365Inspect
Purpose
Further the state of M365 security by authoring a PowerShell script that automates the security assessment of Microsoft Office 365 environments.
Setup
365Inspect requires the administrative PowerShell modules for Microsoft Online, Azure AD, Exchange administration, and Sharepoint administration.
If you do not have these modules installed, you should be able to install them with the following commands in an administrative PowerShell prompt, or by following the instructions at the references below:
Install-Module -Name MSOnline
Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
- Install MSOnline PowerShell
- Install Azure AD PowerShell
- Install Exchange Online PowerShell
- Install SharePoint
Once the above are installed, download the 365Inspect source code folder from Github using your browser or by using git clone.
As you will run 365Inspect with administrative privileges, you should place it in a logical location and make sure the contents of the folder are readable and writable only by the administrative user. This is especially important if you intend to install 365Inspect in a location where it will be executed frequently or used as part of an automated process.
Usage
To run 365Inspect, open a PowerShell console with local administrator privileges and navigate to the folder you downloaded 365Inspect into:
cd 365Inspect
You will interact with 365Inspect by executing the main script file, 365Inspect.ps1, from within the PowerShell command prompt.
All 365Inspect requires to inspect your M365 tenant is access via an M365 account with proper permissions, so most of the command line parameters relate to the organization being assessed and the method of authentication.
Execution of 365Inspect looks like this:
.\365Inspect.ps1 -OrgName <value> -OutPath <value> -Auth <MFA|CMDLINE|ALREADY_AUTHED>
For example, to log in by entering your credentials in a browser with MFA support:
.\365Inspect.ps1 -OrgName mycompany -OutPath ..\365_report -Auth MFA
Or, with credentials passed on the command line:
.\365Inspect.ps1 -OrgName mycompany -OutPath ..\365_report -Auth CMDLINE -Username "first.last@mycompany.com" -Password "rlygoodpassword528"
To break down the parameters further:
- OrgName is the name of the core organization or "company" of your M365 instance, which will be inspected.
- If you do not know your organization name, you can navigate to the list of all Exchange domains in M365. The topmost domain should be named domain_name.onmicrosoft.com. In that example, domain_name is your organization name and should be used when executing 365Inspect.
- OutPath is the path to a folder where the report generated by 365Inspect will be placed.
- Auth is a selector that should be one of the literal values "MFA", "CMDLINE", or "ALREADY_AUTHED".
- Auth controls how 365Inspect will authenticate to all of the Office 365 services.
- Auth MFA will produce a graphical popup in which you can type your credentials and even enter an MFA code for MFA-enabled accounts.
- Auth CMDLINE indicates that you intend to use a non-MFA-enabled account and pass the username and password on the command line, which may be preferable for automation integration or other tasks where headless execution is desired.
- If you use auth CMDLINE, make sure to also pass the username and password parameters so 365Inspect can log into your account without producing a popup window, as depicted in the 2nd example above..
- Auth ALREADY_AUTHED instructs 365Inspect not to authenticate before scanning. This may be preferable if you are executing 365Inspect from a PowerShell prompt where you already have valid sessions for all of the described services, such as one where you have already executed 365Inspect.
When you execute 365Inspect with -Auth MFA, it may produce several graphical login prompts that you must sequentially log into. This is normal behavior as Exchange, SharePoint etc. have separate administration modules and each requires a different login session. If you simply log in the requested number of times, 365Inspect should begin to execute. This is the opposite of fun and we're seeking a workaround, but needless to say we feel the results are worth the minute spent looking at MFA codes.
As 365Inspect executes, it will steadily print status updates indicating which inspection task is running.
365Inspect may take some time to execute. This time scales with the size and complexity of the environment under test. For example, some inspection tasks involve scanning the account configuration of all users. This may occur near-instantly for an organization with 50 users, or could take entire minutes (!) for an organization with 10000.
Output
365Inspect creates the directory specified in the out_path parameter. This directory is the result of the entire 365Inspect inspection. It contains three items of note:
- Report.html: graphical report that describes the M365 security issues identified by 365Inspect, lists M365 objects that are misconfigured, and provides remediation advice.
- Various text files named [Inspector-Name]: these are raw output from inspector modules and contain a list (one item per line) of misconfigured M365 objects that contain the described security flaw. For example, if a module Inspect-FictionalMFASettings were to detect all users who do not have MFA set up, the file "Inspect-FictionalMFASettings" in the report ZIP would contain one user per line who does not have MFA set up. This information is only dumped to a file in cases where more than 15 affected objects are discovered. If less than 15 affected objects are discovered, the objects are listed directly in the main HTML report body.
- Report.zip: zipped version of this entire directory, for convenient distribution of the results in cases where some inspector modules generated a large amount of findings.
Necessary Privileges
365Inspect can't run properly unless the M365 account you authenticate with has appropriate privileges. 365Inspect requires, at minimum, the following:
- Global Reader
- Security Reader
- SharePoint Admin
- An Exchange role with View-Only access to everything
An extremely permissive role such as Global Admin will also work, but this isn't an appropriate long-term solution if you intend to use 365Inspect regularly or as part of an automated process.
Developing Inspector Modules
365Inspect is designed to be easy to expand, with the hope that it enables individuals and organizations to either utilize their own 365Inspect modules internally, or publish those modules for the M365 community.
All of 365Inspect's inspector modules are stored in the .\inspectors folder.
It is simple to create an inspector module. Inspectors have two files:
- ModuleName.ps1: the PowerShell source code of the inspector module. Should return a list of all M365 objects affected by a specific issue, represented as strings.
- ModuleName.json: metadata about the inspector itself. For example, the finding name, description, remediation information, and references.
The PowerShell and JSON file names must be identical for 365Inspect to recognize that the two belong together. There are numerous examples in 365Inspect's built-in suite of modules, but we'll put an example here too.
Example .ps1 file, BypassingSafeAttachments.ps1:
# Define a function that we will later invoke.
# 365Inspect's built-in modules all follow this pattern.
function Inspect-BypassingSafeAttachments {
# Query some element of the M365 environment to inspect. Note that we did not have to authenticate to Exchange
# to fetch these transport rules within this module; assume main 365Inspect harness has logged us in already.
$safe_attachment_bypass_rules = (Get-TransportRule | Where { $_.SetHeaderName -eq "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" }).Identity
# If some of the parsed M365 objects were found to have the security flaw this module is inspecting for,
# return a list of strings representing those objects. This is what will end up as the "Affected Objects"
# field in the report.
If ($safe_attachment_bypass_rules.Count -ne 0) {
return $safe_attachment_bypass_rules
}
# If none of the parsed M365 objects were found to have the security flaw this module is inspecting for,
# returning $null indicates to 365Inspect that there were no findings for this module.
return $null
}
# Return the results of invoking the inspector function.
return Inspect-BypassingSafeAttachments
Example .json file, BypassingSafeAttachments.json:
{
"FindingName": "Do Not Bypass the Safe Attachments Filter",
"Description": "In Exchange, it is possible to create mail transport rules that bypass the Safe Attachments detection capability. The rules listed above bypass the Safe Attachments capability. Consider revie1wing these rules, as bypassing the Safe Attachments capability even for a subset of senders could be considered insecure depending on the context or may be an indicator of compromise.",
"Remediation": "Navigate to the Mail Flow -> Rules screen in the Exchange Admin Center. Look for the offending rules and begin the process of assessing who created them and whether they are necessary to the continued function of your organization. If they are not, remove the rules.",
"AffectedObjects": "",
"References": [
{
"Url": "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules",
"Text": "Manage Mail Flow Rules in Exchange Online"
},
{
"Url": "https://www.undocumented-features.com/2018/05/10/atp-safe-attachments-safe-links-and-anti-phishing-policies-or-all-the-policies-you-can-shake-a-stick-at/#Bypass_Safe_Attachments_Processing",
"Text": "Undocumented Features: Safe Attachments, Safe Links, and Anti-Phishing Policies"
}
]
}
Once you drop these two files in the .\inspectors folder, they are considered part of 365Inspect's module inventory and will run the next time you execute 365Inspect.
You have just created the BypassingSafeAttachments Inspector module. That's all!
365Inspect will throw a pretty loud and ugly error if something in your module doesn't work or doesn't follow 365Inspect conventions, so monitor the command line output.
About Security
365Inspect is a script harness that runs other inspector script modules stored in the .\inspectors folder. As with any other script you may run with elevated privileges, you should observe certain security hygiene practices:
- No untrusted user should have write access to the 365Inspect folder/files, as that user could then overwrite scripts or templates therein and induce you to run malicious code.
- No script module should be placed in .\inspectors unless you trust the source of that script module.