Your Microsoft 365 tenant might already be compromised—and your MFA is effectively useless because of one misconfiguration you’ve probably left on.

In this episode, the Office of Corrective Doctrine walks you through five brutal real-world attack paths inside Microsoft 365 and Entra ID: Teams phishing posing as IT support, device code vishing that launders MFA-resistant tokens, malicious OAuth consent that turns “productivity apps” into silent data siphons, SharePoint “anyone with the link” exfiltration, and adversary-in-the-middle token theft that replays your sessions at scale.

You’ll hear precise failure analysis and opinionated fixes: how to shut down broad user consent, lock down Teams external federation, constrain SharePoint and OneDrive sharing, enforce phishing-resistant authentication, bind tokens to devices, and turn Conditional Access, Defender for Cloud Apps, Safe Links, and App Governance into a coherent Microsoft 365 security strategy.

If you own identity, collaboration, or cloud security, this episode is your red-line briefing: fix these policies now, or keep running on borrowed time.

Social engineering attacks have surged dramatically in recent years, particularly targeting Microsoft 365 users. In fact, phishing complaints to the FBI increased from 115,000 in 2019 to 300,000 in 2023, marking a staggering 216% rise. This alarming trend highlights where M365 security fails. Attackers now employ sophisticated methods, including AI-driven techniques, which achieve click-through rates of 54%, far surpassing traditional tactics. As you navigate this complex landscape, understanding these threats becomes essential for effective cybersecurity.

Key Takeaways

  • Social engineering attacks are on the rise, especially targeting Microsoft 365 users. Stay informed about these threats.
  • Train employees to recognize phishing emails and suspicious requests. Education is your best defense.
  • Use multi-factor authentication (MFA) to add an extra layer of security to your accounts.
  • Monitor email activity for unusual behavior. Early detection can prevent serious breaches.
  • Implement Data Loss Prevention (DLP) policies to protect sensitive information from unauthorized sharing.
  • Regularly update your security settings and anti-phishing policies to adapt to new threats.
  • Encourage a culture of security awareness within your organization. Everyone plays a role in protecting data.
  • Utilize Microsoft Defender and other security tools to enhance your protection against malware and phishing.

Phishing Tactics

Evasion of M365 Email Security

Phishing attackers constantly adapt their methods to slip past Microsoft 365’s defenses. They use advanced phishing techniques that exploit security gaps in M365 email security. One common tactic involves brand impersonation. Attackers create emails that look like they come from trusted companies, often copying logos and layouts. These emails trick you into clicking malicious links or entering your credentials on fake login pages.

Another method attackers use is obfuscation. They distort URLs in emails to make them unrecognizable to Microsoft 365’s filters. This tactic helps phishing emails bypass detection and reach your inbox. Attackers also embed Microsoft logos inside HTML tables, which many security programs do not analyze thoroughly. This allows phishing emails to appear legitimate while evading security scans.

Attackers exploit Microsoft 365’s Direct Send feature to send phishing emails that seem to come from inside your organization. This undermines internal trust and increases the chance you will fall for social engineering tricks. They also use calendar invites to blend phishing attempts into your daily workflow, making it harder to spot threats. Combined with MFA fatigue attacks—where you receive repeated authentication requests until you approve one by mistake—these tactics increase the risk of credential harvesting.

Techniques Used by Attackers

  • Brand impersonation to mimic trusted companies and trick users
  • URL obfuscation to hide malicious links from security filters
  • Embedding logos in HTML tables to avoid detection
  • Exploiting Direct Send to appear as internal emails
  • Using calendar invites to disguise phishing attempts
  • Launching MFA fatigue attacks to bypass multi-factor authentication

These advanced phishing techniques highlight the evolving nature of email threats. Microsoft 365 Defender offers strong protection but cannot catch every phishing email. Some phishing messages still bypass filters, exposing you to risks.

Real-World Examples

Recent data shows over 340 organizations using Microsoft 365 fell victim to device code phishing attacks. These attacks trick users into approving malicious sign-ins, bypassing traditional security measures. Around tax season, attackers increase phishing campaigns using urgent tax-related themes. They personalize emails to make them more convincing, increasing click rates.

Phishing emails often arrive disguised as IT support messages or internal communications. Attackers rely on your trust in familiar senders and formats. This social engineering approach exploits human behavior, making it easier to steal credentials or deliver malware.

Consequences of Phishing Attacks

Phishing attacks can cause severe damage to your organization. Attackers steal usernames and passwords, gaining access to email accounts, cloud apps, and banking portals. They may deploy ransomware, encrypting your network and demanding large payments to restore access. Before encryption, attackers often exfiltrate sensitive data like customer records and intellectual property, creating legal and regulatory problems.

Consequence and description:

  • Credential theft: Stolen usernames and passwords used to access critical accounts
  • Ransomware deployment: Networks encrypted with costly ransom demands
  • Data exfiltration: Sensitive data stolen before encryption, causing compliance issues
  • MFA bypass: Attackers trick users into approving authentication or add attacker-controlled phone numbers
  • Lateral movement and privilege escalation: Attackers move through your network, compromising more systems before detection

Phishing relies heavily on manipulating human behavior. Around 90% of cyberattacks involve social engineering. Just one wrong click or approval can breach your entire security perimeter. Phishing remains a leading cause of data breaches in Microsoft 365 environments, accounting for nearly 20% of incidents. The financial impact is staggering, with average breach costs reaching $4.88 million.

To reduce risks, you should combine technical controls with user education. Train employees to recognize phishing attempts and verify unexpected requests. Use data loss prevention tools and email encryption to protect sensitive information. Monitor network activity for suspicious behavior and enforce strict access controls.

Remember, phishing attacks exploit both technology and human trust. Strengthening your defenses requires vigilance on both fronts.

Malware Detection Delays

Limitations of Built-In Protections

Microsoft 365 offers built-in protections against malware, but these features have notable limitations. For instance, files uploaded to SharePoint or OneDrive do not undergo immediate scanning. Instead, scanning occurs asynchronously, which means you might download infected files without realizing it. When this happens, Microsoft 365 only provides a warning after the fact, leaving you vulnerable.

Moreover, the platform relies on a limited number of anti-malware engines. This reliance increases your exposure to zero-day attacks, which exploit previously unknown vulnerabilities. New strains of malware can take an average of 49 days to be identified. This delay creates a significant opportunity for attackers to exploit weaknesses in your security.

How Malware is Delivered

Malware often infiltrates your systems through various channels. Attackers may use phishing emails, malicious attachments, or compromised links to deliver malware. Once you click on a link or download an infected file, the malware can execute its payload. This can lead to data breaches, ransomware attacks, or unauthorized access to sensitive information.

Impact on Organizations

The impact of malware on organizations can be devastating. You may face financial losses, reputational damage, and legal consequences. Malware can disrupt operations, leading to downtime and lost productivity. Additionally, the costs associated with recovery and remediation can be substantial.

Importance of Threat Intelligence

To enhance malware detection rates within Microsoft 365, threat intelligence plays a crucial role. It provides critical context to unusual activities, allowing your security teams to respond swiftly. By identifying indicators of compromise (IOCs) such as URLs, file hashes, and IP addresses linked to malicious activities, threat intelligence helps you stay ahead of potential threats.

Integrating tactical threat intelligence into your security products enables you to detect and protect against threats at scale. Understanding threat actors' techniques, tactics, and procedures (TTPs) through structured threat intelligence improves your detection capabilities. This knowledge supports more effective threat hunting and response, ultimately strengthening your overall security posture.

Remember, staying informed about emerging threats and leveraging threat intelligence can significantly reduce your organization's risk of malware attacks.

Zero-Day Threats

Understanding Zero-Day Exploits

Zero-day vulnerabilities pose a significant risk to your Microsoft 365 environment. These vulnerabilities are flaws in software that attackers exploit before developers release a fix. Once a zero-day vulnerability becomes public, attackers can quickly take advantage of it. This rapid exploitation emphasizes the importance of timely patch deployment.

How They Are Exploited

Attackers often use various methods to exploit zero-day vulnerabilities. They may deploy malware through phishing emails or compromised websites. Once you click on a malicious link or download an infected file, the malware can execute its payload. This can lead to unauthorized access to sensitive data or even complete system compromise.

Recent statistics reveal that during Microsoft's February 2026 Patch Tuesday, the company addressed 54 vulnerabilities, including 6 that were actively exploited. This indicates a significant frequency of exploitation in Microsoft 365 environments. The presence of these zero-day vulnerabilities affects core Windows components and Office tools, highlighting the risk across enterprise environments.

Case Studies

Several high-profile incidents illustrate the dangers of zero-day exploits. For example, a major attack targeted Microsoft Exchange servers, exploiting a zero-day vulnerability to gain unauthorized access to thousands of organizations. Attackers used this access to deploy ransomware, causing widespread disruption and financial loss. Such incidents underscore the critical need for robust security measures.

Mitigation Strategies

To protect against zero-day threats, you should implement several effective strategies:

  • Educate employees about identifying phishing emails and avoiding suspicious links or attachments.
  • Implement email security measures such as spam filtering, anti-phishing, and malware protection software.
  • Use web filtering to block access to known malicious websites.
  • Conduct regular phishing simulations to train employees effectively to respond to cybersecurity threats.
  • Disable macros in documents by default and enable them only on a case-by-case basis.
  • Implement file blocking to prevent the execution of files containing malicious macros.
  • Use malware protection software to detect and remove malicious macros.
  • Implement data loss prevention (DLP) solutions to monitor and block unauthorized data transfers.
  • Use firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious network traffic.
  • Implement Microsoft email encryption services to protect sensitive data from unauthorized access.

By adopting these strategies, you can significantly reduce the risk of falling victim to zero-day exploits in your Microsoft 365 environment.

Email Security Weaknesses

Risks of Common File Types

File Types Frequently Used in Attacks

Certain file types pose significant risks in email communications. Attackers often exploit these files to deliver malware or execute phishing schemes. Common file types used in attacks include:

  • Executable files (.exe): These files can run malicious code when opened.
  • Office documents (.docx, .xlsx): Attackers embed macros in these files to execute harmful scripts.
  • Compressed files (.zip, .rar): These files can contain multiple malicious files, making detection harder.

Understanding these risks helps you recognize potential threats in your inbox.

User Behavior and Security Awareness

User behavior plays a crucial role in email security weaknesses. Research shows that many breaches stem from long-standing misconfigurations rather than new attack methods. For instance, failing to set up SPF, DKIM, and DMARC email authentication protocols leaves organizations vulnerable to spoofing. Additionally, many users bypass security controls, increasing the risk of successful attacks.

Educating employees on recognizing phishing attempts is vital. Training them to report suspicious emails can significantly reduce breaches caused by user actions. You should encourage a culture of security awareness within your organization.

Best Practices for Email Handling

To mitigate email security weaknesses, you should adopt several best practices:

  1. Enable Multi-Factor Authentication (MFA): This adds an extra layer of security by requiring additional authentication factors.
  2. Regularly update anti-phishing policies: Ensure your policies are not left at default settings. Customize them to fit your organization's needs.
  3. Monitor email activity: Detection and alerting on suspicious email activity helps identify threats like business email compromise and phishing.
  4. Conduct regular training sessions: Educate employees about the latest phishing tactics and how to respond effectively.
  5. Utilize Microsoft Defender: This tool removes an average of 70.8% of malicious emails post-delivery, significantly reducing dwell time for threats.

By implementing these practices, you can strengthen your defenses against email security weaknesses in Microsoft 365.

Remember, a proactive approach to email security can significantly reduce your organization's risk of falling victim to cyber threats.

Data Leakage Risks

Understanding Data Leakage

Data leakage refers to the unauthorized transmission of sensitive information outside your organization. This can happen in various ways, often due to human error or inadequate security measures. Understanding the common causes of data leakage is crucial for protecting your organization.

Common Causes

Several factors contribute to data leakage in Microsoft 365 environments:

  • Unintentional sharing: Employees may accidentally share sensitive information with unintended recipients.
  • Insecure storage: Sensitive data might be stored in personal OneDrive accounts, increasing the risk of unauthorized access.
  • Improper security classifications: Newly created content may not inherit security classifications from the source material, leading to potential exposure.
  • Lack of data loss prevention policies: Without these policies, sensitive information can easily be exposed through Microsoft 365 services.

These issues highlight the importance of vigilance and proper training to prevent data leakage.

Regulatory Implications

Organizations using Microsoft 365 must comply with various regulations to avoid penalties. Implementing Data Loss Prevention (DLP) policies is essential for detecting and preventing sensitive data leakage. These policies help maintain compliance with regulations such as GDPR and HIPAA. They classify and monitor data, automate data classification, detect suspicious activities, and control data access and usage. Effective DLP reduces financial and reputational risks associated with data leakage and supports regulatory compliance requirements.

Strategies to Prevent Data Leakage

To safeguard sensitive information, consider the following strategies:

  • Implement DLP policies: These policies help protect sensitive information and prevent unauthorized sharing.
  • Monitor and refine DLP policies: Continuously adapt your policies to meet changing organizational needs.
  • Customize sensitive information types: Tailor these types to enhance data protection accuracy.
  • Utilize advanced DLP rules: Leverage machine learning for better detection of unusual data usage patterns.
  • Integrate DLP with other Microsoft services: This creates a comprehensive data protection strategy.

Additionally, set up dedicated DLP policies to detect and protect sensitive information in emails and attachments. Implement notifications to alert users when they attempt to breach DLP policies. By taking these steps, you can mitigate the risk of costly data breaches and ensure compliance with regulatory requirements.

Remember, preventing data leakage requires a proactive approach. Regular training and awareness programs can empower your employees to recognize and report potential threats.

Bar chart showing prevalence of compliance risks in Microsoft 365 environments


You must stay alert to protect your Microsoft 365 environment from social engineering attacks. Educating users to spot these threats remains your strongest defense. Continuous monitoring helps catch suspicious activities early. Below is a summary of key takeaways to guide your efforts:

Key takeaway and description:

  • User Education: Train users to identify social engineering attacks.
  • Enhanced Security Features: Improve Microsoft 365 security to fight evolving threats.
  • Monitoring Suspicious Activities: Watch for unusual behavior to detect attacks early.

To strengthen your security, enable Advanced Threat Protection, enforce multi-factor authentication, and apply conditional access policies. These steps help reduce risks while keeping your organization productive. Remember, attackers now target collaboration tools like Teams because users trust them. Stay informed and proactive to keep your data safe.

Tip: Regular training and strong policies create a safer Microsoft 365 environment for everyone.

FAQ

What is social engineering in the context of M365 security?

Social engineering involves manipulating individuals to gain confidential information. Attackers exploit human behavior to bypass technical security measures, targeting users of Microsoft 365.

How can I recognize phishing emails?

Look for suspicious sender addresses, unexpected attachments, or urgent requests for personal information. Always verify the source before clicking links or downloading files.

What steps can I take to enhance my email security?

Enable multi-factor authentication (MFA), regularly update anti-phishing policies, and conduct employee training on recognizing phishing attempts. These measures strengthen your defenses.

Why is user education important in preventing attacks?

Educated users can identify and report suspicious activities. Training helps create a security-aware culture, reducing the likelihood of successful social engineering attacks.

What are zero-day vulnerabilities?

Zero-day vulnerabilities are flaws in software that attackers exploit before developers release fixes. These vulnerabilities pose significant risks to your Microsoft 365 environment.

How does malware typically enter Microsoft 365 environments?

Malware often enters through phishing emails, malicious attachments, or compromised links. Clicking on these can execute harmful payloads, leading to data breaches or unauthorized access.

What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) refers to strategies and tools that prevent sensitive information from being shared outside your organization. DLP policies help maintain compliance and protect data.

How can I monitor for suspicious activities in M365?

Utilize Microsoft 365's built-in monitoring tools to track user activities. Set alerts for unusual behavior, such as multiple failed login attempts or access from unfamiliar locations.
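As an added example (not code from the episode or from m365.fm), here is the detection logic this answer describes, together with the episode's "message, therefore prompt, therefore elevation" chain, run over constructed sign-in and Teams events: a failed-login burst, a successful sign-in from a country outside the user's baseline, and an MFA prompt burst within five minutes of an inbound Teams DM from a tenant not on the known list. Every tenant id, user, country and threshold below is a constructed assumption.

```python
"""Three M365-style detections over constructed audit events (no real tenant data).

Modelled loosely on Entra sign-in logs and Teams audit records:
  1. failed_login_bursts          - many failed sign-ins for one user in a short window
  2. unfamiliar_location_signins  - a successful sign-in from a country the user has
                                    never signed in from (per-user baseline)
  3. teams_dm_then_mfa_burst      - inbound Teams DM from a tenant not on the known
                                    list, followed by a burst of MFA prompts for the
                                    same user within five minutes
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAY = "2025-03-03T"  # constructed date shared by all sample events


def ev(clock, kind, user, **fields):
    """Build one constructed event with a datetime timestamp."""
    return {"ts": datetime.fromisoformat(DAY + clock), "type": kind, "user": user, **fields}


# Constructed baselines: one approved partner tenant and per-user sign-in countries.
KNOWN_TENANTS = {"11111111-aaaa-4bbb-8ccc-111111111111"}
BASELINE_COUNTRIES = {
    "analyst@contoso.example": {"GB"},
    "dev@contoso.example": {"GB", "DE"},
}

# Constructed sample events, deliberately out of order to show that sorting is needed.
EVENTS = [
    # Unknown tenant DMs the analyst; three MFA prompts follow within five minutes.
    ev("08:12:00", "TeamsDM", "analyst@contoso.example",
       from_tenant="99999999-0000-4000-8000-999999999999"),
    ev("08:13:10", "MfaPrompt", "analyst@contoso.example", result="denied"),
    ev("08:14:05", "MfaPrompt", "analyst@contoso.example", result="denied"),
    ev("08:13:40", "MfaPrompt", "analyst@contoso.example", result="denied"),
    # Approved partner DMs the developer; a single prompt later is business as usual.
    ev("09:00:00", "TeamsDM", "dev@contoso.example",
       from_tenant="11111111-aaaa-4bbb-8ccc-111111111111"),
    ev("09:02:00", "MfaPrompt", "dev@contoso.example", result="approved"),
    # Six failed sign-ins against the developer from an unfamiliar country, then a success.
    *[ev(f"10:0{i}:00", "SignIn", "dev@contoso.example", result="failure", country="NG")
      for i in range(5)],
    ev("10:04:30", "SignIn", "dev@contoso.example", result="failure", country="NG"),
    ev("10:05:00", "SignIn", "dev@contoso.example", result="success", country="NG"),
    # Normal sign-in for the analyst from a baseline country.
    ev("10:30:00", "SignIn", "analyst@contoso.example", result="success", country="GB"),
]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold failed sign-ins inside any sliding time window."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "SignIn" and e["result"] == "failure":
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            alerts.append({"user": user, "window_start": best_start, "failures": best})
    return alerts


def unfamiliar_location_signins(events, baseline):
    """Successful sign-ins from a country absent from the user's baseline set."""
    return [e for e in events
            if e["type"] == "SignIn" and e["result"] == "success"
            and e["country"] not in baseline.get(e["user"], set())]


def teams_dm_then_mfa_burst(events, known_tenants,
                            window=timedelta(minutes=5), min_prompts=3):
    """Inbound DM from an unknown tenant followed by an MFA prompt burst for that user."""
    alerts = []
    for dm in events:
        if dm["type"] != "TeamsDM" or dm["from_tenant"] in known_tenants:
            continue
        prompts = [p for p in events
                   if p["type"] == "MfaPrompt" and p["user"] == dm["user"]
                   and dm["ts"] <= p["ts"] <= dm["ts"] + window]
        if len(prompts) >= min_prompts:
            alerts.append({"user": dm["user"], "dm_at": dm["ts"],
                           "from_tenant": dm["from_tenant"], "prompts": len(prompts)})
    return alerts


def run_detections(events=EVENTS):
    """Sort by time and run all three detections; returns a dict of alert lists."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return {
        "failed_login_bursts": failed_login_bursts(ordered),
        "unfamiliar_locations": unfamiliar_location_signins(ordered, BASELINE_COUNTRIES),
        "teams_dm_then_mfa": teams_dm_then_mfa_burst(ordered, KNOWN_TENANTS),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

In a real tenant the same three rules would be expressed as KQL over SigninLogs and the Teams audit table; the thresholds here are starting points to tune against your own baseline.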

🚀 Want to be part of m365.fm?

Then stop just listening… and start showing up.

👉 Connect with me on LinkedIn and let’s make something happen:

  • 🎙️ Be a podcast guest and share your story
  • 🎧 Host your own episode (yes, seriously)
  • 💡 Pitch topics the community actually wants to hear
  • 🌍 Build your personal brand in the Microsoft 365 space

This isn’t just a podcast — it’s a platform for people who take action.

🔥 Most people wait. The best ones don’t.

👉 Connect with me on LinkedIn and send me a message:
"I want in"

Let’s build something awesome 👊

1
00:00:00,000 --> 00:00:03,840
Attention, valued knowledge workers.

2
00:00:03,840 --> 00:00:06,320
By order of the Productivity Council,

3
00:00:06,320 --> 00:00:10,720
your Microsoft 365 defenses are failing precisely

4
00:00:10,720 --> 00:00:14,280
where humans decide and policies equivocate.

5
00:00:14,280 --> 00:00:18,080
Most believe MFA, EDR, and Secure Score suffice.

6
00:00:18,080 --> 00:00:19,400
They do not.

7
00:00:19,400 --> 00:00:23,720
They do not arrest consent abuse, device code fraud,

8
00:00:23,720 --> 00:00:27,520
or Teams pretexting conducted under your own brand.

9
00:00:27,520 --> 00:00:29,720
Here is what actually happens.

10
00:00:29,720 --> 00:00:32,360
Attackers operate inside official channels

11
00:00:32,360 --> 00:00:35,240
and harvest trust at line speed.

12
00:00:35,240 --> 00:00:38,240
The council will present five incident case files

13
00:00:38,240 --> 00:00:40,960
and the exact corrective doctrine.

14
00:00:40,960 --> 00:00:45,120
Policies, detections, user protocols, and tooling.

15
00:00:45,120 --> 00:00:49,440
One misconfiguration currently nullifies your MFA.

16
00:00:49,440 --> 00:00:50,400
Remember it.

17
00:00:50,400 --> 00:00:52,680
Its name will be issued shortly.

18
00:00:52,680 --> 00:00:56,120
Case file 1, Teams Phishing, Authority Theater

19
00:00:56,120 --> 00:00:57,640
inside the perimeter.

20
00:00:57,640 --> 00:01:01,200
This is an official account of Authority Theater.

21
00:01:01,200 --> 00:01:04,840
The adversary enters through Teams External Federation.

22
00:01:04,840 --> 00:01:08,120
A profile named IT Support Priority

23
00:01:08,120 --> 00:01:11,280
appears with a Microsoft colored avatar.

24
00:01:11,280 --> 00:01:14,000
The message declares an authentication irregularity

25
00:01:14,000 --> 00:01:15,960
and promises rapid resolution.

26
00:01:15,960 --> 00:01:17,520
A number prompt follows.

27
00:01:17,520 --> 00:01:20,840
Approval fatigue is engaged, moments later,

28
00:01:20,840 --> 00:01:23,200
an attacker in the middle relay kit

29
00:01:23,200 --> 00:01:25,760
captures the session token.

30
00:01:25,760 --> 00:01:29,480
The mailbox changes, the SharePoint site syncs,

31
00:01:29,480 --> 00:01:33,360
compliance evaporates.

32
00:01:33,360 --> 00:01:36,400
Failure analysis is direct.

33
00:01:36,400 --> 00:01:41,000
External access defaults remain permissive.

34
00:01:41,000 --> 00:01:44,440
Tenants allow any federated domain to message any user.

35
00:01:44,440 --> 00:01:47,280
Message visibility, governance is weak.

36
00:01:47,280 --> 00:01:49,840
Unsolicited DMs are not rate limited

37
00:01:49,840 --> 00:01:51,920
or quarantined for review.

38
00:01:51,920 --> 00:01:54,720
User risk policies exist, but are not aligned

39
00:01:54,720 --> 00:01:58,560
to block risky sessions from chat-initiated elevations.

40
00:01:58,560 --> 00:02:00,760
Citizens, this is not adversary genius.

41
00:02:00,760 --> 00:02:02,720
This is policy ambiguity.

42
00:02:02,720 --> 00:02:04,840
Now the corrective doctrine.

43
00:02:04,840 --> 00:02:07,720
External Federation must be disabled or narrowed

44
00:02:07,720 --> 00:02:09,400
to an allow list.

45
00:02:09,400 --> 00:02:13,680
Use scoped external access with explicit domains only.

46
00:02:13,680 --> 00:02:17,520
In Teams Admin Center, configure external access,

47
00:02:17,520 --> 00:02:21,160
deny by default, allow approved partners.

48
00:02:21,160 --> 00:02:25,680
For collaboration needs, use shared channels with verified tenants,

49
00:02:25,680 --> 00:02:27,960
not open DMs.

50
00:02:27,960 --> 00:02:31,760
Apply Safe Links in Teams and enable URL detonation.

51
00:02:31,760 --> 00:02:34,760
This removes the convenience of blind trust

52
00:02:34,760 --> 00:02:37,920
and replaces it with controlled exchange.

53
00:02:37,920 --> 00:02:42,880
Conditional access must assume that Teams is an elevation vector.

54
00:02:42,880 --> 00:02:45,080
Require compliant device and phishing

55
00:02:45,080 --> 00:02:47,080
resistant authentication strengths

56
00:02:47,080 --> 00:02:50,200
for any Teams initiated step-up, including access

57
00:02:50,200 --> 00:02:53,000
to admin portals, Exchange and SharePoint

58
00:02:53,000 --> 00:02:54,920
with download permissions.

59
00:02:54,920 --> 00:02:58,760
Implement session controls for risky sign-ins.

60
00:02:58,760 --> 00:03:02,040
If sign-in risk is medium or greater,

61
00:03:02,040 --> 00:03:06,200
restrict to web only, restrict download,

62
00:03:06,200 --> 00:03:10,160
and require reauthentication for sensitive operations,

63
00:03:10,160 --> 00:03:12,200
sign-in frequency should be shortened

64
00:03:12,200 --> 00:03:15,640
for elevated roles to minimize durable exposure.

65
00:03:15,640 --> 00:03:19,400
Detection changes the tempo, deploy anomaly rules

66
00:03:19,400 --> 00:03:23,240
focused on graph and Teams admin APIs.

67
00:03:23,240 --> 00:03:27,560
Citizens will monitor for unusual spikes in new tenant chats

68
00:03:27,560 --> 00:03:31,560
or new external contacts added within a short interval.

69
00:03:31,560 --> 00:03:35,720
Correlate unusual MFA prompt bursts occurring

70
00:03:35,720 --> 00:03:38,280
within five minutes of inbound Teams,

71
00:03:38,280 --> 00:03:41,080
DMs from previously unseen tenants.

72
00:03:41,080 --> 00:03:45,560
Flag device context shifts, where a chat originates

73
00:03:45,560 --> 00:03:50,200
from a consumer IP, while the target signs in

74
00:03:50,200 --> 00:03:52,520
from a corporate IP and then elevates.

75
00:03:52,520 --> 00:03:55,400
The but-therefore pattern must be formalized.

76
00:03:55,400 --> 00:03:58,280
A message appears, therefore a prompt occurs,

77
00:03:58,280 --> 00:04:00,200
therefore elevation is attempted.

78
00:04:00,200 --> 00:04:01,880
That chain is the alarm.

79
00:04:01,880 --> 00:04:04,120
Training is mandatory and procedural.

80
00:04:04,120 --> 00:04:07,320
Establish a verification phrase protocol.

81
00:04:07,320 --> 00:04:10,600
Every IT outreach must include a rotating phrase

82
00:04:10,600 --> 00:04:13,720
verifiable on an authoritative intranet banner.

83
00:04:13,720 --> 00:04:15,560
No phrase, no action.

84
00:04:15,560 --> 00:04:19,480
Introduce a code over voice prohibition.

85
00:04:19,480 --> 00:04:22,760
No employee is authorized to read numbers,

86
00:04:22,760 --> 00:04:27,400
codes or device codes into chat, voice or voice mail.

87
00:04:27,400 --> 00:04:31,400
Mandate escalation via a known channel only.

88
00:04:31,400 --> 00:04:33,720
The service desk number on the badge,

89
00:04:33,720 --> 00:04:36,200
not the number in the message.

90
00:04:36,200 --> 00:04:41,560
The pause rule applies, stop, verify, proceed or report.

91
00:04:41,560 --> 00:04:45,480
A micro story is now entered for instructional value.

92
00:04:45,480 --> 00:04:51,240
A finance analyst received a Teams DM at 0812 labeled Payroll Lock.

93
00:04:51,240 --> 00:04:54,440
The adversary requested approval of an MFA prompt

94
00:04:54,440 --> 00:04:56,840
to unlock the payroll run.

95
00:04:56,840 --> 00:05:00,440
The analyst declined, invoked the mandatory pause,

96
00:05:00,440 --> 00:05:04,440
called the posted service desk number and reported the event.

97
00:05:04,440 --> 00:05:08,120
Security correlated the DM with a burst of device

98
00:05:08,120 --> 00:05:12,600
auth endpoint hits and blocked access through conditional access.

99
00:05:12,600 --> 00:05:13,880
A breach was averted.

100
00:05:13,880 --> 00:05:17,480
This is the power of a rule that removes improvisation.

101
00:05:17,480 --> 00:05:19,960
Tooling must operationalize the doctrine.

102
00:05:19,960 --> 00:05:23,400
Enable defender for office safe links in Teams.

103
00:05:23,400 --> 00:05:25,960
In Defender for Cloud Apps, create policies

104
00:05:25,960 --> 00:05:28,600
to detect mass external messaging.

105
00:05:28,600 --> 00:05:32,120
Suspicious OAuth consent attempts seated from Teams

106
00:05:32,120 --> 00:05:34,280
and risky session downloads.

107
00:05:34,280 --> 00:05:38,840
Feed Microsoft 365 audit logs into your SIEM.

108
00:05:38,840 --> 00:05:44,200
Build UBA baselines for chat frequency, external contact ratio,

109
00:05:44,200 --> 00:05:47,160
and time of day message posture per department.

110
00:05:47,160 --> 00:05:49,400
Orchestrate an automatic response.

111
00:05:49,400 --> 00:05:53,560
Isolate the user session, require reauthentication with FIDO2

112
00:05:53,560 --> 00:05:58,200
and alert the security desk when the Teams to MFA pattern appears.

113
00:05:58,200 --> 00:06:00,760
Citizens remember Teams is not a chat room.

114
00:06:00,760 --> 00:06:02,680
It is an identity elevator.

115
00:06:02,680 --> 00:06:05,240
Therefore supervision is compulsory.

116
00:06:05,240 --> 00:06:09,000
If external messaging is business critical, confine it with governance.

117
00:06:09,000 --> 00:06:12,600
If it is not, disable it categorically.

118
00:06:12,600 --> 00:06:16,600
Failure to do so will be recorded as a preventable oversight.

119
00:06:16,600 --> 00:06:18,360
But here is where it gets interesting.

120
00:06:18,360 --> 00:06:22,360
When chat pretext stalls under verification friction,

121
00:06:22,360 --> 00:06:24,280
adversaries pivot.

122
00:06:24,280 --> 00:06:27,720
They abandon the theater and pursue device code flows,

123
00:06:27,720 --> 00:06:30,280
harvesting cooperation without a password,

124
00:06:30,280 --> 00:06:32,120
and often without suspicion.

125
00:06:32,120 --> 00:06:34,760
The next case file will document that transition.

126
00:06:34,760 --> 00:06:39,080
The council will show how a six-character code

127
00:06:39,080 --> 00:06:44,440
read aloud in good faith becomes a durable OAuth grant

128
00:06:44,440 --> 00:06:48,520
that survives MFA and persists beyond a password change.

129
00:06:48,520 --> 00:06:51,720
Mandatory compliance is appreciated.

130
00:06:51,720 --> 00:06:53,240
Case file 2.

131
00:06:53,240 --> 00:06:54,840
Device code flow.

132
00:06:54,840 --> 00:06:58,040
MFA resilient token laundering.

133
00:06:58,040 --> 00:07:00,360
Citizens, the pivot has occurred.

134
00:07:00,840 --> 00:07:05,640
The adversary discards protected chats and engages the device code flow.

135
00:07:05,640 --> 00:07:09,960
A trusted Microsoft page displays a six or eight-character code.

136
00:07:09,960 --> 00:07:14,680
A voice call, a text, or a polished IVR informs the target

137
00:07:14,680 --> 00:07:17,800
that verification assistance is in progress.

138
00:07:17,800 --> 00:07:19,720
The user reads the code aloud.

139
00:07:19,720 --> 00:07:23,160
The attacker inputs the code at device login.

140
00:07:23,160 --> 00:07:26,120
OAuth completes without a password exchange.

141
00:07:26,120 --> 00:07:27,320
Tokens are minted.

142
00:07:27,320 --> 00:07:29,400
Persistence is achieved.

143
00:07:29,400 --> 00:07:31,400
This is not a breach of cryptography.

144
00:07:31,400 --> 00:07:33,160
It is a breach of ceremony.

145
00:07:33,160 --> 00:07:37,720
Device code is designed for devices without keyboards.

146
00:07:37,720 --> 00:07:41,560
The attacker repurposes it for social extraction.

147
00:07:41,560 --> 00:07:43,000
No password is requested.

148
00:07:43,000 --> 00:07:46,920
MFA can be neutralized because the consent ceremony occurs

149
00:07:46,920 --> 00:07:49,080
outside the victim's frame of reference.

150
00:07:49,080 --> 00:07:53,080
The human provides the only missing artifact,

151
00:07:53,080 --> 00:07:54,200
the code itself.

152
00:07:54,200 --> 00:07:57,480
Failure analysis is precise.

153
00:07:58,120 --> 00:08:01,720
Permissive device code policies remain unbounded

154
00:08:01,720 --> 00:08:03,320
by network or risk.

155
00:08:03,320 --> 00:08:06,120
High-privileged scopes, Mail.ReadWrite,

156
00:08:06,120 --> 00:08:09,800
Files.Read.All,

157
00:08:09,800 --> 00:08:15,080
and offline_access, are not gated by step-up authentication.

158
00:08:15,080 --> 00:08:18,840
Sign-in risk evaluation is not enforced at the device

159
00:08:18,840 --> 00:08:20,360
auth endpoint.

160
00:08:20,360 --> 00:08:22,760
Citizens are permitting a low-friction path

161
00:08:22,760 --> 00:08:26,760
to durable refresh tokens with no posture verification.

162
00:08:27,560 --> 00:08:30,680
Controls must become non-negotiable.

163
00:08:30,680 --> 00:08:33,560
Block user consent for device code

164
00:08:33,560 --> 00:08:36,600
flows originating from untrusted networks.

165
00:08:36,600 --> 00:08:41,560
Implement named locations with strict IP hygiene.

166
00:08:41,560 --> 00:08:45,240
Require administrator consent for high-risk

167
00:08:45,240 --> 00:08:49,560
graph scopes and any request including offline access.

168
00:08:49,560 --> 00:08:53,080
Enforce publisher verification:

169
00:08:53,080 --> 00:08:56,040
unverified publishers must be barred from requesting

170
00:08:56,040 --> 00:08:57,560
sensitive permissions.

171
00:08:57,560 --> 00:08:59,800
Where device code is truly required,

172
00:08:59,800 --> 00:09:03,800
confine it to managed networks with conditional access

173
00:09:03,800 --> 00:09:07,160
and require phishing-resistant authentication strengths,

174
00:09:07,160 --> 00:09:11,160
such as FIDO2 or certificate-based authentication

175
00:09:11,160 --> 00:09:13,080
during scope elevation.

176
00:09:13,080 --> 00:09:15,400
Conditional access is the metronome.

177
00:09:15,400 --> 00:09:19,560
Configure policies that evaluate client app,

178
00:09:19,560 --> 00:09:21,560
equals other clients,

179
00:09:21,560 --> 00:09:24,120
and device platform equals unknown.

180
00:09:25,080 --> 00:09:27,800
If sign-in risk is medium or higher,

181
00:09:27,800 --> 00:09:30,440
block or force password change,

182
00:09:30,440 --> 00:09:32,520
then require a compliant device.

183
00:09:32,520 --> 00:09:37,080
Set sign-in frequency to short intervals for privileged roles

184
00:09:37,080 --> 00:09:39,640
and for cloud apps that can exfiltrate,

185
00:09:39,640 --> 00:09:41,720
Exchange Online, SharePoint,

186
00:09:41,720 --> 00:09:43,560
OneDrive, Teams, Graph,

187
00:09:43,560 --> 00:09:45,400
apply session controls.

188
00:09:45,400 --> 00:09:48,040
Restrict downloads,

189
00:09:48,040 --> 00:09:51,640
require reauthentication on sensitive operations

190
00:09:51,640 --> 00:09:56,040
and enforce continuous access evaluation to revoke sessions

191
00:09:56,040 --> 00:09:57,640
when risk changes.

192
00:09:57,640 --> 00:10:00,600
Detection turns shadows into shape.

193
00:10:00,600 --> 00:10:03,800
Citizens will monitor the device

194
00:10:03,800 --> 00:10:07,240
auth endpoint for bursts by user,

195
00:10:07,240 --> 00:10:09,080
tenant, and IP.

196
00:10:09,080 --> 00:10:12,200
Track the client app signal.

197
00:10:12,200 --> 00:10:15,400
Other clients combined with offline access grants

198
00:10:15,400 --> 00:10:17,800
issued outside named locations

199
00:10:17,800 --> 00:10:20,760
correlate impossible travel linked specifically

200
00:10:20,760 --> 00:10:22,680
to device code grants,

201
00:10:22,680 --> 00:10:24,760
not interactive logins.

202
00:10:24,760 --> 00:10:27,960
Alert on atypical combinations.

203
00:10:27,960 --> 00:10:30,760
Service principals requesting mail items

204
00:10:30,760 --> 00:10:33,880
accessed immediately after a device code grant.

205
00:10:33,880 --> 00:10:38,040
Graph delta queries appearing seconds after consent.

206
00:10:38,040 --> 00:10:41,320
Build UEBA profiles for device code use.

207
00:10:41,320 --> 00:10:44,520
In most organizations, normal frequency is near zero.

208
00:10:44,520 --> 00:10:47,640
Remediation must be swift and exhaustive.

209
00:10:48,280 --> 00:10:52,280
Revoke refresh tokens for impacted identities.

210
00:10:52,280 --> 00:10:56,520
Invalidate sessions through Azure AD PowerShell or Graph.

211
00:10:56,520 --> 00:10:58,760
Review enterprise app grants

212
00:10:58,760 --> 00:11:01,560
and remove newly authorized service principals.

213
00:11:01,560 --> 00:11:04,840
Rotate app secrets and certificates

214
00:11:04,840 --> 00:11:07,400
for any app targeted or used as cover.

215
00:11:07,400 --> 00:11:11,000
Enforce a forced password reset with key rotation

216
00:11:11,000 --> 00:11:13,320
for synced accounts and require re-enrollment

217
00:11:13,320 --> 00:11:14,840
of phishing-resistant factors.

218
00:11:15,560 --> 00:11:18,600
Audit mailbox rules and inbox delegates.

219
00:11:18,600 --> 00:11:22,040
Device code compromises often pair with silent forwarding

220
00:11:22,040 --> 00:11:23,400
and hidden rules.

221
00:11:23,400 --> 00:11:25,960
A formal micro story follows.

222
00:11:25,960 --> 00:11:29,400
An operations manager reported a compliance verification

223
00:11:29,400 --> 00:11:32,760
robo-call instructing them to read a Microsoft device code

224
00:11:32,760 --> 00:11:35,080
for expedited ticket closure.

225
00:11:35,080 --> 00:11:36,440
They complied.

226
00:11:36,440 --> 00:11:39,640
Within minutes audit logs show device auth activity

227
00:11:39,640 --> 00:11:43,640
from a residential ASN, followed by Graph Files.Read.All

228
00:11:44,600 --> 00:11:50,680
enumeration and SharePoint download spikes at 02:11

229
00:11:50,680 --> 00:11:54,440
because named locations and risk-based blocks were active.

230
00:11:54,440 --> 00:11:58,680
Downstream access was constrained to web only with no download.

231
00:11:58,680 --> 00:12:02,440
Security revoked tokens disabled the malicious app

232
00:12:02,440 --> 00:12:05,400
and issued a tenant-wide admin consent review.

233
00:12:05,400 --> 00:12:08,680
Exposure was contained to metadata.

234
00:12:08,680 --> 00:12:12,440
The doctrine worked because risk and session controls were aligned

235
00:12:12,440 --> 00:12:14,840
to the client app pattern.

236
00:12:14,840 --> 00:12:17,400
Training is an order, not a suggestion.

237
00:12:17,400 --> 00:12:22,360
Institute the code-over-voice prohibition universally.

238
00:12:22,360 --> 00:12:26,120
No codes, no numbers, no device codes in any channel.

239
00:12:26,120 --> 00:12:28,440
Teach the ceremony: a code is consent.

240
00:12:28,440 --> 00:12:33,800
Inform staff that legitimate IT will never request a device code

241
00:12:33,800 --> 00:12:35,400
verbally or via chat.

242
00:12:35,400 --> 00:12:40,200
Deploy quarterly simulations featuring device code lures

243
00:12:40,200 --> 00:12:42,200
delivered by voice and SMS.

244
00:12:42,200 --> 00:12:48,680
Require the pause rule: stop, verify through the published service desk number,

245
00:12:48,680 --> 00:12:52,040
and report. Tooling must operationalize vigilance.

246
00:12:52,040 --> 00:12:57,880
Defender for Cloud Apps will create policies for anomalous OAuth consent,

247
00:12:57,880 --> 00:13:01,560
device auth spikes and other clients anomalies.

248
00:13:01,560 --> 00:13:07,080
SIEM correlation will bind Teams DMs, voice events and

249
00:13:07,080 --> 00:13:10,280
device code grants into a single timeline.

250
00:13:10,280 --> 00:13:15,080
SOAR will revoke tokens automatically when a device code grant originates

251
00:13:15,080 --> 00:13:17,320
outside named locations.

252
00:13:17,320 --> 00:13:21,320
App governance will flag broad Graph scopes requested

253
00:13:21,320 --> 00:13:23,320
by unverified publishers.

254
00:13:23,320 --> 00:13:26,120
Citizens understand the analogy.

255
00:13:26,120 --> 00:13:28,280
Device code is a service elevator.

256
00:13:28,280 --> 00:13:30,280
It bypasses the lobby and the guard.

257
00:13:30,280 --> 00:13:33,640
Therefore the guard must relocate to the elevator door.

258
00:13:33,640 --> 00:13:35,160
Place your controls there.

259
00:13:35,160 --> 00:13:37,560
Mandatory compliance is appreciated.

260
00:13:37,560 --> 00:13:39,720
Case file 3. OAuth app consent.

261
00:13:39,720 --> 00:13:44,600
Persistent access without passwords.

262
00:13:44,600 --> 00:13:49,720
Citizens, persistence now arrives cloaked in legitimacy.

263
00:13:49,720 --> 00:13:53,800
The adversary abandons device codes and presents an application that appears

264
00:13:53,800 --> 00:13:54,760
orderly.

265
00:13:54,760 --> 00:13:56,360
The publisher logo is polished.

266
00:13:56,360 --> 00:13:58,440
The name implies productivity.

267
00:13:58,440 --> 00:14:00,680
The consent screen lists familiar scopes.

268
00:14:00,680 --> 00:14:02,200
Read your mail.

269
00:14:02,200 --> 00:14:04,680
Access your files.

270
00:14:04,680 --> 00:14:07,160
The link is a real Microsoft domain.

271
00:14:07,160 --> 00:14:09,160
The ceremony feels official.

272
00:14:09,160 --> 00:14:10,840
The user clicks accept.

273
00:14:10,840 --> 00:14:16,360
At that moment durable access is conferred without a password

274
00:14:16,360 --> 00:14:19,480
and beyond the reach of routine MFA.

275
00:14:19,480 --> 00:14:22,120
Here is what actually happens.

276
00:14:22,120 --> 00:14:27,320
A malicious app, sometimes verified, requests Mail.ReadWrite,

277
00:14:27,320 --> 00:14:33,400
Files.Read.All, and offline_access.

278
00:14:33,400 --> 00:14:35,480
The tenant allows user consent.

279
00:14:35,480 --> 00:14:36,920
The victim grants.

280
00:14:36,920 --> 00:14:40,360
An OAuth service principal is created in your directory.

281
00:14:40,360 --> 00:14:42,120
Refresh tokens are issued.

282
00:14:42,120 --> 00:14:48,840
The attacker harvests quietly through Graph using delta queries to enumerate only what changed.

283
00:14:48,840 --> 00:14:50,840
There is no inbox login to alert on.

284
00:14:50,840 --> 00:14:53,160
There is no brute force to block.

285
00:14:53,160 --> 00:14:56,280
There is only sanctioned access operating as designed.

286
00:14:56,280 --> 00:14:59,960
Failure analysis exposes a governance vacuum.

287
00:15:00,600 --> 00:15:03,480
User consent remains enabled tenant-wide.

288
00:15:03,480 --> 00:15:06,600
Permission reviews are weak or nonexistent.

289
00:15:06,600 --> 00:15:11,880
High-risk scopes, including mailbox and file access

290
00:15:11,880 --> 00:15:16,120
at tenant breadth, are not gated by administrator review.

291
00:15:16,120 --> 00:15:19,000
Publisher verification is not enforced,

292
00:15:19,000 --> 00:15:21,880
allowing deceptive branding to pass casual inspection.

293
00:15:21,880 --> 00:15:27,320
No app governance solution inspects unusual data access patterns.

294
00:15:27,320 --> 00:15:30,760
Citizens have delegated trust to a screen.

295
00:15:30,760 --> 00:15:32,920
Controls must be absolute.

296
00:15:32,920 --> 00:15:35,400
Disable user consent globally.

297
00:15:35,400 --> 00:15:40,680
Enforce an administrator consent workflow for all third-party applications.

298
00:15:40,680 --> 00:15:47,480
In Entra, configure permission grant policies so that high-impact scopes,

299
00:15:47,480 --> 00:15:55,800
Mail.ReadWrite, Files.Read.All, Sites.Read.All, offline_access,

300
00:15:55,800 --> 00:15:59,640
are blocked from user grant under any circumstance;

301
00:15:59,640 --> 00:16:05,800
require verified publishers for any app allowed to request organizational data

302
00:16:05,800 --> 00:16:08,520
and still require admin approval.

303
00:16:08,520 --> 00:16:11,480
Implement least-privilege app access policies:

304
00:16:11,480 --> 00:16:13,320
if a function only needs

305
00:16:13,320 --> 00:16:14,600
Files.Read,

306
00:16:14,600 --> 00:16:17,160
it will not receive

307
00:16:17,160 --> 00:16:19,800
Files.Read.All.

308
00:16:19,800 --> 00:16:24,440
Conditional access can constrain app misuse: apply app-enforced restrictions

309
00:16:24,440 --> 00:16:25,160
where available.

310
00:16:25,160 --> 00:16:31,160
Use cloud app filters to limit access paths for Graph to the intended operations

311
00:16:31,160 --> 00:16:35,800
and apply session controls that restrict download and cut and paste for apps

312
00:16:35,800 --> 00:16:37,480
touching sensitive resources.

313
00:16:37,480 --> 00:16:44,920
For sensitive actions, message send on behalf, file export, permission changes,

314
00:16:44,920 --> 00:16:49,400
require step-up with phishing resistant authentication strengths.

315
00:16:49,400 --> 00:16:54,440
If sign-in risk elevates, block consent events and require administrator review.

316
00:16:54,440 --> 00:16:57,560
Detection is your x-ray.

317
00:16:57,560 --> 00:17:01,720
Monitor for creation of new service principals, especially with broad scopes

318
00:17:01,720 --> 00:17:04,120
or immediate delta query usage.

319
00:17:04,120 --> 00:17:08,520
Alert on sudden MailItemsAccessed spikes from an application identity

320
00:17:08,520 --> 00:17:11,160
tied to a newly created service principal.

321
00:17:11,160 --> 00:17:16,200
Track Graph patterns that jump directly to me/messages/delta, drives/root/children,

322
00:17:16,200 --> 00:17:19,800
or sites/root/drives with high pagination counts.

323
00:17:19,800 --> 00:17:26,440
Build queries to surface apps with offline_access plus Read.All scopes granted in the last 24 hours.

324
00:17:26,440 --> 00:17:32,840
Correlate consent events with subsequent mailbox rule creation,

325
00:17:32,840 --> 00:17:37,000
external forwarding and unusual Teams file access.

326
00:17:37,000 --> 00:17:40,680
Your response playbook must be surgical and complete.

327
00:17:40,680 --> 00:17:43,720
Disable the application in Entra immediately.

328
00:17:44,360 --> 00:17:46,520
Revoke user and tenant consents.

329
00:17:46,520 --> 00:17:51,480
Invalidate tokens associated with the app and the impacted identities.

330
00:17:51,480 --> 00:17:56,280
Conduct e-discovery and content search for scope impact windows.

331
00:17:56,280 --> 00:18:02,600
Identify files read, messages accessed, and data exported.

332
00:18:02,600 --> 00:18:07,000
Audit mailboxes for hidden inbox rules, forwarding and delegates.

333
00:18:07,000 --> 00:18:07,640
Remove them.

334
00:18:07,640 --> 00:18:11,480
Review service principal roles and privileges and

335
00:18:11,480 --> 00:18:16,200
strip any unintended directory read or role assignment abilities.

336
00:18:16,200 --> 00:18:20,920
Document the app's request origin, domains, and IPs for future blocking.

337
00:18:20,920 --> 00:18:23,960
A micro story for clarity.

338
00:18:23,960 --> 00:18:28,680
A sales executive received a consent prompt for "Calendar Optimizer Pro"

339
00:18:28,680 --> 00:18:32,360
with a verified-looking publisher and a Microsoft URL.

340
00:18:32,360 --> 00:18:34,520
They accepted.

341
00:18:34,520 --> 00:18:36,520
Over the next six hours,

342
00:18:36,520 --> 00:18:41,560
Graph delta queries harvested recent email threads and proposal attachments.

343
00:18:41,560 --> 00:18:48,920
The SOC observed a new service principal generating MailItemsAccessed events with steady cadence,

344
00:18:48,920 --> 00:18:53,400
no interactive sign-ins, and files enumerated via me/drive.

345
00:18:53,400 --> 00:18:58,200
Admin consent enforcement was absent, user consent was allowed.

346
00:18:58,200 --> 00:19:01,240
Once detected, the team disabled the app,

347
00:19:01,240 --> 00:19:06,040
revoked consents, tenant-wide, and ran mailbox rule audits.

348
00:19:06,600 --> 00:19:12,440
They then implemented admin consent workflows and blocked unverified publishers.

349
00:19:12,440 --> 00:19:15,960
Data loss was finite because time to detection was short.

350
00:19:15,960 --> 00:19:19,880
The breach vector existed because governance ceded trust to ceremony.

351
00:19:19,880 --> 00:19:23,800
Training must recalibrate instincts,

352
00:19:23,800 --> 00:19:28,840
teach that a Microsoft URL and a clean logo do not equal safety.

353
00:19:28,840 --> 00:19:31,000
A consent screen is a contract.

354
00:19:31,000 --> 00:19:33,880
Staff must know forbidden scopes by name:

355
00:19:33,880 --> 00:19:34,200
Mail.ReadWrite,

356
00:19:34,200 --> 00:19:35,160
Files.Read.All,

357
00:19:35,800 --> 00:19:37,160
Sites.Read.All,

358
00:19:37,160 --> 00:19:38,760
offline_access.

359
00:19:38,760 --> 00:19:40,920


360
00:19:40,920 --> 00:19:42,280


361
00:19:42,280 --> 00:19:45,240


362
00:19:45,240 --> 00:19:50,040
Require the pause rule for any unexpected consent prompt.

363
00:19:50,040 --> 00:19:53,000
Publish the sanctioned app catalog.

364
00:19:53,000 --> 00:19:55,880
Only those apps may be approved.

365
00:19:55,880 --> 00:19:59,880
Route all others to the administrator consent queue,

366
00:19:59,880 --> 00:20:05,560
conduct quarterly simulations that present realistic consent prompts and score teams

367
00:20:05,560 --> 00:20:07,400
on refusal and escalation.

368
00:20:07,400 --> 00:20:10,760
Tooling and configuration close the loop.

369
00:20:10,760 --> 00:20:17,640
Enable app governance in Microsoft Defender for Cloud Apps to baseline app behavior,

370
00:20:17,640 --> 00:20:22,440
flag over-permissive scopes, and auto-remediate anomalous access.

371
00:20:22,440 --> 00:20:26,840
Integrate consent events into the SIEM with high-fidelity alerts.

372
00:20:26,840 --> 00:20:32,120
Automate SOAR playbooks to disable new apps with risky scopes pending review.

373
00:20:32,840 --> 00:20:38,040
Enforce publisher verification and consent grant policies in Entra.

374
00:20:38,040 --> 00:20:42,680
Expand audit log retention to preserve consent and MailItemsAccessed

375
00:20:42,680 --> 00:20:45,560
telemetry for at least one year.

376
00:20:45,560 --> 00:20:48,680
Citizens understand the doctrine.

377
00:20:48,680 --> 00:20:50,760
Passwords can be rotated.

378
00:20:50,760 --> 00:20:54,840
Tokens expire, but a granted permission remains until you revoke it.

379
00:20:54,840 --> 00:20:59,160
Therefore, revoke by default, consent by exception,

380
00:20:59,160 --> 00:21:03,320
and record every exception. Mandatory compliance is appreciated.

381
00:21:03,320 --> 00:21:06,200
Case file 4. SharePoint link abuse.

382
00:21:06,200 --> 00:21:08,760
Silent exfiltration through collaboration.

383
00:21:08,760 --> 00:21:09,800
Citizens.

384
00:21:09,800 --> 00:21:12,120
The corridor of convenience is now open.

385
00:21:12,120 --> 00:21:14,680
It is labeled "anyone with the link."

386
00:21:14,680 --> 00:21:16,440
No account.

387
00:21:16,440 --> 00:21:17,960
No verification.

388
00:21:17,960 --> 00:21:22,040
Just a URL generated inside your collaboration fabric

389
00:21:22,040 --> 00:21:24,840
carried outside the border by email or chat.

390
00:21:25,960 --> 00:21:29,880
At 02:37, an external IP begins mass downloads.

391
00:21:29,880 --> 00:21:34,600
Minutes later, the same actor pivots to encrypt mapped OneDrive folders.

392
00:21:34,600 --> 00:21:39,320
Collaboration has been converted into an egress channel and a detonator.

393
00:21:39,320 --> 00:21:41,320
The incident pattern is consistent.

394
00:21:41,320 --> 00:21:47,400
A project site spawns a handful of innocuous shares to expedite a vendor review.

395
00:21:47,400 --> 00:21:49,320
The default link type is anonymous.

396
00:21:49,320 --> 00:21:51,160
Expiration is disabled.

397
00:21:51,160 --> 00:21:52,760
Passwords are not required.

398
00:21:53,400 --> 00:21:56,360
The link circulates beyond the intended recipient.

399
00:21:56,360 --> 00:22:00,520
A credential-stuffed mailbox forward leaks it further.

400
00:22:00,520 --> 00:22:06,360
The adversary arrives with no authentication ceremony to betray them.

401
00:22:06,360 --> 00:22:10,440
Telemetry shows SharePoint file operation surges.

402
00:22:10,440 --> 00:22:13,320
Predominantly, download file and get file.

403
00:22:13,320 --> 00:22:17,560
The window closes only when quotas are reached or attention awakens.

404
00:22:17,560 --> 00:22:22,280
Failure analysis identifies legacy gravity.

405
00:22:23,240 --> 00:22:28,120
Tenant level sharing policies remain permissive to maintain business agility.

406
00:22:28,120 --> 00:22:34,120
Unmanaged devices are permitted to access content with full download rights.

407
00:22:34,120 --> 00:22:37,640
Session controls are absent. Access is binary.

408
00:22:37,640 --> 00:22:38,520
Allow or block.

409
00:22:38,520 --> 00:22:40,920
Audit coverage is incomplete.

410
00:22:40,920 --> 00:22:45,880
Administrators cannot reconstruct which files left the environment,

411
00:22:45,880 --> 00:22:49,000
because log retention is short and enrichment is thin.

412
00:22:49,720 --> 00:22:52,040
Citizens have traded provenance for speed.

413
00:22:52,040 --> 00:22:55,400
Controls must re-impose sovereignty.

414
00:22:55,400 --> 00:22:59,560
Set the default sharing link type to specific people.

415
00:22:59,560 --> 00:23:03,080
Disable anyone links tenant-wide.

416
00:23:03,080 --> 00:23:08,440
Retaining them only for explicitly scoped sites with documented justification.

417
00:23:08,440 --> 00:23:11,000
Enforce link expiration by policy.

418
00:23:11,000 --> 00:23:13,000
30 days or less.

419
00:23:13,000 --> 00:23:16,200
And require password protection for external shares.

420
00:23:16,920 --> 00:23:23,560
Apply sensitivity labels that enforce encryption and block anonymous sharing at the document level.

421
00:23:23,560 --> 00:23:28,840
Confidential content must never inherit permissive site settings.

422
00:23:28,840 --> 00:23:34,360
Require recipients to authenticate with the invited identity.

423
00:23:34,360 --> 00:23:37,480
No email forward daisy chains.

424
00:23:37,480 --> 00:23:43,160
Conditional access must govern the act of taking, not merely the act of seeing.

425
00:23:43,800 --> 00:23:50,120
Require compliant or hybrid-joined devices for download from SharePoint and OneDrive.

426
00:23:50,120 --> 00:23:57,800
For unmanaged devices, enforce web only with download, print, and sync,

427
00:23:57,800 --> 00:24:01,400
blocked via conditional access app control.

428
00:24:01,400 --> 00:24:07,560
Deny legacy protocols and legacy authentication paths that bypass modern session controls.

429
00:24:07,560 --> 00:24:11,240
Tie sign-in risk to session posture.

430
00:24:11,240 --> 00:24:17,960
If risk is medium or higher, restrict to view only, require reauthentication to elevate

431
00:24:17,960 --> 00:24:23,880
and invoke continuous access evaluation to cut sessions midstream when risk changes.

432
00:24:23,880 --> 00:24:26,360
Detection must be quantitative and skeptical.

433
00:24:26,360 --> 00:24:31,800
Monitor SharePoint file operation for bursts per user, site, and IP.

434
00:24:31,800 --> 00:24:37,640
Create thresholds per role; an engineer's normal differs from finance.

435
00:24:38,520 --> 00:24:44,520
Alert on downloads exceeding baseline by an order of magnitude within a short interval,

436
00:24:44,520 --> 00:24:50,280
especially from new IP ranges or autonomous system numbers, not seen for that user.

437
00:24:50,280 --> 00:24:56,280
Surface external user creation spikes and link sharing events clustered in rapid succession.

438
00:24:56,280 --> 00:25:03,400
Bind anomalous egress from SharePoint to contemporaneous OAuth grants or device code activity.

439
00:25:04,040 --> 00:25:09,560
Exfiltration rarely operates alone. Remediation requires containment and proof.

440
00:25:09,560 --> 00:25:13,160
Break permission inheritance on affected libraries.

441
00:25:13,160 --> 00:25:15,400
Revoke extant anonymous links.

442
00:25:15,400 --> 00:25:23,320
Rotate site collection app permissions, and revoke unused app registrations associated with the site.

443
00:25:23,320 --> 00:25:27,560
Quarantine impacted sites to read only while you assess exposure.

444
00:25:27,560 --> 00:25:32,520
Purge local sync caches on endpoints through MDM to prevent offline leakage.

445
00:25:33,240 --> 00:25:39,320
Enforce password resets and reauthentication for any account that created large anonymous links

446
00:25:39,320 --> 00:25:41,560
or initiated anomalous downloads.

447
00:25:41,560 --> 00:25:47,880
Expand audit retention now. Absence of evidence is not evidence of absence.

448
00:25:47,880 --> 00:25:51,960
A brief, micro story clarifies causality.

449
00:25:51,960 --> 00:25:55,880
A design team enabled anonymous links for a vendor handoff.

450
00:25:55,880 --> 00:25:59,160
Weeks later, a paste site posted the link.

451
00:25:59,960 --> 00:26:09,560
At 01:09, an external ASN pulled 9.2 GB across 1,800 files, then deployed ransomware through a

452
00:26:09,560 --> 00:26:14,280
compromised partner account. Because the tenant had conditional access app control

453
00:26:14,280 --> 00:26:19,720
with download blocks for unmanaged devices, the actor could view previews but not retrieve

454
00:26:19,720 --> 00:26:27,000
originals. UEBA flagged the anomaly. The SOC revoked links, quarantined the site,

455
00:26:27,000 --> 00:26:33,320
and forced device compliance for contributors. The event became an inconvenience, not a catastrophe.

456
00:26:33,320 --> 00:26:40,120
Training must correct habits. Citizens will treat anyone with the link as an exception,

457
00:26:40,120 --> 00:26:43,800
requiring written justification and manager approval.

458
00:26:43,800 --> 00:26:51,800
Teach the lexicon. Specific people is standard. Passwords and expiration are mandatory.

459
00:26:51,800 --> 00:26:57,960
Recipients must authenticate. Institute the pause rule before external sharing.

460
00:26:57,960 --> 00:27:02,440
Confirm classification. Confirm recipient identity. Confirm necessity.

461
00:27:02,440 --> 00:27:08,120
Conduct quarterly drills that simulate link leakage and score teams on revocation speed.

462
00:27:08,120 --> 00:27:11,560
Tooling must institutionalize restraint.

463
00:27:11,560 --> 00:27:19,960
In Defender for Cloud Apps, deploy policies that block anonymous link creation for labeled content,

464
00:27:19,960 --> 00:27:26,600
alert on mass external sharing and session enforce web only for unmanaged devices.

465
00:27:26,600 --> 00:27:34,280
Implement automated workflows in your SOC to revoke links exceeding safe thresholds

466
00:27:34,280 --> 00:27:41,560
and notify site owners with remediation guidance. Expand SIEM parsers for SharePoint file operation,

467
00:27:41,560 --> 00:27:45,400
link created, and anonymous link used events.

468
00:27:46,760 --> 00:27:51,800
Extend retention to a year. Investigation without history is theater.

469
00:27:51,800 --> 00:27:58,840
Citizens, collaboration is a public square when links are anonymous. Convert it back into a controlled

470
00:27:58,840 --> 00:28:05,880
workspace. If sharing must cross the border, insist on identity, time limits, and revocation discipline.

471
00:28:05,880 --> 00:28:14,360
Mandatory compliance is appreciated. Case file 5. Token theft, AITM, and session replay at scale.

472
00:28:14,360 --> 00:28:20,440
Citizens, the adversary now removes the mask. A reverse proxy interposes between the user

473
00:28:20,440 --> 00:28:25,400
and the Microsoft sign in page. The URL looks plausible. The page is pixel perfect,

474
00:28:25,400 --> 00:28:31,240
the password and MFA succeed. However, the proxy siphons the session cookie and the refresh token.

475
00:28:31,240 --> 00:28:36,120
The attacker replays the session from a different host. Mailbox rules appear.

476
00:28:36,120 --> 00:28:42,200
OAuth refresh is reused. Persistence is renewed with each silent refresh.

477
00:28:42,200 --> 00:28:47,240
This is not a failure of prompts. It is a failure of binding. Authentication occurred,

478
00:28:47,240 --> 00:28:50,920
but the artifact of trust was not anchored to the device or the client.

479
00:28:50,920 --> 00:28:56,360
Therefore, the artifact travels: where the cookie goes, access follows.

480
00:28:56,360 --> 00:28:59,640
The result is account action without account presence.

481
00:28:59,640 --> 00:29:07,000
Failure analysis isolates four defects. First, phishing-resistant MFA is absent,

482
00:29:07,000 --> 00:29:13,720
enabling approval fatigue and AITM success. Second, token protection is disabled.

483
00:29:13,720 --> 00:29:18,680
The session token is not bound to the device's hardware or the client key. Third,

484
00:29:18,680 --> 00:29:25,080
refresh token lifetimes are long, allowing adversaries to rehydrate access for days.

485
00:29:25,080 --> 00:29:33,400
Fourth, session revocation is inconsistent. Stale tokens persist after password changes and

486
00:29:33,400 --> 00:29:39,640
factor resets. Controls must become structural, not ceremonial. Enforce authentication

487
00:29:39,640 --> 00:29:45,880
strengths that require phishing-resistant factors for privileged roles and for data exfiltration

488
00:29:45,880 --> 00:29:53,640
paths. FIDO2 security keys and certificate-based authentication deprive proxies of reusable artifacts.

489
00:29:53,640 --> 00:30:01,720
Enable continuous access evaluation, so risk, device compliance and sign-in location changes

490
00:30:01,720 --> 00:30:07,480
invalidate access mid-session. Activate token protection for Windows to cryptographically

491
00:30:07,480 --> 00:30:13,960
bind tokens to device keys. A stolen cookie will not validate off the original device.

492
00:30:13,960 --> 00:30:20,280
Shorten sign-in frequency and idle timeouts for high-risk apps, exchange online,

493
00:30:20,280 --> 00:30:26,520
SharePoint, OneDrive, Teams, and Graph. Conditional access is your perimeter of consequence.

494
00:30:26,520 --> 00:30:33,080
Require device compliance for privileged workloads and for download operations. Block legacy

495
00:30:33,080 --> 00:30:40,040
protocols that ignore modern auth controls. If sign-in risk reaches high, block access and require

496
00:30:40,040 --> 00:30:47,640
secure reauthentication. Demand step-up for sensitive actions: mailbox permission changes,

497
00:30:47,640 --> 00:30:54,680
external forwarding, creation of inbox rules, SharePoint permission elevation, app consent events.

498
00:30:55,480 --> 00:31:01,960
Tie these actions to phishing-resistant strengths to frustrate session replay. Detection

499
00:31:01,960 --> 00:31:08,840
must assume the adversary looks legitimate. Alert on new user agents reusing an existing session

500
00:31:08,840 --> 00:31:16,360
identifier shortly after an interactive sign-in from a different ASN or geography. Monitor for mailbox

501
00:31:16,360 --> 00:31:22,920
rule creation patterns. Auto-forward to external, mark as read, delete, move to hidden folders.

502
00:31:22,920 --> 00:31:28,520
Surface unfamiliar token signing key identifiers or claims anomalies compared to the user's

503
00:31:28,520 --> 00:31:34,680
baseline. Detect concurrent access where one session performs administrative actions while the

504
00:31:34,680 --> 00:31:43,320
legitimate user's device remains idle. Correlate AiTM infrastructure indicators: known proxy ASN

505
00:31:43,320 --> 00:31:50,360
blocks, free TLS cert issuers and short-lived domains observed in referrers or link paths

506
00:31:50,360 --> 00:31:57,160
preceding sign-ins. Response procedures must be ruthless. Revoke refresh tokens for the user

507
00:31:57,160 --> 00:32:03,480
and disable sessions tenant-wide if lateral movement is suspected. Force reauthentication with

508
00:32:03,480 --> 00:32:09,240
phishing-resistant strengths. Rotate app secrets and certificates for any app identities

509
00:32:09,240 --> 00:32:15,960
implicated in the session chain. Hunt for mailbox rules and delegates. Remove unauthorized entries

510
00:32:15,960 --> 00:32:22,520
and enable anti-auto-forward policies. Query recent MailItemsAccessed and SharePoint file

511
00:32:22,520 --> 00:32:29,480
operations to delineate exposure. Block identified AiTM infrastructure at the proxy and firewall,

512
00:32:29,480 --> 00:32:36,680
and require device attestation or re-join for non-compliant endpoints. A short microstory clarifies the doctrine.

513
00:32:36,680 --> 00:32:43,400
A regional manager authenticated successfully after receiving a prompt, then reported unusual sent

514
00:32:43,400 --> 00:32:50,760
items. Telemetry showed a new Chromium-variant user agent reusing the same session within minutes

515
00:32:50,760 --> 00:32:58,040
from a foreign ASN. Mailbox rules redirected invoices to an external account. Because token

516
00:32:58,040 --> 00:33:03,640
protection was active on managed Windows devices, the stolen cookie failed off-device. Continuous

517
00:33:03,640 --> 00:33:12,120
access evaluation cut the replayed session when sign-in risk spiked. The SOC revoked tokens, purged rules

518
00:33:12,120 --> 00:33:18,760
and imposed step-up for mailbox permission changes. Losses were prevented because the artifact

519
00:33:18,760 --> 00:33:25,320
was bound and the session was reactive to risk. Training must be unambiguous. Teach that a perfect

520
00:33:25,320 --> 00:33:32,920
looking page can still be an impostor. Require URL verification rituals and the pause rule when prompted

521
00:33:32,920 --> 00:33:40,440
unexpectedly. Prohibit approval on unknown prompts and mandate immediate reporting of any unexplained

522
00:33:40,440 --> 00:33:48,440
MFA event. Simulate AiTM scenarios quarterly and measure refusal rates. Tooling completes enforcement:

523
00:33:48,440 --> 00:33:55,720
deploy Defender for Office anti-phishing with real-time URL detonation. Enable Defender for Cloud

524
00:33:55,720 --> 00:34:04,040
Apps session control to block downloads on risky sessions. Integrate sign-in logs, MailItemsAccessed

525
00:34:04,040 --> 00:34:12,120
and unified audit into your SIEM, and automate SOAR to revoke tokens on high-confidence AiTM signals. Mandatory

526
00:34:12,120 --> 00:34:22,520
compliance is appreciated. Corrective doctrine: policy baseline, detections, training, tools. Citizens,

527
00:34:22,520 --> 00:34:30,040
the office now issues the corrective doctrine. Policy replaces improvisation, detection replaces

528
00:34:30,040 --> 00:34:38,760
surprise, training replaces hesitation, tooling replaces folklore. Policy baseline is mandatory.

529
00:34:38,760 --> 00:34:46,360
First, disable user consent tenant-wide. Enforce the administrator consent workflow for all third-party

530
00:34:46,360 --> 00:34:56,760
applications. Configure permission grant policies to block high-risk scopes: Mail.ReadWrite, Files.Read.All,

531
00:34:57,560 --> 00:35:10,920
Sites.Read.All, Mail.Send, offline_access from any user grant. Require verified publishers for

532
00:35:10,920 --> 00:35:17,800
any app allowed to request organizational data; even then, approval is administrative only.

533
00:35:17,800 --> 00:35:25,880
Second, restrict external Teams communications. In the Teams admin center, set external access to deny

534
00:35:25,880 --> 00:35:33,320
by default. Maintain an explicit allow list of verified partner domains for shared channels and

535
00:35:33,320 --> 00:35:42,520
federation. Prohibit open DMs from unknown tenants. Apply Safe Links in Teams and enable real-time URL

536
00:35:42,520 --> 00:35:49,560
detonation. Third, enforce least-privilege sharing rigor. Set tenant default sharing links to specific

537
00:35:49,560 --> 00:35:55,160
people. Disable anyone links, reserving exceptions for controlled sites with documented justification,

538
00:35:55,160 --> 00:36:02,440
expiration and passwords. Require recipients to authenticate as themselves. Apply sensitivity labels

539
00:36:02,440 --> 00:36:09,560
that block anonymous sharing and encrypt confidential content by policy. Fourth, publisher verification

540
00:36:09,560 --> 00:36:16,520
is compulsory. Only verified publishers may request organizational scopes. Combine with admin

541
00:36:16,520 --> 00:36:24,440
consent and app governance to constrain post-consent behavior. Fifth, governance of audit is non-negotiable.

542
00:36:25,160 --> 00:36:32,360
Expand unified audit log retention to at least 365 days. Ensure MailItemsAccessed, SharePoint

543
00:36:32,360 --> 00:36:38,760
file operation, app consent grant, service principal created and Conditional Access evaluation

544
00:36:38,760 --> 00:36:45,560
events are ingested into your SIEM with full fidelity. The Conditional Access pack is the perimeter of

545
00:36:45,560 --> 00:36:51,960
consequence. Define authentication strengths and require phishing-resistant methods,

546
00:36:51,960 --> 00:36:59,560
FIDO2 or certificate-based authentication, for privileged roles and all data exfiltration paths:

547
00:36:59,560 --> 00:37:07,720
Exchange Online, SharePoint, OneDrive, Teams and Graph. Set sign-in frequency tighter for privileged

548
00:37:07,720 --> 00:37:15,320
and high-impact apps; reduce durable sessions without crippling operations. Implement named locations

549
00:37:15,320 --> 00:37:22,040
with strict IP hygiene; treat residential ASNs and hosting providers as untrusted by default.

550
00:37:22,040 --> 00:37:29,400
If sign-in risk is medium, restrict to web only and block download; if high, block access and require

551
00:37:29,400 --> 00:37:35,880
secure reauthentication. Apply session controls through Conditional Access App Control to restrict

552
00:37:35,880 --> 00:37:42,360
download, cut and paste, print and sync on unmanaged devices. Require device compliance for file

553
00:37:42,360 --> 00:37:48,680
download and admin operations. Block legacy protocols universally. Everything changes when session

554
00:37:48,680 --> 00:37:55,560
awareness is continuous. Enable continuous access evaluation to invalidate sessions on risk,

555
00:37:55,560 --> 00:38:03,080
device compliance changes, token revocation and location drift. Activate token protection for

556
00:38:03,080 --> 00:38:09,880
Windows to bind tokens to device keys; a stolen cookie will not validate off the issuing endpoint.

557
00:38:10,520 --> 00:38:17,480
The detection catalog converts telemetry into verdicts. Deploy high-signal KQL queries.

558
00:38:17,480 --> 00:38:25,960
App grants: surface new service principals created in the last 24 hours with Read.All scopes

559
00:38:25,960 --> 00:38:32,360
or offline_access; correlate immediate Graph delta queries and MailItemsAccessed spikes.

560
00:38:32,360 --> 00:38:39,960
MailItemsAccessed anomalies: alert on sudden increases by application identity or user

561
00:38:39,960 --> 00:38:47,400
context outside named locations or baseline time windows. Device code spikes: monitor device

562
00:38:47,400 --> 00:38:56,360
auth endpoint bursts by user, IP and client app equals "Other clients"; correlate with impossible travel

563
00:38:56,360 --> 00:39:05,480
absent interactive sign-in. Teams anomalies: flag rapid creation of external contacts, new tenant

564
00:39:05,480 --> 00:39:12,120
chats from unseen domains and MFA prompt clusters within minutes of inbound DMs.

565
00:39:12,120 --> 00:39:20,120
SharePoint egress: detect SharePoint file operation download surges above rolling baselines, new IP ranges

566
00:39:20,120 --> 00:39:26,680
and anonymous link usage events tied to labeled content. Feed all detections into UEBA;

567
00:39:26,680 --> 00:39:33,720
baseline per department: chat frequency, consent cadence, device code rarity, download norms

568
00:39:33,720 --> 00:39:41,160
and after-hours activity. Remember: a single rare event is suspicious; clustered rare events are hostile.

569
00:39:41,160 --> 00:39:49,240
The training program is compulsory civic education. Conduct quarterly simulations that rotate vectors:

570
00:39:49,240 --> 00:39:57,160
Teams pretexts, device code vishing, OAuth consent prompts and anonymous link bait.

571
00:39:58,520 --> 00:40:04,840
Enforce the verification protocol: every legitimate IT outreach includes a rotating phrase

572
00:40:04,840 --> 00:40:10,600
posted on the intranet banner; no phrase, no action. Establish the code-over-voice prohibition:

573
00:40:10,600 --> 00:40:17,880
no codes, no numbers, no device codes transmitted over chat, voice, SMS or voicemail. Teach the ceremony:

574
00:40:17,880 --> 00:40:27,000
a code is consent. Institute the mandatory pause rule: stop, verify through the published service

575
00:40:27,000 --> 00:40:36,200
desk number, proceed only after verification, or report. Mandate deepfake awareness: train citizens

576
00:40:36,200 --> 00:40:43,080
to challenge unexpected voice or video instructions with an out-of-band callback using known numbers;

577
00:40:43,080 --> 00:40:50,280
require secondary verification for any request that affects identity, permissions, payments or

578
00:40:50,280 --> 00:40:58,040
data movement. Define escalation paths by role. Publish a sanctioned app catalog; require administrator

579
00:40:58,040 --> 00:41:06,200
consent requests for any non-catalog app. Enable a one-click "report suspicious" in Teams and Outlook

580
00:41:06,200 --> 00:41:14,200
that preserves headers, URLs and consent artifacts. Record response time; publish compliance scores.

581
00:41:14,200 --> 00:41:21,560
Tooling updates harden the apparatus. In Defender for Cloud Apps, enable app governance to baseline

582
00:41:21,560 --> 00:41:28,040
third-party app behavior, auto-quarantine apps with over-permissive scopes and revoke risky

583
00:41:28,040 --> 00:41:34,840
consents automatically. Create policies for mass external sharing, anonymous link creation,

584
00:41:34,840 --> 00:41:41,480
unlabeled content, device code anomalies and "Other clients" grants outside named locations.

585
00:41:42,360 --> 00:41:49,560
Enable Defender for Office Safe Links and Safe Attachments across Exchange and Teams. Integrate

586
00:41:49,560 --> 00:41:58,920
Microsoft Defender telemetry, Entra sign-in logs, Graph audit logs and M365 unified audit into your

587
00:41:58,920 --> 00:42:06,520
SIEM. Normalize entities to tie a consent event to downstream mailbox rule changes and SharePoint

588
00:42:06,520 --> 00:42:14,520
downloads. Automate with SOAR: when high-confidence signals fire (a new service principal with Files.Read.All

589
00:42:14,520 --> 00:42:24,680
plus offline_access, or a device auth grant from an untrusted ASN), revoke tokens, disable the app,

590
00:42:24,680 --> 00:42:30,200
force reauthentication with phishing-resistant methods and open a ticket with rich context.

591
00:42:31,080 --> 00:42:37,720
Governance is the metronome. Establish a monthly review cadence for Conditional Access policies,

592
00:42:37,720 --> 00:42:45,240
app consent requests and high-risk detections. Enforce change control with peer review for identity

593
00:42:45,240 --> 00:42:52,200
policy modifications. Maintain emergency break-glass accounts protected with hardware keys stored

594
00:42:52,200 --> 00:42:59,240
offline and audited quarterly. Expand audit coverage; verify that critical workloads log at full

595
00:42:59,240 --> 00:43:06,200
fidelity. This is the final warning. The one configuration that erases your MFA gains is broad

596
00:43:06,200 --> 00:43:13,000
user consent enabled for Graph scopes. Disable it. Replace it with administrator consent, verified

597
00:43:13,000 --> 00:43:20,920
publishers and app governance. The office has spoken. Compliance order and next action. Citizens,

598
00:43:21,720 --> 00:43:29,160
here is the single directive: social engineering prevails wherever identity, consent and

599
00:43:29,160 --> 00:43:36,360
collaboration policies permit ambiguity. Proceed now: subscribe to receive the full KQL detection

600
00:43:36,360 --> 00:43:42,440
pack, baseline policy templates and the red team simulation guide, then report to the linked

601
00:43:42,440 --> 00:43:49,080
briefing for live detections and deployment steps. The named misconfiguration, broad user consent,

602
00:43:49,080 --> 00:43:53,240
is to be disabled immediately. Mandatory compliance is appreciated.


Founder of m365.fm, m365.show and m365con.net

Mirko Peters is a Microsoft 365 expert, content creator, and founder of m365.fm, a platform dedicated to sharing practical insights on modern workplace technologies. His work focuses on Microsoft 365 governance, security, collaboration, and real-world implementation strategies.

Through his podcast and written content, Mirko provides hands-on guidance for IT professionals, architects, and business leaders navigating the complexities of Microsoft 365. He is known for translating complex topics into clear, actionable advice, often highlighting common mistakes and overlooked risks in real-world environments.

With a strong emphasis on community contribution and knowledge sharing, Mirko is actively building a platform that connects experts, shares experiences, and helps organizations get the most out of their Microsoft 365 investments.