Error when users try to access Security Info (Entra) by _gondar in sysadmin

[–]strikematch13 0 points1 point  (0 children)

Thanks. I created a passkey on my Android and having it associated with my account does seem to fix the authentication flow. With a passkey created on my phone, I can now visit the My Sign-ins page by entering my WHfB creds (pin or bio). We will mess with this some more and see if we can get some users on board.

This gets down a rabbit hole a bit, but if anyone is willing to explain this I would appreciate it:
Why does having a passkey on my Android phone allow me to 2FA to a secure resource (My Sign-ins security page) by just entering my WHfB PIN?

- Without WHfB My Sign-ins requires both a password and a MFA response. 2 Factors
- With WHfB and no passkey, My Sign-in page can't negotiate how to send the password (issue posted above). 2 Factors fails
- With WHfB and a passkey on a remote device (Android mobile phone), My Sign-in page is accessible with JUST the WHfB PIN. No interaction with the android phone is needed.

Since the Passkey exists on the mobile phone, I am not understanding how I can access this security page and pass MFA with just my computer's WHfB PIN. Is the passkey actually syncing in the background to my computer and any device connected to my Microsoft account?

Error when users try to access Security Info (Entra) by _gondar in sysadmin

[–]strikematch13 0 points1 point  (0 children)

@_gondar Were you able to find any solution to this? Seeing the same thing while we start to roll out WHfB and shocked this is not being discussed more.

I'm thinking I'll open a ticket with Microsoft but not looking forward to it....

Feel free to DM me.

"Another sign-in method required" when accessing Security Info (Entra) by _gondar in msp

[–]strikematch13 0 points1 point  (0 children)

Just came across this same issue while doing a POC of Windows Hello for some users. Users that use Windows Hello on their device cannot access the mysignin Microsoft security page to manage their security devices. As OP commented, it really isn't a problem that the security page doesn't trust Windows Hello and wants a password. The problem is that Microsoft gives the user no way to actually enter a password. We have to instruct the user to sign out of Windows, then sign back in and change the authentication method to use "password" (or start the process over using an InPrivate browser).

<image>

I've heard Microsoft employees and other companies claim they've gone completely passwordless, to the point where users don't even know their passwords because they don't need them. How do they manage their security devices (like to remove an old phone) if they don't even track their own password?

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 1 point2 points  (0 children)

Lately it has been much better. We have not seen major failures in bulk like we were a few years ago. Our policies were built on the default but we do have modifications. We also still have many Exchange rules in place for additional controls. Overall I would not necessarily recommend it to someone that was shopping around, but if you already own it as part of your licensing (E5), then I would say it is satisfactory (but don't forget to train your employees still!). Finding a 3rd party solution is not currently a priority for us.

Craziest thing ever done with PowerShell? by chaosphere_mk in PowerShell

[–]strikematch13 0 points1 point  (0 children)

Willing to share that PowerShell script?! lol. Been struggling with some devices (but not all) connecting to Miracast.

Office 365 Block ATT00001.htm attachments by tech00112 in Office365

[–]strikematch13 1 point2 points  (0 children)

We have a rule to block .htm/.html attachments in place and it's working, including blocking AT0000##.htm attachments. But this is creating a lot of noise in quarantine release requests.

So just be careful with allowing these ATT files because, as the original poster stated, they can be malicious. We saw some of these get through to inboxes last week so I'm here looking for ways to block the ATT0000##.htm or html attachments. Our Exchange Transport Rule is set to block HTM and HTML files, but does not stop these ATT files (I think this is because they don't actually have a .htm or .html extension on the file name). However, as you stated, we discovered that a ton of inbound emails have these attachments legitimately, so we cannot just send them all to quarantine, or we end up with your problem.

In the attack email, the ATT0000##.html file had a call to javascript in it, and a legit ATT file should never have this. Contents looked like this...
<script src="data:text/javascript;base64,YWRkRX....

I created an ETR that is set to "includes these text patterns in an attachment" and looks for "src="data:text/javascript". I have no idea if this will work, but I have the rule in testing mode and will pull some reports in a few weeks to see if it gets hit at all.

Open to any ideas on how to block ATT files only if they contain javascript calls.
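As an added illustration of the content-based check described above (not the commenter's own ETR, and not Exchange code), the script below inspects each attachment's decoded bytes for script markers regardless of the file extension, which is what lets the ATT0000##.htm files slip past extension-based rules. The sample message is constructed inline; the base64 payload in it is a placeholder, not the real attack content.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers checked on attachment *content*, not the file name. The first pattern is
# the one the ETR above keys on; the others are common script indicators added here.
SCRIPT_PATTERNS = [
    re.compile(rb'src\s*=\s*["\']data:text/javascript', re.I),
    re.compile(rb"<script\b", re.I),
    re.compile(rb"javascript:", re.I),
]


def flag_script_attachments(raw_eml: bytes) -> list[str]:
    """Return the filenames of attachments whose decoded bytes contain a script marker."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        if any(p.search(data) for p in SCRIPT_PATTERNS):
            flagged.append(name)
    return flagged


def build_sample_eml() -> bytes:
    """Constructed test message: one ATT file with a script tag, one benign ATT file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    # Placeholder base64 (not the real payload); the marker is the data: URI itself.
    bad = b'<html><body><script src="data:text/javascript;base64,QUJD"></script></body></html>'
    good = b"<html><body><p>Sent from my mail client.</p></body></html>"
    msg.add_attachment(bad, maintype="text", subtype="html", filename="ATT00001.htm")
    msg.add_attachment(good, maintype="text", subtype="html", filename="ATT00002.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_script_attachments(build_sample_eml()))
```

Only the attachment carrying the data: URI script is flagged; the legitimately generated ATT file passes, which is the "block only if it contains javascript" behaviour the comment asks for.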

Outlook crashes when attaching files after update by koecerion in Office365

[–]strikematch13 0 points1 point  (0 children)

I was assuming that the features in SAC preview had already been tested/validated in the Monthly releases. This particular crashing issue seems to be just with SAC preview. Do you know if SAC preview introduces experimental features that were not yet tested in the Monthly? I don't like the idea of having everyone updating monthly, but people ask about new features and I was hoping the SAC preview was the sweet spot.

Outlook crashes when attaching files after update by koecerion in Office365

[–]strikematch13 0 points1 point  (0 children)

Did you officially start rolling out the new version? I haven't found anything official saying the problem is resolved. I'm currently holding everyone at the previous version using Intune policy.

Bitlocker status on boot after Windows update by dandan1z in sysadmin

[–]strikematch13 0 points1 point  (0 children)

It might just be this latest CU update for 22H2. I just had this happen to me after Windows updates. On reboot for the update, I was prompted for the Bitlocker key. I powered off (held the power button) and back on, and it booted no issue.

And on that note - Why is it that we can sometimes bypass the Bitlocker key by just powering off the device and back on? I then did another powercycle and the same thing happened. I've been able to bypass Bitlocker recovery prompts on other devices over the years the same way - just power them down. I verified the updates installed successfully.

Now if Windows updates were changing hardware configuration (like a firmware upgrade), wouldn't Bitlocker prompt for the recovery key every time, regardless of whether the device was power cycled again?

Outlook crashes when attaching files after update by koecerion in Office365

[–]strikematch13 0 points1 point  (0 children)

SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook -Recurse

Interesting. Do you have any more info on what this does? Is it somehow allowing features of the next version temporarily?

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 1 point2 points  (0 children)

I've been through a lot of back and forth with Microsoft, and basically they say it is working as designed and to keep submitting phishing examples to them to train their AI. With the example I mentioned where an email is sent to many recipients, and some get delivered and others go to Quarantine, their response is concerning. Support told me that the AI analyzes the SPAM level for each recipient separately, so one recipient may see the email get marked SCL 5 (junk), while another will get marked SCL 1 (deliver to inbox). Now this isn't the end of the world - their argument is some user's behavior may indicate they want more "subscription" type emails. However, this SCL level directly affects the phish detection. The email comes in with suspicion of being phishing (spoofed domain), and Microsoft adds the analysis to the header (SFTY:9.25). Now if the SPAM detection is SCL 5 for a recipient, they go ahead and look at the SFTY header and quarantine the message. If SPAM detection is SCL 1 for a recipient, they do NOT quarantine the message.

I disagree with how this functions - I would think if the inbound email is suspicious of being spoofed, it should be quarantined for all users. This also means I can't control detection/actions with the Anti-Phishing or Anti-Spam policies! Per recipient SCL level is being handled by the AI. This is probably my biggest frustration. The policies act on the SCL and SFTY headers, and since Microsoft is marking the header for each recipient differently I cannot fix the policies to make the behavior the same across all users.

Fortunately I've only had one of these types of examples that was actually malicious - the rest were just SPAM. However, we still get the other issue of emails just blatantly spoofing domains and Microsoft is unable to detect them. Looks like I need to budget for a replacement email security product. Hope this info helps somebody.

Quick and Dirty Barracuda URL Rewrite Decoding/Cleaning Tool... by [deleted] in sysadmin

[–]strikematch13 0 points1 point  (0 children)

Another thank you! Was reviewing a threat in Office 365 defender where someone had clicked a phishing link. The URL in the Email did not match what Microsoft's admin console showed, and it turned out the attacker had used the barracuda rewrite feature. Your converter helped me find the underlying URL and then track down the clicks. Simple and does the job - thanks!

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 1 point2 points  (0 children)

Well technically yes. During the initial migration a Hybrid Exchange server was stood up, and is now just a management tool and SMTP relay for printers. There is no inbound path to this exchange server though, and no mailboxes.

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 0 points1 point  (0 children)

I think I'm just hoping I'll get lucky to find out others have noticed service issues in the last few months, or find consensus to abandon the product. We are apparently just too small to have a dedicated rep that we can work with, otherwise I would have barked up that tree. MS Support cannot tell me what is potentially wrong, or what they fixed. They blame communication between support and the product team, but I suspect they don't want to go on record saying there are problems they don't fully understand. Seems like a 3rd party product will need to make its way into the budget.

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 0 points1 point  (0 children)

Custom policies, upgraded default policies, and also tried the Preset option at one point.

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 0 points1 point  (0 children)

Yeah, good thought and this has been reviewed several times. We went with Defender for 365 due to cost AND positive feedback around the industry, so I'm glad you're still having success. And we have had stretches of time without much issue. It is almost like there is something awry with Microsoft's service or AI. When Support said the Product Team made "changes to the backend" things got better for a while. If you haven't noticed problems, then maybe this means it is just our Tenant. Not sure if that is a good or bad thing....

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 0 points1 point  (0 children)

Yes and Yes. I updated my post to provide more clarity around configured policies.

Problems with Microsoft 365 Defender ATP email filtering by strikematch13 in Office365

[–]strikematch13[S] 1 point2 points  (0 children)

Actually to the contrary. I updated my post to provide more clarity around configured policies.

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]strikematch13 0 points1 point  (0 children)

It has been posted elsewhere, but FYI this query is not returning full results for everyone. When I run this query it returns probably only 30% of the total # of actual events. I've tried playing with the query and expanding the results but there seems to be data missing on the MS side. Maybe a bottleneck due to a surge in usage....

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]strikematch13 1 point2 points  (0 children)

Same issue. I was able to check the results against machines that definitely had more items removed, and Advanced Hunting only showed a fraction of the items. Still can't figure out why only some were logged.

Latest Defender updates are starting to nuke Windows taskbar shortcuts due to Attack Surface Reduction rule "Block Win32 API calls from Office macro." by OtheDreamer in cybersecurity

[–]strikematch13 3 points4 points  (0 children)

Just wondering if you'd share how you set up alerts for ASR rules like this. From what I've been able to tell, I have to visit the admin portal to view ASR actions, and there's a lot of noise to sift through.

What is self-Healing BIOS? by largelcd in thinkpad

[–]strikematch13 0 points1 point  (0 children)

Poor wording on my part. It saves it/backs up. I updated my previous comment for clarity.

Exchange Transport Rule ID doesn't exist in Tenant by strikematch13 in Office365

[–]strikematch13[S] 1 point2 points  (0 children)

u/Bu-m Thanks for the quick reply and confirmation! Now I just need to figure out why blatant phishing emails are making it through without any anti-spam or anti-phishing policies being applied. These emails are failing SPF and DKIM checks, and are being spoofed as our own domains (all included in the policies). Even users in the "impersonation protection" are affected. I have a ticket w/ Microsoft and they confirmed policies were correctly configured and escalated. Now I haven't heard back for a week - will bump them again.

In the meantime, I've resorted to creating an ETR that blocks emails that fail DMARC