NOBELIUM attacks
www.microsoft365managerplus.com
Table of contents
Introduction
Step 2: Stop the dormant accounts from getting synced with Azure AD
Conclusion
Introduction
Initially, network security depended on perimeter security. As organizations moved to cloud
infrastructure, many of the measures that secured on-premises setups proved ineffective. This
became more evident as hybrid work gained a stronger foothold and threat actors grew more
sophisticated. Attackers either gain access to cloud accounts directly or move laterally into them
from a compromised on-premises setup.
1. Enhance mailbox auditing
Enabling mailbox auditing for users provides greater visibility into potentially suspicious activity.
Mailbox auditing provides organizations with visibility related to logon events for mailboxes, as well as
specific actions that occurred based upon either the mailbox owner, delegate, or an administrator. With
optimized audit logging in Microsoft 365, organizations are empowered to enhance detection,
monitoring, and investigative activities.
Enable auditing on every licensed user mailbox:

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} | Set-Mailbox -AuditEnabled $true

Set the mailbox audit log retention (age limit) to 90 days on the same mailboxes:

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} | Set-Mailbox -AuditLogAgeLimit 90
Note:
Before applying verbose Mailbox Auditing settings, an organization should verify that their centralized
log or SIEM platform can handle the increased logging volume.
Verbose E3 Licensing Auditing Settings
At a minimum, the MailboxLogin action for the Owner logon type should be added to each mailbox's
audit settings. The PowerShell command given below adds the MailboxLogin action to the
AuditOwner logon type for each licensed user mailbox:

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} | Set-Mailbox -AuditOwner @{Add="MailboxLogin"}
To enable the highest level of logging available with E3 licensing, the PowerShell command given below
can be run on each mailbox to replace the audit actions for each logon type:

Connect-ExchangeOnline
Set-Mailbox -Identity <UPN> `
    -AuditAdmin MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation `
    -AuditDelegate MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules `
    -AuditOwner MoveToDeletedItems,SoftDelete,HardDelete,MailboxLogin,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation
To enable the highest level of logging available with E5 licensing (which adds the MailItemsAccessed
action), the PowerShell command given below can be run on each mailbox to replace the audit actions
for each logon type:

Connect-ExchangeOnline
Set-Mailbox -Identity <UPN> `
    -AuditAdmin MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation,MailItemsAccessed `
    -AuditDelegate MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,MailItemsAccessed `
    -AuditOwner MoveToDeletedItems,SoftDelete,HardDelete,MailboxLogin,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation,MailItemsAccessed
Note:
If Microsoft releases new auditing settings, the new settings will not be automatically applied to
mailboxes where custom audit settings have previously been configured. New auditing settings will
need to be manually applied.
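As an added example (not code from the original page or from M365 Manager Plus), the following function applies the E3 or E5 action sets above to every licensed user mailbox in one pass and then reads back what Exchange Online actually stored, listing any action that did not take. That read-back is the check worth keeping around, since custom audit settings are frozen once set and will silently fall behind any new actions Microsoft adds. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run under an Exchange administrator role, and that -IncludeMailItemsAccessed is only used where mailboxes carry E5-level licensing; the function name and parameters are this example's own.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement is installed
# and Connect-ExchangeOnline has already been run with an Exchange admin account.
function Set-VerboseMailboxAuditing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only valid where mailboxes have E5-level licensing (MailItemsAccessed action)
        [switch]$IncludeMailItemsAccessed,
        [int]$AuditLogAgeLimitDays = 90
    )

    # Action sets from the E3/E5 commands above, kept as arrays so they can be compared later
    $common   = @('MoveToDeletedItems','SoftDelete','HardDelete','UpdateFolderPermissions','UpdateInboxRules')
    $admin    = $common + @('SendAs','SendOnBehalf','UpdateCalendarDelegation')
    $delegate = $common + @('SendAs','SendOnBehalf')
    $owner    = $common + @('MailboxLogin','UpdateCalendarDelegation')
    if ($IncludeMailItemsAccessed) {
        $admin    += 'MailItemsAccessed'
        $delegate += 'MailItemsAccessed'
        $owner    += 'MailItemsAccessed'
    }

    $mailboxes = Get-Mailbox -ResultSize Unlimited `
        -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")}

    foreach ($mbx in $mailboxes) {
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Set verbose audit actions')) {
            Set-Mailbox -Identity $mbx.UserPrincipalName `
                -AuditEnabled $true `
                -AuditLogAgeLimit "$AuditLogAgeLimitDays.00:00:00" `   # dd.hh:mm:ss time span
                -AuditAdmin $admin -AuditDelegate $delegate -AuditOwner $owner
        }

        # Read back the stored settings and list every expected action that is missing
        $after = Get-Mailbox -Identity $mbx.UserPrincipalName
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            AuditEnabled      = $after.AuditEnabled
            AuditLogAgeLimit  = $after.AuditLogAgeLimit
            MissingAdmin      = @($admin    | Where-Object { $_ -notin [string[]]$after.AuditAdmin })    -join ','
            MissingDelegate   = @($delegate | Where-Object { $_ -notin [string[]]$after.AuditDelegate }) -join ','
            MissingOwner      = @($owner    | Where-Object { $_ -notin [string[]]$after.AuditOwner })    -join ','
        }
    }
}

# Usage: preview first, then apply (E3 action sets) and keep only the rows that still miss something
# Set-VerboseMailboxAuditing -WhatIf
# Set-VerboseMailboxAuditing |
#     Where-Object { $_.MissingAdmin -or $_.MissingDelegate -or $_.MissingOwner }
```

Run the same function again after Microsoft announces a new audit action (adding it to the arrays) to catch the mailboxes that were left behind, which is exactly the situation the note above describes.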
The following script (MSOnline module) reports the MFA state and registered authentication methods
for every user. Note that Microsoft has deprecated the MSOnline module in favour of Microsoft Graph
PowerShell.

Connect-MsolService
$Result = @()
$users = Get-MsolUser -All
foreach ($user in $users) {
    # Per-user MFA state; empty when MFA is applied through Conditional Access rather than per-user settings
    $mfaStatus   = @($user.StrongAuthenticationRequirements.State) | Select-Object -First 1
    $phoneApp    = $user.StrongAuthenticationPhoneAppDetails
    $methodTypes = $user.StrongAuthenticationMethods
    if ($mfaStatus -or @($methodTypes).Count -gt 0) {
        if (-not $mfaStatus) {
            $mfaStatus = 'Enabled (Conditional Access)'
        }
        $authMethods            = ($methodTypes.MethodType -join ';')
        $defaultAuthMethod      = ($methodTypes | Where-Object { $_.IsDefault -eq $true }).MethodType
        $verifyEmail            = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber            = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    }
    else {
        # Reset every field so values from the previous user do not leak into this row
        $mfaStatus              = 'Disabled'
        $authMethods            = $null
        $defaultAuthMethod      = $null
        $verifyEmail            = $null
        $phoneNumber            = $null
        $alternativePhoneNumber = $null
    }

    $Result += [PSCustomObject]@{
        UserName               = $user.DisplayName
        UserPrincipalName      = $user.UserPrincipalName
        MFAStatus              = $mfaStatus
        AuthenticationMethods  = $authMethods
        DefaultAuthMethod      = $defaultAuthMethod
        MFAEmail               = $verifyEmail
        PhoneNumber            = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
        DeviceName             = ($phoneApp.DeviceName -join ';')
    }
}
$Result |
    Select-Object UserName,UserPrincipalName,MFAStatus,AuthenticationMethods,DefaultAuthMethod,MFAEmail,PhoneNumber,AlternativePhoneNumber,DeviceName |
    Export-Csv MFAReport.csv -NoTypeInformation
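As an added example (not code from the original page or from M365 Manager Plus), here is the same report built on the Microsoft Graph PowerShell module, which is the supported replacement for MSOnline. Besides registered-or-not, it flags accounts whose only registered methods are phone or e-mail based, since those are the ones a NOBELIUM-style phishing or SIM-swap attack targets. It assumes the Microsoft.Graph.Reports module, an Entra ID P1/P2 license (required for the registration-details report) and the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the function name, the output columns and the list of method names treated as weak are this example's own.

```powershell
# Added example, not from the original page. Assumes Microsoft.Graph.Reports is installed,
# the tenant has Entra ID P1/P2, and the signed-in account can consent to the scopes below.
function Get-MfaRegistrationReport {
    param([string]$OutputPath = 'MFAReport.csv')

    Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All'

    # Method names as they appear in the registration-details report; which of them count as
    # "weak" (phishable or SSPR-only) is this example's assumption, adjust to your policy
    $weakMethods = @('mobilePhone','alternateMobilePhone','officePhone','email','securityQuestion')

    $rows = foreach ($d in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
        $methods = @($d.MethodsRegistered)
        $strong  = @($methods | Where-Object { $_ -notin $weakMethods })
        [pscustomobject]@{
            UserPrincipalName = $d.UserPrincipalName
            DisplayName       = $d.UserDisplayName
            IsAdmin           = $d.IsAdmin
            MFARegistered     = $d.IsMfaRegistered
            MFACapable        = $d.IsMfaCapable
            DefaultMethod     = $d.DefaultMfaMethod
            Methods           = ($methods -join ';')
            # Registered, but only with SMS/voice/e-mail style methods
            WeakMethodsOnly   = ($methods.Count -gt 0 -and $strong.Count -eq 0)
        }
    }

    $rows | Export-Csv -Path $OutputPath -NoTypeInformation
    $rows
}

# Usage: admins with no MFA registration first, then everyone relying only on weak methods
# $report = Get-MfaRegistrationReport
# $report | Where-Object { $_.IsAdmin -and -not $_.MFARegistered }
# $report | Where-Object WeakMethodsOnly
```

Registration is not enforcement: a user who appears as registered is only protected if a Conditional Access policy (or per-user MFA) actually requires the second factor at sign-in, so pair this report with a review of those policies.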
One of the drawbacks of using PowerShell scripts is that you have to execute them manually, often a slow
and tedious process. However, M365 Manager Plus provides a better option.
5. Filter accounts synced to Azure AD
On-premises Active Directory user accounts that are synced to Azure AD should follow the concept of
least privilege. Only the accounts that utilize cloud services should be synced using AD Connect, and
the rest of the accounts should not be synced and assigned permissions in Azure AD.
In order to accomplish this, we need to find the dormant user accounts that never use Microsoft 365
cloud services and remove any Azure AD permissions assigned to them.
Using PowerShell, sign-in activity can be retrieved with the Get-AzureADAuditSignInLogs cmdlet
(AzureADPreview module) and narrowed in three ways: by user principal name, by organizational
unit, or by security group membership. The respective PowerShell scripts are listed below. Note that
Microsoft has deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph
PowerShell.
Script 1: The PowerShell script to retrieve sign-in logs based on user principal name (the OData
filter value must be quoted):

Connect-AzureAD
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '<UPN>'" |
    Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, AppId, IpAddress |
    Export-Csv signins.csv -Append -NoTypeInformation
Script 3: The PowerShell script to retrieve sign-in logs based on security group membership:
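As an added example (not code from the original page or from M365 Manager Plus), the following function covers all three filters (user principal name, organizational unit and security group) in one pass and goes a step further than the per-user sign-in log query: it walks every synced account and uses the signInActivity property, which persists well beyond the 30-day sign-in log window. It considers both interactive and non-interactive sign-ins, because service accounts that only authenticate non-interactively would otherwise be flagged as dormant and wrongly removed from sync. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules, an Entra ID P1/P2 license (needed for signInActivity) and the User.Read.All, AuditLog.Read.All and GroupMember.Read.All scopes; the function name, parameters and the 90-day default are this example's own.

```powershell
# Added example, not from the original page. Assumes Microsoft.Graph.Users and
# Microsoft.Graph.Groups are installed and the tenant has Entra ID P1/P2.
function Get-DormantSyncedUser {
    param(
        [int]$InactiveDays = 90,
        [string]$UpnSuffix,            # filter by user principal name, e.g. 'contoso.com'
        [string]$OuDistinguishedName,  # filter by OU, e.g. 'OU=Sales,DC=corp,DC=contoso,DC=com'
        [string]$GroupId               # filter by group: Entra object ID of a synced security group
    )

    Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','GroupMember.Read.All'
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$InactiveDays)

    # Resolve group membership once, into a lookup table of object IDs
    $members = $null
    if ($GroupId) {
        $members = @{}
        Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $members[$_.Id] = $true }
    }

    $props = 'id,userPrincipalName,displayName,accountEnabled,createdDateTime,' +
             'onPremisesSyncEnabled,onPremisesDistinguishedName,signInActivity'

    foreach ($u in Get-MgUser -All -Property $props) {
        if (-not $u.OnPremisesSyncEnabled) { continue }   # cloud-only accounts are out of scope here
        if ($UpnSuffix -and $u.UserPrincipalName -notlike "*@$UpnSuffix") { continue }
        if ($OuDistinguishedName -and $u.OnPremisesDistinguishedName -notlike "*,$OuDistinguishedName") { continue }
        if ($members -and -not $members.ContainsKey($u.Id)) { continue }

        # Most recent of interactive and non-interactive sign-in; either one counts as "in use"
        $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        if ($last -and $last -ge $cutoff) { continue }                   # active within the window
        if (-not $last -and $u.CreatedDateTime -ge $cutoff) { continue } # new account, not yet used

        $days = if ($last) { [int]($now - $last).TotalDays } else { $null }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            AccountEnabled    = $u.AccountEnabled
            OnPremisesDN      = $u.OnPremisesDistinguishedName
            LastSignIn        = $last
            DaysInactive      = $days   # $null means no recorded sign-in at all
        }
    }
}

# Usage: dormant synced users in one OU, exported as the input for the AD Connect filtering step
# Get-DormantSyncedUser -InactiveDays 90 -OuDistinguishedName 'OU=Contractors,DC=corp,DC=contoso,DC=com' |
#     Export-Csv dormant-synced-users.csv -NoTypeInformation
```

A blank LastSignIn only means no successful sign-in has been recorded since the tenant began tracking sign-in activity, not necessarily that the account was never used, so review those rows by hand before excluding them from sync.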
Step 2: Stop the dormant accounts from getting synced with Azure AD.
This can be accomplished using AD Connect sync filtering, where four options are available:
1. Filter by Domain
2. Filter by OU
3. Filter by Security Group
4. Filter by Attribute
Please refer to this article to learn how to configure Azure AD Connect filtering.
Enhance mailbox auditing and enable verbose mailbox auditing settings
With only the native tools in your arsenal, enhancing mailbox auditing is a tedious and time-consuming
task. To enhance mailbox auditing as recommended by CISA, you have to execute custom
PowerShell scripts based on the license. But with ManageEngine M365 Manager Plus, all you have to do
is enable mailbox auditing. Everything else is preconfigured.
1. Enable audit logging for all mailboxes: Once you install M365 Manager Plus, just toggle the mailbox
audit setting to enable auditing for all the available mailboxes in your organization.
2. Set mailbox audit logging retention: Unlike the native portal, M365 Manager Plus retains all the
audit logs from the day of installation without any restriction. As a backup plan, you can set the
Microsoft 365 audit logging retention period as high as possible.
3. Enable verbose mailbox auditing settings: Once mailbox auditing is enabled, create custom audit
profiles with the required actions, and M365 Manager Plus pulls audit logs and presents them in
report format. These audit reports can be scheduled to be mailed at specific intervals, so that you
can always have an eye on the activities going on in your Microsoft 365 setup.
MFA Enabled Users: Lists all the user accounts for which MFA has been enabled and configured.
MFA Disabled Users: Lists all the user accounts for which MFA has been disabled.
All reports provided by M365 Manager Plus can be scheduled to be generated at specific intervals and
emailed. With this feature, you don't have to utilize the tool every time to review the settings. The reports
can also be exported to CSV, PDF, XLS, or HTML formats for periodic review.
Added advantage:
The reports can be exported to CSV format and can be uploaded in the Management module for
appropriate action. For example, the MFA Disabled Users report can be exported in bulk to CSV and
uploaded in the Management module to enforce MFA for users.
You can also create automation policies with M365 Manager Plus to enforce MFA whenever a user
account is created or MFA is disabled.
If you don't want to go through the entire export and import process, simply select the users in the
report and manage them directly. For example, select the users in the MFA Disabled Users report and use
the management option available in the data table to enforce MFA.
Synced Users: Provides a list of all the on-premises AD users synced with Azure AD.
Last User Activity by Service: You can verify whether a particular AD user is accessing Microsoft
365 services or not.
Last User Activity by Date: View the date on which an AD user last accessed an M365 service.
All of the above mentioned reports can be exported to CSV, PDF, XLS, and HTML formats. Export the
required data to CSV and import it into the management module to block, manage permissions, or
delete them.
Conclusion
To make use of the advanced and essential security features offered by Microsoft, you have to own a
premium license. Those features also have shortcomings, especially when handling users and mailboxes
in bulk. Relying on PowerShell is not preferred by most IT admins, as it is time-consuming
and requires a high level of expertise. To overcome these drawbacks, choose a tool like ManageEngine
M365 Manager Plus which brings management and security features for the major Microsoft 365
services like Exchange Online, Azure Active Directory, Microsoft Teams, OneDrive for Business, and
more under a single screen.
M365 Manager Plus is an extensive Microsoft 365 tool used for reporting, managing,
monitoring, auditing, and creating alerts for critical incidents. With its user-friendly interface,
you can easily manage Exchange Online, Azure Active Directory, Skype for Business, OneDrive
for Business, Microsoft Teams, and other Microsoft 365 services from a single console.