
CISA's 5 security hardening strategies to defend Microsoft 365 from NOBELIUM attacks

www.microsoft365managerplus.com
Table of contents

Introduction
Enhance mailbox auditing
Enable verbose mailbox auditing settings
Enforce MFA for accounts
Review all MFA-enabled accounts
Filter accounts synced to Azure AD
  Step 1: Find the dormant AD accounts synced with Azure AD
  Step 2: Stop the dormant accounts from getting synced with Azure AD
How ManageEngine helps
Conclusion

Introduction
Network security initially depended on perimeter defenses. When organizations moved to cloud
infrastructure, many of the measures that secured on-premises setups proved ineffective. This became
more apparent as the hybrid work environment gained a stronger foothold and threat actors became
more sophisticated. Attackers either gain access to cloud accounts directly or move laterally from the
on-premises setup.

CISA, the Cybersecurity and Infrastructure Security Agency of the United States, helps organizations
understand, manage and reduce the risk of cyberattacks. CISA works to strengthen cybersecurity based
on what it learns from incident and third-party reports.

CISA's capabilities were challenged in 2021 by NOBELIUM, the threat actor behind a major supply chain
compromise that drew worldwide scrutiny for its malicious campaigns targeting government
organizations, non-government organizations, think tanks, the military, IT service providers, health
technology and research, and telecommunications providers. NOBELIUM designed unique infrastructure
and tooling for each target, which increased its ability to remain undetected for a longer period of time.
As the most widely adopted cloud platform, Microsoft 365 remains one of the most targeted.

In this e-book we cover the five most important security hardening settings recommended by CISA that
must be implemented to secure Microsoft 365 from NOBELIUM.

1. Enhance mailbox auditing
Enabling mailbox auditing for users provides greater visibility into potentially suspicious activity.
Mailbox auditing provides organizations with visibility related to logon events for mailboxes, as well as
specific actions that occurred based upon either the mailbox owner, delegate, or an administrator. With
optimized audit logging in Microsoft 365, organizations are empowered to enhance detection,
monitoring, and investigative activities.

Step 1: Enable audit logging for all mailboxes

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} |
    Set-Mailbox -AuditEnabled $True

Step 2: Set mailbox audit logging retention

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} |
    Set-Mailbox -AuditLogAgeLimit 90

2. Enable verbose mailbox auditing settings
Verbose mailbox logging saves all possible logs for users irrespective of their role. Audit logs of owners,
admins and other privileged role holders should also be retained for security purposes.

Note:
Before applying verbose Mailbox Auditing settings, an organization should verify that their centralized
log or SIEM platform can handle the increased logging volume.

Verbose E3 Licensing Auditing Settings

At a minimum, the MailboxLogin action for the Owner logon type should be added to each mailbox's
audit settings. The PowerShell command given below adds the MailboxLogin action to the AuditOwner
logon type for each mailbox:

Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")} |
    Set-Mailbox -AuditOwner @{Add="MailboxLogin"}

To enable the highest level of logging available with E3 licensing, the PowerShell command given below
can be run on each mailbox to replace the auditing settings for each logon type.

Connect-ExchangeOnline
Set-Mailbox -Identity <UPN> `
    -AuditAdmin MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation `
    -AuditDelegate MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules `
    -AuditOwner MoveToDeletedItems,SoftDelete,HardDelete,MailboxLogin,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation

To enable the highest level of logging available with E5 licensing, the PowerShell command given below
can be run on each mailbox to replace the auditing settings for each logon type.

Connect-ExchangeOnline
Set-Mailbox -Identity <UPN> `
    -AuditAdmin MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation,MailItemsAccessed `
    -AuditDelegate MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,UpdateFolderPermissions,UpdateInboxRules,MailItemsAccessed `
    -AuditOwner MoveToDeletedItems,SoftDelete,HardDelete,MailboxLogin,UpdateFolderPermissions,UpdateInboxRules,UpdateCalendarDelegation,MailItemsAccessed

Note:
If Microsoft releases new auditing settings, the new settings will not be automatically applied to
mailboxes where custom audit settings have previously been configured. New auditing settings will
need to be manually applied.
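As an added example (not from the e-book or from ManageEngine), the following script checks the settings from sections 1 and 2 together: it reports licensed user mailboxes where auditing is off, where retention is below the 90-day floor, or where the per-logon-type action set has drifted from the E3 or E5 baseline listed above, which is the drift the note describes. It assumes the ExchangeOnlineManagement module is installed and that you pass -E5 for a tenant on E5 licensing.

```powershell
# Added example: mailbox audit posture check. The baselines are the E3/E5 action sets
# from the page; -E5 adds MailItemsAccessed to each logon type as the E5 command does.
param([switch]$E5, [int]$MinRetentionDays = 90)

Connect-ExchangeOnline

$common   = 'MoveToDeletedItems','SoftDelete','HardDelete','UpdateFolderPermissions','UpdateInboxRules'
$baseline = @{
    AuditAdmin    = $common + 'SendAs','SendOnBehalf','UpdateCalendarDelegation'
    AuditDelegate = $common + 'SendAs','SendOnBehalf'
    AuditOwner    = $common + 'MailboxLogin','UpdateCalendarDelegation'
}
if ($E5) { foreach ($k in @($baseline.Keys)) { $baseline[$k] += 'MailItemsAccessed' } }

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "UserMailbox") -and (SKUAssigned -eq "True")}

$findings = foreach ($mbx in $mailboxes) {
    $issues = @()
    if (-not $mbx.AuditEnabled) { $issues += 'AuditEnabled is false' }

    # AuditLogAgeLimit comes back as a "dd.hh:mm:ss" timespan string (assumption: parse via ToString)
    $retention = [timespan]"$($mbx.AuditLogAgeLimit)"
    if ($retention -lt [timespan]::FromDays($MinRetentionDays)) {
        $issues += "AuditLogAgeLimit $($mbx.AuditLogAgeLimit) is below $MinRetentionDays days"
    }

    # Any baseline action missing from the mailbox's current set is reported as drift
    foreach ($k in $baseline.Keys) {
        $missing = $baseline[$k] | Where-Object { $mbx.$k -notcontains $_ }
        if ($missing) { $issues += "$k missing: $($missing -join ',')" }
    }

    if ($issues) {
        [pscustomobject]@{ UserPrincipalName = $mbx.UserPrincipalName; Issues = $issues -join '; ' }
    }
}

$findings | Export-Csv MailboxAuditGaps.csv -NoTypeInformation
$findings
```

Mailboxes that produce no row already match the baseline; rows with "missing" entries can be fed back to the Set-Mailbox commands above.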

3. Enforce MFA for accounts

Configuring MFA only for administrative or privileged accounts is the bare minimum. CISA recommends
that MFA be enabled for all user accounts, irrespective of the permissions they hold. Using the
Microsoft 365 Admin Center, you can enable or disable MFA for multiple users at a time, but the admin
center is limited when it comes to verification modes and other security settings: those can be
configured only for a single account at a time. IT admins have to spend hours securing their
organization with MFA using Microsoft's native tools. The other option is a PowerShell script, which,
again, is time-consuming and complex to apply at scale.

4. Review all MFA-enabled accounts

Configuring MFA is one thing, but reviewing the settings is another. CISA suggests that once MFA has
been configured, all the registered devices should be reviewed periodically.

The following PowerShell script reports the MFA status of all accounts in Azure AD:

Connect-MsolService
$Result = @()
$users = Get-MsolUser -All
$users | ForEach-Object {
    $user = $_
    $mfaStatus = $_.StrongAuthenticationRequirements.State
    $phoneApp = $_.StrongAuthenticationPhoneAppDetails
    $methodTypes = $_.StrongAuthenticationMethods
    if ($mfaStatus -ne $null -or $methodTypes -ne $null)
    {
        if ($mfaStatus -eq $null)
        {
            # Methods are registered but no per-user requirement is set: MFA comes from Conditional Access
            $mfaStatus = 'Enabled (Conditional Access)'
        }
        $authMethods = $methodTypes.MethodType
        $defaultAuthMethod = ($methodTypes | Where-Object { $_.IsDefault -eq "True" }).MethodType
        $verifyEmail = $user.StrongAuthenticationUserDetails.Email
        $phoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber
        $alternativePhoneNumber = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    }
    else
    {
        $mfaStatus = "Disabled"
        $authMethods = $null   # reset so the previous user's methods do not leak into this row
        $defaultAuthMethod = $null
        $verifyEmail = $null
        $phoneNumber = $null
        $alternativePhoneNumber = $null
    }

    $Result += New-Object PSObject -Property @{
        UserName = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        MFAStatus = $mfaStatus
        AuthenticationMethods = $authMethods
        DefaultAuthMethod = $defaultAuthMethod
        MFAEmail = $verifyEmail
        PhoneNumber = $phoneNumber
        AlternativePhoneNumber = $alternativePhoneNumber
        DeviceName = $phoneApp.DeviceName
    }
}
$Result | Select-Object UserName,UserPrincipalName,MFAStatus,DefaultAuthMethod,MFAEmail,PhoneNumber,AlternativePhoneNumber,DeviceName |
    Export-Csv MFAReport.CSV -NoTypeInformation
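The periodic review CISA asks for is easier as a comparison between two runs of the report above. As an added example (not from the e-book or from ManageEngine), the following function diffs two MFAReport.CSV exports by user principal name and reports accounts whose MFA status, default method, phone number or registered device changed, plus accounts that appeared or disappeared. The two here-strings are constructed sample rows standing in for Import-Csv on the real files; the column names are the ones the script above writes.

```powershell
# Added example: compare a previous and a current MFAReport.CSV. Replace the two
# here-strings with Import-Csv .\MFAReport-previous.csv / Import-Csv .\MFAReport.CSV.
$previous = @'
UserPrincipalName,MFAStatus,DefaultAuthMethod,PhoneNumber,DeviceName
alice@example.com,Enforced,PhoneAppNotification,+1 5550100,Alice-Phone
bob@example.com,Enforced,OneWaySMS,+1 5550101,
carol@example.com,Disabled,,,
'@ | ConvertFrom-Csv

$current = @'
UserPrincipalName,MFAStatus,DefaultAuthMethod,PhoneNumber,DeviceName
alice@example.com,Enforced,PhoneAppNotification,+1 5550100,Unknown-Android
bob@example.com,Disabled,,,
dave@example.com,Enabled (Conditional Access),PhoneAppOTP,,Dave-Phone
'@ | ConvertFrom-Csv

function Compare-MfaReport {
    param($Previous, $Current)
    $watched = 'MFAStatus','DefaultAuthMethod','PhoneNumber','DeviceName'
    $prevByUpn = @{}
    foreach ($row in $Previous) { $prevByUpn[$row.UserPrincipalName.ToLower()] = $row }
    $seen = @{}
    foreach ($row in $Current) {
        $upn = $row.UserPrincipalName.ToLower()
        $seen[$upn] = $true
        $old = $prevByUpn[$upn]
        if (-not $old) {
            [pscustomobject]@{ UserPrincipalName = $upn; Change = 'new account'; Detail = $row.MFAStatus }
            continue
        }
        # Every watched column that differs becomes one finding, e.g. a newly registered device
        foreach ($field in $watched) {
            if ($old.$field -ne $row.$field) {
                [pscustomobject]@{ UserPrincipalName = $upn; Change = $field; Detail = "$($old.$field) -> $($row.$field)" }
            }
        }
    }
    # Accounts present last time but missing now (deleted, or excluded from the export)
    foreach ($upn in $prevByUpn.Keys) {
        if (-not $seen.ContainsKey($upn)) {
            [pscustomobject]@{ UserPrincipalName = $upn; Change = 'removed account'; Detail = $prevByUpn[$upn].MFAStatus }
        }
    }
}

Compare-MfaReport -Previous $previous -Current $current | Format-Table -AutoSize
```

With the sample rows, the output flags alice's changed device, bob's status going from Enforced to Disabled with his SMS method and phone number cleared, dave as a new account and carol as removed.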

One of the drawbacks of using PowerShell scripts is that you have to execute them manually, which is
often slow and tedious. M365 Manager Plus provides a better option.

5. Filter accounts synced to Azure AD
On-premises Active Directory user accounts that are synced to Azure AD should follow the principle of
least privilege. Only the accounts that use cloud services should be synced using AD Connect; the rest
should neither be synced nor assigned permissions in Azure AD.

To accomplish this, we need to find the dormant user accounts that never use Microsoft 365 cloud
services and remove any Azure AD permissions assigned to them.

Step 1: Find the dormant AD accounts synced with Azure AD.

We need to review the last logon time to find the users who have not logged on for a long time or have
never logged on.

Using PowerShell, these users can be filtered from the Azure AD sign-in logs in three ways: by user
principal name, by organizational unit, or by security group. The respective PowerShell scripts are listed
below.

Script 1: The PowerShell script to retrieve sign-in logs based on user principal name:

Connect-AzureAD
# Get-AzureADAuditSignInLogs is provided by the AzureADPreview module
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '<UPN>'" |
    Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, AppId, IpAddress |
    Export-Csv signins.csv -Append

Script 2: The PowerShell script to retrieve sign-in logs based on AD OU:

# Export members of AD OU to CSV
Get-ADUser -Filter * -SearchBase "<OU PATH>" | Select-Object UserPrincipalName |
    Export-Csv OUMembers.csv -NoTypeInformation
# Import CSV into variable
$Users = Import-Csv OUMembers.csv
# Review OU member logins against Azure AD sign-in logs
Connect-AzureAD
foreach ($user in $Users) {
    $u = $user.UserPrincipalName
    Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$u'" |
        Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, AppId, IpAddress |
        Export-Csv signins.csv -Append
}

Script 3: The PowerShell script to retrieve sign-in logs based on security group membership:

# Export members of AD security group to CSV
# Get-ADGroupMember returns principals without a UserPrincipalName, so resolve user members through Get-ADUser
Get-ADGroupMember -Identity "<Group Name>" -Recursive | Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser | Select-Object UserPrincipalName | Export-Csv GroupMembers.csv -NoTypeInformation
# Import CSV into variable
$Users = Import-Csv GroupMembers.csv
# Review group member logins against Azure AD sign-in logs
Connect-AzureAD
foreach ($user in $Users) {
    $u = $user.UserPrincipalName
    Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$u'" |
        Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, AppId, IpAddress |
        Export-Csv signins.csv -Append
}

Step 2: Stop the dormant accounts from getting synced with Azure AD.

This can be accomplished using AD Connect sync filtering, where four options are available:

1. Filter by Domain
2. Filter by OU
3. Filter by Security Group
4. Filter by Attribute

Please refer to this article to learn how to configure Azure AD Connect filtering.
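The scripts in Step 1 export raw sign-in rows; deciding who is dormant still has to be done on that output. As an added example (not from the e-book or from ManageEngine), the following function joins the member list (OUMembers.csv or GroupMembers.csv) against signins.csv, takes the latest sign-in per user, and reports accounts that never signed in or have been inactive longer than a threshold. The resulting CSV is the input for whichever Step 2 filtering option you choose. The two here-strings are constructed sample data standing in for Import-Csv on the real exports; the AppId values are placeholders.

```powershell
# Added example: derive a dormant-account list from the Step 1 exports.
# Replace the here-strings with Import-Csv OUMembers.csv / Import-Csv signins.csv.
$members = @'
UserPrincipalName
alice@example.com
bob@example.com
carol@example.com
'@ | ConvertFrom-Csv

$signins = @'
UserPrincipalName,CreatedDateTime,AppDisplayName,AppId,IpAddress
alice@example.com,2021-11-02T08:15:00Z,Outlook,placeholder-app-id,203.0.113.10
alice@example.com,2021-11-20T17:40:00Z,Microsoft Teams,placeholder-app-id,203.0.113.10
bob@example.com,2021-03-05T09:00:00Z,SharePoint,placeholder-app-id,198.51.100.7
'@ | ConvertFrom-Csv

function Get-DormantSyncedUser {
    param($Members, $SignIns, [int]$InactiveDays = 90, [datetime]$AsOf = (Get-Date).ToUniversalTime())
    # Latest sign-in per UPN; a member with no row at all has never signed in
    $lastSeen = @{}
    foreach ($s in $SignIns) {
        $when = [datetime]::Parse($s.CreatedDateTime, [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
        $upn = $s.UserPrincipalName.ToLower()
        if (-not $lastSeen.ContainsKey($upn) -or $when -gt $lastSeen[$upn]) { $lastSeen[$upn] = $when }
    }
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($m in $Members) {
        $upn = $m.UserPrincipalName.ToLower()
        $last = $lastSeen[$upn]
        if (-not $last) {
            [pscustomobject]@{ UserPrincipalName = $upn; LastSignIn = $null; Reason = 'never signed in' }
        }
        elseif ($last -lt $cutoff) {
            $days = [int]($AsOf - $last).TotalDays
            [pscustomobject]@{ UserPrincipalName = $upn; LastSignIn = $last; Reason = "inactive for $days days" }
        }
    }
}

# A fixed -AsOf keeps the sample reproducible; omit it in production to evaluate against now
$dormant = Get-DormantSyncedUser -Members $members -SignIns $signins -AsOf ([datetime]::new(2021, 12, 1, 0, 0, 0, 'Utc'))
$dormant | Export-Csv DormantSyncedUsers.csv -NoTypeInformation
$dormant
```

With the sample data, alice (last seen 11 days before the as-of date) is not reported, bob is reported as inactive for 271 days, and carol as never signed in.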

How ManageEngine helps

In this section we cover how M365 Manager Plus, ManageEngine's Microsoft 365 management and
security solution, helps implement all the CISA security recommendations covered in the previous
sections without using PowerShell scripts.

Enhance mailbox auditing and enable verbose mailbox auditing settings
With only the native tools in your arsenal, enhancing mailbox auditing is a tedious and time-consuming
task. To enhance mailbox auditing as recommended by the CISA, you have to execute custom
PowerShell scripts based on the license. But with ManageEngine M365 Manager Plus, all you have to do
is enable mailbox auditing. Everything else is preconfigured.

1. Enable audit logging for all mailboxes: Once you install M365 Manager Plus, just toggle the mailbox
audit setting to enable auditing for all the available mailboxes in your organization.

2. Set mailbox audit logging retention: Unlike the native portal, M365 Manager Plus retains all the
audit logs from the day of installation without any restriction. As a backup plan, you can set the
Microsoft 365 audit logging retention period as high as possible.

3. Enable verbose mailbox auditing settings: Once mailbox auditing is enabled, create custom audit
profiles with the required actions, and M365 Manager Plus pulls audit logs and presents them in
report format. These audit reports can be scheduled to be mailed at specific intervals, so that you
can always have an eye on the activities going on in your Microsoft 365 setup.

Enforce MFA for accounts:
With M365 Manager Plus, you simply have to upload a CSV file with the required user account details and
configure the settings once. You can enable, disable, select the mode of second factor authentication,
and everything pertaining to the MFA configuration. No redundant actions and lengthy PowerShell
scripts are required.

Review all MFA-enabled accounts:

M365 Manager Plus features more than 700 built-in reports that can be generated in a single click. To
review MFA settings, see the Multi Factor Authentication Status report. This report lists all the users in
your organization, their MFA status, and mode of authentication. Other MFA-related reports provided by
M365 Manager Plus include:

MFA Enabled Users: Lists all the user accounts for which MFA has been enabled and configured.
MFA Disabled Users: Lists all the user accounts for which MFA has been disabled.

All reports provided by M365 Manager Plus can be scheduled to be generated at specific intervals and
emailed. With this feature, you don't have to utilize the tool every time to review the settings. The reports
can also be exported to CSV, PDF, XLS, or HTML formats for periodic review.

Added advantage:
The reports can be exported to CSV format and can be uploaded in the Management module for
appropriate action. For example, the MFA Disabled Users report can be exported in bulk to CSV and
uploaded in the Management module to enforce MFA for users.

You can also create automation policies with M365 Manager Plus to enforce MFA whenever a user
account is created or MFA is disabled.

If you don't want to go through the entire export and import process, simply select the users in the
reports and manage them. For example, select the users in the MFA Disabled Users report and use
the management option available in the data table to enforce MFA.

Filter accounts synced to Azure AD:
Instead of running complex PowerShell scripts to find the dormant user accounts, you can retrieve the
required list of user accounts in a single click. M365 Manager Plus' User Logon report is all you need. Use
the appropriate filter settings to discover the AD users who have not logged in during the specified
duration. Some of the other reports that can help you in this process include:

Synced Users: Provides a list of all the on-premises AD users synced with Azure AD.
Last User Activity by Service: Verify whether a particular AD user is accessing Microsoft 365 services
or not.
Last User Activity by Date: View the date when an AD user last accessed a Microsoft 365 service.

All of the above reports can be exported to CSV, PDF, XLS, and HTML formats. Export the required data
to CSV and import it into the management module to block the accounts, manage their permissions, or
delete them.

Conclusion
To make use of the advanced and essential security features offered by Microsoft, you have to own the
premium license. Those features also have shortcomings, especially when handling users and mailboxes
in bulk. Most IT admins prefer not to rely on PowerShell, as it is time-consuming and requires a high level
of expertise. To overcome these drawbacks, choose a tool like ManageEngine M365 Manager Plus, which
brings management and security features for the major Microsoft 365 services, such as Exchange
Online, Azure Active Directory, Microsoft Teams, OneDrive for Business, and more, under a single screen.

M365 Manager Plus is an extensive Microsoft 365 tool used for reporting, managing,
monitoring, auditing, and creating alerts for critical incidents. With its user-friendly interface,
you can easily manage Exchange Online, Azure Active Directory, Skype for Business, OneDrive
for Business, Microsoft Teams, and other Microsoft 365 services from a single console.
