Exposing the Secret Office 365 Forensics Tool
June 29, 2018 9:13 AM

An ethical crisis in the digital forensics industry came to a head last week with the release of new details on Microsoft’s undocumented “Activities” API. A previously unknown trove of access and activity logs held by Microsoft allows investigators to track Office 365 mailbox activity in minute detail.
posted by cgc373 (7 comments total) 14 users marked this as a favorite
 
Meanwhile, back in the Valley, California passes strictest online privacy law in the country. [CNN Money]
posted by snuffleupagus at 9:15 AM on June 29, 2018


i, uh, wasn't quite prepared for the objection to be "not enough people have access to it"...
posted by reprise the theme song and roll the credits at 9:37 AM on June 29, 2018 [1 favorite]


This isn't a data breach, thankfully, but it is shady. Office 365 has been monitoring email activity even if audit logging is supposed to be disabled. That's good if you are a forensics team, bad if you don't want your activity monitored.

The data is still only accessible if you have access to the account and the necessary permissions, so it's not a case of Microsoft leaking information...just gathering more information than they said they were and keeping access to it secret except for a few large firms apparently. That's also pretty shady.
posted by Eddie Mars at 9:52 AM on June 29, 2018 [2 favorites]


Office 365 has been monitoring email activity .... bad if you don't want your activity monitored.

Given it IS sourced by Microsoft and going to a central server out of your control - what should one expect on activity monitoring?

Tails and protonmail look to be the closest the commoner can hope to get a lack of monitoring.

And if *YOU* think *YOU* are good enough with your own skills - a reminder that someone who is supposed to be aware of security can blow it. Because it is hard. (And odds are, you ain't that good.)
posted by rough ashlar at 10:21 AM on June 29, 2018 [2 favorites]


The biggest issue is that the few forensic firms with access to the secret tool were getting all the contracts.

It would be interesting to see how this leaked and how money changed hands.
posted by Dr. Curare at 11:28 AM on June 29, 2018 [1 favorite]


This is very interesting to me, as someone who pays a metric crapton of money to Microsoft for our company's o365 subscription.
posted by slogger at 12:23 PM on June 29, 2018 [1 favorite]


OMG my first time being able to contribute something useful!

Sooooo this isn't nefarious at all. Mail admins normally have access to pretty much all of this exact audit data if your company had a Microsoft Exchange server; in this case the officially-documented Office 365 audit logs were pretty shitty and limited by comparison, so this unofficial (probably so they don't have to guarantee it functions properly) audit data is fantastically detailed and lets you see the same stuff you could see on an Exchange server that you control.

Crowdstrike actually put out a really cool article (with links to their helpful scripts!) on how to use this data to determine important stuff like people logging onto your HR mailbox and running searches for "wire transfer" to pull up any sent/received wire transfer info and using it to rob your company's account.

The article also details that there is no way to get that stuff without having valid mailbox logon rights; the access token is only valid for 60 minutes, so it's not a permanent backdoor into your account.

My company is switching to Office 365 later this year and I'm excited that we can get real, detailed audit data and not just the ho-hum Office 365 Audit Logs!
posted by marshmallow kitty at 6:26 PM on June 29, 2018 [6 favorites]
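The detection use case described in the comment above (spotting someone logging into an HR mailbox and searching it for "wire transfer"), as an added example that is not part of the thread and is not CrowdStrike's script. The record layout is a constructed, simplified schema for illustration only, not the real Activities API format, and the corporate network range, sensitive terms and sample events are all assumed.

```python
"""Hunt for business-email-compromise indicators in mailbox activity records.

Added example; the event schema below is an assumption made for illustration
and does not reproduce the Office 365 Activities API output.
"""
import ipaddress
from typing import List, NamedTuple

# Constructed sample events (assumed schema: ts, user, op, ip, optional query).
# 203.0.113.0/24 is a documentation range used here as an "external" address.
SAMPLE_EVENTS = [
    {"ts": "2018-06-25T08:02:11Z", "user": "hr@example.com", "op": "Login",
     "ip": "203.0.113.10"},
    {"ts": "2018-06-25T08:03:40Z", "user": "hr@example.com", "op": "SearchStarted",
     "ip": "203.0.113.10", "query": "wire transfer"},
    {"ts": "2018-06-25T08:05:02Z", "user": "hr@example.com", "op": "MessageRead",
     "ip": "203.0.113.10"},
    {"ts": "2018-06-25T09:10:00Z", "user": "hr@example.com", "op": "Login",
     "ip": "10.0.5.21"},
    {"ts": "2018-06-25T09:11:00Z", "user": "hr@example.com", "op": "SearchStarted",
     "ip": "10.0.5.21", "query": "quarterly review"},
]

# Assumed: the organisation's own address space and the search terms that
# matter for payment-fraud investigations.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_TERMS = ("wire transfer", "invoice", "payment", "routing number")


class Finding(NamedTuple):
    ts: str
    user: str
    severity: str
    reason: str


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def analyze(events: List[dict]) -> List[Finding]:
    """Walk the events in time order and emit findings.

    - A login from outside the corporate ranges is a medium-severity finding.
    - A mailbox search for a sensitive term is a finding on its own; it is
      escalated to high severity when the same user/IP pair logged in from
      outside the corporate ranges earlier in the record set.
    """
    findings: List[Finding] = []
    external_sessions = set()  # (user, ip) pairs that logged in from outside

    for ev in sorted(events, key=lambda e: e["ts"]):
        external = not is_corporate(ev["ip"])

        if ev["op"] == "Login" and external:
            external_sessions.add((ev["user"], ev["ip"]))
            findings.append(Finding(ev["ts"], ev["user"], "medium",
                                    f"login from non-corporate IP {ev['ip']}"))

        if ev["op"] == "SearchStarted":
            query = ev.get("query", "").lower()
            hits = [t for t in SENSITIVE_TERMS if t in query]
            if hits:
                sev = "high" if (ev["user"], ev["ip"]) in external_sessions else "low"
                findings.append(Finding(
                    ev["ts"], ev["user"], sev,
                    "mailbox search matched sensitive term(s): " + ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user} [{f.severity}] {f.reason}")
```

On the constructed sample this reports the external login as medium and the follow-on "wire transfer" search from the same external session as high, while the internal search for "quarterly review" produces nothing. Real triage would add the 60-minute token window, folder access and message-send events, but the correlation of source address with search content is the part that turns raw activity data into a lead.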



