Open-Source, Automated Microsoft 365 Security Assessment: Announcing Soteria 365 Inspect
Try it for yourself here: https://github.com/soteria-security/365Inspect
Although infrastructure deployment technologies like Amazon Web Services and Microsoft Azure steal the headlines, the shift of business productivity tools to the cloud was just as rapid. For many organizations, that need is served by Microsoft 365 (formerly Office 365 or “O365”), Microsoft’s entry in the cloud productivity suite segment. It merges the well-known Microsoft Office applications with Microsoft’s messaging and video call environments Skype/Teams and several additional Microsoft technologies, creating an organizational productivity environment that rivals Google’s Workspace. Put simply, M365 is everywhere.
The rise of M365 has not gone unnoticed by cyber adversaries. Many have demonstrated that they understand the value of compromising M365 accounts and navigating M365 infrastructure, either to gain entrance to an organization’s IT systems or to extract sensitive information after the fact. From 2018 to 2021, M365 attacks became prevalent enough that multiple intelligence agencies released case studies, advisories, and recommendations warning of the increasing frequency of M365 compromise.
The issue is further exacerbated by an atmosphere of uncertainty in M365 security:
- M365 contains a full array of commendable security options…so full, in fact, that it can be intimidating to organizations. Many M365 administrators don’t know where to begin.
- M365 users are often small businesses. They sometimes do not have M365 security experts on staff, or the money and partnerships required to engage with consultants. Some organizations may not even be aware that M365 is a significant risk surface, and for those that are, the tooling and assessment expertise needed to improve its security posture may prove elusive and expensive.
The end result is that securing M365, or performing one’s own M365 security audit, is an opaque process that can be just as complex and daunting as securing the on-premises networks and software that M365 replaces. Furthermore, this creates a frustrating asymmetry wherein those who require a cloud office suite the most may have the fewest resources and education opportunities when it comes to securing that suite.
As hackers and security incident responders ourselves, Soteria is both aware of these growing problems and uniquely poised to offer a technical solution. We took to the R&D lab and combined our knowledge of M365 security with the simple and modular principles behind modern security testing toolkits like Nessus, BurpSuite, Metasploit, and nmap. Today we proudly release the result to the world. It is affectionately named Soteria 365Inspect, and you can grab it here.
365Inspect is a command-line utility that automatically audits an M365 environment. 365Inspect retrieves configuration information from your M365 instance and validates whether or not a series of security best practices have been followed.
365Inspect then creates a simple graphical report that provides descriptions of any discovered security flaws as well as actionable recommendations you can use to improve the security state of your M365 instance.
365Inspect is open-source and completely free. It is authored in PowerShell, and all you need to use it are the appropriate PowerShell modules and credentials for your M365 administrator account. For our fellow tinkerers and security analysts out there, 365Inspect also supports a simple module system that allows you to easily author your own additions to the audit functionality. This means you can use it out of the box as a powerful M365 security scanner, or nerd out and expand the functionality using your own or other modules. Detailed directions are provided on the project’s GitHub page.
At the time of release, 365Inspect contains modules that allow you to easily answer the following…
- Can users run third-party apps that access your M365 data?
- Do users have multi-factor authentication configured?
- Can your mail rules identify when internal users are sending malware?
- Can you monitor outgoing sharing invitations?
- Are legacy email protocols such as POP, IMAP, and SMTP disabled?
- Are Sender Policy Framework (SPF), DMARC, and DKIM appropriately configured?
…and many more. 365Inspect supports over 45 M365 security checks like those above at the time of release, which additionally map to several security frameworks. Soteria will continue to develop and expand this list. We will release additional modules and functionality over time, so check our blog and GitHub for updates.
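To show what one of these checks looks like in practice, here is an added, stand-alone PowerShell example (written for this post, not code from the 365Inspect project) in the spirit of the “are legacy email protocols disabled?” check. It assumes mailbox objects of the shape returned by Exchange Online’s Get-CASMailbox cmdlet (PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled, PrimarySmtpAddress) and uses constructed sample data so the logic runs without a tenant.

```powershell
# Added example, not part of 365Inspect. Flags mailboxes that still allow the
# legacy POP3/IMAP/SMTP AUTH protocols, which bypass modern authentication
# controls such as MFA. Input objects mimic Get-CASMailbox output.
function Test-LegacyMailProtocols {
    param(
        [Parameter(Mandatory)]
        [object[]] $Mailboxes
    )
    $findings = foreach ($mbx in $Mailboxes) {
        $issues = @()
        if ($mbx.PopEnabled)  { $issues += 'POP3 enabled' }
        if ($mbx.ImapEnabled) { $issues += 'IMAP enabled' }
        # $null means the mailbox inherits the organization-wide SMTP AUTH
        # setting; only an explicit $true is treated as "disabled" here, which
        # is the conservative (assumption-free) reading for an audit.
        if ($mbx.SmtpClientAuthenticationDisabled -ne $true) {
            $issues += 'SMTP AUTH not explicitly disabled'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Issues  = ($issues -join '; ')
            }
        }
    }
    return @($findings)   # always an array, even for zero or one finding
}

# Constructed sample input (not real tenant data).
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com'; PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.com';   PopEnabled = $true;  ImapEnabled = $false; SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'svc@example.com';   PopEnabled = $false; ImapEnabled = $true;  SmtpClientAuthenticationDisabled = $false }
)

# Against a real tenant, after Connect-ExchangeOnline:
#   Test-LegacyMailProtocols -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
Test-LegacyMailProtocols -Mailboxes $sample | Format-Table -AutoSize
```

With the sample data, alice is clean while bob and svc are reported; remediation is to disable the flagged protocols per mailbox (Set-CASMailbox) or tenant-wide, which is the kind of actionable recommendation the 365Inspect report is built to surface.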
We love community outreach and we wrote this tool to aid the M365 community! Feel free to contact us with new modules you’ve authored, suggestions for improvement, bug reports, or just to say “hey.” Thank you for reading, and good luck in the M365 wilderness.