Microsoft 365 Cyberattack Guide 2023

The document discusses mitigation techniques recommended by CISA to prevent cloud attacks in Microsoft 365. It recommends enabling MFA for all accounts, assigning administrator roles using RBAC, enabling unified audit logging, disabling legacy authentication protocols when possible, enabling alerts for suspicious activity, using Microsoft Secure Score, and integrating logs with SIEM tools.
The 2023 Cyberattack Survival Guide for Microsoft 365 using CISA's recommendations

www.microsoft365managerplus.com
Table of Contents
Introduction 2
Mitigation techniques 3
Enable multi-factor authentication (MFA) for administrator accounts 3
Enable MFA for all users 3
Assign administrator roles using role-based access control (RBAC) 4
Enable the unified audit log (UAL) 4
Disable legacy protocol authentication when appropriate 5
Enable alerts for suspicious activity 5
Incorporate Microsoft Secure Score 6
Integrate logs with your existing SIEM tool 6
Review user-created email forwarding rules and alerts, or restrict forwarding 7
Bonus content 7
How M365 Manager Plus can help 8
Conclusion 9
Introduction
After the pandemic set in, organizations all over the world moved to
cloud or hybrid infrastructures to accommodate the widespread
adoption of remote work. While organizations made this transition,
threat actors evolved their attack techniques to suit the new working
model. Recent cyberattacks carried out by the threat actor group
NOBELIUM are a good example—the sophisticated attack techniques
they use initially made it impossible to identify their presence. This
evolution has proved that perimeter security techniques aren't enough
to meet new-age cyberthreats. Organizations that were slow to adopt
new cyberhygiene techniques have suffered the most.

In this e-book, you'll learn about the mitigation techniques recommended by the Cybersecurity and
Infrastructure Security Agency (CISA) to prevent new-age cloud attacks. It also covers how these
settings can be implemented in Microsoft 365.

Note: The techniques recommended in this e-book can be extended to other cloud structures as well.

Mitigation techniques
The following list contains recommended configurations for deploying M365:

Enable multi-factor authentication (MFA) for administrator accounts
Global Administrators are the first accounts created in Azure AD. They can configure tenants, create
users, manage permissions, migrate user accounts, and do everything else in an Azure AD setup. Though
these are privileged accounts, MFA isn't enabled for them by default in Azure AD. If hackers gain
access to a Microsoft 365 account, they can maintain persistence and move laterally to the on-premises
AD when the user accounts are synced.

How to do it
Head to the Microsoft 365 admin center > Users > Active users to enable MFA for users in bulk.

What's the catch?
Though the Microsoft 365 admin center allows administrators to enable or disable MFA for users
in bulk, authentication methods have to be configured for the accounts individually. Bulk MFA
configuration is not available.

Enable MFA for all users
Though normal users in a Microsoft 365 environment don't have elevated permissions, they still have
access to data that could be harmful to an organization if accessed by an unauthorized entity. Also,
threat actors compromise normal user accounts in order to send phishing emails and attack other
organizations using the apps and services the compromised user has access to.

How to do it
Head to the Microsoft 365 admin center > Users > Active users to enable MFA for users in bulk.

What's the catch?
Though the Microsoft 365 admin center allows administrators to enable or disable MFA for users
in bulk, authentication methods have to be configured for the accounts individually. Bulk MFA
configuration is not available.
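Because enabling MFA in bulk does not register an authentication method for anyone, the practical follow-up to both MFA sections above is to find out which privileged accounts still have only a password registered. The script below is an added example written for this guide, not code from the e-book or from ManageEngine. It uses the Microsoft Graph PowerShell SDK (assumed installed) and assumes the signed-in account can read directory roles and users' authentication methods; the set of method types it treats as MFA-capable is the author's choice.

```powershell
# Added example (not from the e-book): report the MFA registration state of every
# member of an activated Azure AD administrator role. Assumes the Microsoft.Graph
# PowerShell SDK and an account permitted to read role memberships and auth methods.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

# Method types that can serve as a second factor. A password or an SSPR e-mail address does not count.
$MfaMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Get-AdminMfaCoverage {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant;
    # collect the distinct user objects across all of them.
    $adminIds = Get-MgDirectoryRole -All |
        ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All } |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        Select-Object -ExpandProperty Id -Unique

    foreach ($id in $adminIds) {
        $user    = Get-MgUser -UserId $id -Property DisplayName, UserPrincipalName
        $methods = Get-MgUserAuthenticationMethod -UserId $id
        $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        [pscustomobject]@{
            User       = $user.UserPrincipalName
            MfaMethods = @($types | Where-Object { $MfaMethodTypes -contains $_ }).Count
            Registered = ($types -replace '#microsoft\.graph\.', '') -join ', '
        }
    }
}

# Accounts with MfaMethods = 0 are privileged accounts that can still sign in with a password alone.
Get-AdminMfaCoverage | Sort-Object MfaMethods, User | Format-Table -AutoSize
```

Run it after the bulk enablement step and again a few days later; the list of admins with zero MFA-capable methods is the list you still have to chase individually, which is exactly the gap the "What's the catch?" paragraph describes. The same function works for ordinary users if you replace the role-member lookup with `Get-MgUser -All`.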

Assign administrator roles using role-based access control (RBAC)
Due to its high level of privilege, the Global Administrator account should only be used when necessary.
Instead, you can use Azure AD's predefined administrator roles to limit the use of highly privileged
accounts.

How to do it
Sign in to Azure AD.
In the search bar, search for the resources to which the access applies.
Select Access control (IAM) > Click the Role assignment tab.
Select Add > Add role assignment > Select a role > Click Next.
Add users, groups, or service principals > Click Next.
Click Review + assign.

What's the catch?
Microsoft 365 neither allows you to modify the predefined roles nor create custom roles tailored
to meet your organizational needs.

Enable the unified audit log (UAL)
The UAL contains all the activity logs from Exchange Online, SharePoint Online, OneDrive, Azure AD,
Microsoft Teams, Power BI, and other Microsoft 365 services. Audit logging is enabled by default for
Microsoft 365 enterprise users. However, when setting up a new Microsoft 365 organization, always
verify whether it's turned on or not.

Use the Get-AdminAuditLogConfig cmdlet in Exchange Online PowerShell to check the audit logging
status. If the UnifiedAuditLogIngestionEnabled property returns as True, it indicates that audit log
searching is turned on.

How to do it
Go to the Microsoft 365 compliance center.
Choose Audit from the left pane.
Click the Start recording user and admin activity banner.

What's the catch?
By default, audit logs are stored for a maximum of 90 days. You need to purchase an E5 premium
license to store them for 365 days. Logs cannot be accessed after the retention period. However,
some compliance requirements may require you to store logs for a longer period.
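The Get-AdminAuditLogConfig check described above, carried through in Exchange Online PowerShell, as an added example that is not part of the e-book or ManageEngine's tooling. It verifies the setting, enables ingestion if it is off, and then pulls one day of sign-in events and writes them to CSV, which is the cheapest way to keep events past the 90-day retention limit mentioned in the catch. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange role that permits audit log searching; the output path is a placeholder.

```powershell
# Added example (not from the e-book): confirm UAL ingestion, enable it if needed,
# and archive a day of sign-in events outside the tenant's retention window.
# Assumes the ExchangeOnlineManagement module; C:\audit-archive is a placeholder path.
Connect-ExchangeOnline

function Test-UnifiedAuditLog {
    $config = Get-AdminAuditLogConfig
    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Unified audit log ingestion is enabled.'
        return $true
    }
    Write-Warning 'Unified audit log ingestion is DISABLED; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Re-read the setting instead of assuming the change applied; it can take time to propagate.
    return [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Export-SignInEvents {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date),
        [string]$OutDir  = 'C:\audit-archive'   # placeholder
    )
    # AzureActiveDirectoryStsLogon is the UAL record type for Azure AD sign-ins.
    $events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType AzureActiveDirectoryStsLogon -ResultSize 5000
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $file = Join-Path $OutDir ("signins-{0:yyyyMMdd}.csv" -f $Start)
    # AuditData is a JSON blob per event; keep it intact so nothing is lost in the archive.
    $events | Select-Object CreationDate, UserIds, Operations, AuditData | Export-Csv -Path $file -NoTypeInformation
    return @{ Count = @($events).Count; File = $file }
}

if (Test-UnifiedAuditLog) {
    $result = Export-SignInEvents
    "Archived $($result.Count) sign-in events to $($result.File)"
}
```

Schedule the export daily and the archive grows independently of the E3/E5 retention period; Search-UnifiedAuditLog returns at most 5,000 results per call, so a busy tenant needs a shorter window or the cmdlet's paging options.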

Disable legacy protocol authentication when appropriate
Azure AD uses modern authentication, which supports MFA, to authenticate Exchange Online users.
However, legacy protocols like POP3, IMAP, and SMTP that are associated with Exchange Online don't
support MFA, and these protocols are still used by some old email clients. This means that user
accounts can be accessed with just a username and a password. To avoid this, client apps that use
legacy protocols should be blocked by disabling the protocols themselves. They can be disabled at the
tenant level or at the user level. However, should an organization require older email clients as a
business necessity, these protocols will presumably not be disabled. The best way to handle this is to
use an Azure AD Conditional Access policy.

How to do it
Sign in to Azure AD.
Choose Security from the left pane.
Click Conditional Access from the left pane.
Select New policy.
Select the users and groups who should be included in the policy.
Select the client apps and cloud applications that should be included in the policy.
Under Access controls, select Block access.
Click Create.

What's the catch?
You must have a Microsoft 365 Business Premium license or an Azure AD Premium P1 license to
use Conditional Access policies.
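Where the Conditional Access licence is not available, the tenant-level and per-user switches mentioned in the section above can be driven from Exchange Online PowerShell. The script below is an added example, not the e-book's or ManageEngine's code: it lists every mailbox that still has POP, IMAP or SMTP AUTH enabled, disables those protocols for everyone except members of an exception group, and turns SMTP AUTH off tenant-wide. It assumes the ExchangeOnlineManagement module and a mail-enabled security group named Legacy-Mail-Clients (a hypothetical name) that holds the users who genuinely need an old client.

```powershell
# Added example (not from the e-book): per-mailbox and tenant-wide legacy protocol
# lockdown. Assumes ExchangeOnlineManagement; 'Legacy-Mail-Clients' is a hypothetical group.
Connect-ExchangeOnline

function Get-LegacyProtocolReport {
    # SmtpClientAuthenticationDisabled is $null when a mailbox inherits the tenant setting,
    # so treat anything other than an explicit $true as "SMTP AUTH possibly allowed".
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -ne $true } |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
}

function Disable-LegacyProtocols {
    param([string]$ExceptionGroup = 'Legacy-Mail-Clients')   # hypothetical group name

    $exempt = @(Get-DistributionGroupMember -Identity $ExceptionGroup -ResultSize Unlimited |
                ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() })

    foreach ($mbx in Get-LegacyProtocolReport) {
        $address = $mbx.PrimarySmtpAddress.ToString()
        if ($exempt -contains $address.ToLowerInvariant()) {
            Write-Host "Skipping $address (member of $ExceptionGroup)"
            continue
        }
        Set-CASMailbox -Identity $address -PopEnabled $false -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled $true
        Write-Host "Legacy protocols disabled for $address"
    }

    # Tenant-wide default: new mailboxes and any mailbox set to inherit get SMTP AUTH off.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

Get-LegacyProtocolReport | Format-Table -AutoSize   # review first
Disable-LegacyProtocols                              # then enforce
```

Run the report before the change and keep its output; the mailboxes that reappear in it afterwards are either exception-group members or accounts someone re-enabled, both of which are worth a look.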

Enable alerts for suspicious activity
Creating alerts to notify administrators about abnormal events reduces the time needed to effectively
identify and mitigate malicious activity. At a minimum, CISA recommends enabling alerts for logins
and for accounts exceeding sent email thresholds.

How to do it
Go to the Microsoft 365 Defender portal.
Select Policies & rules > Alert policy.
Select the action for which the alert should be configured, and provide all the required inputs.
Click Create.

What's the catch?
Alert policies can be created in the Microsoft Defender portal, but alerts related to mail flow have
to be created in the Exchange admin center. This dispersal of features across different portals
makes them cumbersome to use.

Incorporate Microsoft Secure Score
Microsoft provides a built-in tool that measures an organization's security posture with respect to its
Microsoft 365 services and offers enhancement recommendations. Using Microsoft Secure Score
provides organizations a centralized dashboard for tracking and prioritizing security and compliance
changes within Microsoft 365.

How to do it
Go to the Microsoft 365 Defender portal.
Click Secure Score in the left pane.

What's the catch?
Recommendations provided by Microsoft Secure Score do not encompass all possible security
configurations, but organizations should still consider using Microsoft Secure Score because
Microsoft 365 service offerings frequently change.

Integrate logs with your existing SIEM tool
It's critical to integrate and correlate your Microsoft 365 logs with other log management and
monitoring solutions. This will ensure that you can detect anomalous activity in your environment and
correlate it with any potential anomalous activity in Microsoft 365.

How to do it
Go to the Microsoft Defender for Cloud Apps portal.
Under the Settings cog, select Security extensions.
Under the SIEM agents tab, select Add > Generic SIEM.
Provide all the required details, including your SIEM format, syslog server hostname,
and syslog server port number.
Select the data types you want to export to your SIEM server for Alerts and Activities.
Select Next.
Copy the token and save it for later. Select Finish and leave the wizard.
In the Microsoft Download Center, download the ZIP file and unzip it.
Run the extracted file on your server:

    java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN

What's the catch?
In order for your organization to comply with the licensing requirements for Microsoft Defender
for Cloud Apps, you must obtain a license for every user protected by it.

Review user-created email forwarding rules and alerts, or restrict forwarding
Auto forwarding enables threat actors to compromise your security posture without direct access to
your environment. A typical hacker gets into a privileged mailbox and turns on auto forwarding, which
allows them to access confidential information and even reroute payments to their own bank accounts.
This is why it's important to keep an eye on auto forwarding rules, and it's even better to disable auto
forwarding on a case-by-case basis.

How to do it
Log in to the Exchange admin center.
Choose Reports > Mail flow from the left pane.
Click the Auto forwarded messages report.

What's the catch?
This report cannot be scheduled. So, as an admin, you have to check this report manually to
identify anomalies.
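Since the portal report cannot be scheduled, the review described above can be done from Exchange Online PowerShell instead, where it can run on a timer. The script below is an added example, not code from the e-book or from ManageEngine. Its detection function takes plain mailbox and inbox-rule objects, so it is exercised first against constructed sample data (no real tenant needed), and the live calls that feed it real data follow; it assumes the ExchangeOnlineManagement module, and contoso.com is a placeholder for your own accepted domains.

```powershell
# Added example (not from the e-book): flag mailbox forwarding and inbox rules whose
# destination lies outside the tenant's domains, then block auto forwarding tenant-wide.
# contoso.com / contoso.onmicrosoft.com are placeholders for your accepted domains.
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Exchange renders targets as "smtp:user@domain", "SMTP:user@domain" or "Name [SMTP:user@domain]";
    # pull out the bare address before looking at its domain.
    if ($Address -match '([^\s\[\]:]+@[^\s\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return -not ($InternalDomains -contains $domain)
}

function Find-ExternalForwarding {
    param([object[]]$Mailboxes, [object[]]$InboxRules)
    foreach ($m in $Mailboxes) {
        # ForwardingAddress (not checked here) always names an internal recipient object; resolve it
        # with Get-Recipient if you also want to catch mail contacts that point outside.
        if ($m.ForwardingSmtpAddress -and (Test-ExternalAddress $m.ForwardingSmtpAddress)) {
            [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; Source = 'MailboxForwarding'; Target = $m.ForwardingSmtpAddress }
        }
    }
    foreach ($r in $InboxRules) {
        foreach ($target in @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }) {
            if (Test-ExternalAddress $target) {
                [pscustomobject]@{ Mailbox = $r.MailboxOwnerId; Source = "InboxRule:$($r.Name)"; Target = $target }
            }
        }
    }
}

# Constructed sample data, not real mailboxes: one mailbox forwards to a personal address,
# one rule forwards internally (benign), one rule with a one-character name redirects externally.
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'cfo@contoso.com';   ForwardingSmtpAddress = 'smtp:cfo.backup@webmail.example' },
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.com'; ForwardingSmtpAddress = $null }
)
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.com'; Name = 'Team copy'; ForwardTo = @('Bob [SMTP:bob@contoso.com]'); ForwardAsAttachmentTo = @(); RedirectTo = @() },
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.com'; Name = '.';         ForwardTo = @();                            ForwardAsAttachmentTo = @(); RedirectTo = @('SMTP:drop@mailbox.example') }
)
Find-ExternalForwarding -Mailboxes $sampleMailboxes -InboxRules $sampleRules | Format-Table -AutoSize

# Live run against the tenant: gather real mailboxes and every mailbox's inbox rules.
Connect-ExchangeOnline
$mailboxes = Get-Mailbox -ResultSize Unlimited
$rules     = $mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress }
Find-ExternalForwarding -Mailboxes $mailboxes -InboxRules $rules | Export-Csv -Path 'external-forwarding.csv' -NoTypeInformation

# Tenant-wide block: stop automatic forwarding to the default remote domain (external recipients).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

On the sample data the function reports the CFO mailbox's forwarding address and Alice's "." redirect rule, and leaves the internal "Team copy" rule alone; a rule with a throwaway name like "." is a common sign the rule was not created by the mailbox owner. The tenant-wide Set-RemoteDomain change is the "restrict forwarding" half of the heading and should be applied after the exceptions found by the report have been reviewed.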

Bonus content
Focus on awareness and training: Make employees aware of threats like phishing scams and how
they're delivered. Additionally, provide users training on information security principles and
techniques as well as overall emerging cybersecurity risks and vulnerabilities.

Establish blame-free employee reporting: Ensure that employees know who to contact when they
see suspicious activity or when they believe they've been a victim of a cyberattack. This will ensure
that the proper established mitigation strategy can be employed quickly and efficiently.

How M365 Manager Plus can help
M365 Manager Plus is ManageEngine's Microsoft 365 management and security tool. It helps you
govern Exchange Online, Azure AD, Microsoft Teams, OneDrive for Business, and other Microsoft 365
services, all from a single console. In this section, we'll cover how M365 Manager Plus can help you
effortlessly implement the aforementioned security recommendations.

Enable MFA for administrator accounts: Enabling MFA and configuring MFA aren't two different
tasks with M365 Manager Plus—everything can be done all at once. In the UI, configure the MFA
settings and upload the details of users, and that's all. You'll be good to go.

Assign administrator roles using RBAC: With M365 Manager Plus, you can create your own
custom roles and assign them to technicians. With the dedicated set of reports provided by the
tool, you can even audit the actions of those delegated technicians.

View the UAL: M365 Manager Plus comes with more than 500 predefined reports, which can be
viewed in a single click. Unlike Microsoft 365, all audit logs starting from the day of installation can
be stored indefinitely, provided audit logging is enabled.

Enable alerts for suspicious activity: M365 Manager Plus allows you to create email alerts for all
critical activities. In addition to the default alert profiles, you can create your own threshold-based
alert profiles to stay informed.

Integrate logs with your existing SIEM tool: Integrate M365 Manager Plus with a Splunk or Syslog
server to analyze and gain deep insights into the activities happening in your environment.

Restrict users from forwarding emails to accounts outside of your domain: With M365 Manager
Plus' Set Mail Forwarding feature, you can disable email forwarding for multiple mailboxes at a
time. No need to rely on PowerShell scripts.

Conclusion
With the goal of maximum disruption in mind, cyberattacks are getting more sophisticated every day.
Security complacency is never an option; always stay informed about ongoing cybersecurity trends and
make sure to implement them in your environment. This can be overwhelming and challenging at times,
but we at ManageEngine are continuously striving to provide the right solutions to help overcome this.

M365 Manager Plus is an extensive Microsoft 365 tool used for reporting, managing, monitoring,
auditing, and creating alerts for critical incidents. With its user-friendly interface, you can easily manage
Exchange Online, Azure Active Directory, Skype for Business, OneDrive for Business, Microsoft Teams,
and other Microsoft 365 services from a single console.
