Hello, welcome to the Thursday, June 28th, 2018 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Remember about a week ago, I talked to Mark Lucas, the SDI student who wrote a paper about Office 365 logs.

Now, he explained how there are actually quite detailed logs available, but a lot of this

you have to enable and of course it's too late to enable it after an incident.

Well, it turns out that in addition to these official logs that Microsoft actually always had some

private APIs that could be used to gather some fairly detailed data about Office 365

activity.

This particular API was fairly tightly held up to now.

We have now a couple great blog posts by CrowdStrike

and by Sherry Davidov about how to actually analyze this and Sherry's team actually did

release a tool that makes it rather easy to extract these logs. So we're not talking about the vulnerability

here. These logs, they require authentication, everything, but these are APIs that were

not available or at least not made public before, and only a couple forensics teams actually

knew about the existence of these APIs and sort of treated them as a trade secret.

Now one particular type of case where this comes in really handy is fishing.

And this is something that Office 365 users fall for all the time.

Given that there are still organizations out there that do not enforce

two-factor authentication for these kind of cloud services. So typically, if your account gets

breached, then hacker will then try to launch a business email compromise, which usually

involves them searching for emails that relate to invoices, for example,

and of course they will log in and send email or read email to do this.

...