Microsoft 365: A Tale of Online Security – Chapter 2

March 29, 2023

Chapter 2: Inside the Tenant

Jake and Lily quickly changed their passwords and alerted Mr. Johnson about the phishing email. They knew they had to act fast to prevent further damage to the Office 365 Tenant.

Grateful for their help, Mr. Johnson permitted them to investigate the Tenant and check for any compromises. Jake and Lily logged in and explored the different applications and services available.


As they dug deeper, they realized that the hackers had access to sensitive information. They had read Mr. Johnson’s emails, accessed his calendar, and even viewed some confidential documents. Jake and Lily felt a sense of dread wash over them. They had been careless with their passwords and allowed the hackers to access this valuable data.

“We have to stop them,” Lily said. “But how do we do it?”

Jake thought for a moment. “We need to find out what they’re doing inside the Tenant. We can use the audit logs to see their activity.” Lily nodded. “Good idea. Let’s see if we can find any suspicious logins or data exports.”

// Example Microsoft Sentinel Query
// Mailbox exports and failed sign-ins for the compromised user during March
OfficeActivity
| where Operation in ("Export", "UserLoggedInFailed")
| where UserId == "johnson@codequest.com"
| where TimeGenerated > datetime(2023-03-01) and
TimeGenerated < datetime(2023-03-28)

They started to search through the logs, looking for any signs of unauthorized access. It was slow and tedious work, but they were determined to find the hackers.

After a while, Jake spotted something unusual. “Look at this,” he said, pointing to a log entry. “Someone accessed Mr. Johnson’s email account from a different IP address than usual. And they exported some of his emails to a file.”

// Example Microsoft Sentinel Query
// Successful sign-ins (ResultType 0) from the unfamiliar IP address
SigninLogs
| where UserPrincipalName == "johnson@codequest.com"
| where IPAddress == "109.87.255.10"
| where ResultType == 0
| where TimeGenerated > datetime(2023-03-28 00:00:00) and
TimeGenerated < datetime(2023-03-28 00:05:00)
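As an added example, not code from the original post, here is the hunt Jake and Lily run by hand, written in Python over constructed sample records shaped like the SigninLogs and OfficeActivity fields the chapter's queries filter on: it baselines the user's usual sign-in addresses, flags a successful sign-in from an unknown address, correlates a mailbox Export that follows it within a short window, and flags any later failed sign-in from the same address. The baseline IP 203.0.113.7, the 30-minute window and the 50126 result code are assumptions made for the sample.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_LOG = """\
{"TimeGenerated": "2023-03-27T09:00:00", "Table": "SigninLogs", "UserId": "johnson@codequest.com", "IPAddress": "203.0.113.7", "ResultType": 0}
{"TimeGenerated": "2023-03-28T00:01:10", "Table": "SigninLogs", "UserId": "johnson@codequest.com", "IPAddress": "109.87.255.10", "ResultType": 0}
{"TimeGenerated": "2023-03-28T00:03:45", "Table": "OfficeActivity", "UserId": "johnson@codequest.com", "IPAddress": "109.87.255.10", "Operation": "MailItemsAccessed"}
{"TimeGenerated": "2023-03-28T00:04:20", "Table": "OfficeActivity", "UserId": "johnson@codequest.com", "IPAddress": "109.87.255.10", "Operation": "Export"}
{"TimeGenerated": "2023-03-28T10:00:00", "Table": "SigninLogs", "UserId": "johnson@codequest.com", "IPAddress": "109.87.255.10", "ResultType": 50126}
"""

# Assumed baseline: the addresses each user normally signs in from.
KNOWN_IPS = {"johnson@codequest.com": {"203.0.113.7"}}
EXFIL_OPS = {"Export"}  # operations that move mailbox content out of the tenant


def hunt(log_text, known_ips, window=timedelta(minutes=30)):
    """Return alerts for new-IP sign-ins, exports that follow them, and later failed sign-ins."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["TimeGenerated"])  # ISO timestamps sort lexically
    suspicious = {}  # (user, ip) -> time of first successful sign-in from an unknown IP
    alerts = []
    for e in events:
        when = datetime.fromisoformat(e["TimeGenerated"])
        key = (e["UserId"], e["IPAddress"])
        if e["Table"] == "SigninLogs":
            if e["ResultType"] == 0:
                if e["IPAddress"] not in known_ips.get(e["UserId"], set()):
                    suspicious.setdefault(key, when)
                    alerts.append({"kind": "signin_from_new_ip", "ip": e["IPAddress"], "at": when})
            elif key in suspicious:
                # Non-zero ResultType is a failed sign-in; from a flagged IP it is worth an alert.
                alerts.append({"kind": "failed_signin_from_flagged_ip", "ip": e["IPAddress"], "at": when})
        elif e["Table"] == "OfficeActivity" and e["Operation"] in EXFIL_OPS:
            first = suspicious.get(key)
            if first is not None and when - first <= window:
                alerts.append({"kind": "export_after_new_ip_signin", "ip": e["IPAddress"], "at": when})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG, KNOWN_IPS):
        print(alert["at"].isoformat(), alert["kind"], alert["ip"])
```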

Lily’s eyes widened. “That must be the hackers! They’re stealing Mr. Johnson’s emails!”

Jake nodded. “We have to stop them. But how do we do it without tipping them off?”

Lily had an idea. “Let’s create a fake email and send it to the hackers, pretending to be Mr. Johnson. We’ll say that we’ve changed our password, and they must log in again. Then, we can catch them in the act.”

Jake smiled. “That’s brilliant! Let’s do it.”

Together, they crafted the fake email and sent it to the hackers. They waited nervously, hoping that their plan would work.

# Example PowerShell (Microsoft Graph PowerShell SDK: Connect-MgGraph and Send-MgUserMail)
Connect-MgGraph -Scopes "Mail.Send"

$email = @{
    Message = @{
        Subject      = "Important Message"
        Body         = @{
            ContentType = "Text"
            Content     = @(
                "This is a fake email from Mr. Johnson.",
                "We have changed our password and you need to log in again.",
                "Thank you."
            ) -join "`n"
        }
        ToRecipients = @(
            @{ EmailAddress = @{ Address = "johnson@codequest.com" } }
        )
    }
    SaveToSentItems = $false
}

Send-MgUserMail -UserId "johnson@codequest.com" -BodyParameter $email

After a few minutes, they saw a login attempt from the hackers’ IP address. Jake and Lily watched as the hackers tried to enter their credentials, but they had changed the password.

// Example Microsoft Sentinel Query
// Failed sign-ins (non-zero ResultType) from the hackers' IP after the password change
SigninLogs
| where UserPrincipalName == "johnson@codequest.com"
| where IPAddress == "109.87.255.10"
| where ResultType != 0
| where TimeGenerated > datetime(2023-03-28 00:00:00) and
TimeGenerated < datetime(2023-03-28 00:05:00)

“We got them!” Jake said, pumping his fist in the air.

Lily grinned. “Now, let’s call in the forensic expert. We need to figure out who these hackers are and how they got into Mr. Johnson’s Tenant.”

Jake nodded. “Good idea. Let’s bring in Max.”


Liam Cleary


Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.