Office 365: Security Impact of Whitelisted Domains

 

Introduction

 

Many institutions and organizations add a sender's domain to the whitelist when they cannot receive mail from it. This guarantees that mail from the other party is accepted and reaches the mailbox of the relevant person. Yes, the immediate problem is solved and no trouble appears. But a new problem arises in the background: e-mail spoofing. Once the domain is whitelisted, the system delivers every incoming e-mail that claims to come from it to the user's mailbox without applying any policy or rule. What happens if that domain is spoofed? Let's see the answer to our question with a practical test.

 

We will perform this test with The Social-Engineer Toolkit (SET), which is built into Kali Linux. I will not explain this application at length; a Google search will turn up many informative articles, videos and so on.

 

Step By Step

 

Now let's run our Setoolkit tool and try to send a phishing mail as shown above. The domain address I use is abc.com; this domain does not belong to me in any way. Whether it is active or not, I do not know.

 

I waited for a while and looked at my user's mailbox. Since there was no mail in the mailbox, I checked the quarantine on Office 365. The mail I sent with Setoolkit had been quarantined. So the AntiPhishPolicy, which comes by default on Office 365, is in place. This tells me that Exchange Online Protection is working correctly. At this point the abc.com domain address is not on the whitelist.

 

Let's send a phishing e-mail again. In the image above there are two different terminals open; on the left is the first fake e-mail I sent. The e-mail in the red square is the one I sent after adding the abc.com domain address to the whitelist.

When I check my mailbox again, we see that a phishing mail has arrived. It landed in my mailbox almost without delay and without any hindrance. If there is something malicious in this mail and my user makes a wrong move,

 

wow

 

Now we will do something different. Let's generate a report using the Recommended Configuration Analyzer (ORCA) tool, which checks whether our Exchange Online Protection and Office 365 Advanced Threat Protection (Office 365 ATP) services are configured according to the best practices proposed by Microsoft. If you have never used ORCA before, you can find out how it is used and what it does via this link. In this way, you will tighten your mail infrastructure and use it more securely.

 

Conclusion

 

We have generated our ORCA report. Domain Whitelisting under the Anti-Spam Policies category gives a warning. The reason for the warning is that I added the abc.com domain address to the whitelist. Its description reads: “Emails coming from whitelisted domains bypass several layers of protection within Exchange Online Protection. If domains are whitelisted, they are open to being spoofed by malicious actors.” In other words, a whitelisted domain can be abused by malicious actors. If you add one, you are accepting the risk of attacks arriving from it.
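As an added example (not part of the original post or of ORCA), the following PowerShell audit lists every sender domain whitelisted in the tenant's anti-spam policies, which is the setting the ORCA warning above is about. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account may read Exchange Online policies; the function name Get-WhitelistedSenderDomain is my own.

```powershell
# Added example: audit Exchange Online anti-spam (hosted content filter) policies
# for whitelisted sender domains and whitelisted individual senders.
# Assumes: ExchangeOnlineManagement module installed, account can read policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in to the tenant

function Get-WhitelistedSenderDomain {
    # Returns one object per whitelisted entry so the output can be filtered or exported.
    foreach ($policy in Get-HostedContentFilterPolicy) {
        # AllowedSenderDomains is the "domain whitelist": mail claiming to come from
        # these domains skips several EOP filtering layers, including spoof checks.
        foreach ($domain in $policy.AllowedSenderDomains) {
            [pscustomobject]@{
                Policy    = $policy.Name
                IsDefault = $policy.IsDefault
                EntryType = 'Domain'
                Entry     = "$domain"
            }
        }
        # Individual allowed senders are narrower but still bypass the same layers.
        foreach ($sender in $policy.AllowedSenders) {
            [pscustomobject]@{
                Policy    = $policy.Name
                IsDefault = $policy.IsDefault
                EntryType = 'Sender'
                Entry     = "$sender"
            }
        }
    }
}

$findings = @(Get-WhitelistedSenderDomain)

if ($findings.Count -eq 0) {
    Write-Host 'No whitelisted sender domains or senders found in any anti-spam policy.'
} else {
    # Whole-domain entries in the default policy affect every user, so surface them first.
    $findings |
        Sort-Object -Property @{Expression = 'IsDefault'; Descending = $true}, EntryType, Policy |
        Format-Table Policy, IsDefault, EntryType, Entry -AutoSize
    $domainCount = @($findings | Where-Object EntryType -eq 'Domain').Count
    Write-Warning "$domainCount whitelisted domain entr$(if ($domainCount -eq 1) {'y'} else {'ies'}) bypass EOP protection; review each one."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this after making a whitelist change, or on a schedule, and compare the output with the Domain Whitelisting finding in the ORCA report.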