
00:15:11,880 –> 00:15:16,120
at tenant breadth, are not gated by administrator review.
291
00:15:16,120 –> 00:15:19,000
Publisher verification is not enforced,
292
00:15:19,000 –> 00:15:21,880
allowing deceptive branding to pass casual inspection.
293
00:15:21,880 –> 00:15:27,320
No app governance solution inspects unusual data access patterns.
294
00:15:27,320 –> 00:15:30,760
Citizens have delegated trust to a screen.
295
00:15:30,760 –> 00:15:32,920
Controls must be absolute.
296
00:15:32,920 –> 00:15:35,400
Disable user consent globally.
297
00:15:35,400 –> 00:15:40,680
Enforce an administrator consent workflow for all third-party applications.
298
00:15:40,680 –> 00:15:47,480
In Entra, configure permission grant policies so that high-impact scopes,
299
00:15:47,480 –> 00:15:55,800
Mail.ReadWrite, Files.Read.All, Sites.Read.All, offline_access,
300
00:15:55,800 –> 00:15:59,640
are blocked from user grant under any circumstance.
301
00:15:59,640 –> 00:16:05,800
Require verified publishers for any app allowed to request organizational data
302
00:16:05,800 –> 00:16:08,520
and still require admin approval.
303
00:16:08,520 –> 00:16:11,480
Implement least-privilege app access policies:
304
00:16:11,480 –> 00:16:13,320
if a function only needs
305
00:16:13,320 –> 00:16:14,600
Files.Read,
306
00:16:14,600 –> 00:16:17,160
it will not receive
307
00:16:17,160 –> 00:16:19,800
Files.Read.All.
308
00:16:19,800 –> 00:16:24,440
Conditional access can constrain app misuse. Apply app-enforced restrictions
309
00:16:24,440 –> 00:16:25,160
where available.
310
00:16:25,160 –> 00:16:31,160
Use cloud app filters to limit access paths for Graph to the intended operations
311
00:16:31,160 –> 00:16:35,800
and apply session controls that restrict download and cut and paste for apps
312
00:16:35,800 –> 00:16:37,480
touching sensitive resources.
313
00:16:37,480 –> 00:16:44,920
For sensitive actions (message send-on-behalf, file export, permission changes),
314
00:16:44,920 –> 00:16:49,400
require step-up with phishing-resistant authentication strengths.
315
00:16:49,400 –> 00:16:54,440
If sign-in risk elevates, block consent events and require administrator review.
316
00:16:54,440 –> 00:16:57,560
Detection is your x-ray.
317
00:16:57,560 –> 00:17:01,720
Monitor for creation of new service principals, especially with broad scopes
318
00:17:01,720 –> 00:17:04,120
or immediate delta query usage.
319
00:17:04,120 –> 00:17:08,520
Alert on sudden mail items accessed spikes from an application identity
320
00:17:08,520 –> 00:17:11,160
tied to a newly created service principal.
321
00:17:11,160 –> 00:17:16,200
Track Graph patterns that jump directly to me/messages/delta, drives/root/children,
322
00:17:16,200 –> 00:17:19,800
or sites/root/drives with high pagination counts.
323
00:17:19,800 –> 00:17:26,440
Build queries to surface apps with offline_access plus Read.All scopes granted in the last 24 hours.
324
00:17:26,440 –> 00:17:32,840
Correlate consent events with subsequent mailbox rule creation,
325
00:17:32,840 –> 00:17:37,000
external forwarding, and unusual Teams file access.
326
00:17:37,000 –> 00:17:40,680
Your response playbook must be surgical and complete.
327
00:17:40,680 –> 00:17:43,720
Disable the application in Entra immediately.
328
00:17:44,360 –> 00:17:46,520
Revoke user and tenant consents.
329
00:17:46,520 –> 00:17:51,480
Invalidate tokens associated with the app and the impacted identities.
330
00:17:51,480 –> 00:17:56,280
Conduct eDiscovery and content search for scope impact windows.
331
00:17:56,280 –> 00:18:02,600
Identify files read, messages accessed, and data exported.
332
00:18:02,600 –> 00:18:07,000
Audit mailboxes for hidden inbox rules, forwarding and delegates.
333
00:18:07,000 –> 00:18:07,640
Remove them.
334
00:18:07,640 –> 00:18:11,480
Review service principal roles and privileges, and
335
00:18:11,480 –> 00:18:16,200
strip any unintended directory read or role assignment abilities.
336
00:18:16,200 –> 00:18:20,920
Document the app’s request origin, domains, and IPs for future blocking.
337
00:18:20,920 –> 00:18:23,960
A micro story for clarity.
338
00:18:23,960 –> 00:18:28,680
A sales executive received a consent prompt for Calendar Optimizer Pro
339
00:18:28,680 –> 00:18:32,360
with a verified-looking publisher and a Microsoft URL.
340
00:18:32,360 –> 00:18:34,520
They accepted.
341
00:18:34,520 –> 00:18:36,520
Over the next six hours,
342
00:18:36,520 –> 00:18:41,560
Graph delta queries harvested recent email threads and proposal attachments.
343
00:18:41,560 –> 00:18:48,920
The SOC observed a new service principal requesting mail items accessed with steady cadence.
344
00:18:48,920 –> 00:18:53,400
No interactive sign-ins, and files enumerated via me/drive.
345
00:18:53,400 –> 00:18:58,200
Admin consent enforcement was absent, user consent was allowed.
346
00:18:58,200 –> 00:19:01,240
Once detected, the team disabled the app,
347
00:19:01,240 –> 00:19:06,040
revoked consents, tenant-wide, and ran mailbox rule audits.
348
00:19:06,600 –> 00:19:12,440
They then implemented admin consent workflows and blocked unverified publishers.
349
00:19:12,440 –> 00:19:15,960
Data loss was finite because time to detection was short.
350
00:19:15,960 –> 00:19:19,880
The breach vector existed because governance ceded trust to ceremony.
351
00:19:19,880 –> 00:19:23,800
Training must recalibrate instincts:
352
00:19:23,800 –> 00:19:28,840
teach that a Microsoft URL and a clean logo do not equal safety.
353
00:19:28,840 –> 00:19:31,000
A consent screen is a contract.
354
00:19:31,000 –> 00:19:33,880
Staff must know forbidden scopes
355
00:19:33,880 –> 00:19:34,200
by name:
356
00:19:34,200 –> 00:19:35,160
Mail.ReadWrite,
357
00:19:35,800 –> 00:19:37,160
Files.Read.All,
358
00:19:37,160 –> 00:19:38,760
Sites.Read.All,
359
00:19:38,760 –> 00:19:40,920
offline_access.
360
00:19:40,920 –> 00:19:42,280
Require the pause rule
361
00:19:42,280 –> 00:19:45,240
for any unexpected consent prompt.
362
00:19:45,240 –> 00:19:50,040
Publish the sanctioned
363
00:19:50,040 –> 00:19:53,000
app catalog.
364
00:19:53,000 –> 00:19:55,880
Only those apps may be approved.
365
00:19:55,880 –> 00:19:59,880
Route all others to the administrator consent queue.
366
00:19:59,880 –> 00:20:05,560
Conduct quarterly simulations that present realistic consent prompts and score teams
367
00:20:05,560 –> 00:20:07,400
on refusal and escalation.
368
00:20:07,400 –> 00:20:10,760
Tooling and configuration close the loop.
369
00:20:10,760 –> 00:20:17,640
Enable app governance in Microsoft Defender for Cloud Apps to baseline app behavior,
370
00:20:17,640 –> 00:20:22,440
flag over-permissive scopes, and auto-remediate anomalous access.
371
00:20:22,440 –> 00:20:26,840
Integrate consent events into the SIEM with high-fidelity alerts.
372
00:20:26,840 –> 00:20:32,120
Automate SOAR playbooks to disable new apps with risky scopes pending review.
373
00:20:32,840 –> 00:20:38,040
Enforce publisher verification and consent grant policies in Entra.
374
00:20:38,040 –> 00:20:42,680
Expand audit log retention to preserve consent and mail items
375
00:20:42,680 –> 00:20:45,560
accessed telemetry for at least one year.
376
00:20:45,560 –> 00:20:48,680
Citizens, understand the doctrine.
377
00:20:48,680 –> 00:20:50,760
Passwords can be rotated.
378
00:20:50,760 –> 00:20:54,840
Tokens expire, but a granted permission remains until you revoke it.
379
00:20:54,840 –> 00:20:59,160
Therefore, revoke by default, consent by exception,
380
00:20:59,160 –> 00:21:03,320
and record every exception. Mandatory compliance is appreciated.
381
00:21:03,320 –> 00:21:06,200
Case file 4. SharePoint link abuse.
382
00:21:06,200 –> 00:21:08,760
Silent exfiltration through collaboration.
383
00:21:08,760 –> 00:21:09,800
Citizens.
384
00:21:09,800 –> 00:21:12,120
The corridor of convenience is now open.
385
00:21:12,120 –> 00:21:14,680
It is labeled “anyone with the link.”
386
00:21:14,680 –> 00:21:16,440
No account.
387
00:21:16,440 –> 00:21:17,960
No verification.
388
00:21:17,960 –> 00:21:22,040
Just a URL generated inside your collaboration fabric
389
00:21:22,040 –> 00:21:24,840
carried outside the border by email or chat.
390
00:21:25,960 –> 00:21:29,880
At 0237, an external IP begins mass downloads.
391
00:21:29,880 –> 00:21:34,600
Minutes later, the same actor pivots to encrypt mapped OneDrive folders.
392
00:21:34,600 –> 00:21:39,320
Collaboration has been converted into an egress channel and a detonator.
393
00:21:39,320 –> 00:21:41,320
The incident pattern is consistent.
394
00:21:41,320 –> 00:21:47,400
A project site spawns a handful of innocuous shares to expedite a vendor review.
395
00:21:47,400 –> 00:21:49,320
The default link type is anonymous.
396
00:21:49,320 –> 00:21:51,160
Expiration is disabled.
397
00:21:51,160 –> 00:21:52,760
Passwords are not required.
398
00:21:53,400 –> 00:21:56,360
The link circulates beyond the intended recipient.
399
00:21:56,360 –> 00:22:00,520
A credential-stuffed mailbox forward leaks it further.
400
00:22:00,520 –> 00:22:06,360
The adversary arrives with no authentication ceremony to betray them.
401
00:22:06,360 –> 00:22:10,440
Telemetry shows SharePoint file operation surges.
402
00:22:10,440 –> 00:22:13,320
Predominantly, download file and get file.
403
00:22:13,320 –> 00:22:17,560
The window closes only when quotas are reached or attention awakens.
404
00:22:17,560 –> 00:22:22,280
Failure analysis identifies legacy gravity.
405
00:22:23,240 –> 00:22:28,120
Tenant level sharing policies remain permissive to maintain business agility.
406
00:22:28,120 –> 00:22:34,120
Unmanaged devices are permitted to access content with full download rights.
407
00:22:34,120 –> 00:22:37,640
Session controls are absent. Access is binary.
408
00:22:37,640 –> 00:22:38,520
Allow or block.
409
00:22:38,520 –> 00:22:40,920
Audit coverage is incomplete.
410
00:22:40,920 –> 00:22:45,880
Administrators cannot reconstruct which files left the environment,
411
00:22:45,880 –> 00:22:49,000
because log retention is short and enrichment is thin.
412
00:22:49,720 –> 00:22:52,040
Citizens have traded provenance for speed.
413
00:22:52,040 –> 00:22:55,400
Controls must re-impose sovereignty.
414
00:22:55,400 –> 00:22:59,560
Set the default sharing link type to specific people.
415
00:22:59,560 –> 00:23:03,080
Disable “anyone” links tenant-wide,
416
00:23:03,080 –> 00:23:08,440
retaining them only for explicitly scoped sites with documented justification.
417
00:23:08,440 –> 00:23:11,000
Enforce link expiration by policy.
418
00:23:11,000 –> 00:23:13,000
30 days or less.
419
00:23:13,000 –> 00:23:16,200
And require password protection for external shares.
420
00:23:16,920 –> 00:23:23,560
Apply sensitivity labels that enforce encryption and block anonymous sharing at the document level.
421
00:23:23,560 –> 00:23:28,840
Confidential content must never inherit permissive site settings.
422
00:23:28,840 –> 00:23:34,360
Require recipients to authenticate with the invited identity.
423
00:23:34,360 –> 00:23:37,480
No email forward daisy chains.
424
00:23:37,480 –> 00:23:43,160
Conditional access must govern the act of taking, not merely the act of seeing.
425
00:23:43,800 –> 00:23:50,120
Require compliant or hybrid-joined devices for download from SharePoint and OneDrive.
426
00:23:50,120 –> 00:23:57,800
For unmanaged devices, enforce web only with download, print, and sync,
427
00:23:57,800 –> 00:24:01,400
blocked via conditional access app control.
428
00:24:01,400 –> 00:24:07,560
Deny legacy protocols and legacy authentication paths that bypass modern session controls.
429
00:24:07,560 –> 00:24:11,240
Tie sign in risk to session posture.
430
00:24:11,240 –> 00:24:17,960
If risk is medium or higher, restrict to view only, require reauthentication to elevate
431
00:24:17,960 –> 00:24:23,880
and invoke continuous access evaluation to cut sessions midstream when risk changes.
432
00:24:23,880 –> 00:24:26,360
Detection must be quantitative and skeptical.
433
00:24:26,360 –> 00:24:31,800
Monitor SharePoint file operation for bursts per user, site, and IP.
434
00:24:31,800 –> 00:24:37,640
Create thresholds per role; an engineer's normal differs from finance's.
435
00:24:38,520 –> 00:24:44,520
Alert on downloads exceeding baseline by an order of magnitude within a short interval,
436
00:24:44,520 –> 00:24:50,280
especially from new IP ranges or autonomous system numbers, not seen for that user.
437
00:24:50,280 –> 00:24:56,280
Surface external user creation spikes and link sharing events clustered in rapid succession.
438
00:24:56,280 –> 00:25:03,400
Bind anomalous egress from SharePoint to contemporaneous OAuth grants or device code activity.
439
00:25:04,040 –> 00:25:09,560
Exfiltration rarely operates alone. Remediation requires containment and proof.
440
00:25:09,560 –> 00:25:13,160
Break permission inheritance on affected libraries.
441
00:25:13,160 –> 00:25:15,400
Revoke extant anonymous links.
442
00:25:15,400 –> 00:25:23,320
Rotate site collection, app permissions, and revoke unused app registrations associated with the site.
443
00:25:23,320 –> 00:25:27,560
Quarantine impacted sites to read only while you assess exposure.
444
00:25:27,560 –> 00:25:32,520
Purge local sync caches on endpoints through MDM to prevent offline leakage.
445
00:25:33,240 –> 00:25:39,320
Enforce password resets and reauthentication for any account that created large anonymous links
446
00:25:39,320 –> 00:25:41,560
or initiated anomalous downloads.
447
00:25:41,560 –> 00:25:47,880
Expand audit retention now. Absence of evidence is not evidence of absence.
448
00:25:47,880 –> 00:25:51,960
A brief, micro story clarifies causality.
449
00:25:51,960 –> 00:25:55,880
A design team enabled anonymous links for a vendor handoff.
450
00:25:55,880 –> 00:25:59,160
Weeks later, a paste site posted the link.
451
00:25:59,960 –> 00:26:09,560
At 01:09, an external ASN pulled 9.2 GB across 1,800 files, then deployed ransomware through a
452
00:26:09,560 –> 00:26:14,280
compromised partner account. Because the tenant had conditional access app control
453
00:26:14,280 –> 00:26:19,720
with download blocks for unmanaged devices, the actor could view previews but not retrieve
454
00:26:19,720 –> 00:26:27,000
originals. UEBA flagged the anomaly. The SOC revoked links, quarantined the site,
455
00:26:27,000 –> 00:26:33,320
and forced device compliance for contributors. The event became an inconvenience, not a catastrophe.
456
00:26:33,320 –> 00:26:40,120
Training must correct habits. Citizens will treat "anyone with the link" as an exception,
457
00:26:40,120 –> 00:26:43,800
requiring written justification and manager approval.
458
00:26:43,800 –> 00:26:51,800
Teach the lexicon. "Specific people" is standard. Passwords and expiration are mandatory.
459
00:26:51,800 –> 00:26:57,960
Recipients must authenticate. Institute the pause rule before external sharing.
460
00:26:57,960 –> 00:27:02,440
Confirm classification. Confirm recipient identity. Confirm necessity.
461
00:27:02,440 –> 00:27:08,120
Conduct quarterly drills that simulate link leakage and score teams on revocation speed.
462
00:27:08,120 –> 00:27:11,560
Tooling must institutionalize restraint.
463
00:27:11,560 –> 00:27:19,960
In Defender for Cloud Apps, deploy policies that block anonymous link creation for labeled content,
464
00:27:19,960 –> 00:27:26,600
alert on mass external sharing and session enforce web only for unmanaged devices.
465
00:27:26,600 –> 00:27:34,280
Implement automated workflows in your SOC to revoke links exceeding safe thresholds
466
00:27:34,280 –> 00:27:41,560
and notify site owners with remediation guidance. Expand SIEM parsers for SharePoint file operation,
467
00:27:41,560 –> 00:27:45,400
link created, and anonymous link used events.
468
00:27:46,760 –> 00:27:51,800
Extend retention to a year. Investigation without history is theater.
469
00:27:51,800 –> 00:27:58,840
Citizens, collaboration is a public square when links are anonymous. Convert it back into a controlled
470
00:27:58,840 –> 00:28:05,880
workspace. If sharing must cross the border, insist on identity, time limits, and revocation discipline.
471
00:28:05,880 –> 00:28:14,360
Mandatory compliance is appreciated. Case file V: token theft, AITM, and session replay at scale.
472
00:28:14,360 –> 00:28:20,440
Citizens, the adversary now removes the mask. A reverse proxy interposes between the user
473
00:28:20,440 –> 00:28:25,400
and the Microsoft sign in page. The URL looks plausible. The page is pixel perfect,
474
00:28:25,400 –> 00:28:31,240
the password and MFA succeed. However, the proxy siphons the session cookie and the refresh token.
475
00:28:31,240 –> 00:28:36,120
The attacker replays the session from a different host. Mailbox rules appear.
476
00:28:36,120 –> 00:28:42,200
OAuth refresh is reused. Persistence is renewed with each silent refresh.
477
00:28:42,200 –> 00:28:47,240
This is not a failure of prompts. It is a failure of binding. Authentication occurred,
478
00:28:47,240 –> 00:28:50,920
but the artifact of trust was not anchored to the device or the client.
479
00:28:50,920 –> 00:28:56,360
Therefore the artifact travels; where the cookie goes, access follows.
480
00:28:56,360 –> 00:28:59,640
The result is account action without account presence.
481
00:28:59,640 –> 00:29:07,000
Failure analysis isolates four defects. First, phishing-resistant MFA is absent,
482
00:29:07,000 –> 00:29:13,720
enabling approval fatigue and AITM success. Second, token protection is disabled.
483
00:29:13,720 –> 00:29:18,680
The session token is not bound to the device’s hardware or the client key. Third,
484
00:29:18,680 –> 00:29:25,080
refresh token lifetimes are long, allowing adversaries to rehydrate access for days.
485
00:29:25,080 –> 00:29:33,400
Fourth, session revocation is inconsistent. Stale tokens persist after password changes and
486
00:29:33,400 –> 00:29:39,640
factor resets. Controls must become structural, not ceremonial. Enforce authentication
487
00:29:39,640 –> 00:29:45,880
strengths that require phishing-resistant factors for privileged roles and for data exfiltration
488
00:29:45,880 –> 00:29:53,640
paths. FIDO2 security keys and certificate-based authentication deprive proxies of reusable artifacts.
489
00:29:53,640 –> 00:30:01,720
Enable continuous access evaluation so risk, device compliance, and sign-in location changes
490
00:30:01,720 –> 00:30:07,480
invalidate access mid-session. Activate token protection for Windows to cryptographically
491
00:30:07,480 –> 00:30:13,960
bind tokens to device keys. A stolen cookie will not validate off the original device.
492
00:30:13,960 –> 00:30:20,280
Shorten sign-in frequency and idle timeouts for high-risk apps: Exchange Online,
493
00:30:20,280 –> 00:30:26,520
SharePoint, OneDrive, Teams, and Graph. Conditional access is your perimeter of consequence.
494
00:30:26,520 –> 00:30:33,080
Require device compliance for privileged workloads and for download operations. Block legacy
495
00:30:33,080 –> 00:30:40,040
protocols that ignore modern auth controls. If sign-in risk reaches high, block access and require
496
00:30:40,040 –> 00:30:47,640
secure reauthentication. Demand step-up for sensitive actions: mailbox permission changes,
497
00:30:47,640 –> 00:30:54,680
external forwarding, creation of inbox rules, SharePoint permission elevation, app consent events.
498
00:30:55,480 –> 00:31:01,960
Tie these actions to phishing-resistant strengths to frustrate session replay. Detection
499
00:31:01,960 –> 00:31:08,840
must assume the adversary looks legitimate. Alert on new user agents reusing an existing session
500
00:31:08,840 –> 00:31:16,360
identifier shortly after an interactive sign-in from a different ASN or geography. Monitor for mailbox
501
00:31:16,360 –> 00:31:22,920
rule creation patterns. Auto-forward to external, mark as read, delete, move to hidden folders.
502
00:31:22,920 –> 00:31:28,520
Surface unfamiliar token signing key identifiers or claims anomalies compared to the user’s
503
00:31:28,520 –> 00:31:34,680
baseline. Detect concurrent access where one session performs administrative actions while the
504
00:31:34,680 –> 00:31:43,320
legitimate user's device remains idle. Correlate AITM infrastructure indicators: known proxy ASN
505
00:31:43,320 –> 00:31:50,360
blocks, free TLS cert issuers, and short-lived domains observed in referrers or link paths
506
00:31:50,360 –> 00:31:57,160
preceding sign-ins. Response procedures must be ruthless. Revoke refresh tokens for the user
507
00:31:57,160 –> 00:32:03,480
and disable sessions tenant-wide if lateral movement is suspected. Force reauthentication with
508
00:32:03,480 –> 00:32:09,240
phishing-resistant strengths. Rotate app secrets and certificates for any app identities
509
00:32:09,240 –> 00:32:15,960
implicated in the session chain. Hunt for mailbox rules and delegates. Remove unauthorized entries
510
00:32:15,960 –> 00:32:22,520
and enable anti-auto-forward policies. Query recent MailItemsAccessed and SharePoint file
511
00:32:22,520 –> 00:32:29,480
operation to delineate exposure. Block identified AITM infrastructure at the proxy and firewall.
512
00:32:29,480 –> 00:32:36,680
Require device attestation or rejoin for non-compliant endpoints. A short microstory clarifies the doctrine.
513
00:32:36,680 –> 00:32:43,400
A regional manager authenticated successfully after receiving a prompt, then reported unusual sent
514
00:32:43,400 –> 00:32:50,760
items. Telemetry showed a new chromium variant user agent reusing the same session within minutes
515
00:32:50,760 –> 00:32:58,040
from a foreign ASN. Mailbox rules redirected invoices to an external account. Because token
516
00:32:58,040 –> 00:33:03,640
protection was active on managed Windows devices, the stolen cookie failed off-device. Continuous
517
00:33:03,640 –> 00:33:12,120
access evaluation cut the replayed session when sign-in risk spiked. The SOC revoked tokens, purged rules,
518
00:33:12,120 –> 00:33:18,760
and imposed step-up for mailbox permission changes. Losses were prevented because the artifact
519
00:33:18,760 –> 00:33:25,320
was bound and the session was reactive to risk. Training must be unambiguous. Teach that a perfect
520
00:33:25,320 –> 00:33:32,920
looking page can still be an imposter. Require URL verification rituals and the pause rule when prompted
521
00:33:32,920 –> 00:33:40,440
unexpectedly. Prohibit approval on unknown prompts and mandate immediate reporting of any unexplained
522
00:33:40,440 –> 00:33:48,440
MFA event. Simulate AITM scenarios quarterly and measure refusal rates. Tooling completes enforcement.
523
00:33:48,440 –> 00:33:55,720
Deploy Defender for Office anti-phishing with real-time URL detonation. Enable Defender for Cloud
524
00:33:55,720 –> 00:34:04,040
Apps session control to block downloads on risky sessions. Integrate sign-in logs, MailItemsAccessed,
525
00:34:04,040 –> 00:34:12,120
and unified audit into the SIEM, and automate SOAR to revoke tokens on high-confidence AITM signals. Mandatory
526
00:34:12,120 –> 00:34:22,520
compliance is appreciated. Corrective doctrine: policy baseline, detections, training, tools. Citizens,
527
00:34:22,520 –> 00:34:30,040
the Office now issues the corrective doctrine. Policy replaces improvisation. Detection replaces
528
00:34:30,040 –> 00:34:38,760
surprise. Training replaces hesitation. Tooling replaces folklore. The policy baseline is mandatory.
529
00:34:38,760 –> 00:34:46,360
First, disable user consent tenant-wide. Enforce the administrator consent workflow for all third-party
530
00:34:46,360 –> 00:34:56,760
applications. Configure permission grant policies to block high-risk scopes: Mail.ReadWrite, Files.Read.All,
531
00:34:57,560 –> 00:35:10,920
Sites.Read.All, Mail.Send, and offline_access, from any user grant. Require verified publishers for
532
00:35:10,920 –> 00:35:17,800
any app allowed to request organizational data. Even then, approval is administrative only.
533
00:35:17,800 –> 00:35:25,880
Second, restrict external Teams communications. In the Teams admin center, set external access to deny
534
00:35:25,880 –> 00:35:33,320
by default. Maintain an explicit allow list of verified partner domains for shared channels and
535
00:35:33,320 –> 00:35:42,520
federation. Prohibit open DMs from unknown tenants. Apply Safe Links in Teams and enable real-time URL
536
00:35:42,520 –> 00:35:49,560
detonation. Third, enforce least-privilege sharing rigor. Set tenant default sharing links to specific
537
00:35:49,560 –> 00:35:55,160
people. Disable anyone links, reserving exceptions for controlled sites with documented justification,
538
00:35:55,160 –> 00:36:02,440
expiration, and passwords. Require recipients to authenticate as themselves. Apply sensitivity labels
539
00:36:02,440 –> 00:36:09,560
that block anonymous sharing and encrypt confidential content by policy. Fourth, publisher verification
540
00:36:09,560 –> 00:36:16,520
is compulsory. Only verified publishers may request organizational scopes. Combine with admin
541
00:36:16,520 –> 00:36:24,440
consent and app governance to constrain post-consent behavior. Fifth, governance of audit is non-negotiable.
542
00:36:25,160 –> 00:36:32,360
Expand unified audit log retention to at least 365 days. Ensure MailItemsAccessed, SharePoint
543
00:36:32,360 –> 00:36:38,760
file operation, app consent grant, service principal created, and conditional access evaluation
544
00:36:38,760 –> 00:36:45,560
events are ingested into your SIEM with full fidelity. The Conditional Access pack is the perimeter of
545
00:36:45,560 –> 00:36:51,960
consequence. Define authentication strengths and require phishing-resistant methods,
546
00:36:51,960 –> 00:36:59,560
FIDO2 or certificate-based authentication, for privileged roles and all data exfiltration paths:
547
00:36:59,560 –> 00:37:07,720
Exchange Online, SharePoint, OneDrive, Teams, and Graph. Set sign-in frequency tighter for privileged
548
00:37:07,720 –> 00:37:15,320
and high-impact apps. Reduce durable sessions without crippling operations. Implement named locations
549
00:37:15,320 –> 00:37:22,040
with strict IP hygiene. Treat residential ASNs and hosting providers as untrusted by default.
550
00:37:22,040 –> 00:37:29,400
If sign-in risk is medium, restrict to web only and block download. If high, block access and require
551
00:37:29,400 –> 00:37:35,880
secure reauthentication. Apply session controls through conditional access app control to restrict
552
00:37:35,880 –> 00:37:42,360
download, cut and paste, print, and sync on unmanaged devices. Require device compliance for file
553
00:37:42,360 –> 00:37:48,680
download and admin operations. Block legacy protocols universally. Everything changes when session
554
00:37:48,680 –> 00:37:55,560
awareness is continuous. Enable continuous access evaluation to invalidate sessions on risk,
555
00:37:55,560 –> 00:38:03,080
device compliance changes, token revocation, and location drift. Activate token protection for
556
00:38:03,080 –> 00:38:09,880
Windows to bind tokens to device keys. A stolen cookie will not validate off the issuing endpoint.
557
00:38:10,520 –> 00:38:17,480
The detection catalog converts telemetry into verdicts. Deploy high-signal KQL queries.
558
00:38:17,480 –> 00:38:25,960
App grants: surface new service principals created in the last 24 hours with Read.All scopes
559
00:38:25,960 –> 00:38:32,360
or offline_access. Correlate immediate Graph delta queries and MailItemsAccessed spikes.
560
00:38:32,360 –> 00:38:39,960
MailItemsAccessed anomalies: alert on sudden increases by application identity or user
561
00:38:39,960 –> 00:38:47,400
context outside named locations or baseline time windows. Device code spikes: monitor device
562
00:38:47,400 –> 00:38:56,360
code endpoint bursts by user, IP, and client app equals "Other clients". Correlate with impossible travel
563
00:38:56,360 –> 00:39:05,480
absent interactive sign-in. Teams anomalies: flag rapid creation of external contacts, new tenant
564
00:39:05,480 –> 00:39:12,120
chats from unseen domains, and MFA prompt clusters within minutes of inbound DMs.
565
00:39:12,120 –> 00:39:20,120
SharePoint egress: detect SharePoint file operation download surges above rolling baselines, new IP ranges,
566
00:39:20,120 –> 00:39:26,680
and anonymous link usage events tied to labeled content. Feed all detections into UEBA.
567
00:39:26,680 –> 00:39:33,720
Baseline per department: chat frequency, consent cadence, device code rarity, download norms,
568
00:39:33,720 –> 00:39:41,160
and after-hours activity. Remember: a single rare event is suspicious; clustered rare events are hostile.
569
00:39:41,160 –> 00:39:49,240
The training program is compulsory civic education. Conduct quarterly simulations that rotate vectors:
570
00:39:49,240 –> 00:39:57,160
Teams pretext, device code vishing, OAuth consent prompts, and anonymous link bait.
571
00:39:58,520 –> 00:40:04,840
Enforce the verification protocol. Every legitimate IT outreach includes a rotating phrase
572
00:40:04,840 –> 00:40:10,600
posted on the intranet banner. No phrase, no action. Establish the code-over-voice prohibition:
573
00:40:10,600 –> 00:40:17,880
no codes, no numbers, no device codes transmitted over chat, voice, SMS, or voicemail. Teach the ceremony:
574
00:40:17,880 –> 00:40:27,000
a code is consent. Institute the mandatory pause rule: stop, verify through the published service
575
00:40:27,000 –> 00:40:36,200
desk number, proceed only after verification, or report. Mandate deepfake awareness. Train citizens
576
00:40:36,200 –> 00:40:43,080
to challenge unexpected voice or video instructions with an out-of-band callback using known numbers.
577
00:40:43,080 –> 00:40:50,280
Require secondary verification for any request that affects identity, permissions, payments, or
578
00:40:50,280 –> 00:40:58,040
data movement. Define escalation paths by role. Publish a sanctioned app catalog. Require administrator
579
00:40:58,040 –> 00:41:06,200
consent requests for any non-catalog app. Enable a one-click "report suspicious" in Teams and Outlook
580
00:41:06,200 –> 00:41:14,200
that preserves headers, URLs, and consent artifacts. Record response time. Publish compliance scores.
581
00:41:14,200 –> 00:41:21,560
Tooling updates harden the apparatus. In Defender for Cloud Apps, enable app governance to baseline
582
00:41:21,560 –> 00:41:28,040
third-party app behavior, auto-quarantine apps with over-permissive scopes, and revoke risky
583
00:41:28,040 –> 00:41:34,840
consents automatically. Create policies for mass external sharing, anonymous link creation on
584
00:41:34,840 –> 00:41:41,480
unlabeled content, device code anomalies, and "Other clients" grants outside named locations.
585
00:41:42,360 –> 00:41:49,560
Enable Defender for Office Safe Links and Safe Attachments across Exchange and Teams. Integrate
586
00:41:49,560 –> 00:41:58,920
Microsoft Defender telemetry, Entra sign-in logs, Graph audit logs, and M365 unified audit into your
587
00:41:58,920 –> 00:42:06,520
SIEM. Normalize entities to tie a consent event to downstream mailbox rule changes and SharePoint
588
00:42:06,520 –> 00:42:14,520
downloads. Automate with SOAR. When high-confidence signals fire, a new service principal with Files.Read.All
589
00:42:14,520 –> 00:42:24,680
plus offline_access, or a device code grant from an untrusted ASN, revoke tokens, disable the app,
590
00:42:24,680 –> 00:42:30,200
force reauthentication with phishing-resistant methods, and open a ticket with rich context.
591
00:42:31,080 –> 00:42:37,720
Governance is the metronome. Establish a monthly review cadence for conditional access policies,
592
00:42:37,720 –> 00:42:45,240
app consent requests, and high-risk detections. Enforce change control with peer review for identity
593
00:42:45,240 –> 00:42:52,200
policy modifications. Maintain emergency break-glass accounts protected with hardware keys, stored
594
00:42:52,200 –> 00:42:59,240
offline and audited quarterly. Expand audit coverage. Verify that critical workloads log at full
595
00:42:59,240 –> 00:43:06,200
fidelity. This is the final warning. The misconfiguration that erases your MFA gains is broad
596
00:43:06,200 –> 00:43:13,000
user consent enabled for Graph scopes. Disable it. Replace it with administrator consent, verified
597
00:43:13,000 –> 00:43:20,920
publishers, and app governance. The Office has spoken. Compliance order and next action. Citizens,
598
00:43:21,720 –> 00:43:29,160
here is the single directive: social engineering prevails wherever identity, consent, and
599
00:43:29,160 –> 00:43:36,360
collaboration policies permit ambiguity. Proceed now. Subscribe to receive the full KQL detection
600
00:43:36,360 –> 00:43:42,440
pack, baseline policy templates, and the red team simulation guide. Then report to the linked
601
00:43:42,440 –> 00:43:49,080
briefing for live detections and deployment steps. The named misconfiguration, broad user consent,
602
00:43:49,080 –> 00:43:53,240
is to be disabled immediately. Mandatory compliance is appreciated.