BECs and Beyond: Investigating and Defending Office 365

Presented at ShmooCon XV (2019), Jan. 19, 2019, 11 a.m. (60 minutes)

As organizations increase their adoption of cloud services, we see attackers following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world and it is also becoming an increasingly relevant artifact for intrusion investigations. This presentation will discuss two real world attacks that targeted Office 365–one motivated by money and the other by information. Through the case studies we will analyze the TTPs of both threat actors and how they differ, describe how to optimize Office 365 for investigations, provide an overview of the log sources that are available (and their limitations), and provide recommendations for enhancing the security of Office 365.

Presenters:

• Douglas Bienstock
  Doug Bienstock (@doughsec) splits his time at Mandiant performing Incident Response and Red Team work. He uses lessons learned from IRs to better simulate attacker techniques and aid organizations stay ahead of the bad guys.

Links:

• https://infocon.org/cons/ShmooCon/ShmooCon 2019/BECs and Beyond.mp4

Similar Presentations:

• DerbyCon 9.0 Finish Line (2019) / Attacking with Automation: How Office 365 automation provides another new risk to the cloud
• Black Hat USA 2021 / Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild
• Black Hat USA 2020 Virtual / My Cloud is APT's Cloud: Investigating and Defending Office 365