Office 365 rant

[doriel]

Hello everyone. So part of the company made a step and moved to Office 365. Microsoft 365. Junk 356.

Immediatelly after migration last week, mail spoofing and phishing attacks increased by hundreds of percents. This product IS SO AWESOME AND SAFE!!!

Now our management came with the idea, that emails from external addresses are attached as .MSG files.
So we cant search through these messages.

I knew that this will happen, no matter what Microsoft PR department is trying to sell us, I simply do not buy it because IT IS NOT TRUE, ITS JUST MARKETING! 365 junk.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

5 users thanked author for this post.

Bill C., HiFlyer, Cybertooth, Elly, ScotchJohn

Reply | Quote

[Paul T]

How does changing your software cause other people to send you phishing emails? Is it not just a coincidence?

cheers, Paul

Reply | Quote

[doriel]

Thanks for the question, but changing SW is not all it takes. There is Office Admin Center in the cloud. Administration is not dne locally but its a service as a cloud (imagine something like MS Azure) and you can access your email via web interface. Thats the weak spot. By my opinion the cloud solution is to blame. Better to have administration within own (protected) domain instead of cloud solution.
I really doubt its a coincidece, but I may be mistaken. Thats why I put this into rants forum.
PS – people send phishing emails? Arent those done by some PHPmailer or something like that? Just asking, I am curious and I want to know more.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

Reply | Quote

[mn–]

Actually… it’s quite possible to detect service moves.

There’s a little security implication in RFC1912 in that it recommends a way of constructing the zone “serial number” that contains the date of last change.

Therefore, recent SOA record of mail domain + MX in 365 + recent RFC1912-type serial means higher probability of a new tenant, so a good target…

Even more so if you also have an invalid or weird-looking SPF record, means probably transition in progress.

And transition probably means confused users who therefore are easier targets than usual.

And if someone’s planning on doing targeted or semi-targeted attacks, well, it’s sort of cheap to script DNS lookups say once or twice per day on a list of target candidates, and flag when there’s a change… even without a date of change embedded in the zone serial.

3 users thanked author for this post.

oldfry, Elly, doriel

Reply | Quote

[Susan Bradley]

The issue is not the cloud, the issue is how it’s set up and possibly the license you got.

1. you want to go through this checklist – The Exchange Online Best Practices Checklist.docx (sharepoint.com) to lock down older protocols
2. You want to turn on mfa
3. You want to ensure Advanced threat protection is properly enabled – which includes enabling DKIM and all that

The idea that you can do an on premise mail server cheaper – between the cost of licenses, and servers, and with the demise of Small Business Server, I’d beg to differ.

Susan Bradley Patch Lady

1 user thanked author for this post.

doriel

Reply | Quote

[mn–]

Susan Bradley wrote:

The idea that you can do an on premise mail server cheaper – between the cost of licenses, and servers, and with the demise of Small Business Server, I’d beg to differ.

Depends on what you count for that.

There’s a bit of a difference between “an on-premise mail server”, and a full-function “groupware” server (mail and calendar, contacts, etc) like Exchange.

Bare email is feasible with all free software and quite minimal hardware these days. (Would of course need a backup MX or two, storage for the mailboxes and…)

Now, all-free open source groupware server software with calendaring and all that does exist, but I can’t imagine anyone having to count working hours actually deciding to not get the support subscriptions at least for production use… so…

You’d probably need to have hundreds of users (and multiple sites) before on-premises solutions would have a chance of breaking even, currently.

So, yes. From way over here, Microsoft’s 365 pricing is cheap enough to look suspicious. And the various reported data breach and compliance hassles really don’t help that part.

Reply | Quote

[Susan Bradley]

It’s all in the configuration.  number 1 thing to make you more secure:  USE TWO FACTOR. (yes I’m shouting)  it really does make a huge difference.  Next turn off legacy protocols like imap, pop, etc.  These two things are HUGE.  When I talk about a mail server I mean an application like Outlook that works with Word and Excel and QuickBooks.  Something that allows you to set default mail clients, works and doesn’t depend on me trying to search forums for how to get it all working.  Open source works if you know how to code.  I don’t.

Susan Bradley Patch Lady

Reply | Quote

[doriel]

More about this O365. I dont know if you want to answer this, nothing persnal here. I thank you for all your effort you do for us. We really appreciate. But for me its all about angle of view. I simply do not agree with Cloud being safer than on promise.
Thank you once again – for the checklist and for those three points, they look like fundaments, that need to be met to ensure best security. Good advices.

I read that checklist and I dont want to post off-context quotes here, but few things came to my mind. The complexity of this is great.
– Its nothing easy and it has lot to learn, I see very lot of functions and adons on the description of Exchange Online. Including integration into Outlook client.
– Thats good, cause according to the check list there is no more the option to “Remember my credentials” and I cant imagine people going through MFA multiple times when accessing their mail. that would be suicidal.
– Also I should download some .ps1 scripts from gitHub and run them on my server? Checksums are mighty weapon, but.. I would be very carefull on a server.
I could continue, but there is no need, because I dont have as much knowledge as needed.

I know that I should move forward and stay in touch with latest technology. I want to and I try. I did try Azure (it was free for some time, so I created one). And I quite liked it! But I relly disagree with all statements how Cloud soulutions are more secure. They are if you set them so. Same with on-premise. Something stored on multiple dataceters cannot be more safe, that something stored locally and backed up on tapes.

This does not have one solution. Its not black and white, there are at least 50 shades of gray 🙂

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

Reply | Quote

[Paul T]

Looks like coincidence to me. And yes, bots send the mail – it’s people behind the bots so as a generalisation it’s fine (subtleties of English).

cheers, Paul

1 user thanked author for this post.

doriel

Reply | Quote

[Alex5723]

doriel wrote:

So part of the company made a step and moved to Office 365. Microsoft 365. Junk 356.

Your are probably aware that Microsoft monitors all Office 365/Microsoft 365 data and has a direct access to it, and transfers data to the FBI, NSA.. even for non-US users ?

Microsoft shares banking data of Indian customers with US Intelligence agencies

• This reply was modified 1 month, 3 weeks ago by Alex5723.

3 users thanked author for this post.

HiFlyer, Cybertooth, doriel

Reply | Quote

[doriel]

I am not not aware, maybe you have more accurate information. And I have no possibility to know, what is happening “behind the scenes”. I can only interpret what big players are saying (MSFT, Google, Apple, Samsung, ..)

And I think that nobody publicly admits he has problems/sells data these days. Its a pity, because honesty is part of good manners. Without honesty, civilisation is just bunch of savages, that tries to trick each other.

And last note: since our email accounts are exposed somewhere in the cloud, I would bet my half year sallary, that some malware can snoop these accounts/data/addresses from the server. In our own infrastructure, I consider all data safe behind firewall. In the cloud not. Thats why I do not agree with angle of view of @Paul_T. Nothing personal here.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

2 users thanked author for this post.

Alex5723, Paul T

Reply | Quote

[bbearren]

doriel wrote:

In our own infrastructure, I consider all data safe behind firewall. In the cloud not.

If you have an email server within your own infrastructure to handle all intranet email, yes, it is secure behind your firewall.

However, any email exchanges outside your own infrastructure (clients/contractors/suppliers) via the internet is going through “the cloud”, and is not protected by your firewall.

Create a fresh drive image before making system changes/Windows updates, in case you need to start over!

"When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns

"Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

Computer Specs

Reply | Quote

[doriel]

That is correct, in the past we used exchange server only. And there was also communication with people outside organisation. But we added some emails to our address pool by creating 0365 accounts.
Apart of Office365, you cannot access our emails outside domain, unless you are on a VPN, we do not use web interface (like OWA) to connect to our emails, thus I considered that as safe. You can access our email whenever we want in your smart phones, if we need it.
Usually, FW blocked 10-100 a day messsages with unwanted links in it. When we created these online accounts, statistic looks more like 100 – 1000 per day.
I say: someone can register with our email to some e-shop and it can cause this peak, but this looks like too much coincidence. Or maybe number of attacks/spam/whatever increased in the whole world. I dont know.
Thank you for your opinion.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

Reply | Quote

[b]

Alex5723 wrote:

Your are probably aware that Microsoft monitors all Office 365/Microsoft 365 data and has a direct access to it, and transfers data to the FBI, NSA.. even for non-US users ?

Microsoft shares banking data of Indian customers with US Intelligence agencies

“We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and considered legally appropriate and consistent with the rule of law and our Microsoft principles.”

Which similar services do not comply with legally valid warrants?

Reply | Quote

[Alex5723]

b wrote:

“We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual

No US judge or FBI.. have any authority regarding data of non-US banks, accounts…

Reply | Quote

[b]

Alex5723 wrote:

No US judge or FBI.. have any authority regarding data of non-US banks, accounts…

Unless the data is stored within the US?

(I’ll assume you agree that all similar services comply with legally valid warrants.)

Reply | Quote

[mn–]

Yes, that’s exactly the problem here.

Microsoft was earlier found to illegally transfer certain non-US data to US servers. They said it was by honest mistake though…

Not that Microsoft is alone in that either.

Really waiting for someone to actually bother enough to build up a high-profile court case.

1 user thanked author for this post.

doriel

Reply | Quote

[Elly]

Just a non-technical observation- different e-mail clients use different spam filters, which usually need some ‘training’ when initially implemented.

I’d be checking what was filtered out into spam/trash to see if you are losing any legit communications, as well.

As people correctly label the received mail, the spam filter will become more accurate, and you will see less unwanted mail…

Non-techy Win 10 Pro and Linux Mint experimenter

Reply | Quote

[OscarCP]

Ellis: “I’d be checking what was filtered out into spam/trash to see if you are losing any legit communications, as well. ”

From my own experience, this definitely can happen, so one should always check the Junk folder contents before deleting them. In my case, this seems to happen mainly with messages from correspondents overseas. But it also, now and then, happens in reverse, with my messages sometimes ending in the Junk mail of my foreign correspondents.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Elly

Reply | Quote

[Alex5723]

b wrote:

Unless the data is stored within the US?

The data in the Indian banks hasn’t been stored in the US.

Reply | Quote

[niv.dolgin]

Sounds like you need to configure EOP properly.

Microsoft recommendations for EOP and Defender for Office 365 security settings, recommendations

There’s even a config analyzer you should use to see what you’re missing:
Configuration analyzer for security policies – Office 365 | Microsoft Docs

2 users thanked author for this post.

oldfry, doriel

Reply | Quote

[doriel]

Thank you, its evident, that you are more experienced than me, to be honest I have no clue what are talking about. And according to that link its quite complicated procedure, that non experienced user has no chance to set up properly while attempting for the first time.
Maybe its not obvious to MSFT team, but other people have more things to do, than try to reapair Microsoft non-funtional products every sigle day.

I dont want to spend another another two weeks configuring O365. I like O2010 and I will stay as long as possible, I strogly recommended our management to stay on O2010. Seems like our German management has some spare money, that they do not need and they want to give them away to Microsoft. Thats pity.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

1 user thanked author for this post.

Cybertooth

Reply | Quote

[anonymous]

There are a lot of angry cloud fearful people on this post. I’m sorry to have found that. The cloud can be more secure than anything on-premises but it all depends on how you configure it. The tools are many but if you chose not to use them, then yes, you’ll not be surprised when you get loaded up with phishing, spam and all manner of garbage from the unwashed Internet.

Here are a couple of articles to get you started. Microsoft 365 administration: Email rules for security and privacy (techgenix.com) and Microsoft 365 administration: Email security policies (techgenix.com)

Hope this helps you in securing your new cloud environment.

Moderator note: Edit for content. Please follow the –Lounge Rules 11. No advertising, except by explicit prior arrangement.

Reply | Quote

[mn–]

anonymous wrote:

The cloud can be more secure than anything on-premises but it all depends on how you configure it.

That part I really disagree with. Among other things, cloud security depends on trusting the cloud infrastructure provider, and Microsoft isn’t considered quite trustworthy enough by a lot of people.

It’s fairly cheap to build an Office 365 cloud system that has better availability especially regarding local physical damage than anything single-site on-premises, but credible and proven prevention of unauthorized access is another thing. (Especially if you’re worried about actual international espionage…)

I mean, just the other year, Microsoft was caught sending fragments of documents from European users direct to one of their teams in the US, unauthorized. As in “unknown” words from spelling check being sent to the spelling check team… and everyone knows that happens a lot with multilanguage documents.

Reply | Quote

[doriel]

I was thinking exactly about the same sentence since yesterday.

The cloud can be more secure than anything on-premises but it all depends on how you configure it.

I say: maybe those functions that are protecting cloud are more sophisticated. But it seems as logical to me as buying new Dodge Ram to save some space in your garage. And the more complex program is, the more holes are there. Nearly everyday some vulnerability is dicovered. Dont tell me, that data stored on multiple locations are safer. Encrypted maybe 🤷‍♂️

I still wonder.. Nearly everyday we see information abou ransomeware attacks and so on the bleepingcomputer.com for example. And my question is: do these hacked companies rely purely on On-Premise or do they use cloud solutions?
Cloud I say. And once again that is just too much coincidence to me. Of course I can be mistaken, of course I can.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

Reply | Quote

[anonymous]

I’ve never purchase Office 365 as I don’t believe in subscription products and, as a privacy buff, distrust Microsoft, the Cloud, etc.

I’m decidedly low tech-  no cellphone- and am laughing at all of those who are upset that I don’t conform.  They’re the ones that are having all the privacy and data breach issues.

Not that I don’t have the occasional issue- but that’s the price for I pay for being part of a database over which I have no control.

 

Reply | Quote

[WSMRCS]

Best post yet, anonymous Guest.
This topic got awfully quiet after SolarWinds.

“If it had been using Office 365 for email, it would have been game over.”

https://www.reuters.com/article/us-global-cyber-usa/suspected-russian-hackers-used-microsoft-vendors-to-breach-customers-idUSKBN28Y1BF

Are memories so short these days that we need the constant reminders.

• This reply was modified 3 weeks, 6 days ago by Susan Bradley.
• This reply was modified 3 weeks, 6 days ago by WSMRCS.
• This reply was modified 3 weeks, 6 days ago by WSMRCS.

1 user thanked author for this post.

Cybertooth

Reply | Quote

[Paul T]

WSMRCS wrote:

“If it had been using Office 365 for email, it would have been game over.”

You are using that quote out of context and there is not a problem with O365 mail.

The attackers gained access through a 3rd party, not via O365 mail.

cheers, Paul

Reply | Quote

[WSMRCS]

Paul, that was old info. Follow some of the links.

SolarWinds Hack Compromised 40-plus Microsoft Customers
https://www.crn.com/news/security/solarwinds-hack-compromised-40-plus-microsoft-customers
Microsoft Breached Via SolarWinds As Scope Of Destruction Widens: Report
https://www.crn.com/news/security/microsoft-breached-via-solarwinds-as-scope-of-destruction-widens-report?itc=refresh
Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
https://www.crn.com/news/security/microsoft-s-role-in-solarwinds-breach-comes-under-scrutiny

Reply | Quote

[Paul T]

Again, not 0365.

cheers, Paul

Reply | Quote

[WSMRCS]

“hackers for months monitored staff emails sent via Office 365”

If you’re saying that because Office 365 was not the original vector that makes you comfortable, I’m glad for you.

Reply | Quote

[Paul T]

That is the case with any email system once you have internal access.
If bad people have full access to your system, it’s not your system anymore.

cheers, Paul

Reply | Quote

[WSMRCS]

It goes without saying that once your system, or the system you’re a part of, is breached, you’re s******. But, I believe the upshot of the discussion became where are you better off. If you plan on not doing anything or don’t know anything about security, then I would agree that someone is better off with the cloud.
Otherwise, who is the bigger or more likely target:
1) Microsoft with thousands of clients or, like most of us, someone smaller than MS with just themselves or a comparably few clients.
2) 63% of break-ins are inside jobs (that’s an old number) and all of the security software and measures in the world is not going to help you. MS and other companies like them have thousands of employees, whereas most companies are much smaller and most of the employees are known to those responsible for the company’s security.

Reply | Quote

[Author]

Posts