https://gallery.technet.microsoft.com/office365/Office-365-Reporting-Tool-7987b4c2
https://github.com/renisac/O365-Management-and-Log-Scripts/tree/master/source/O365_IR_Toolbox
- https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
- https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide
- https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide#setup
- (videos) https://support.microsoft.com/en-us/office/set-up-multi-factor-authentication-in-microsoft-365-business-a32541df-079c-420d-9395-9d59354f7225?ui=en-US&rs=en-US&ad=US
- screens and guide: https://www.howtogeek.com/410055/enforce-mfa-for-anyone-who-uses-your-o365-subscription/
https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection
https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection
https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies
https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off
https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing
# Check current state: is mailbox auditing disabled tenant-wide, and is the Unified Audit Log ingesting?
Get-OrganizationConfig | FL AuditDisabled
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
# Turn on Unified Audit Log ingestion and tenant-wide mailbox auditing
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-OrganizationConfig -AuditDisabled $false
# Apply the default audit sets (Admin, Delegate and Owner actions) to every user mailbox
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -DefaultAuditSet Admin,Delegate,Owner
- Determine if a 3rd party is logging into the email account and take appropriate action (change password, block access)
- Examine suspicious message details to determine whether it was sent from the user account or whether an external source is spoofing it.
- Remediate the compromised account.
- check risky sign-ins via Azure AD -
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RiskySignIns
Look for unusual IPs (locations, time-of-day)
This interface should highlight unusual activity
- check Unified Audit Log
filter for user account, user name.
review IPs, login times, etc.
IOC is access to the account (i.e. login to OWA, SMTP/POP authentication)
- EXAMINE MESSAGE: Is the message an external spoof, or was it sent from the user account?
Check Message Trace in Exchange Admin
Look for the sender/source IP - is it coming from the outside? Then it is a spoofed message.
If it appears internal (from the user account) - review account access above: was it sent via OWA/SMTP remotely, or is the user's PC/phone compromised?
https://protection.office.com/?rfr=AdminCenter#/messagetrace
https://outlook.office365.com/ecp/?rfr=Admin_o365&exsvurl=1&mkt=en-US&Realm=[CLIENT EMAIL DOMAIN]
- Check Unified Audit Log: searching for this specific message
https://protection.office.com/?rfr=AdminCenter#/unifiedauditlog
- (E3 with archiving) check message headers (via content search/original message download)
https://protection.office.com/?ContentOnly=1#/contentsearchbeta
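One way to run the "check Unified Audit Log" and "EXAMINE MESSAGE" steps above from Exchange Online PowerShell instead of the portals. This is an added example, not part of these notes or of the linked toolboxes; it assumes an existing Connect-ExchangeOnline session, audit log search already enabled (see the cmdlets above), and the placeholder parameters $User, $Days and $Subject.

```powershell
# Added example: summarize where a suspect account was accessed from (Unified Audit Log)
# and where a suspect message actually entered the tenant (Message Trace).
param(
    [Parameter(Mandatory)] [string]$User,   # e.g. user@contoso.example (placeholder)
    [int]$Days = 30,                        # audit log look-back window
    [string]$Subject                        # subject fragment of the suspicious message (optional)
)
$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# 1. Account access. UserLoggedIn records come from Azure AD, MailboxLogin records from
#    Exchange (OWA / SMTP / POP / IMAP authentications). AuditData is a JSON blob.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $User `
            -Operations UserLoggedIn,MailboxLogin -ResultSize 5000
$access = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
}
"`n== Logins per source IP for $User (last $Days days) =="
# Unusual IPs, and first/last seen times outside the user's normal hours, are the IOC to chase.
$access | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='First'; e={ ($_.Group | Measure-Object Time -Minimum).Minimum }},
        @{n='Last';  e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize

# 2. Spoof or sent from the account? FromIP is the host that connected to deliver the
#    message. An external IP for mail claiming to be from $User means spoofing; an internal
#    submission points back to the account-access findings in step 1.
#    Message trace only covers the last 10 days, so the window is capped there.
if ($Subject) {
    $traceStart = (Get-Date).AddDays(-10)
    "`n== Message trace: mail from $User with subject like '$Subject' (last 10 days) =="
    Get-MessageTrace -SenderAddress $User -StartDate $traceStart -EndDate $end |
        Where-Object { $_.Subject -like "*$Subject*" } |
        Select-Object Received, FromIP, RecipientAddress, Status |
        Format-Table -AutoSize
}
```

Save as a .ps1 and call it with -User and optionally -Subject; 5000 is the per-call ceiling for Search-UnifiedAuditLog, so narrow $Days if a busy account hits it.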