Want an easy way to see if you’ve had an M365 compromise? Look at Inbox Rules! Inbox rules are used by attackers to hide ongoing conversations they have jumped into. If you hunt through all rules, you can find indicators of a compromise.

First, pull all rules with this PS code:

# Connect to Exchange Online, enumerate every mailbox, and append each mailbox's inbox rules to one CSV
Connect-ExchangeOnline
$users = (Get-ExoMailbox -ResultSize Unlimited).UserPrincipalName
foreach ($user in $users) {
    Get-InboxRule -Mailbox $user |
        Select-Object MailboxOwnerID, Name, Description, Enabled, RedirectTo, MoveToFolder, ForwardTo |
        Export-Csv TenantRulesOutput.csv -NoTypeInformation -Append
}

Look through the output for the following signs:
• Emails being put into the RSS Feeds, Conversation History, Archive, Junk, or Deleted Items folders
• Rule names that are only composed of periods (., .., …, etc.), single letters, odd repeating characters, or names meant to enforce not to delete the rule (e.g. “Don’t Disable”)
• Rules acting on emails containing keywords such as payment, payroll, direct deposit, paystub, invoice, password, etc.

If you find any, reach out to the users and ask if they enabled them…they may have. If not, start an investigation because you may have just found a compromised account!

What malicious inbox rules have you seen? #dfir #incidentresponse #forensics #inversion6
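As an added triage example (not part of the post above), the following Python script applies the three signs the post lists to the TenantRulesOutput.csv that the PowerShell loop produces, and additionally flags any rule with a populated RedirectTo or ForwardTo column. The CSV rows, addresses and rule names below are constructed for the example; the `flag_rule` and `triage` helpers are hypothetical names.

```python
import csv
import io
import re

# Constructed sample of TenantRulesOutput.csv (same columns as the post's Select-Object).
SAMPLE_CSV = '''"MailboxOwnerID","Name","Description","Enabled","RedirectTo","MoveToFolder","ForwardTo"
"alice@example.com","Newsletters","If sent to news@vendor.example move to Newsletters","True","","Newsletters",""
"bob@example.com","..","If the subject includes 'invoice' or 'payment' move to RSS Feeds","True","","RSS Feeds",""
"carol@example.com","Don't Disable","Redirect every message","True","attacker@external.example","",""
"dave@example.com","Travel","If from travel@corp.example move to Travel","True","","Travel",""
'''

# Folders the post calls out as hiding places for attacker-handled mail.
SUSPICIOUS_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email", "junk", "deleted items"}
# Subject/body keywords the post calls out.
KEYWORDS = ("payment", "payroll", "direct deposit", "paystub", "invoice", "password")
# Names made only of periods/ellipses, a single character, or one repeated character.
ODD_NAME = re.compile(r"^(?:[.\u2026]+|.|(.)\1+)$")
# Names that try to talk an admin out of removing the rule (e.g. "Don't Disable").
DO_NOT_DISABLE = re.compile(r"do\s*n['\u2019]?t\s+(disable|delete|remove)", re.I)


def flag_rule(row):
    """Return the indicators a single exported rule matches (empty list = nothing odd)."""
    hits = []
    name = row.get("Name", "").strip()
    desc = row.get("Description", "").lower()
    folder = row.get("MoveToFolder", "").strip().lower()
    if folder in SUSPICIOUS_FOLDERS:
        hits.append(f"moves mail to {row['MoveToFolder']}")
    if ODD_NAME.match(name) or DO_NOT_DISABLE.search(name):
        hits.append(f"odd rule name {name!r}")
    matched = [k for k in KEYWORDS if k in desc]
    if matched:
        hits.append("acts on keywords: " + ", ".join(matched))
    if row.get("RedirectTo") or row.get("ForwardTo"):
        hits.append("redirects or forwards mail")
    return hits


def triage(csv_text):
    """Parse the exported CSV; return [(mailbox, rule name, indicators)] for flagged rules only."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = flag_rule(row)
        if hits:
            flagged.append((row["MailboxOwnerID"], row["Name"], hits))
    return flagged


if __name__ == "__main__":
    for mailbox, name, hits in triage(SAMPLE_CSV):
        print(f"{mailbox}: rule {name!r} -> {'; '.join(hits)}")
```

Replace SAMPLE_CSV with the contents of the real export and confirm each hit with the mailbox owner before opening an investigation.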
Email security audit for M365 users
Summary
An email security audit for M365 users is a process of checking and verifying the security settings, configurations, and potential vulnerabilities in Microsoft 365 email accounts to prevent unauthorized access, phishing, and data breaches. This audit involves reviewing inbox rules, app permissions, and account behaviors to spot and address risks that may go unnoticed in default setups.
- Review inbox rules: Scan all mailbox rules for suspicious activity, such as messages being redirected to unusual folders or rules with odd names, and verify with users if these rules are legitimate.
- Audit account permissions: Regularly check app registrations, Graph permissions, and service principal identities to ensure no excess or unnecessary privileges have been granted, particularly on unused or unknown accounts.
- Check external email behaviors: Inspect external sharing and forwarding settings, and look into PowerShell or API-level configurations, rather than relying solely on user interface options, to uncover blind spots in email security.
Want to keep Russian threat actors out of your M365 tenant? Good, me too. Go uncheck this box immediately in your settings. Unfortunately, M365 is not fully secure or hardened out of the box. By default, any user can create app registrations and consent to Graph permissions.

Here is some other guidance to level-up your defenses:
☑️ Audit all user and service principal identities in your tenant using Microsoft Graph Data Connect to assess their privilege levels. Scrutinize privileges more closely if they belong to unknown identities, are no longer in use, or exceed necessary levels, especially for apps with app-only permissions that might have over-privileged access.
☑️ Review identities with ApplicationImpersonation privileges in Exchange Online. This feature allows a service principal to perform actions on behalf of a user, like managing a mailbox. Check permissions in the Exchange Online Admin Center or via PowerShell to ensure they are appropriately scoped and not overly broad.
☑️ Utilize anomaly detection policies to identify and address malicious OAuth apps in Exchange Online. Investigate and remediate any risky OAuth apps that perform sensitive administrative activities.
☑️ Implement conditional access app control for users on unmanaged devices. Be vigilant of OAuth application abuse, particularly those with EWS.AccessAsUser.All and EWS.full_access_as_app permissions, and remove any unnecessary permissions.
☑️ For applications requiring mailbox access, use role-based access control in Exchange Online to ensure granular and scalable access. This model allows applications to access only the specific mailboxes they need, enhancing security.
🚨 Still running Microsoft 365 in default config? You’re not alone — and you’re at risk.

On July 6th, a new issue was highlighted on the Threat Breakdown stream: An email behavior blind spot in Microsoft 365 that can expose organizations to phishing and data exfiltration risks — especially if left unpatched or misconfigured.

“The risk here is that Microsoft has a blind spot in M365... and if your instance is in its default config — which is not uncommon — you’re vulnerable.”

This isn’t just about Microsoft either. Google Workspace may be impacted to a lesser extent, but the problem is bigger than just one provider.

🔍 What’s happening?
📧 External email behavior isn’t being fully captured by default settings
📤 That opens doors for phishing, credential harvesting, and sensitive data leaks
⚠️ Many orgs assume their cloud email stack is “secure by default” — and it’s not

✅ What to do now:
Audit your email configurations immediately — especially external sharing and forwarding rules
Look beyond the UI — PowerShell and API-level configs matter
Don’t assume default = secure

Cybersecurity isn’t just about tooling — it’s about tuning.

📺 Catch the full stream breakdown with Neal Bridges and Jason Miller for details and mitigation tips.

#CyberInsecurity #ThreatBreakdown #Microsoft365 #EmailSecurity #DefaultRisks #PhishingPrevention #SecurityAwareness #CloudSecurity #GoogleWorkspace #InfosecLeadership #SOC