Whether we like it or not, email is still the primary form of communication for most businesses outside of the tech industry. It's the simplest option: everyone has an address and can send one. Things are slowly shifting to tools like Teams and Slack, especially with the recent move to remote working due to COVID-19, but the transition is still slow, leaving email as king. With it comes spam, phishing and general junk.
Working in a heavily Microsoft-based place, we use Microsoft 365 (their new naming scheme this month). This means Exchange Online is well and truly in the mix these days. I will admit, years ago I was incredibly hesitant to move our fully managed internal Exchange infrastructure "to the cloud" (for some reason I still truly hate that phrase). These days I'm a little more accepting of the service, as it has cut out the management of all the servers and a lot of the headaches that come with it. But still, you're missing that full control over the infrastructure.
Regardless, it is what it is and we're using it. And that means relying on Microsoft to provide the overall security with their anti-spam, anti-malware and filtering. Overall, it's actually incredibly good at what it does, regularly filtering hundreds of thousands of items away from our user base that would otherwise be clicking away to their hearts' content.
Along with these basics you also have the option to subscribe to their other security products, such as Advanced Threat Protection and Enterprise Mobility + Security. Subscriptions to these come with an absolute boatload of features; I lost count of how many new dashboards appear on a weekly basis as they shift things around and rename things.
I'm getting sidetracked, back to the point. Phishing. No matter how many of these products you're subscribed to, something will always make it through and users are inevitably the weakest link in the security chain. I include myself in there too, we're all human and we all make mistakes. But when one of those makes it through, the user clicks on it and inputs their details, it can have serious consequences.
"Just use MFA" I hear many cry. Well, yes, we are. But deploying something like that to a large workforce with varying levels of technical understanding takes time, planning and resources. If that phishing email happens to go to one of the users before you've fully secured them, well. You are SOL. Unfortunately, this happened recently and the account was compromised. Within 10 minutes, that account proceeded to send just short of 5000 emails internally. Externally, they were blocked within the first 100 as the Microsoft services picked up on something strange. However, when you whitelist your own domain for internal sending (there's a lesson to be learnt here), it is utterly relentless. You then need to start work on clearing up this mess as quickly as possible to stop other people from clicking on it, assuming it's safe because it came from inside.
At first, the only way to do this was with PowerShell. Microsoft have worked hard on their eDiscovery Content Search feature but I still find it to be so incredibly slow and clunky. So this is how I used to do it:
However, once MFA is enforced on your admin account, that approach no longer works: a remote session authenticated with a plain credential cannot satisfy an MFA prompt. You need to use the Exchange Online PowerShell module instead. Unfortunately, this takes a little more pre-planning and isn't as simple as opening up PowerShell and having at it.
Firstly, Windows Remote Management needs to be enabled on your system. This is not on by default, so you'll need to run the following in an elevated command prompt:
winrm quickconfig
Once that is done, you'll need to make sure that Basic authentication is enabled on the WinRM client by running the command below and checking that the output shows Basic = true (if it reports false, enable it from an elevated prompt before continuing):
winrm get winrm/config/client/auth
Once you've done that you'll need to install the Exchange Online Remote PowerShell Module. This isn't supported in PowerShell Core. To install it, sign in to your Exchange Online Admin Center, head over to Hybrid > Setup and click Configure for the Exchange Online Remote PowerShell Module. Once it is installed, it will pop open a new PowerShell window and create a shortcut on your desktop. Now you can start the process of connecting and doing the job, but there are a few differences in the connection process. I added a new file to my repo to reflect this:
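To show the whole clean-up end to end, here is an added example script of my own (it is not the file from the author's GitHub repo and not Microsoft's code). It checks the WinRM client setting described above, connects to Security & Compliance Center PowerShell with an MFA-capable sign-in, scopes a Compliance Search to one phishing campaign, previews the matches and, only when asked, soft-deletes them from every mailbox. It assumes the Exchange Online Remote PowerShell Module is installed and the script is run from the window it opens; Connect-IPPSSession is the cmdlet that module provides (the later ExchangeOnlineManagement module provides the same cmdlet). The admin UPN, sender, subject and time window are placeholders you supply.

```powershell
<#
 Added example (not the author's repo code): purge one phishing campaign from
 every mailbox using Security & Compliance Center PowerShell.
 Assumes Connect-IPPSSession is available (Exchange Online Remote PowerShell
 Module or ExchangeOnlineManagement). All parameter values are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $AdminUpn,       # e.g. admin@contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $SenderAddress,  # the compromised internal sender
    [Parameter(Mandatory)] [string] $Subject,        # exact subject line of the phish
    [datetime] $ReceivedAfter = (Get-Date).AddHours(-24),
    [switch]   $Purge                                # without -Purge the script only previews
)

# 1. Prerequisite from the post: the module needs WinRM client Basic auth = true.
#    Read-only check; changing the setting needs an elevated prompt.
$winrmAuth = (winrm get winrm/config/client/auth) -join "`n"
if ($winrmAuth -notmatch 'Basic\s*=\s*true') {
    throw 'WinRM client Basic auth is off. Elevated prompt: winrm set winrm/config/client/auth @{Basic="true"}'
}

# 2. Connect. This opens the modern-auth sign-in window and honours MFA.
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Searches and actions are asynchronous; poll until they reach a terminal state.
function Wait-ForCompletion([scriptblock]$Get) {
    do {
        Start-Sleep -Seconds 5
        $obj = & $Get
    } until ($obj.Status -in 'Completed', 'PartiallySucceeded', 'Failed')
    if ($obj.Status -eq 'Failed') { throw "$($obj.Name) failed" }
    return $obj
}

# 3. Tightly scoped KQL: sender AND subject AND a received window, so the purge
#    cannot sweep up unrelated mail from the same (legitimate) internal sender.
$name  = 'Phish-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$query = 'from:"{0}" AND subject:"{1}" AND received>={2:yyyy-MM-dd}' -f $SenderAddress, $Subject, $ReceivedAfter

New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name
$search = Wait-ForCompletion { Get-ComplianceSearch -Identity $name }
Write-Host ("Search '{0}' matched {1} item(s)" -f $name, $search.Items)

# 4. Always preview before deleting. The preview action is named <search>_Preview.
New-ComplianceSearchAction -SearchName $name -Preview | Out-Null
$preview = Wait-ForCompletion { Get-ComplianceSearchAction -Identity "${name}_Preview" }
$preview.Results

# 5. Soft-delete (users can still recover from Deleted Items) only when asked.
#    Documented limit: one purge action removes at most 10 items per mailbox,
#    so repeat the purge if a single mailbox received more than that.
if ($Purge) {
    New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete -Confirm:$false
}
```

Run it once without -Purge, read the preview results, and only then run it again with -Purge. Keep the subject and sender filters exact: a search on subject alone will happily match replies and forwards that users already flagged to IT.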
I've been meaning to learn how to create a nice GUI for something like this for a while, so people like first line support could take over without having to know how it all works behind the scenes. I suppose that is the purpose of Microsoft's eDiscovery Content Search portal, but as I said, it's just... shit, and you still need to connect to PowerShell to actually delete things properly anyway.
Running commands from a random blog is not something you should ever do without knowing what they are actually doing. Pretty much everything I've written here is available on the Microsoft Docs link below:
Once you've confirmed what it is I'm actually doing, I hope that my experience will save you a little time. I'm not a coder/developer/hacker/whateverthecooltermis which is why things are kept simple. So if you'd like to help improve the resources on GitHub I would be very grateful for any suggestions or pull requests.