Email Security
A Practical Primer

PowerShellGeek.Com

About the Author

Damian Scoles
Microsoft MVP, PowerShell Book Author

An avid user of PowerShell, Damian loves to share his knowledge and experience with this powerful Microsoft tool.

@PPowerShell

Contents

1 Introduction
2 Domain Name System (DNS)
3 Transport Layer Security (TLS)
4 Exchange Online Protection (EOP)
5 MS Defender for O365 (ATP)
6 PowerShell (PS)
7 Conclusion
8 Resources

Email Security

Email is an old form of communication, with the very first email sent in 1971 - FIFTY years ago this year. While not as old as our usage of phone communication, email has supplanted snail mail and regular phone calls due to its low cost. This low cost has also led to malicious actors plying their trade via SPAM, malware, phishing attacks and more. By securing email communications, we can weaken their impact.

Introduction

Email is for old people. Who needs email anymore? We can communicate via Tweets, Instagram, Facebook and more. Yet, corporations and people still use it on a daily basis. It also might just surprise you that email is still one of the largest forms of communication worldwide.

* Estimated 300 billion emails sent each day.

This means that a lot of people are using email. We have your typical personal emails, not-for-profit emails, corporate emails, government emails and more.

SPAM comprised over 50% of all email sent in 2020. Having some sort of email hygiene product between you and spammers is essentially a no brainer. It is also considered a primary layer of defense against getting compromised.

Malware attacks by bad actors also comprise a sizeable share of the emails that are sent to people. Malware comes in many forms, but essentially consists of a bad file, say a PDF or ZIP file, that users will attempt to open, and a malicious payload is unleashed on an unsuspecting user.

Phishing attacks take email attacks to a new level where users are tricked into taking an action they should not. Maybe they log into a site or click on a link that may install something malicious.

URL links in email are another potential attack vector that could be used against people. These URLs may look legit but end up not being so, and the end user can be compromised with this simple hook.

Domain Name System (DNS)

Mail servers rely on DNS in order to find their next hop or delivery destination. As such, DNS is critical to proper email operation. Configuring DNS to meet best practices will also ensure a well-functioning delivery system.

DNS Records for Email

What DNS records do email servers use and what purpose do they serve?

A Record: Used to point to the external/public DNS name of the sending mail system. For example, a lot of organizations will use a naming convention of mail.<org domain>.com. This name can be important in the email authentication process and in the TLS handshake process as well.

Pointer (PTR) record: A pointer record is a reverse lookup used to verify that the IP of the sending mail server matches the associated name of the sending email server. When this record was introduced as a check for sender validity it did cause some headaches, as the admins of sending mail systems needed to accommodate it in their build-out. If external IP ranges change, this record may need to change as well.

Sender Policy Framework (SPF) record: Used to declare which email servers are authorized to send email for a particular SMTP domain. The hope is to help the receiving server determine if the sender for that domain is legitimate. Currently SPF DNS records are TXT records created in the DNS zone for the SMTP domain of the sending domain (for example, the example.com zone at GoDaddy).

Domain Keys Identified Mail (DKIM) record: Like the SPF record, a mechanism used to authenticate email. Outgoing messages are stamped with a signature header, based on a public/private key pair. The signature is then used by the recipient's mail system to confirm the originator and that the message has not been tampered with. The originating mail server will use its private key to sign the message, whereas the recipient's mail server will use the public key (published in DNS) to verify the signature.

DMARC record: Intended to provide a mechanism for both the sender and the recipient to help identify legitimate emails. The record is constructed on a per-SMTP-domain (example.com) basis in DNS and is then used to establish an email's legitimacy. A sender can request that emails which do not validate are either ignored (no processing), put into a user quarantine or blocked altogether. Simply put, by using DMARC with SPF/DKIM, the guesswork is removed for the recipient server as to the email's origin and how the sender would like illegitimate emails to be processed. Note that DMARC addresses only direct spoofing of the domain itself.
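As an added example (not from the original eBook), the following PowerShell function queries a domain's MX, SPF, DKIM and DMARC records with Resolve-DnsName and reports the gaps a receiving server would notice; it goes a step beyond the text by forward-confirming the PTR name and parsing the DMARC policy tags. The selector names selector1/selector2 are the ones Microsoft 365 uses, and the domain in the usage line is a placeholder.

```powershell
function Test-EmailDnsPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Microsoft 365 publishes DKIM keys under selector1/selector2; other senders use their own names
        [string[]]$DkimSelector = @('selector1', 'selector2'),
        # Optional public IP of one of your sending servers, for the PTR (reverse lookup) check
        [string]$SendingIp
    )
    # Return every TXT record at a name, with multi-string records joined into one string
    function Get-TxtStrings([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }
    }
    $findings = New-Object System.Collections.Generic.List[string]
    $report   = [ordered]@{ Domain = $Domain }
    # MX: where inbound mail for the domain is handed off
    $report.MX = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference |
        ForEach-Object { "$($_.Preference) $($_.NameExchange)" })
    # PTR: the reverse name of the sending IP must resolve forward to that same IP
    if ($SendingIp) {
        $ptr = (Resolve-DnsName -Name $SendingIp -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1).NameHost
        $report.PTR = $ptr
        if (-not $ptr) { $findings.Add("No PTR record for sending IP $SendingIp") }
        else {
            $fwd = (Resolve-DnsName -Name $ptr -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }).IPAddress
            if ($fwd -notcontains $SendingIp) { $findings.Add("PTR name $ptr does not resolve back to $SendingIp") }
        }
    }
    # SPF: exactly one v=spf1 TXT record, ending in a qualifier that fails unknown senders
    $spf = @(Get-TxtStrings $Domain | Where-Object { $_ -like 'v=spf1*' })
    $report.SPF = $spf
    switch ($spf.Count) {
        0       { $findings.Add('No SPF record: receivers cannot tell which servers may send for this domain') }
        1       {
            if ($spf[0] -match '\+all\s*$')       { $findings.Add('SPF ends in +all, which authorizes any sender') }
            elseif ($spf[0] -notmatch '-all\s*$') { $findings.Add("SPF does not end in -all (hard fail): $($spf[0])") }
        }
        default { $findings.Add('More than one SPF record published; RFC 7208 treats this as a permanent error') }
    }
    # DKIM: a public key (p=) must exist for each selector the sender signs with
    $report.DKIM = [ordered]@{}
    foreach ($sel in $DkimSelector) {
        $key = @(Get-TxtStrings "$sel._domainkey.$Domain" | Where-Object { $_ -match 'p=' })
        $report.DKIM[$sel] = $key
        if ($key.Count -eq 0) { $findings.Add("No DKIM public key published for selector '$sel'") }
    }
    # DMARC: parse "tag=value; tag=value" and read the requested policy (none, quarantine, reject)
    $dmarc = Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $report.DMARC = $dmarc
    if (-not $dmarc) { $findings.Add('No DMARC record: receivers get no policy for mail failing SPF/DKIM alignment') }
    else {
        $tags = @{}
        foreach ($pair in ($dmarc -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        $report.Policy = $tags['p']
        if ($tags['p'] -eq 'none') { $findings.Add('DMARC policy is p=none (monitor only); failing mail is still delivered') }
        if (-not $tags['rua'])     { $findings.Add('DMARC has no rua= address, so no aggregate reports will arrive') }
    }
    $report.Findings = $findings.ToArray()
    [pscustomobject]$report
}

Test-EmailDnsPosture -Domain 'example.com' | Format-List   # substitute your own domain and, optionally, -SendingIp
```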

Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is Microsoft's premier email hygiene product. Composed of many layers, EOP can provide world class protection for mailboxes in Exchange Online. EOP provides protection against SPAM, malware, phishing attacks and more. Currently EOP rates as one of the best email hygiene products according to Gartner, and its current competition is ProofPoint, Mimecast and Smarsh (as of Oct 2020). Choosing to use EOP is a safe decision that provides protection to mailboxes from the bad actors of the world. What does Microsoft do to provide this protection? What layers are involved in protecting your email?

Malware Protection: A malware filter is just one of the many layers within EOP that can be used to protect users in Office 365. The filter provides protection against viruses, spyware and ransomware by using multiple engines as well as a fast, real-time response. It is also an oft-overlooked feature in the EOP stack.

AntiVirus Protection: In addition to malware protection, EOP also provides antivirus protection.

Outbound Spam: Most organizations worry about inbound messages that are full of spam, phishing attempts, malware and more. They may not realize that sometimes those messages originate from their own environment. This origination is called outbound SPAM. Outbound SPAM means there is an individual that is either sending the malicious emails, or something else has found a way to do this and is using your environment to send emails using valid email addresses or accounts. Microsoft has included this feature in their Office 365 message hygiene detection and prevention processes.

Enhanced Filtering: Exchange Online is configured by corporations and organizations in many ways in terms of mail flow. Sometimes email is configured to flow directly to their Exchange Online tenant, sometimes it traverses an internal mail server first, and lastly, mail flow could be cleaned by a third-party service such as ProofPoint or Mimecast. In each of these scenarios, an email's message headers are stamped and processed differently, leading to different processing by Exchange Online Protection.

Zero-hour Auto Purge (ZAP): An interesting feature of Exchange Online Protection is a concept known as Zero-hour Auto Purge, or ZAP for short. ZAP covers a few different attacks, but all of them are AFTER an email is delivered. While normal message hygiene processes in EOP and ATP look at an email message prior to delivering the message to a user's mailbox, ZAP looks at the mailbox in post-processing terms, once an email is delivered. The advantage of ZAP is that if a new malicious, spam or other campaign is occurring, Microsoft can still remove the message, which would otherwise not be scanned again by EOP or ATP once it is deposited in a mailbox.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a connection layer security protocol used by email servers to make a secure connection between two hosts. This secure connection. When sending emails to and from Exchange Online, connections are initiated with a secure connection in order to provide security for emails in transit between sender and recipient servers. Beginning with Exchange On-Premises, Microsoft introduced the Internet-based standard RFC 3207, Opportunistic TLS. By doing so, Exchange Servers would attempt to connect to a recipient mail server with a secure TLS connection. If this failed, then the SMTP connection would be made in a non-TLS, insecure manner.

This capability was a good first step to securing a protocol (SMTP) which had not initially been designed to be secure by default and concentrated on delivering emails. Exchange Online also has this enabled by default and thus will attempt a TLS connection prior to falling back to the normal, insecure SMTP connection.

Taking this step a bit further, Microsoft also provides a way to force a TLS connection, where Exchange Online will not allow the TLS fallback that Opportunistic TLS has. In this mode, Exchange Online will reach out to the recipient server and begin a secure connection. If this connection is allowed and confirmed, then email transmission begins. However, if the connection via TLS fails, then the connection as a whole fails and the email will not be delivered. A connection of this type is typically used when security is required over delivery, as in the case of bank and other financial email communications. Sometimes these communications are a requirement of businesses needing to send emails to each other with no allowance for non-TLS connections.

TLS Versions: TLS has been around for quite some time and has gone through a few revisions over the years. Each time, security holes are fixed and features are added to make the protocol more secure.

TLS 1.0: The original version of TLS was introduced in 1999 and was recently deprecated in 2020. Currently it is susceptible to man-in-the-middle attacks, making communication with the protocol risky.

TLS 1.1: This next version of TLS was introduced in 2006 and was also recently deprecated in 2020. No vulnerabilities exist in TLS 1.1; however, because of its use of SHA-1, TLS 1.2 is becoming the de facto replacement.

TLS 1.2: Introduced in 2008, this is now the current version of TLS that is fully supported in Office 365. With its introduction of SHA-256, TLS 1.2 is considered the replacement for TLS 1.1 and its older encryption. TLS 1.2 also uses GCM in favor of CBC, which is simply an easier way to enforce encryption.

TLS 1.3: The latest version of TLS was added in 2018 as a future replacement for TLS 1.2. Microsoft does not currently support this in Office 365. TLS 1.3 does include several improvements, including faster handshakes for better efficiency, Zero Round Trip Time Resumption, improved security by removing insecure ciphers, and it is being added to Internet browser support as well.

Guidance: Use forced TLS where possible, but otherwise rely on Exchange Online to try Opportunistic TLS to provide an additional layer of security.
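The forced-TLS mode described above is configured in Exchange Online with partner connectors. The following is an added example, not code from the eBook: it assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module), and the partner domain and certificate name in the usage lines are placeholders.

```powershell
# Create a matched pair of Partner connectors that refuse to fall back to non-TLS delivery
function New-ForcedTlsPartnerConnectors {
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,    # e.g. 'bank.example' (placeholder)
        [Parameter(Mandatory)][string]$PartnerCertName   # subject name on the partner's TLS certificate
    )
    # Outbound: TlsSettings CertificateValidation means no Opportunistic TLS fallback. If the partner
    # cannot complete a trusted TLS handshake, the message is not delivered (it shows as Failed in a trace).
    New-OutboundConnector -Name "Force TLS to $PartnerDomain" `
        -ConnectorType Partner `
        -RecipientDomains $PartnerDomain `
        -UseMXRecord $true `
        -TlsSettings CertificateValidation `
        -Enabled $true
    # Inbound: reject the partner's mail unless it arrives over TLS with the expected certificate name
    New-InboundConnector -Name "Require TLS from $PartnerDomain" `
        -ConnectorType Partner `
        -SenderDomains $PartnerDomain `
        -RequireTls $true `
        -RestrictDomainsToCertificate $true `
        -TlsSenderCertificateName $PartnerCertName `
        -Enabled $true
}

# Review what is already forced: an outbound connector with no TlsSettings, or a Partner inbound
# connector without RequireTls, is still relying on Opportunistic TLS for that domain.
function Get-TlsConnectorSummary {
    [pscustomobject]@{
        Outbound = Get-OutboundConnector |
            Select-Object Name, Enabled, RecipientDomains, TlsSettings, TlsDomain
        Inbound  = Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' } |
            Select-Object Name, Enabled, SenderDomains, RequireTls, TlsSenderCertificateName
    }
}

New-ForcedTlsPartnerConnectors -PartnerDomain 'bank.example' -PartnerCertName '*.bank.example'
Get-TlsConnectorSummary
```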

Microsoft Defender for O365 (formerly Microsoft ATP)

Microsoft Defender for Office 365 (formerly ATP) is quite a mouthful and is also part of a renaming of Microsoft's Advanced Threat Protection suite. As such, this more advanced protection product is geared towards the more malicious attacks that occur via email. Whether we are talking about attachments, links, phishing or other forms of attack, the Defender for Office 365 suite is designed to protect mailboxes in Office 365 from these attacks.

Safe Attachments: For almost as long as email has been around, attachments have been sent between individuals. These files could be reports, invoices, documentation or any number of types, which also could be Adobe PDFs, Word docs, Excel files and more. However, malicious actors have also worked this attack vector by sending false invoices or ZIP files that contain executable content, and we even have to worry about macros in the files and Visual Basic / PowerShell files that could execute unwanted tasks. As such there has always been a need to protect users and their mailboxes from these attacks.

This is where Safe Attachments comes in. Safe Attachments will take an attachment and analyze it in a virtual environment to determine if the file is malicious or not. If the file is not malicious, then it will be safely delivered to the end user's mailbox. Those attachments that are found to be malicious will be removed from the email. Depending on the configuration of Safe Attachments, a message may be delivered with the attachment inaccessible while it is being scanned in the background by the Safe Attachments engine.

Safe Attachments is available not only for emails delivered in Exchange Online, but also in Teams, SharePoint and OneDrive for Business. Safe Documents is also configurable in the Safe Attachment policies as well as the global ATP settings.

Safe Links: Received an email with a link to some new product or free money recently? Or maybe a friend sent you a link to a YouTube video or joke site? Ever wonder if those links are truly good, or could they have a bad intent as well? Certainly, those malicious links exist.

Safe Links' sole purpose is to help protect an end user in Office 365, using Office desktop apps and email, and prevent them from opening or sharing malicious links that they may receive. The link protection is considered to be at time of click, so that if a malicious URL were detected and an end user clicked on that link, the user would be prevented from going to that link.

AntiPhishing: Phishing is a sophisticated way of probing your user base for weak points by using social engineering techniques designed to entice a user to give up something vital. The something vital could be credentials, access to internal systems or just about any target an attacker has in

mind. There are three well-known types of phishing attacks:

Email Phishing: The most common attack, where the malicious actor is looking to trick the recipient into performing an action and providing some additional information like username and password, etc.

Spear Phishing: A focused attack where one person is singled out for social engineering and the attacker already has specifics on the person.

Whaling: This type of attack is super focused on executives in a company and involves subtle methods that could have tax, social security (U.S.) or money transfer requests in them.

Automated Incident Response (AIR): A feature that is part of the Office 365 ATP Plan 2 license. The purpose of AIR is to provide some automation in the analysis of alerts and other data that is processed in your tenant. Analyzed items will be left to the appropriate person or group in an organization to approve the recommendation. No change is made automatically as a feature.

In order to configure AIR, the role of either Global Administrator or Security Administrator will need to be assigned to an account. For any recommended changes, approvals or rejections can be performed by Global Administrators, Security Administrators, Security Readers or those holding the Search and Purge right.

AIR relies on alerts that are created or occur in the Security and Compliance Center. Some pre-created alerts are already present in the Security and Compliance Center:

* Malicious URL click detection
* Phishing email reported
* Malware detected in email post delivery (ZAP)
* Phish URLs removed post-delivery (ZAP)
* Pattern detected - suspicious emails
* Restricted Users - blocked from sending emails

Attack Simulator: At the time of writing, Microsoft has two attack simulators: one located in the Security and Compliance Center, the other in the Microsoft 365 Security Center. The Attack Simulation Training that is present in the new Microsoft Security Admin Center is the feature to use, as it will help educate end users about the dangers of malicious emails that can be delivered. The new Attack Simulator provides numerous scenarios and payloads with which to simulate these attacks.

Customization: The attacks can include pre-built or custom emails, scenarios, payloads, indicators and more. The customization aspect is what really sets this product apart from the competition.

Training: In addition to the simulation itself, Microsoft also includes a series of training videos for each scenario type that can be assigned to users and tracked to ensure that the users watch the videos. The videos are key to reinforcing the lessons learned from the attacks that are simulated.

Priority Accounts Protection (In Preview): When it comes to attacking a corporation or organization, malicious actors look for any angle to use to find a weakness in the defenses. Whether they use email, phone calls, text or whatever, finding a weak target is paramount. For some malicious attacks, the higher the value of the target, the better the payoff potential. As such, it is not surprising to see that C-level executives are more often than not being targeted for attacks.

Priority Account Protection aims to make it easier for security operations teams to detect when an alert is related to a potential high-value target by adding a visual clue (tag) to the alert whenever it is related to a 'tagged' user.

Priority Account Protection looks like an interesting feature provided by Microsoft to help organizations protect accounts deemed to be high-value targets. Per documentation, the full use of the feature, which includes premium mail flow monitoring, is limited to customers with Office 365 E3, Microsoft 365 E3 or Microsoft E5 AND 10,000 seat implementations with 50 Exchange Online mailboxes. However, we have the option of using User Tags for filtering or grouping a set of users in Office 365 in the various reporting views, as there is a column listed and a filter available for User Tags. If you have the licenses (10k) and have the appropriate license level, then this feature should be activated and utilized.
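The EOP layers (ZAP, outbound spam, Enhanced Filtering) and the Defender for Office 365 policies (Safe Attachments, Safe Links, anti-phishing impersonation protection) described in the last two sections can all be read back from PowerShell. The following read-only audit is an added example, not code from the eBook; it assumes an active Connect-ExchangeOnline session, and the property names follow the ExchangeOnlineManagement module documentation, so verify them with Get-Member if your module version differs.

```powershell
function Get-EmailProtectionFindings {
    $f = New-Object System.Collections.Generic.List[string]
    # ZAP removes spam/phish/malware after delivery; it is switched per anti-spam and anti-malware policy
    foreach ($p in Get-HostedContentFilterPolicy) {
        if (-not $p.SpamZapEnabled)  { $f.Add("Anti-spam policy '$($p.Name)': spam ZAP disabled") }
        if (-not $p.PhishZapEnabled) { $f.Add("Anti-spam policy '$($p.Name)': phish ZAP disabled") }
    }
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.ZapEnabled)       { $f.Add("Anti-malware policy '$($p.Name)': malware ZAP disabled") }
        if (-not $p.EnableFileFilter) { $f.Add("Anti-malware policy '$($p.Name)': common attachment types filter off") }
    }
    # Outbound spam: an account blasting external recipients is the symptom; a per-hour limit catches it
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        if ($p.RecipientLimitExternalPerHour -eq 0) {
            $f.Add("Outbound spam policy '$($p.Name)': no external recipient rate limit")
        }
    }
    # Enhanced Filtering: when a third-party gateway sits in front of EOP, the inbound connector must skip
    # the gateway's IPs so EOP evaluates the true sending IP instead of the gateway's
    foreach ($c in Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' -and $_.Enabled }) {
        if (-not $c.EFSkipLastIP -and @($c.EFSkipIPs).Count -eq 0) {
            $f.Add("Inbound connector '$($c.Name)': Enhanced Filtering not configured")
        }
    }
    # Defender for Office 365 policies; these cmdlets fail on tenants without the license, so tolerate errors
    $sa = @(Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue)
    if ($sa.Count -eq 0) { $f.Add('No Safe Attachments policy (Defender for Office 365 absent or unconfigured)') }
    foreach ($p in $sa) {
        if (-not $p.Enable)        { $f.Add("Safe Attachments policy '$($p.Name)': disabled") }
        if ($p.Action -eq 'Allow') { $f.Add("Safe Attachments policy '$($p.Name)': Action=Allow still delivers detected malware") }
    }
    $sl = @(Get-SafeLinksPolicy -ErrorAction SilentlyContinue)
    if ($sl.Count -eq 0) { $f.Add('No Safe Links policy') }
    foreach ($p in $sl) {
        if (-not $p.TrackClicks) { $f.Add("Safe Links policy '$($p.Name)': click tracking off, so malicious URL click alerts have no data") }
    }
    # Anti-phishing: impersonation protection is where executives (whaling targets) are listed
    foreach ($p in Get-AntiPhishPolicy) {
        if (-not $p.EnableMailboxIntelligence) { $f.Add("Anti-phish policy '$($p.Name)': mailbox intelligence off") }
        if ($p.EnableTargetedUserProtection -and @($p.TargetedUsersToProtect).Count -eq 0) {
            $f.Add("Anti-phish policy '$($p.Name)': user impersonation protection on but no users listed")
        }
    }
    $f.ToArray()
}

Get-EmailProtectionFindings
```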

Command Line Email Security
PowerShell / Email Security

Email security and PowerShell. These two do not seem like two terms that should be put together. However, in the Microsoft ecosystem of email protection, we can use PowerShell to help secure email communications and reduce overall SPAM as well. Additionally, we can use PowerShell to produce reports.

PowerShell Basics

Key things about PowerShell are:

Permissions: First, when connecting PowerShell to any workload in Office 365 (Exchange, Teams, Azure, etc.), having the appropriate permissions can be key to accomplishing a task. Whether your organization uses RBAC or specific roles, or perhaps PIM and JIT (Just in Time) administration, make sure you can access the resource you need to manage before going down that road.

Modules: A module is a set of PowerShell cmdlets that are meant to manage a Microsoft workload in Office 365 and on-premises server products.

Access: Security policies in Office 365 could block an administrator's connection type (basic auth), location (conditional access) or even the ability to use PowerShell (Client Access Rules). Make sure that you have access as an Administrator before connecting.

MultiFactor Authentication (MFA): When using PowerShell, it is a best practice to ensure that MFA is enabled for Administrators running cmdlets and scripts.

Auditing: PowerShell cmdlets that are run in Office 365 are audited in an admin audit log for transparency and for a security team's ability to confirm no malicious cmdlets were run.

Exchange Online

With Exchange Online PowerShell we are able to manage some areas of email security. We can manage the following:

* AntiPhishing policies and settings
* AntiSpam policies and settings
* Connection filtering
* Safe Attachment policies and settings
* Safe Link policies and settings
* AntiMalware policies and settings
* Run message traces to check email progress

Security and Compliance Center

In the Security and Compliance Center we can now manage the following:

* Compliance policies
* Labels
* Encryption
* DLP, and more

[Figure: sample message trace performed via PowerShell]
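A message trace like the one referenced above, written out as an added example (not the eBook's own script): it pages through Get-MessageTrace, summarizes delivery status, and pulls the last trace event for every failed, quarantined or spam-filtered message, which is also where a forced-TLS partner connection that could not be established shows up. It assumes an active Connect-ExchangeOnline session; the sender domain in the usage line is a placeholder.

```powershell
function Get-RecentDeliveryProblems {
    param(
        [int]$Hours = 24,
        [string]$SenderDomain      # optional filter, e.g. a partner domain you force TLS with
    )
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)
    # Get-MessageTrace returns at most 5000 rows per page, so page until a short page comes back
    $rows = @(); $page = 1
    do {
        $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
        $rows += $batch
        $page++
    } while ($batch.Count -eq 5000)
    if ($SenderDomain) { $rows = @($rows | Where-Object { $_.SenderAddress -like "*@$SenderDomain" }) }
    # Status counts: anything other than Delivered/Expanded is worth a look
    $summary = $rows | Group-Object Status | Select-Object Name, Count
    # For each problem message, the detailed trace explains what happened at the last hop
    $problems = foreach ($r in $rows | Where-Object { $_.Status -in 'Failed', 'Quarantined', 'FilteredAsSpam' }) {
        $last = Get-MessageTraceDetail -MessageTraceId $r.MessageTraceId -RecipientAddress $r.RecipientAddress |
                Sort-Object Date | Select-Object -Last 1
        [pscustomobject]@{
            Received  = $r.Received
            Sender    = $r.SenderAddress
            Recipient = $r.RecipientAddress
            Status    = $r.Status
            LastEvent = $last.Event
            Detail    = $last.Detail
        }
    }
    [pscustomobject]@{ Summary = $summary; Problems = $problems }
}

$trace = Get-RecentDeliveryProblems -Hours 24 -SenderDomain 'bank.example'
$trace.Summary
$trace.Problems | Format-Table -AutoSize
```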

What can you do...
Next Steps?

If you still have concerns about your current email hygiene solution, then perhaps some quick advice on what to do next would be relevant here.

Assess: Like any other IT system, an email hygiene solution should be assessed and re-evaluated every year or so to make sure it is performing the task that we think it is. This means setting up a review, checking false positive reports, and reviewing how much spam actually made it through. In Office 365, use the built-in Assessments to evaluate your configuration against current best practices. Utilize PowerShell scripts like ORCA and MCCA to assess certain aspects of Office 365.

Review New Features: Email hygiene vendors typically add features and enhancements throughout the life of the product, and Microsoft is no different. Microsoft has made changes and enhancements to their EOP and ATP products continually over the years. In order to keep pace with those changes and to allow yourself time to learn about them, make sure to review two key areas:

Office 365 Roadmap: A service provided by Microsoft to help users of Office 365 keep track of features that have been released, are in development or are rolling out now. We can find this resource [ here ]. Make sure to review this page at least once a month, if not more often.

Microsoft 365 Admin Center - Message Center: In addition to the Roadmap feature, Microsoft also has a Message Center to keep administrators in the loop about changes or issues occurring in Office 365.

[Figure: sample Message Center post]

Document: Prior to making any changes, document the before and after settings in case there are issues.

Make Changes: After assessing and determining any weaknesses or holes, make configuration changes and then monitor for any issues or end user cases that might get opened.

Re-Assess: After changing your configuration, reassess with Microsoft Assessments and PowerShell scripts. This process can be repeated in an iterative mode with little changes, or in one mass change and assessment.

Read: This may seem like a basic suggestion, but it is one that can be overlooked when dealing with daily fires and issues. Find time to read blogs (like www.powershellgeek.com, for example) of experts in the field. Also get access to digital or physical books on the topic as well (see www.practicalpowershell.com or m365securitybook.com).

Get Trained: Participate in some webinars or Microsoft training from LinkedIn on email security. There is an abundance of email security videos on YouTube as well:

* Microsoft Webinar example [ here ]
* LinkedIn Learning [ here ]
* YouTube example [ here ]

Resources

Books on Email Security, PowerShell and Office 365:

* Practical PowerShell Exchange Online
* Practical PowerShell Security and Compliance Center
* Microsoft 365 Security for IT Pros

Thank you for reading this eBook. Please visit our sponsor's websites ook.com
