BECs and Beyond: Investigating and Defending Office 365

ShmooCon XV - 2019

Presented by: Doug Bienstock
Date: Saturday January 19, 2019
Time: 11:00 - 11:50
Location: Belay It room
Track: Belay It

As organizations increase their adoption of cloud services, attackers are following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world, and it is also becoming an increasingly relevant artifact in intrusion investigations. This presentation will discuss two real-world attacks that targeted Office 365: one motivated by money and the other by information. Through the case studies we will analyze the TTPs of both threat actors and how they differ, describe how to configure Office 365 so that it supports investigations, provide an overview of the available log sources (and their limitations), and provide recommendations for enhancing the security of Office 365.

Doug Bienstock

Doug Bienstock (@doughsec) splits his time at Mandiant performing Incident Response and Red Team work. He uses lessons learned from IRs to better simulate attacker techniques and to help organizations stay ahead of the bad guys.
