Threat Explorer in Microsoft 365 Defender got a refresh

Hi All,

I am pretty sure I did not read anything about this refresh of Explorer in Microsoft 365 Defender (Security Admin Center) https://security.microsoft.com/threatexplorer


It has also been renamed from "Threat Explorer" to just "Explorer".
What I absolutely love about this is that the default now points to "All email" instead of "Malware" like before.


You still have a lot of filtering possibilities


And the chart view also has different filtering options


A quick check in Advanced Hunting shows that some changes were made here as well


After a moment (15-30 minutes) I was able to execute the queries again.



Regards
Andres Bohren


Microsoft Teams Export assigned Phonenumbers to CSV

Hi All,

Did you ever wanted to have a List of all assigned Phone Numbers in Teams?

For Call Queues and Auto Attendants you can find the list of resource accounts in the Teams Admin Center (TAC) under Voice > Resource accounts


Sadly, the same does not apply to users. Under "Phone numbers" you will only find a list of numbers if you're using Operator Connect.


For the users you have to go to Users > Manage users. But here all users are listed, not only the ones with phone numbers


Maybe you can use a filter. The best fit would probably be to query the voice routing policy, given that you have set it correctly for every user.


I found a handy script from Andrew Morpheth on GitHub

The script will export all numbers to a CSV


Make sure you have these Azure AD roles assigned:
Skype for Business Administrator
Teams Administrator


Otherwise you will run into this Error


Here is the Export.

Sadly the Call Queues and Auto Attendants are listed twice (type User and CallQueue/AutoAttendant)
But hey, I think the script is still handy
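As an added example (not the script from GitHub referenced above), the same export done directly with the MicrosoftTeams module, with resource accounts typed as CallQueue or AutoAttendant and excluded from the user list so nothing is listed twice. It assumes the MicrosoftTeams module is installed and the account has the Teams Administrator role; the output path is a placeholder.

```powershell
###############################################################################
# Added example: export all assigned Teams phone numbers to a CSV (deduplicated)
# Requires the MicrosoftTeams module and the Teams Administrator role (assumption)
###############################################################################
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Well-known application IDs of Teams resource accounts
$AppIds = @{
    "11cd3e2e-fccb-42ad-ad00-878b93575e07" = "CallQueue"
    "ce933385-9390-45d1-9512-c8d228074e07" = "AutoAttendant"
}

# Resource accounts (Call Queues / Auto Attendants) that have a number assigned
$ResourceAccounts = Get-CsOnlineApplicationInstance | Where-Object { $_.PhoneNumber }
$Resources = foreach ($RA in $ResourceAccounts) {
    $AppId = "$($RA.ApplicationId)"
    [PSCustomObject]@{
        DisplayName        = $RA.DisplayName
        UserPrincipalName  = $RA.UserPrincipalName
        PhoneNumber        = ($RA.PhoneNumber -replace '^tel:', '')
        Type               = if ($AppIds.ContainsKey($AppId)) { $AppIds[$AppId] } else { "ResourceAccount" }
        VoiceRoutingPolicy = $null
    }
}

# Users with a number (LineUri is set for Enterprise Voice users); resource accounts
# also show up as users, so they are filtered out here to avoid the double listing
$ResourceUpns = @($ResourceAccounts.UserPrincipalName)
$Users = Get-CsOnlineUser -ResultSize Unlimited |
    Where-Object { $_.LineUri -and ($_.UserPrincipalName -notin $ResourceUpns) } |
    ForEach-Object {
        [PSCustomObject]@{
            DisplayName        = $_.DisplayName
            UserPrincipalName  = $_.UserPrincipalName
            PhoneNumber        = ($_.LineUri -replace '^tel:', '')
            Type               = "User"
            VoiceRoutingPolicy = $_.OnlineVoiceRoutingPolicy
        }
    }

# Placeholder output path
$CsvPath = "C:\Temp\TeamsPhoneNumbers.csv"
@($Users) + @($Resources) | Sort-Object PhoneNumber |
    Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
Write-Output "Exported $(@($Users).Count) users and $(@($Resources).Count) resource accounts to $CsvPath"
```

The VoiceRoutingPolicy column is included because, as noted above, the voice routing policy is the closest thing to a "has a number" filter in the admin center; a user with a LineUri but no voice routing policy is worth a second look.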



Regards
Andres Bohren

Upload file to SharePoint Online with PnP.PowerShell

Hi All,

A few weeks ago I had to upload a file to a SharePoint site with a PowerShell script.
In this blog article I explain how I did it.

All you need is

Here is the file I want to upload and replace with my PowerShell script (Documents/Project/Script/AADUsers.csv)


Azure AD Application

You need to create an Azure AD application. Copy the Application ID; you will need it later for the PowerShell script


The application needs a client secret. Copy the client secret; you will need it later for the PowerShell script.
With the SharePoint app-only (ACS) model used here, a client secret is required; certificates cannot be used for this type of authentication. PnP.PowerShell does support certificate authentication, but only with Azure AD app-only (Connect-PnPOnline -ClientId -Tenant -CertificatePath or -Thumbprint), which is a different permission model than the appinv.aspx grant below. Note that ACS app-only authentication is disabled by default on newer tenants (Set-SPOTenant -DisableCustomAppAuthentication $false re-enables it).


You don't need to grant any API permissions in Azure AD. The permissions will be set on the SharePoint site.



SharePoint Permission

Go to the SharePoint site you want to upload to, open "/_layouts/appinv.aspx", enter the App ID and click on Lookup.
https://[tenant].sharepoint.com/sites/[siteName]/_layouts/appinv.aspx


Now we add the permission. It has to be done with an XML snippet

Add-in permissions in SharePoint
https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint

http://sharepoint/content/tenant                     #Tenancy
http://sharepoint/content/sitecollection             #Site Collection   
http://sharepoint/content/sitecollection/web        #Website
http://sharepoint/content/sitecollection/web/list    #List

In this example the following XML is sufficient. AllowAppOnlyPolicy="true" is required because the script runs without a user context. FullControl is more than an upload needs; Right="Write" is enough to add and replace files in the library and is the least-privilege choice.

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl"/>
</AppPermissionRequests>


On the next Page we select "Documents" and hit "Trust it"


You can't change the settings afterwards, but under Site Settings > Site collection app permissions you can view the applications


As mentioned, you can't edit the grant. Simply delete the app and trust it again with the new XML.


PowerShell Script

And here is the PowerShell Script to Upload a File with PnPPowerShell

###############################################################################
# Upload file to SharePoint with PnP.PowerShell
# 23.01.2022 - Andres Bohren
###############################################################################
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
$ClientSecret = "YourClientSecret"   # don't leave the real secret in the script; read it from a secure store
$SiteURL = "https://icewolfch.sharepoint.com/sites/DemoTemplate/"
$RelativeURL = "Freigegebene Dokumente/Project/Script"   # site-relative folder ("Freigegebene Dokumente" = Shared Documents)
$CSVFile = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"

#Connect-PnPOnline (SharePoint app-only / ACS: App ID + client secret)
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
Get-PnPContext

#Items in Folder
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
$Items

#Upload File (an existing file with the same name is replaced)
Write-Output "Uploading CSV to SharePoint"
$FolderObject = Get-PnPFolder -Url $RelativeURL
$Upload = Add-PnPFile -Path $CSVFile -Folder $FolderObject
If ($null -ne $Upload)
{
    Write-Output "File successfully uploaded"
}
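As an added example (not part of the original post), the same upload with certificate-based Azure AD app-only authentication instead of the ACS client secret. It assumes the Azure AD app has the SharePoint application permission Sites.Selected granted (with Write access to this site via Grant-PnPAzureADAppSitePermission) or Sites.FullControl.All; the tenant, App ID, PFX path and site URL are placeholders.

```powershell
###############################################################################
# Added example: certificate-based app-only upload with PnP.PowerShell
# Assumptions: placeholder tenant/App ID/paths; app has Sites.Selected (Write on
# this site) or Sites.FullControl.All as SharePoint application permission
###############################################################################
$SiteURL     = "https://contoso.sharepoint.com/sites/DemoTemplate/"
$AppID       = "00000000-0000-0000-0000-000000000000"
$Tenant      = "contoso.onmicrosoft.com"
$PfxPath     = "C:\certs\pnp-upload.pfx"
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$RelativeURL = "Freigegebene Dokumente/Project/Script"
$CSVFile     = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"

# One-time (with an admin connection): limit the app to this site only, with Write rights
# Grant-PnPAzureADAppSitePermission -AppId $AppID -DisplayName "CSV Upload" -Site $SiteURL -Permissions Write

# Connect with the certificate; no secret is stored in the script
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -Tenant $Tenant -CertificatePath $PfxPath -CertificatePassword $PfxPassword
Get-PnPContext

# Upload and verify that the file object came back
$Upload = Add-PnPFile -Path $CSVFile -Folder $RelativeURL
if ($null -ne $Upload) {
    Write-Output "File successfully uploaded: $($Upload.Name)"
} else {
    Write-Error "Upload failed"
}
```

Sites.Selected scopes the app to the sites you explicitly grant, which is the Azure AD equivalent of the per-site appinv.aspx grant above; a certificate in a PFX or the machine store is also much easier to rotate than a client secret that ends up in a script.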






Regards
Andres Bohren


M365 Import List from Excel File

Hi All,

Did you know, that you can create a Microsoft List in M365 from an Excel?

I have created this example Excel file


From the Office 365 portal in the browser I open Lists


Here i create a "New List"


I select "From Excel"


The Excel File has to be on your OneDrive


If the table is not yet properly formatted, you need to fix that


With a click on "Open" above, the Excel file is loaded in Excel Online. Then select the data and choose "Format as Table". Then close Excel Online



Now you are able to fix some column names and check the types


Give the List a Name and Save it


And here you go: A List imported from Excel


With "New" you can add new entries


You will find your Lists under "My Lists"



Regards
Andres Bohren


DANE - DNS-based Authentication of Named Entities

Hi All,

You might have stumbled over the Microsoft announcement of DNSSEC/DANE for Exchange Online.
In this blog post I would like to explain in detail how it works


Microsoft 365 roadmap


What is DANE?

DANE is the abbreviation for "DNS-based Authentication of Named Entities".

DANE is defined in RFC 6698
The DNS-Based Authentication of Named Entities (DANE)
Transport Layer Security (TLS) Protocol: TLSA
https://datatracker.ietf.org/doc/html/rfc6698

The SMTP-specific profile (which certificate usages apply to mail, how MX hosts are handled) is RFC 7672, SMTP Security via Opportunistic DANE TLS.

It requires a TLSA DNS record. In the RFC above there is this statement:
TLSA Record ("TLSA" does not stand for anything; it is just the name of the RRtype)

Maybe that's true. I would consider it a TLS Anchor.

It is kind of like HTTP Public Key Pinning (HPKP), but for SMTP, with the important difference that the pin is published in DNS and its integrity rests on DNSSEC rather than on a previous visit.
An interesting note is that HPKP is already deprecated and no longer supported in any browser.

How does DANE work?

In short, these are the steps that are performed
  • MX lookup (the answer must be DNSSEC-validated)
  • DANE lookup (TLSA record for the mail server hostname, also DNSSEC-validated)
  • Connect to the mail server, issue STARTTLS and get the TLS certificate
  • Check if the certificate (or its public key) matches the hash in the TLSA record


MX Lookup

As a mail server or Exchange admin, you will be familiar with MX lookups. There are many ways to do it.

With the Windows command prompt

nslookup -type=mx hostpoint.ch


With PowerShell cmdlets

Resolve-DnsName -Name hostpoint.ch -Type MX



Via DNS over HTTPS

$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$MX = $json.Answer.data
$MX



DNSSEC

But wait, didn't you say that the DNS zone has to be secured with DNSSEC?
Yes, that's true. But how can I check that?

DNSSEC Analyzer



Another interesting method is to use DNS over HTTPS with PowerShell.
The DNS zone hostpoint.ch is protected with DNSSEC, while the DNS zone icewolf.ch is not.

$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$json

As you can see there are some flags in the REST response. AD = true is what we are looking for.
  • TC: TrunCation (truncated due to length greater than that permitted on the transmission channel)
  • RD: Recursion Desired
  • RA: Recursion Available
  • AD: Authentic Data
  • CD: Checking Disabled

Keep in mind what AD = true actually says: the resolver you asked (here dns.google) validated the DNSSEC chain for you. You are trusting that resolver and the HTTPS connection to it, which is fine for a quick check. A DANE-aware MTA must validate itself or use a trusted local validating resolver, because a forged AD bit from an untrusted resolver would defeat the whole purpose.

My DNS zone icewolf.ch is hosted on Azure DNS. An interesting side note is that Azure DNS does not support DNSSEC at this time.


TLSA DNS Record

The TLSA DNS Record looks like this
_<Port>._tcp.<Servername> IN TLSA <Certificate usage> <Selector> <Matching Type> <Fingerprint>


Certificate Usage (0 - 3)

0 PKIX-TA: the hash belongs to a CA certificate that must appear in the server's chain. The client must also trust this CA through its normal trust store (Trusted Root CA or Trusted Subordinate CA).
1 PKIX-EE: the hash belongs to the server certificate itself, and the certificate must additionally chain to a CA the client trusts.
2 DANE-TA: the hash belongs to a CA certificate that is allowed to issue certificates for this host. The client must trust this CA even if it is not in its list of Trusted Root or Subordinate CAs.
3 DANE-EE: the hash belongs to the server certificate and the client trusts it without evaluating the certificate chain (RFC 7672 also drops the name and expiry checks for this usage).

For SMTP (RFC 7672) only usages 2 and 3 are used; DANE-aware MTAs ignore records with usage 0 or 1, because there is no common trust store for opportunistic SMTP TLS.

Selector (0 or 1)

0 The full certificate (DER encoded) is the input
1 Only the SubjectPublicKeyInfo (public key plus algorithm, DER encoded) is the input

Matching Type (0-2)

0 No hash: the selected data is published in full (exact match)
1 SHA-256 hash of the selected data
2 SHA-512 hash of the selected data

RFC 7672 recommends "3 1 1" (or "2 1 1") for SMTP. With selector 1 the record only changes when the key changes, so a certificate renewal that keeps the key pair does not require a DNS change.

Let's check with the Windows command prompt - it does not know that resource record

nslookup -type=tlsa _25._tcp.mx.hostpoint.ch


Let's check with the PowerShell cmdlets - same here, the resource type is not known

Resolve-DnsName -Name _25._tcp.mx.hostpoint.ch -Type TLSA


Let's try with DNS over HTTPS - here it works

$TLSAQuery = "_25._tcp.mx.hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$TLSAQuery&type=TLSA"
$TLSA = $json.Answer.data
$TLSA



If you're working on Linux, these are your commands:

Install the BIND utilities (package name bind-utils on RHEL/CentOS/Fedora, dnsutils on Debian/Ubuntu)
sudo yum install bind-utils

DNS query
dig _25._tcp.mx.hostpoint.ch IN TLSA +short


Most DNS providers out there currently do not support creating TLSA DNS records

Even in the control panel of Hostpoint (remember, it does support DNSSEC and has published its own TLSA record) it's not possible to publish a TLSA record.

Same applies also to Azure DNS


Normally you can check any DNS record with MXToolbox.com - not TLSA records, at least not for the moment. I guess that will change soon.


But there are alternatives like this one

DANE SMTP Validator



or this one


Mail Server Certificate

It's now time to get the mail server certificate. A while ago I created a PowerShell script for getting the SMTP certificate (it connects on port 25, issues STARTTLS and saves the certificate the server presents).

$Mailserver = "mx.hostpoint.ch"
.\Get-SMTPCertificate.ps1 -ServerName $Mailserver -Port 25 -SendingDomain icewolf.ch -CertificateFilePath C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer


Create the Hash

To be honest, I was struggling with that part. None of my efforts in creating a SHA-256 hash of the certificate / certificate public key did match the hash in the TLSA record.

It's not as simple as creating a SHA-256 hash of the .cer file: for a "3 1 1" record the input is the DER-encoded SubjectPublicKeyInfo (selector 1), not the whole certificate and not the raw key bits.

# The GetSpkiFingerprint method returns the SPKI Fingerprint suitable for use in pinning.
#  (See RFC 7469.)  An SPKI Fingerprint is defined as the output of a known cryptographic hash
#  algorithm whose input is the DER-encoded ASN.1 representation of  the Subject Public Key Info
# (SPKI) of an X.509 certificate.  The first argument specifies the hash algorithm and may be
# "sha256", "sha384", "sha512", "sha1", "md2", "md5", "haval", "ripemd128",
# "ripemd160","ripemd256", or "ripemd320".   
# The second argument specifies the encoding, and may be "base64", "hex",


But you can use Certutil with the *.cer File

certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer


Or create a PowerShell script around certutil

###############################################################################
# Hash with PowerShell and Certutil
###############################################################################
$Dump = certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
# certutil prints the SPKI SHA-256 fingerprint (selector 1, matching type 1) as "pin-sha256-hex"
$Line = ($Dump | Select-String -Pattern "pin-sha256-hex").Line
$SpkiFingerprint = ($Line -split ":", 2)[1].Trim()
$SpkiFingerprint



Or use openssl

openssl x509 -in hostpoint.cer -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
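The openssl and certutil one-liners above cover exactly one combination (selector 1, matching type 1). As an added example (not code from the original post), here is the full check from the steps described earlier in PowerShell: compute the association data for any selector / matching type combination from the exported .cer file and compare it with the TLSA record fetched via DNS over HTTPS. It needs PowerShell 7 (ExportSubjectPublicKeyInfo is .NET Core 3.0+); the certificate path and the TLSA owner name are the ones used in this post and can be swapped. Only usage 3 (DANE-EE) is checked, because a single .cer file holds no issuer certificate to test a usage 2 record against.

```powershell
###############################################################################
# Added example: compute TLSA association data for a certificate and compare it
# with the published record. PowerShell 7 required (ExportSubjectPublicKeyInfo).
# Assumptions: .cer path and TLSA name are placeholders; only usage 3 is checked.
###############################################################################
function Get-TlsaAssociationData {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet(0,1)][int]$Selector = 1,       # 0 = full certificate, 1 = SubjectPublicKeyInfo
        [ValidateSet(0,1,2)][int]$MatchingType = 1  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    )
    # Selector picks the input: DER certificate or DER SubjectPublicKeyInfo
    [byte[]]$Data = if ($Selector -eq 0) { $Certificate.RawData } else { $Certificate.PublicKey.ExportSubjectPublicKeyInfo() }
    # Matching Type picks the hash over that input (0 = no hash, data published as-is)
    [byte[]]$Result = switch ($MatchingType) {
        0 { $Data }
        1 { [System.Security.Cryptography.SHA256]::Create().ComputeHash($Data) }
        2 { [System.Security.Cryptography.SHA512]::Create().ComputeHash($Data) }
    }
    return ([System.BitConverter]::ToString($Result) -replace '-', '').ToLower()
}

function Test-TlsaRecord {
    param(
        [Parameter(Mandatory)][string]$Rdata,   # "3 1 1 <hex>" as returned by dig or DoH
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$ServerCertificate
    )
    $Parts = $Rdata -split '\s+', 4
    $Usage = [int]$Parts[0]; $Selector = [int]$Parts[1]; $MatchingType = [int]$Parts[2]
    $Published = ($Parts[3] -replace '\s', '').ToLower()   # dig may wrap the hex with spaces
    if ($Usage -ne 3) {
        # Usage 2 (DANE-TA) must be matched against the issuing CA in the chain the server
        # sends; usages 0 and 1 are not used for SMTP (RFC 7672). Not handled here.
        Write-Warning "Usage $Usage is not checked by this example (DANE-EE / usage 3 only)"
        return
    }
    $Computed = Get-TlsaAssociationData -Certificate $ServerCertificate -Selector $Selector -MatchingType $MatchingType
    [PSCustomObject]@{
        Usage = $Usage; Selector = $Selector; MatchingType = $MatchingType
        Published = $Published; Computed = $Computed; Match = ($Published -eq $Computed)
    }
}

# Certificate exported with Get-SMTPCertificate.ps1 (path as used in this post)
$CerPath = "C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer"
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

# TLSA record via DNS over HTTPS, including the DNSSEC validation status of the resolver
$json = Invoke-RestMethod -Uri "https://dns.google/resolve?name=_25._tcp.mx.hostpoint.ch&type=TLSA"
if (-not $json.AD) { Write-Warning "Answer was not DNSSEC-validated by the resolver (AD flag not set)" }
foreach ($Record in $json.Answer.data) {
    Test-TlsaRecord -Rdata $Record -ServerCertificate $Cert
}
```

Running Get-TlsaAssociationData with -Selector 1 -MatchingType 1 gives the same value as the openssl pipeline above (for selector 0 the openssl equivalent is to hash the DER certificate instead of the extracted public key). The same function is what you run when you need to publish a record: take the output for the new certificate, and note that with selector 1 nothing changes as long as you renew with the same key pair, which is what makes rollover manageable.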




If you need to create a TLSA DNS Entry, there are also Tools on the internet



Summary
The requirements for DANE are pretty high, with DNSSEC and a TLSA record.
Administrators need to understand how to create these DNS records and how to roll them over when a certificate (or its key) is replaced.
Anyway, I am excited to see that Exchange Online will support DANE soon.
So prepare yourself to be able to troubleshoot if something isn't set up correctly.

Regards
Andres Bohren


How does Brand Indicators for Message Identification (BIMI) work?

Hi all,

Recently I stumbled over a new term called "BIMI"

What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that
enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization
has put into deploying DMARC protection, by bringing brand logos to the customer's inbox. For the brand's logo to
be displayed, the email must pass DMARC authentication checks, ensuring that the organization's domain has not
been impersonated.


The promise of BIMI is, that the Inbox shows your brand logo.



It's still an IETF draft; it started back in 2019 and had a new version published in October 2021

Azure Information Protection Unified Labeling (AIP UL) 2.13.49

Hi everybody

I've just seen that a new version of Microsoft Azure Information Protection (AIP UL) Client was released.

Apart from a few updates, fixes, and enhancements, the new client will only support the x64 platform.

Azure Information Protection unified labeling client - Version release history and support policy