home.social

#exchange_online — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #exchange_online, aggregated by home.social.

  1. 🚨 Incident Response
    ===================

    Executive summary: This guide provides a 10-step investigation workflow for Business Email Compromise (BEC) incidents within Office 365 environments. It is designed to help incident response teams identify, collect and analyse mailbox- and tenant-level artifacts relevant to impersonation, forwarding abuse and account takeover.

    Technical details:
    • The guide emphasises review of mailbox audit logs, message trace, mail-flow rules (transport rules) and eDiscovery exports as primary evidence sources.
    • Key artefacts highlighted include unusual SendAs/SendOnBehalf events, newly created inbox rules that forward or delete messages, anomalous OAuth app consent events, and unexpected mailbox folder movements.
    • Tenant-level indicators include changes to mail-flow configuration, additions to send connectors, and modifications to conditional access or MFA settings.

    Analysis and detection guidance:
    • The workflow recommends correlating mailbox audit events with message trace entries and Azure AD sign-in logs to link message delivery anomalies to authentication or session anomalies.
    • Detection focus areas are: new inbox rules that create forwarding to external addresses, SendAs spikes originating from unusual IPs, and simultaneous role/permission changes across accounts.

    Conceptual implementation (no commands):
    • Collect mailbox and tenant audit data for the suspected timeframe, prioritise mailboxes involved in financial workflows, and preserve eDiscovery exports for chain-of-custody.
    • Use correlation across Exchange Online, Azure AD sign-ins and conditional access changes to establish timeline and scope.

    Best practices and limitations:
    • Best practices include capturing comprehensive audit logs early, documenting access and evidence handling, and validating mail-flow rule histories.
    • Limitations include possible log retention gaps depending on tenant configuration and the need for eDiscovery access to export mailbox content.

    Practical use cases:
    • The guide supports investigations of CFO impersonation scams, vendor invoice fraud, and mass forwarding events used to exfiltrate emails.

    References:
    • Contact for incident support: [email protected]

    🔹 BEC #incident_response #office365 #exchange_online #eDiscovery

    🔗 Source: github.com/PwC-IR/Business-Ema
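The detection focus areas this post lists (inbox rules that forward outside the tenant or delete mail, SendAs bursts from unusual IPs, and correlating the two per account) as a small triage script. This is an added example, not code from the post or from the referenced guide; the tenant domains, the known egress prefix, the spike threshold and the sample audit records are all assumptions.

```python
import json
from collections import Counter
# Assumptions (not from the post): tenant domains, known office egress prefix, spike threshold.
INTERNAL_DOMAINS = {"contoso.example"}
KNOWN_EGRESS_PREFIXES = ("203.0.113.",)
SENDAS_THRESHOLD = 2
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records (JSON lines) using Exchange audit field names; all values invented.
SAMPLE_AUDIT_LOG = """
{"Operation":"New-InboxRule","UserId":"cfo@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:payments@mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"Operation":"SendAs","UserId":"cfo@contoso.example","ClientIP":"198.51.100.7"}
{"Operation":"SendAs","UserId":"cfo@contoso.example","ClientIP":"198.51.100.7"}
{"Operation":"SendAs","UserId":"bob@contoso.example","ClientIP":"203.0.113.5"}
{"Operation":"SendAs","UserId":"bob@contoso.example","ClientIP":"203.0.113.5"}
"""

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_external(address):
    # Rule parameters carry recipients as "smtp:user@domain"; compare the domain part only
    domain = address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS

def suspicious_inbox_rules(records):
    """Rule creations/edits that forward outside the tenant or silently delete messages."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = [f"{k}={v}" for k, v in params.items()
                   if k in FORWARDING_PARAMS and is_external(v)]
        if params.get("DeleteMessage") == "True":
            reasons.append("DeleteMessage=True")
        if reasons:
            hits.append((rec["UserId"], rec["ClientIP"], reasons))
    return hits

def sendas_spikes(records):
    """SendAs bursts per (user, IP) where the IP lies outside the known egress range."""
    counts = Counter((r["UserId"], r["ClientIP"]) for r in records if r.get("Operation") == "SendAs")
    return [(u, ip, n) for (u, ip), n in counts.items()
            if n >= SENDAS_THRESHOLD and not ip.startswith(KNOWN_EGRESS_PREFIXES)]

def correlate(records):  # (user, IP) pairs present in both findings: strongest takeover signal
    rules = {(u, ip) for u, ip, _ in suspicious_inbox_rules(records)}
    return sorted(rules & {(u, ip) for u, ip, _ in sendas_spikes(records)})
```

In a real investigation the records would come from a Unified Audit Log export rather than the inline sample, and the egress prefixes and thresholds from the tenant's own baseline.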

  2. Migrating mail from Exchange Online to Yandex 360 for Business

    Hi, Habr! In the next article of the series on managing Yandex 360 for Business, I will explain how to migrate mail from the foreign Microsoft 365 / Exchange Online service to the Russian cloud service Yandex 360 for Business / Yandex Mail. I will give the step-by-step actions an administrator needs to perform for centralised mail migration without collecting user passwords. Then I will share the most frequent questions about the migration service that our customers raise. Separately, I will cover what to do if the tenant owner does not want to, or cannot, grant the Yandex 360 migration service rights to all mailboxes in the tenant, but only to selected ones.

    habr.com/ru/companies/yandex36

    #Миграция #Почта #Exchange_Online #Microsoft_365