A thought by Jeff Stein
When it comes to hardening Microsoft O365, Exchange Online is one commonly used service, and it offers a number of security features you can implement. While Microsoft may take care of the email infrastructure, the shared responsibility model still requires you to consider your options for hardening your environment. Taking advantage of these features can provide a path forward. This thought is part of a multi-part series on securing Microsoft O365 including:
Accessing Services
Exchange Online
SharePoint Online
Exchange Online can be used to replace your on-premises Exchange mail infrastructure or as a replacement for other mail providers. The solution has a number of robust security features that can be used to secure your email environment. Additionally, there are some configuration options provided with Exchange Online that you should consider turning off to ensure a secure deployment of Exchange Online and O365. The features fall into two high-level categories: those that are defensive in nature, protecting your users and mail from malicious attacks such as phishing, and those that enforce how recipients of mail from your domain handle its messages.
Enforcement deals with message integrity: ensuring that messages received by recipients are indeed legitimate and, if not, instructing the recipient how to properly handle the suspect message. There are three email authentication standards, SPF, DKIM and DMARC, provided for a secure implementation of email. To use Exchange Online with message integrity you will need to add O365 to your configuration of all three standards. You can check out my previous thought on how to leverage message integrity here. While configuring DKIM and DMARC is recommended, as it will help you promote a strong enforcement posture, to ensure you can use O365 to send email at all you must either add or update the SPF TXT record in your domain's DNS to include the O365 information.
Think of SPF as a whitelist for your domain. It provides you the ability to define which IP addresses are allowed to send mail on behalf of your domain. This whitelist resides in the form of an SPF record. Depending upon how many different services you are using besides Exchange Online to send as your domain, the feature may be quite limiting. One limitation of SPF is that the framework only allows for up to 10 IP addresses to be included in the SPF record. To add O365 to your SPF record you should run the following command:
DKIM enables message integrity by adding a digital signature to the message, which increases trust in the source of the message. A recipient can then validate the digital signature to know whether the message is valid or has been altered or forged. Fortunately, O365 will automatically set up DKIM for you when you use the default 'onmicrosoft.com' domain associated with your O365 tenant. If you have a custom domain you want to use with O365, then you will need to manually publish two CNAME records in DNS for each domain you have, with the domainGUID and domainKey contained in the CNAME records, to allow the use of DKIM [2].
Using the DMARC framework you can improve the proper handling of SPF and DKIM. It allows you, as domain owner, to instruct the message recipient how to handle any messages which do not pass a combination of SPF and DKIM authentication. From an inbound mail standpoint O365 supports DMARC and will honor the instructions published by sending domains by default. To take advantage of DMARC for your domain you will need to create a DMARC TXT record in DNS, similar to SPF. To ensure the best security posture possible I recommend you set your DMARC policy to REJECT to best control what happens to invalid messages not aligned with your SPF and DKIM configuration.
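As an added example (not code from the original post), the following Python script parses the SPF and DMARC TXT records discussed in the two sections above and reports whether O365 is whitelisted, how many lookup-consuming SPF terms the record carries against the RFC 7208 limit, and whether the DMARC policy is REJECT. The sample records are constructed, and the spf.protection.outlook.com include name is assumed from Microsoft's published guidance rather than taken from this post.

```python
import re

# Microsoft's published SPF include for Exchange Online (assumption: from MS docs, not this post).
O365_SPF_INCLUDE = "spf.protection.outlook.com"
# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split a TXT record into (qualifier, name, value) terms; '+' is the default qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        # qualifier, mechanism/modifier name, optional value, optional /prefix-length
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/]*))?(?:/\d+)*", term, re.I)
        if not m:
            raise ValueError(f"malformed SPF term: {term}")
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return parsed


def check_spf(record):
    """Report whether O365 is whitelisted, the lookup budget used, and how 'all' is qualified."""
    terms = parse_spf(record)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    all_qualifier = next((q for q, name, _ in terms if name == "all"), None)
    return {
        "has_o365": any(name == "include" and value == O365_SPF_INCLUDE for _, name, value in terms),
        "lookups": lookups,
        "within_limit": lookups <= MAX_LOOKUPS,
        "all_qualifier": all_qualifier,  # "-" hard fail, "~" soft fail, "+"/None lets anyone send
    }


def check_dmarc(record):
    """Parse 'tag=value;' pairs and flag whether the policy is the recommended REJECT."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    return {"policy": policy, "reject": policy == "reject", "reports_to": tags.get("rua")}


# Constructed sample records for a tenant sending through O365 plus a CRM and one fixed IP.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example ip4:203.0.113.10 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Run the same checks against the records your DNS actually returns; a missing O365 include, a lookup count over the limit, or a DMARC policy of none are the findings to act on.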
The features offered by O365 to protect your email environment and the end users that receive mail include a variety of protections ranging from message filtering to mail encryption as well as data retention. The majority of the hardening options come with the Exchange Online Protection feature in Exchange Online.
This feature set addresses static malware analysis, spam keywords and spam reputation. You can use the product to create spam filtering rules to address items such as sender reputation and DNS blacklists as well as O365's proprietary threat intelligence. Additionally, the feature supports encrypted mail.
All messages are sent to recipient domains using TLS if the recipient supports it, and you can also create a transport rule that identifies potential Personally Identifiable Information (PII) and automatically encrypts the email. Keywords in the subject or body of an outbound message can also be used to trigger encryption. Encrypted emails are then sent to the recipient with the content stripped out and replaced with a link that the recipient can click to view the contents over an HTTPS connection. You can additionally tie your transport rule to your Data Loss Prevention (DLP) policy to prevent your senders from sending messages in violation of your DLP policies.
This feature allows you to protect your email users from potentially malicious links. O365 rewrites all links using "Safe Links" so that the actual link included in an email is not visible to the message recipient. O365 then inspects these links to determine if they are potentially malicious. The idea is that if a malicious link is being leveraged as part of a phishing attack, Microsoft can sever the connection between the Safe Link and the actual URL. This way, when your user clicks on the link they will not be taken to the malicious destination and will be protected from the attack. Similar to Safe Links there is also a "Safe Attachments" aspect of the feature, which uses heuristic malware scanning and strips malicious attachments from emails before your users access them.
Similar to the on-premises Exchange feature set, Exchange Online supports journaling inboxes and retention policies. You can set global retention policies in line with your legal requirements, which means that data will not be purged from removed accounts until it has aged past your retention policy. Additionally, you can place a "Legal Hold" on an inbox to complement your retention policy if a legal issue arises with one of your users.
Hardening Exchange Online is key to ensuring a secure service in O365. While Microsoft may be handling all of the risk associated with the infrastructure of your email environment, the shared responsibility model does leave a gap in which both external and internal threats can exist, and that gap must be addressed in your tenant. Utilizing message integrity with your Exchange Online service as well as the defensive features available in the product will help you layer security controls on your O365 tenant and mitigate potential risk.
[1] Set up SPF to help prevent spoofing (November, 2019). Retrieved from Article Link
[2] Use DKIM to validate outbound email sent from your custom domain (October, 2019). Retrieved from Article Link