Tag Archives: Office365

DMARC and why should you give a damn

So for the very first time our company received a phishing email attempt. The asshole supposedly sent a message from the CEO’s mailbox to the CFO’s and requested a very large amount of cash to be wired to some unknown off-shore account. Imagine the depth that fucker went into to get all that info, huh? Luckily, the CFO sensed something in the context was wrong, so she called yours truly. Baffled by this mystery and with a lot of curiosity, I sat down and began my investigation.

I literally didn’t sleep that night. Not because I fought aimlessly trying to figure out how he did it, but because I discovered how INCREDIBLY EFFORTLESS it is to spoof an undefended domain’s email address. Within a few hours I managed to send an email to a friend from his employer telling him he’s fired, and another to my wife from her Bank Manager telling her she got promoted. Just for the record, this could probably be done with ANY domain out there that doesn’t enforce DMARC or run some dedicated email filtering gateway like FortiMail, Pineapp etc. So without further ado, this is why you should give a damn.

DMARC – Domain-based Message Authentication, Reporting & Conformance

DMARC – What does it do?

Easily put, it’s a mechanism that stops assholes from spoofing YOUR email addresses. But the biggest thing about DMARC is that it prevents them from spoofing your emails against OTHER domains as well, meaning it doesn’t allow an unknown source to send emails on your behalf to different organizations, NOT just from you to yourself. Moreover, it gives you a way to receive reports about external attempts being made at forging your domain.

DMARC – How does it do it?

  1. Policy – When you receive an email, the MAILFROM header domain is checked for a published DMARC policy (a record in DNS). What this policy basically says is that the domain owner has a working set of SPF and DKIM records and that they are 100% “aligned”, which I’ll be explaining shortly. On top of that, it tells, or better yet recommends, the receiver what to do if a message fails DMARC and where to send the reports. Need I say that without such a policy DMARC is simply bypassed.
  2. Alignment – All an attacker really needs to do in order to spoof a common domain’s email address today is to use a MAILFROM address of a domain that does NOT have an SPF record while forging the FROM header to be from your domain. What the alignment check does is compare the two domains, separately for SPF and DKIM. SPF: the smtp.MAILFROM domain must match the RFC5322.From domain; DKIM: the d= domain in the signature must match the RFC5322.From domain.
  3. SPF Records – At this point, if the SPF check passes then it’s extremely likely that the sender is indeed legitimate: his FROM and MAILFROM addresses checked out and his physical IP address is within the bounds of the allowed IPs in the sender’s record. No further checks will be required, but if SPF fails then the final decision will be made according to DKIM.
  4. DKIM Records – You can’t go wrong if an encrypted email header did not decrypt properly with the public key hanging, well, publicly out in the open. This method of cryptography by itself is enough to tell if the sender is who he says he is. The decision whether or not to accept the email will be made accordingly.

If, like me, you’re running Office 365 or Google Apps, chances are that all you have right now for email verification is an SPF record. That, of course, is laughably not enough to stop someone from forging your emails. Thankfully DKIM is being rolled out in Office 365 as we speak (already supported in Google Apps) and DMARC is already fully supported. This set me on the right path. Hopefully it will do someone else good as well.
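The policy and alignment logic from the four steps above, as an added example that is not code from the original post: a small Python evaluator that takes a DMARC record plus the SPF and DKIM results for a message and returns whether it passes and which disposition the policy asks for. The record, domain names and the simplified organizational-domain rule are assumptions made for the example.

```python
# Added example (not from the original post): a small DMARC evaluator applying
# the policy and alignment rules above. Assumes the DMARC TXT record is already
# fetched from DNS and the SPF/DKIM results are known; pct= and sp= are ignored.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels (a real implementation
    # consults the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict (s) wants an exact match; relaxed (r) compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, mailfrom_domain, spf_pass,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_pass, disposition). from_domain is the RFC5322.From
    domain, mailfrom_domain the smtp.MAILFROM domain, dkim_domain the d= tag
    of a verified DKIM signature (None if there is no signature)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(mailfrom_domain, from_domain,
                                  tags.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None and
               aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    passed = spf_ok or dkim_ok
    return passed, ("accept" if passed else tags["p"])

# Constructed sample policy for the made-up domain example.com
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # The spoof from the post: forged From header, MAILFROM on another domain
    print(evaluate(RECORD, "example.com", "attacker.invalid", spf_pass=True))
    # A legitimate message whose SPF pass is aligned with the From domain
    print(evaluate(RECORD, "example.com", "example.com", spf_pass=True))
```

Note that an SPF pass on its own is not enough: the spoofed message passes SPF for the attacker’s MAILFROM domain and still fails because that domain is not aligned with the From header.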


How to create and publish online a Calendar in Office 365

My superiors wanted a Calendar they could easily manage from Outlook and give it to external users\customers who naturally did not have access to our organization’s resources. Moreover, they wanted to comfortably control and decline\accept meetings from their own mailbox without adding an additional mailbox of some sort.

Where I work we have Office365.
In Office365 you have 3 options for creating individual Calendars:

1 – Public Folder
2 – Shared Mailbox
3 – Room Resource

1 and 2 were instantly discouraged.

A Public Folder is just as it sounds – public. You could add a Calendar to it, but it is automatically added to the entire organization, which is not what I wanted.

A Shared Mailbox “nails” it with one exception – no auditing for the incoming requests. That means that only after the invites are posted on the Calendar will you be able to delete them if necessary.

My manager wanted to be able to approve\decline the invites from the comfort of his own mailbox. So I was left with Room Resource, which thankfully provided all my needs with a little help from PowerShell.

Step #1

Connect to Office 365 via PowerShell and create a Room Resource

New-MailBox -Name FL-ROOM1 -Room

Step #2

Assign a user to accept\decline the Resource Room’s calendar requests
NOTE: Each invite will be sent to the user’s mailbox for approval before showing up on the calendar.

Set-CalendarProcessing FL-ROOM1 -ResourceDelegates John

Step #3 (optional)

Give the user full permission on the Resource Room

Add-MailboxPermission FL-ROOM1 -User John -AccessRights FullAccess

Step #4 (optional)

Allow conflicts to occur (for example, if 2 employees reported they’d like to take the same day off)

Set-CalendarProcessing FL-ROOM1 -AllowConflicts $true

Step #5

Create a Sharing Policy to allow anonymous access to the calendar from outside

New-SharingPolicy -Name "NameOfSharingPolicy" -Domains anonymous:CalendarSharingFreeBusyReviewer

Step #6

Assign the newly created policy to the Room Mailbox
NOTE: This usually takes a few minutes.

Set-Mailbox -Identity FL-ROOM1 -SharingPolicy "NameOfSharingPolicy"

Step #7

Publish the Room Calendar

Set-MailboxCalendarFolder -Identity FL-ROOM1:\calendar -PublishEnabled $true

Step #8

Set the calendar to show full details rather than “busy\available”

Set-MailboxCalendarFolder -Identity FL-ROOM1:\calendar -DetailLevel FullDetails

Step #9

Generate public links for iPhone\Android and web browsers to give to customers
NOTE: Notice the “PublishedCalendarUrl” and “PublishedICalUrl” properties in the output.

Get-MailboxCalendarFolder -identity FL-ROOM1:\calendar