TL;DR Ensure you can reliably take initial containment actions such as disabling accounts, resetting passwords, and revoking tokens. Token binding ensures that a token only works on the specific device the token was issued and is currently the best protection against token theft. As a minimum enable Security Defaults to require MFA for all privileged users. Look to enable Conditional Access policies which enforce location, device compliance, and session lifetime controls for high value identities and services. Validate configuration changes, such as checking CA policies are enforced as expected with sign-in log data. Ensure admin account separation with segregated cloud-only identity for cloud administrative activities, without access to ‘phishable’ services like email. Introduction This is the second in a three-part series looking at the key steps for an effective investigation, response, and remediation of email-based threat in M365. Part one looked at the key artefacts to optimise investigation outcomes for BEC in M365. Having the UAL enabled was critical to answering the investigation questions, and utilising Defender for Office and Defender for Cloud tables in Advanced Hunting provides the most granular detail and scalable analysis. Part two covers the response and remediation actions in M365. The response steps help to contain an incident and buy time to establish the scope of compromise. Short-term remediation actions help get things back to business as usual,…Read More