News

Exchange Online Forensics Now Bolstered by Session ID Info

• By Kurt Mackie
• 01/04/2019

Organizations using the Exchange Online e-mail messaging service now are getting the ability to use session ID information in Exchange Online audit logs to better detect attacks.

The ability to use session ID information in Exchange Online audit logs kicked off on Friday, according to this Microsoft announcement. It adds yet another tool that IT pros can leverage to detect untoward activities.

Tapping the session ID information permits the logging of all Exchange Online activities, even when an attacker has used the same IP address as a particular end user for an attack. IT pros can see the activities of an attacker even when IP addresses get obscured by the use of third-party virtual private networks (VPNs) or Tor networks, or even when an organization's own VPN has been compromised, Microsoft's announcement explained. Attacker actions get traced via the session ID, on top of the IP address.

Audit log information for Exchange Online, including session ID info, can be found in Microsoft's Security and Compliance Center and Microsoft Cloud App Security products. However, the information also is available for use with other non-Microsoft security information and event management products, according to Microsoft.

Auditing was turned on by default for Exchange Online users starting this year, according to the announcement. However, IT pros should check to make sure that it really is turned on. Here's how Microsoft expressed that idea:

To get the full range of audit data in Exchange, you need to make sure mailbox auditing is turned on. Starting from the 2019 calendar year, auditing will be enabled by default but you should check if your organization has auditing enabled from this blogpost.

Microsoft first said it would turn on Exchange Online auditing by default back in July, according to the "blogpost" referenced above. However, it seems that some Office 365 tenancies may be just starting to get it this year.

The session ID information pushed into the Exchange Online audit logs actually comes from Azure Active Directory tokens, so organizations will need to be using that identity and access management service to leverage the session ID information. Furthermore, organizations need to have so-called "modern authentication" in place. Modern authentication is Microsoft's phrase for the use of Active Directory Authentication Library and OAuth 2.0 technologies.

The use of modern authentication further requires blocking Microsoft's "legacy" or older authentication schemes that are associated with Exchange Online clients older than Outlook 2013. Microsoft also refers to these legacy authentication methods as "basic authentication." Basic authentication doesn't permit improved schemes like multifactor authentication, where a secondary means of verifying the user's identity is required, typically via a phone call or messaging service.

Microsoft also really wants organizations using Exchange Online to block legacy or basic authentication. Here's how the announcement expressed that point:

The benefits of blocking basic authentication cannot be overstated; they enable a host of protection capabilities. You can find more information about how to block legacy authentication and the benefits in this blogpost.

In October, Microsoft had announced a preview of a new capability that permits IT pros to disable basic authentication across an Exchange Online tenancy using authentication policies. According to the Microsoft 365 roadmap page, that capability got launched in the third quarter of 2018. Modern authentication needs to be enabled first before disabling basic authentication, Microsoft's documentation explained.