My Cloud is APT's Cloud - Investigating and Defending Office 365

Explore the increasing threat landscape of Microsoft Office 365 in this 41-minute Black Hat conference talk. Investigate how attackers are targeting cloud services, particularly Office 365, which has become the dominant email platform for enterprises worldwide. Delve into the various components of Office 365, including Exchange, Teams, SharePoint, and OneDrive, and understand why the vast amount of data stored in these services makes them attractive targets for threat actors. Learn about authentication types, the Unified Log, and the attack lifecycle through real-world case studies. Discover effective defense strategies, including conditional access, Azure Active Directory protection, and safeguarding against sophisticated techniques like GoldSAML attacks, mail forwarding rules abuse, and eDiscovery exploitation. Gain valuable insights from security experts Doug Bienstock and Josh Madeley on investigating and defending Office 365 environments against advanced persistent threats.

Intro
Meet Josh
Agenda
Authentication
Authentication Types
Unified Log
Attack Lifecycle
Case Studies
First Case Study
Second Case Study
How can we stop this
Persistence
Conditional Access
Sophistication
Azure Active Directory
GoldSaml
Mail Forwarding Rules
Rights Delegation
Mail Flow Transport Rules
Graph API
EDiscovery Abuse
Closing Thoughts
Questions