MDO Teams Threat
The Problem
Attackers can bypass MDO protections in Teams for guest users using an unprotected tenant. The protections used in Teams messages are determined by the host tenant; therefore, if a guest account is invited to a Teams chat in an unprotected tenant, then an attacker can send them malicious URLs and attachments that are not scanned by MDO.
Full Scenario
An attacker spins up a tenant with minimal licensing, specifically with no security licensing. Using normal guest invitation procedures or the new Microsoft “Chat with people not using Teams” feature, a guest is invited to a Teams chat. If the victim accepts, the attacker sends them malicious links and/or attachments. Since the MDO protections are determined by the hosting tenant of the chat (the attacker’s tenant in this scenario), the links and attachments are not scanned by MDO Safe Links and Safe Attachments.
How Can We Mitigate the Risk?
Here are a few options to mitigate or reduce the risk of this scenario:
- Set the allowed/blocked external domains for Teams in the Global settings
  - This setting gives you control over the domains a user is allowed to contact via Teams. You can define this setting to:
    - Allow only a specific set of external domains (recommended)
    - Allow all external domains (not recommended)
    - Block a specific set of external domains (not recommended)
    - Block all external domains (recommended)
  - This setting can prevent your user accounts from accepting the malicious invites and joining the malicious chats, but it will not protect their personal emails from being invited and joining. Education and awareness are the only ways to help prevent compromise from personal account usage.
- Set the allowed/blocked external domains for Teams using a user-based policy
  - The settings configured are the same as above; however, you can choose to apply a Teams external access policy to a set of users that will take precedence over the global org settings.
  - If you cannot block external domains for the whole org, you can use a policy to block external domains for admins, high-risk accounts, or others that have a large blast radius should they be compromised.
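Both mitigations above can be applied from the MicrosoftTeams PowerShell module instead of the Teams admin center. The script below is an added example, not code from the original post; it assumes the module is installed and the account has Teams administrator rights, and every domain name, policy name and user UPN in it is a placeholder to replace with your own values. It shows the global "allow only a specific set of external domains" setting, the global "block all" alternative, and a per-user external access policy for high-blast-radius accounts that overrides the org-wide setting.

```powershell
# Added example (not from the original page): restricting Teams external access
# with the MicrosoftTeams PowerShell module. Domain names, policy name and user
# UPNs are placeholders. Assumes Install-Module MicrosoftTeams has been run and
# the signed-in account holds Teams administrator rights.

Connect-MicrosoftTeams

# --- Option 1: org-wide (global) external access settings ---

# Review the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# "Allow only a specific set of external domains" (recommended): federation stays
# on, but only the listed partner domains can reach your users.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('partner-a.example', 'partner-b.example')

# Also turn off chat with personal/consumer Teams accounts. Assumption: this is
# the relevant switch for the "chat with people not using Teams" path in your
# tenant; confirm against the Teams admin center before relying on it.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# "Block all external domains" (recommended where the org can live without
# federation) is the single switch below; left commented so the example does not
# apply both options at once.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# --- Option 2: user-based policy for high-blast-radius accounts ---
# A per-user external access policy takes precedence over the global setting, so
# admins and other sensitive accounts can be locked down even when the org keeps
# federation open for everyone else.
$policyName = 'NoExternalAccess-HighRisk'   # placeholder name

if (-not (Get-CsExternalAccessPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity $policyName `
        -EnableFederationAccess $false `
        -EnableTeamsConsumerAccess $false
}

# Placeholder UPNs: global admins, SecOps leads, break-glass accounts, etc.
$highRiskUsers = @('globaladmin@contoso.example', 'secops-lead@contoso.example')
foreach ($upn in $highRiskUsers) {
    Grant-CsExternalAccessPolicy -Identity $upn -PolicyName $policyName
}

# Verify the assignment took effect on one of the accounts.
Get-CsOnlineUser -Identity 'globaladmin@contoso.example' |
    Select-Object UserPrincipalName, ExternalAccessPolicy
```

Run the `Get-CsTenantFederationConfiguration` query first and record the output, since the allowed-domain list replaces whatever was there. As the post notes, none of this reaches a user's personal account: the policy only governs what your managed identities can accept, so it complements rather than replaces user awareness.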
Sentinel Data Lake
What is the Sentinel Data Lake?
The Sentinel Data Lake is a long-term, cold storage solution separate from a log analytics workspace. This new data lake allows you to store more data for longer at a lower cost. Previously, you had 3 options for data storage in log analytics: the analytics tier, basic logs, and auxiliary logs. Now, you still have the same analytics tier, which is not changing, and you have the new cold storage data lake tier, which allows cold storage for up to 12 years. Pricing for the data lake tier can be found here.
Should you enable the Sentinel Data Lake?
Yes. The Sentinel Data Lake is a cheaper alternative to basic logs and auxiliary logs. Additionally, the data lake tier provides cheaper and more extensive options for querying data in cold storage. This has not been confirmed by Microsoft; however, it would make sense that they are going to build additional Sentinel features that utilize the Sentinel Data Lake; therefore, you would need to enable the Sentinel Data Lake to make use of these future features.
How to enable the Sentinel Data Lake?
Enabling the Sentinel Data Lake is very simple. Go to the Security Center > Settings > Microsoft Sentinel > Data Lake. Once you start the process, you only need to enter a subscription and resource group for billing purposes. Required prerequisites can be found here.