I do remember in the past, when I started having issues with email been rejected, obviously we got a spike on tickets because this problem was affecting the whole company. After checking the NDR (Non-delivery report) and different workarounds, I realize that a certificate for exchange has expired.
There are different approaches to identify whether a certificate is about to expire; in this article https://tonygonzalez0379.com/2020/05/25/how-to-check-certificates-expiration-date-using-powershell, you can find how to use PowerShell to identify proactively if a certificate will expire in a period of time, in my case, I use 30 days in advance, so this script is being executed on weekends. You have plenty of time to renew the certificate before you significantly impact all end users.
Another common issue that affects the email flow is when a domain name is about to expire; sometimes, we get a domain name only for a year, and then when this domain expires, Exchange can’t continue delivering email to those users that contain the specific domain in the email address.
It is common that a user has different SMTP addresses, because those accounts need to receive emails using other domains, the same approach as the certificate, you could create a PowerShell script to validate the expiration date using The Who is information for those domains.
The good news is that Microsoft 365 now has a solution that can help the administrators to proactively identify if a certificate or domain name that is part of the registered domains in M365 is about to expire; this feature is new, and you will be able to see this notification in the insight area.
Also, the administrator will receive an email with this notification. I believe that this is great for all the messaging administrators in the company, because if you are not proactive, there is a high risk of having a problem like everyone can’t send or receive emails, and the business impact could be huge.
Below you can see an example of the domain expiration. You can find this in the exchange ministration console on Office 365, in the inside tab. In the same way, you will find the information about the certificates here. Nonetheless, it is better to have a solution like PowerShell, this is the old school, and pretty much all the Administrators are familiar with this process.
Here you can see the domains that will expire soon
I was researching the ATP policies in Office 365 when I saw a message about the new features in Office 365 defender, as sometimes it happens when you start reading about a specific topic. You find different links to other various topics, and at the end, you finish reading about something different as you started. This is the case.
I would like to mention some benefits that Microsoft 365 security center and Microsoft 365 defender have to protect the information that is hosted in your M365 tenant.
The new M365 security center it’s similar to having a SIEM (Security Information and Event Management) because it provides detection, analytics, and response to different events in your organization.
In the Microsoft 365 Security Center, you can get alerts and notifications about incidents regarding security breaches.
Incident dashboard
For example, when a computer is detected sending unusual traffic, using a different port to connect applications, sites, or protocols, or if a mailbox has received malicious content like malware, virus, or phishing.
The security defender solution, besides detecting all of these attacks, also gives some playbooks to mitigate the incident and make sure that the security breach is mitigated.
In the situation where a user receives malware, the incident dashboard contains all the information regarding the computer infected, IP address, location, user details, mailboxes, and the level of the risk.
In our experience as messaging administrators, we know that regardless of all the technologies or systems that we have to identify and block malware, sometimes some emails pass through. Therefore, we need to purge the delivered emails.
Now, Office 365 can identify those emails and delete them from the mailbox, even when they have been delivered; this is known as ZAP (Zero-Hour Auto Purge). Once Office 365 identifies this problem, an alert is triggered, and the alert is correlated with an incident. Therefore, in the dashboard, we can see an investigation related to this event.
Office 365 security can act immediately without any human intervention.
NOTE: It’s important to mention that ZAP does not work in a standalone exchange Online Protection (EOP) environment that protects an On-prem exchange environment.
Report of all emails that were zapped
You can see how many emails have been Zapped, how many mailboxes have been affected, and the status of the purge; that means you can double-check that no one has that malicious email in the mailbox.
In the Microsoft 365 security center, we can see not only the email threats but their kind of alert and their status; meaning, whether that alert has been mitigated or it is in process, and you can drill down to see all details.
Part of the information that contains the alerts, you can see the user name, title, department, computer name, IP address, location, and much more data that is helpful to the administrator to review if the user was trying to log in on different computers that might be at risk.
Details about a user with a high risk score
As you can see from this figure, we could identify how risky a user is. In this example, the user is a high priority to investigate due to all the different events that her account had. Also, we can see all the various activities the user had in previous days or weeks.
Office 365 provides a score where we can quickly identify the top users where you need to take action because they can be compromised.
With the advanced hunting tool, you are able to query different system applications from Office 365 such as Defender for Office 365, Defender for EndPoint, Defender for Identity, Cloud App Security (CAS), ATP, EOP, and then use a query to get information from all this telemetry.
Advance hunting console
The output of these queries can give us more valuable information about an incident. For example, if there is a situation where the user account is compromised, we are talking that these credentials were trying to be stolen. Therefore we can identify if those credentials were used to try to access other computers.
As we know, some attackers start with a typical user and then, they move laterally until they find an admin user that can have access to any domain controller in the network.
After reviewing all the different capabilities that Microsoft Office 365 security provides, the solution can automatically detect anomalies, gathering formation from other Office 365 security products; as I stated before, now Office 365 has a kind of SIEM product where the security team is able to control all the different security incidents.
Alert when credentials were stolen or theft
Furthermore, we can see alerts regarding inbox forwarding rules to external email addresses, this is a common method the attackers use to extract information from users or companies, M365 defender creates an alert to notify the administrator that there is a suspicious rule in a mailbox, and then, a security administrator must take a look at this configuration and start an investigation.
I am stunned that Microsoft now has this kind of solution working towards having a cloud environment more secure.
There is something that I always tell other skeptical engineers about migrating to the cloud, is that Office 365 and Microsoft Azure provide all the tools to make a secure environment.
There are many different tools, policies, services, products, and solutions that we can implement to have a secure environment in the cloud. For example, ATP (Azure Threat Protection) policies where we can configure antimalware, Anti-Spam policies, safe attachments, safe links, data loss prevention (DLP), information protection (AIP), cloud application security (CAS), and much more security configurations!
This topic has much more to cover; this is only scratching the surface. I want to continue talking about this in other posts.
This is very helpful when you need to validate the last operation if it has information (values), in other words, if the last command was successfully.
For example, I want to validate if a folder exists in my computer:
PS C:\> $Folder = Get-ChildItem -Path c:\temp
if($?)
{
Write-Host “The folder Temp already exists” -ForegroundColor Yellow
}
else
{
Write-Host “The folder Temp does not exists” -ForegroundColor Yellow
}
The folder Temp already exists
PS C:\>
Let’s give it a try with a folder that doesn’t exist
Sometimes when we have some space problems, we need to know what information ewe must delete. The first step is get the folders with more space in the disk.
There is not a fast way to know that, worst-case scenario you have to go through all folders one by one and right click to see the size used on disk.
Researching on internet I found some PowerShell scripts to get folders details like name and size, but taking information from different sources I have created a script and even when I don’t get any error it takes more than an hour to finish, this is not a good idea for desperate people like me…. ¯\_(ツ)_/¯
This is the script… Not sure if it works because after an hour running without any error, it never finishes.
But as part of the research I found a very interesting site with a bunch of Microsoft tools, one of them is “Disk Usage” a very fast and reliable tool
After download and unzip the tool, this is the result:
You can copy and paste the information in a spreadsheet and you will be able to see the information as follow:
The command W32tm /query /configuration works in all windows versions and its helpful when a server takes another timeserver and can be different from other servers or computers running an application or service and there is a time discrepancy.
There are more tools and different parameters to use with that command but sometimes with /query /configuration are enough.
Once the module is installed, open your powershell as administrator.
To Create the session type these lines:
#only once
#Set-ExecutionPolicy RemoteSigned
$Cred=Get-Credential
$Session=New-CsOnlineSession-Credential$Cred
Import-PSSession$Session
NOTE: only the first time delete # in order to uncomment the second line to allow execute scripts. After that, you can comment this line again, is not needed the next time you execute this script to create the session.
Input the credentials to open the session
Once the session is established, the prompt will appear
And, you can type get-CsOnlineUser UserName and you will see all the user properties.
And that’s it. You can start using all cmdlets for Skype online.
When an email with malicious content like virus, phising, spam, etc is coming to the company we need to delete those emails from the recipients Inboxes, sometimes in the companies, an employee send an email with incorrect or offensive content, this process applies as well.
