YoVDO

BECs and Beyond - Investigating and Defending Office 365

Offered By: 0xdade via YouTube

Tags

ShmooCon Courses, Cybersecurity Courses, Microsoft Office 365 Courses, Cloud Security Courses, Log Analysis Courses

Course Description

Overview

Explore the evolving landscape of cloud security in this 49-minute conference talk focusing on Microsoft Office 365. Analyze two real-world attack case studies targeting Office 365, examining the tactics, techniques, and procedures (TTPs) of financially and information-motivated threat actors. Learn how to optimize Office 365 for investigations, understand available log sources and their limitations, and discover recommendations for enhancing Office 365 security. Gain insights from Douglas Bienstock, a Mandiant professional experienced in Incident Response and Red Team work, as he shares lessons learned from investigations to help organizations stay ahead of cyber threats.

Syllabus

Intro
Roadmap
Introduction
Modern vs Legacy Authentication
Core Logs
Unified Audit Log
Mailbox Audit Log
Admin Audit Logs
Remain undetected
Find the rules!
Change banking information
Attacker logs in
Access other Mailboxes
Azure AD PowerShell
OAuth Abuse
Exchange Online message read auditing
Exchange Online Sessions
What did we learn?


Taught by

0xdade
