Simplest way to be notified that a client has been compromised. (O365)

thecomputerguy

When a client gets compromised it's almost always the same story.

Link Clicked, Token Stolen, Logs with bad logins showing "previously satisfied", Rules configured, client is then notified by one of their clients they have been hacked.

Client notifies me.

I tried setting up an alert policy in security.microsoft.com to notify me when an Inbox-Rule is created but that option does not exist. The only option is to notify when a user creates a forward/redirect of mail.

This seems like such a trivial function I can't believe it isn't easier to configure.

My clients all use Business Standard/Business Premium

How can I be better notified when a client is compromised when FIDO keys & CA policies requiring intune registered compliant devices aren't an option?

@YeOldeStonecat @Sky-Knight
 
Yeah the built in alerts ...from Defender...EMail & Collab...Policies & Rules...Alert Policies.....those aren't bad.. Used those in the old days, sort of like a "poor mans SIEM" ...we'd have it fire off emails to our helpdesk email address.

And I can't believe the canned alert for "Creation of forwarding/redirect rule" is not at least 2 bars red..it's all gray like it's minimal...heh.
Although its counterpart..nearly similar rule..."Suspicious EMail Forwarding Activity"..is all 3 bars red.

There is a rule called "EMail messages removed after delivery" which is close....covers a little bit of that gap.

But yeah we lean on the stack of tools now .....Huntress ITDR..and even Augmentt does lots of this.
 
In the O365 policies you can tell it to block forwarding to an external domain. This would generate an alert if someone attempted to do that.
 
So, is there any way to make a "notify me when an Inbox-Rule is created" alert within M365?

Yes, there is a "Created mail forward or redirect rule" alert you can enable. Like @TazUk said, block forwarding to an external domain is a good one as long as they don't have some workflow in place that requires this (forwarding to web-based practice management software, for example). Also block email from their domain that didn't originate in their domain - again if they don't have some workflow that requires this (marketing stuff like Canva, etc.)
 
> Yes, there is a "Created mail forward or redirect rule" alert you can enable. Like @TazUk said, block forwarding to an external domain is a good one as long as they don't have some workflow in place that requires this (forwarding to web-based practice management software, for example). Also block email from their domain that didn't originate in their domain - again if they don't have some workflow that requires this (marketing stuff like Canva, etc.)

This is partially correct.

Yes it does alert when a forwarding/redirect rule is created, which is essentially an alert when someone tried to forward their mailbox to an external mailbox, which by default is disabled anyway.

It does not, however, alert when an Inbox-Rule is created in the sense that:

- Mark mail as read
- Move mail from X to Folder: (Conversation History)

When a mailbox is compromised it is not common for the compromising party to forward the mail, yes it can happen but it's not a normal part of a routine day to day compromise.

Typically a compromise occurs in the following order:

Token Stolen
Bad sign ins in entra
Rules setup to move mail to different folder
Account used to compromise other accounts

This alert would not be triggered by any of these events.
 
When a bad actor gets into an account....they get sneaky with rules. Naming them with say, a ".", or other name that you might miss...or overlook, or think is normal or default. It's not always "forward to external"...they take other actions to "hide" incoming emails that fall under a certain category, delete stuff in sent folder, etc. Old days they'd do a forwarding rule to some external email they had...and some still do, but since Microsoft's optimal settings (and other best practice guides) now disable external forwarding...they've adapted to that and just stay inside the system.

3rd party tools, such as Huntress ITDR or Augmentt, are great at detecting..and cleaning up these funky rules.
 
Agreed that the Inbox filters these bad actors set up are always to divert incoming messages to a place that's "invisible" to the user. Sometimes the RSS Feeds folder. Some move everything to deleted. A few have redirect keywords and or senders.

I'm going to be following along here. I'd like to have some kind of notification too. An alert based on a rule being created is a good, inexpensive method. Seems like there should be some better triggers beyond that before you have to go to a full blown ITDR. But maybe that's what I need to do.

I did have a trial of Adlumin that N-Able pushed me into, but I didn't have the mental bandwidth to deal with that at the time. May need to revisit that.
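The two posts above describe what a compromise-era inbox rule looks like (a name like ".", mail moved to RSS Feeds or Deleted Items, marked read or deleted, keyword or sender filters) and note that the built-in alert only fires on forward/redirect. The following is an added example, not code from this thread or from any of the products mentioned in it, showing how a simple triage script can score New-InboxRule / Set-InboxRule audit records for those traits. The records are constructed for the example and mimic the AuditData JSON that `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule` returns (Operation, UserId, ClientIP and a Parameters array of Name/Value pairs); that layout, the hidden-folder list, the BEC keyword list and the internal domain are all assumptions made here. Rules created from Outlook desktop are logged as UpdateInboxRules with a different layout, which this script does not parse.

```python
import json
from dataclasses import dataclass, field

# Operations this example understands; UpdateInboxRules (Outlook desktop) is not parsed here.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders attackers use to park diverted mail where the user will not look (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive", "notes"}

# Subject/sender words typical of BEC rules that hide replies about the fraud (assumed list).
LURE_WORDS = {"invoice", "payment", "wire", "ach", "password", "hacked",
              "phish", "fraud", "suspicious"}


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    client_ip: str
    score: int
    reasons: list = field(default_factory=list)


def parse_parameters(record):
    """Flatten the audit record's Name/Value Parameters array into a lower-cased dict."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record, internal_domains):
    """Return (score, reasons) for one rule-creation/modification record."""
    params = parse_parameters(record)
    name = params.get("name", "")
    score, reasons = 0, []
    # Names like "." or "" are meant to be overlooked in the rules list.
    if not any(ch.isalnum() for ch in name) or len(name.strip()) <= 2:
        score += 2; reasons.append(f"suspicious rule name {name!r}")
    # Folder value may be a path such as "Inbox\RSS Feeds"; compare only the leaf name.
    folder = params.get("movetofolder", "").split("\\")[-1].lower()
    if folder in HIDING_FOLDERS:
        score += 3; reasons.append(f"moves mail to hidden folder {folder!r}")
    if params.get("deletemessage", "").lower() == "true":
        score += 3; reasons.append("deletes matching mail")
    if params.get("markasread", "").lower() == "true":
        score += 1; reasons.append("marks mail as read")
    # Forward/redirect to a domain that is not ours (plain addresses assumed in the sample).
    for key in ("forwardto", "redirectto", "forwardasattachmentto"):
        for target in params.get(key, "").split(";"):
            target = target.strip()
            if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
                score += 3; reasons.append(f"{key} to external address {target!r}")
    words = set()
    for key in ("subjectcontainswords", "subjectorbodycontainswords", "bodycontainswords", "from"):
        words.update(w.strip().lower() for w in params.get(key, "").split(";") if w.strip())
    hits = sorted(words & LURE_WORDS)
    if hits:
        score += 2; reasons.append(f"filters on BEC keywords {hits}")
    return score, reasons


def triage(audit_data_lines, internal_domains=("contoso.example",), threshold=3):
    """Parse AuditData JSON strings and return findings at or above threshold, highest first."""
    domains = {d.lower() for d in internal_domains}
    findings = []
    for line in audit_data_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        score, reasons = score_rule(rec, domains)
        if score >= threshold:
            findings.append(Finding(rec.get("UserId", ""), rec["Operation"],
                                    parse_parameters(rec).get("name", ""),
                                    rec.get("ClientIP", ""), score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample records (not real logs) in the assumed AuditData shape.
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Clean up"},
                               {"Name": "SubjectContainsWords", "Value": "hacked;suspicious"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Identity", "Value": "alice"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@contoso.example", "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "Name", "Value": "Forward"},
                               {"Name": "ForwardTo", "Value": "drop@mail.example"},
                               {"Name": "MoveToFolder", "Value": "Deleted Items"}]}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_DATA):
        print(f"[{f.score}] {f.user} {f.operation} {f.rule_name!r} from {f.client_ip}: {'; '.join(f.reasons)}")
```

Against the sample data the "." rule scores highest, the external forward plus Deleted Items rule next, the delete-on-keyword rule third, and the Newsletters rule is not reported. In practice you would feed the script the AuditData property of each record from Search-UnifiedAuditLog for the last day or so and mail the findings to the helpdesk; the scoring weights are a starting point, not a tuned detector, and anything that moves mail to a hidden folder or deletes it deserves a look regardless of score.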
 
The ITDR that seems to be winning over MSPs lately...is Petra ITDR

I have not demo'd it, have not priced it. Several colleagues I regularly chat with either demo'd it, onboarded with it, etc...and really love it.
One of them so impressed with it..they moved to it from the top dog...Blackpoint. (which is quite pricey)
 
The XDR admin panel is where this data comes from and goes to if you want a Microsoft solution. But, to make it fully work you need M365 Business Premium + Defender Suite for Business Premium. Then you can go configure all the defender bits to make the XDR admin panel almost a SIEM and get the intelligent alerting. But really, you don't even get what you want for this specific correlation of factors until you put Microsoft Sentinel on top. And at the SMB level, it's just not cost effective.
 
Also, found out the hard way that getting M365 alert notifications sent to an external email is nigh on impossible without a third-party solution. I still have scars from beating my head against that particular wall.
 
> Also, found out the hard way that getting M365 alert notifications sent to an external email is nigh on impossible without a third-party solution. I still have scars from beating my head against that particular wall.
Send to shared mailbox, configure shared mailbox via anti-spam policy to have authorization to forward externally, configure shared mailbox to forward externally.
 
> The ITDR that seems to be winning over MSPs lately...is Petra ITDR
>
> I have not demo'd it, have not priced it. Several colleagues I regularly chat with either demo'd it, onboarded with it, etc...and really love it.
> One of them so impressed with it..they moved to it from the top dog...Blackpoint. (which is quite pricey)
Impressed so far...

I thought I'd check them out. Submitted my phone number, company name, etc. Was expecting a phone call and a push for a demo, etc. Instead within three minutes it was collecting logs for one of my tenants, preparing to review 6 months of history.
 
Looks like it's $2.99 per identity protected (mailbox, user?). Presume that's my cost. So sell it for $6.00 per month or $84 per month for the small business I'm testing it on.

Sounds like a lot in my space. But that client has paid A LOT in BEC cleanups.

What's the going rate for this service in the MSP space?
 
> Send to shared mailbox, configure shared mailbox via anti-spam policy to have authorization to forward externally, configure shared mailbox to forward externally.

You would think - but no. Something about not being seen as a "regular" email because it's generated by the backend. We tried:
  • Allowing forwarding in the default outbound anti-spam policy, then creating an Exchange Transport Rule to block forwarding to anyone except our notification address
  • Creating a distribution group with both an internal user and our desired external address as a contact, then setting the group to be the alert recipient
  • Creating a shared mailbox and setting it as the alert recipient, then setting up the forwarding to our notification address
  • Using Power Automate to catch and forward the alerts
Basically the alerts don't follow transport rules, don't follow outbound spam policy, don't appear in message traces (unless you have an internal recipient), don't honor distribution groups (unless they only have internal members), and are silently dropped for external delivery "for security reasons".

Further, you can have them sent to an internal user, and then use an inbox rule to forward them (because once they arrive in the internal user's inbox, the messages ARE "regular" emails), but that is not a scalable or easy-to-maintain system. You have to have an internal mailbox to use for this purpose (you could use one of the normal users and then set the inbox rule to forward the alerts then delete them, I suppose), but that's kludgy to say the least. I also remember that some of the alert types don't email at all no matter what - I'd have to dig up my notes to jog my memory on that.

There was some suggestion to use Azure Monitor & Action Groups, or Microsoft Graph, but that is WAY out of my wheelhouse, so I didn't explore it.

This is why things like Lighthouse & CIPP exist, not to mention 3rd party services like SaaSAlerts.
 
What do you mean by "currently Augmentt"? Some clients are now on Huntress ITDR and some are still on Augmentt?

Is the Axcient SaaS backup essentially a single user 365 backup, similar to Cove's 365 mailbox backup that comes in around $1.65 per mailbox?

If I were to offer something comparable to what you're doing I'd have $1.65 for backup and $2.99 for ITDR in COGS. Is maintaining that score just a management of the tenant, manual review thing? Or is there something else automated you're paying for that's bundled into that price?
 
> What do you mean by "currently Augmentt"? Some clients are now on Huntress ITDR and some are still on Augmentt?

We use both tools...
Huntress ITDR....does alerting for risky activity, and auto remediates
Augmentt...is a tool used to apply "best practices" to a 365 tenant...to increase security settings, quickly and easily.

Now...Huntress did recently add some "best practice security settings" to their suite...after they purchased InsideAgent365. They're calling it "ISPM"..."Identity Security Posture Management".
And...Augmentt does have some alerting.

But..their primary purpose...Huntress...ITDR...and Augmentt...apply security best practices across multiple 365 tenants with a few clicks of the mouse.

We also use Huntress as our endpoint security now...antivirus on the workstations/laptops...Huntress has a suite of products...each one with a cost.
 
We use Guardz as our primary security stack (ITDR, Avanan, SentinelOne -- all under MDR) and that's been working well for us. For clients that for some reason don't want the full stack, I've been using Blackpoint since they switched to month-to-month, no minimums for their Essentials tier (also get endpoint MDR for those not on Guardz).

Petra looks a lot nicer, and I'd love to have more visibility like they have, but Guardz is such a great stack at about $7/user for all of those items bundled together (and a few others that are less relevant) so it's hard for me to want to switch.
 