This is part 1 of a 3 part series on preparing for, preventing, and responding to Business Email Compromise
Part 2 – Business Email Compromise Prevention and Mitigation
Part 3 – Coming Soon: Responding to Business Email Compromise
The BEC Problem
Since 2014, the FBI’s Internet Crime Complaint Center (IC3), has recorded over $6.2 Billion dollars in losses as a result of Business Email Compromise, with $1.8 Billion dollars in losses in 2020 alone. For perspective, 100 one dollar bills stacked together is about 1 inch high. Can you guess how high a billion dollars stacked together is? 10,000,000 inches or 83,3333 feet or 157 miles! For more perspective, the tallest mountain in the world is Mount Everest, with an elevation of just over 29,000 feet or about 5.4 miles.
Chances are good if you’re reading this you may have some idea of what Business Email Compromise (BEC), sometimes called Email Account Compromise (EAC), actually is. Perhaps, you’ve even fallen victim to this type of scam. For those that are less familiar, and very generally, BEC is a type of scam that targets businesses and individuals and, using a combination of simple but extremely effective techniques, convinces an employee to fraudulently transfer funds to a bank account the threat actor controls.
How to Prepare
The goal of this article is to help your Firm prepare for BEC scams in Microsoft 365.
“The time to have the map is before you enter the woods.” – Brendon Burchard
In this article, we identify three key components of Microsoft 365 that, if put in place prior to a BEC, are extremely helpful when the unfortunate circumstance, a BEC scam, arises. Now, this is by no means an exhaustive list, however, these are things we often see are lacking and/or missing during our Microsoft 365 Security Assessments as well when we begin log collection for BEC incident response cases.
Note, if you have not yet enabled and enforced Multifactor Authentication (MFA) for all users, we highly recommend doing that now. MFA is single handedly one of the most important things you can do to prevent BEC.
Quick Warning
Running scripts or code you copy from the internet or from articles like this is at your own risk. It’s always a good idea to review, test and make sure you know and understand what something is going to do before you run it, especially against a production tenant.
1. The Unified Audit Log (UAL)
The UAL records user and admin activity from your organization for a number of Microsoft products including Azure Active Directory, Exchange Online, SharePoint, OneDrive and more.
If you only take one thing away from this article, make sure it is this. Even though Microsoft documentation says that “Basic Audit is turned on by default for all organizations with an appropriate subscription” its one hundred percent a really good idea to verify this. We have seen it time and time again. We begin an investigation with log collection, only to find out the Unified Audit Log has not been enabled, leaving us with few artifacts that are helpful for BEC investigations.
The second piece of advice is to determine if the default retention period is enough for your Firm. By default, with Basic Audit, audit data is kept for only 90 days. You can extend this by subscribing to a subscription that comes with Advanced Audit. This is typically included with Microsoft’s E5 line or similar. With Advanced audit, you can retain audit logs for longer periods of time such as 1 year or 10 years. You also get access some additional, but very crucial, Mailbox Audit Log items we will discuss in the next section such as, MailItemsAccessed and Send. Oh and yes, unfortunately Microsoft is pay walling this absolutely critical audit log items behind their E5 subscriptions.
Verify that the Unified Audit Log is Enabled
The Unified Audit Log can be verified and enabled two different ways. With the Microsoft Admin console and with PowerShell. Chose the option that is most comfortable for you.
Using the Microsoft Admin Console
- Go to https://compliance.microsoft.com and sign in.
- In the left navigation pane of the Microsoft 365 compliance center, click Audit.
- If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
3. Click the Start recording user and admin activity
4. It may take up to 60 minutes for the change to take effect.
Note, We created a PowerShell script to assist in identifying the Microsoft 365 components that are commonly missing. If you want to check that out and run it on your environment, see here: BEC-Preparation script. Use at your own risk.
Using PowerShell
- Launch PowerShell as an Administrator
- Run the commands:
- Install-Module ExchangeOnlineManagement
- Import-Module ExchangeOnlineManagement
- Connect-ExchangeOnline
- Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
- If you see UnifiedAuditLogIngestionEnabled : True then the Unified Audit Log is enabled and you don’t need to do anything else.
- If you do not see a value of True, enable the Unified Audit Log with
- Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- A message is displayed saying that it may take up to 60 minutes for the change to take effect.
2. Mailbox audit Logs (MAL)
The MAL records activity by mailbox owners, delegates, and admins for things such as when an item was created in the Calendar, when an item was deleted or moved, etc.
The second most important thing you can do related to your Microsoft 365 tenant is to make sure that Mailbox Audit Logging is enabled for all users. It is also pretty handy to have the MailboxLogin action enabled. More on that below. Now, according to Microsoft starting in January 2019 Microsoft was going to be turning on mailbox audit logging by default for all organizations, for all new mailboxes that were created.
Again, my recommendation is to verify that Mailbox Audit Logs are enabled for all of your users and add the MailboxLogin action to each user. The first step to doing that is to verify that the setting AuditDisabled is False. I know, pretty straightforward right. Then you want to check each user to ensure mailbox audit logs are being recorded for their account. Finally, consider enabling MailboxLogin for each user. This is helpful because it gives you a SessionId with which to track user logins with.
These setting can only be verified using PowerShell, sorry to those who prefer the GUI.
Note, We created a PowerShell script to assist in identifying the Microsoft 365 components that are commonly missing. If you want to check that out and run it on your environment, see here: BEC-Preparation script. Use at your own risk.
Verify that Mailbox Audit Logging is Enabled
- Launch PowerShell as an Administrator
- Run the commands:
- Install-Module ExchangeOnlineManagement
- Only if you have not already installed this module
- Import-Module ExchangeOnlineManagement
- Connect-ExchangeOnline
- Get-OrganizationConfig | Format-List AuditDisabled
- Install-Module ExchangeOnlineManagement
- If you see AuditDisabled : False then “mailbox auditing on by default” is enabled for your organization. Which means you’re good to go, Microsoft is logging mailbox audit events for your tenant.
- If you do not see a value of False, enable “mailbox auditing on by default” with
- Set-OrganizationConfig -AuditDisabled $false
Verify All Users Have Mailbox Audit Logging Enabled
- Launch PowerShell as an Administrator
- Run the commands:
- Install-Module ExchangeOnlineManagement
- Only if you have not already installed this module
- Import-Module ExchangeOnlineManagement
- Connect-ExchangeOnline
- Get-EXOMailbox -ResultSize Unlimited -Filter “RecipientTypeDetails -eq ‘UserMailbox'” -Properties AuditEnabled | Select-Object Name,AuditEnabled | Export-Csv csv -NoTypeInformation
- Install-Module ExchangeOnlineManagement
- Review the CSV file that was created. Any user who has a value of False in the AuditEnabled column should be reviewed.
- To enable mailbox audit logging for a user run
- Set-Mailbox -Identity “Ben Smith” -AuditEnabled $false
- Where “Ben Smith” is the name of the user you want to enable mailbox audit logging for
- Set-Mailbox -Identity “Ben Smith” -AuditEnabled $false
Add MailBoxLogin to Each User
This mailbox action shows you details related to users signing into their mailbox. This can be very helpful for correlating threat actor activity and for distinguishing “good” logins (your user) from “bad” logins (threat actors).
- Launch PowerShell as an Administrator
- Run the commands:
- Install-Module ExchangeOnlineManagement
- Only if you have not already installed this module
- Import-Module ExchangeOnlineManagement
- Connect-ExchangeOnline
- $usersWithMailbox = Get-EXOMailbox -ResultSize Unlimited -Filter “RecipientTypeDetails -eq ‘UserMailbox'” | Select-Object DisplayName
- $usersWithMailbox | ForEach-Object { Set-Mailbox -Identity $_.DisplayName -AuditOwner @{Add=”MailboxLogin”} }
- Install-Module ExchangeOnlineManagement
Advanced Audit
Straight from Microsoft’s documentation, “Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention required to conduct an investigation, providing access to crucial events (by using Audit log search in the Microsoft 365 compliance center and the Microsoft 365 Management Activity API) that help determine scope of compromise, and faster access to Microsoft 365 Management Activity API.”
Advanced Audit, unfortunately, is reserved for only those organizations that have an E5 Microsoft subscription. The reason Advanced Audit is a prized commodity during BEC investigations is because Exchange, SharePoint and Azure Active Directory audit logs are stored for 1 year by default and you gain access to several advanced auditing mailbox actions that can really help understand what a threat actor did while accessing a user’s Microsoft account and mailbox. The really important ones are: MailItemsAccess, Send and SearchQueryInitiated.
While it is an increased cost, it’s recommended to at least evaluate the cost vs value of being able to retain logs for a longer period of time and the ability to access some advanced mailbox audit actions, should they be needed.
3. Azure Active Directory Audit & Sign-in Logs
Azure AD Audit & Sign-in Logs records information about sign-ins, how resources are used by users, and information about changes or updates applied to your tenant.
Azure Active Directory (AAD) is third on this list but is by no means the least important. Quite the opposite in fact. Azure Active Directory Sign-in and Audit logs can be vital to a BEC investigation. Why do you need the Azure logs and the Unified Audit Log? Well, that’s because only a subset of Azure log events are ingested into the unified audit log.
The main thing to check with AAD is that you are able to retain the sign-in and audit logs long enough to be able to assist with BEC investigations. If you have Azure AD Free, well, you only get 7 days of Audit and Sign-in logs. You would need to upgrade to Azure AD Premium P1 or P2 to be able to get 30 days of retention on those same logs.
Seven days is simply not long enough for most investigations and 30 days is really cutting it close depending on how quickly an incident is identified and investigated.
You should retain those audit and sign-in logs for longer than the default. There’s a number of ways to do that including using an Azure storage account combined with Azure Monitor, collect them manually by downloading the logs through the Azure Portal or you could even collect them with whatever you’re using for a SIEM. The bottom line is, preserve these logs, they are important, and they will be especially helpful during a BEC investigation.
That’s it for this section, no fancy PowerShell commands for this one. Well, unless you want to view information about your licensing plans, services and/or licenses.
Note, We created a PowerShell script to assist in identifying the Microsoft 365 components that are commonly missing. If you want to check that out and run it on your environment, see here: BEC-Preparation script. Use at your own risk.
- Launch PowerShell as an Administrator
- Run the commands:
- Install-Module AzureAD
- Import-Module AzureAD
- Connect-AzureAD
- Get-AzureADSubscribedSku | Select-Object -Property Sku*,ConsumedUnits -ExpandProperty PrepaidUnits | Format-Table
- Get-AzureADSubscribedSku | ForEach-Object {$_.ServicePlans}
- SkuPartNumber: Shows the available licensing plans for your organization. For example, ENTERPRISEPACK is the license plan name for Office 365 Enterprise E3.
- Enabled: Number of licenses that you’ve purchased for a specific licensing plan.
- ConsumedUnits: Number of licenses that you’ve assigned to users from a specific licensing plan.
For more information about the products, features, and services that are available in different Microsoft 365 subscriptions, see Microsoft 365 Plan Options.
Summary (TLDR;)
TLDR = Too Long Didn’t Read. For those not in the know.
Business Email Compromise is really big (criminal) business. Billions of dollars annually big. These three steps outline the most common things we see being missed when performing assessments and incident response in Microsoft 365.
Step 1. Ensure the Unified Audit Log is Enabled. If it’s not, enable it now!
Step 2. Ensure Mailbox Audit Logging is enabled, for your tenant and for all users.
Step 3. Ensure you’re preserving Azure Active Directory Audit and Sign-in logs.
Optionally. Consider upgrading to get Advanced Audit and consider enabling the Mailbox Login action item for all users.
Note, We created a PowerShell script to assist in identifying the Microsoft 365 components that are commonly missing. If you want to check that out and run it on your environment, see here: BEC-Preparation script. Use at your own risk.
If you need any help with anything in Step 1, 2 or 3, read the associated sections. And if you’re in the unfortunate situation where your Firm has fallen victim to a Business Email Compromise, we are here to help.
