13.12 Exchange Online Hardening

2–3 hours · Module 13

Exchange Online Hardening

The investigation revealed specific configuration gaps. This subsection documents each hardening action with the before state, the change, and the security impact.

Conditional access: require compliant device

Before: MFA required for all users. No device compliance check. Any device that presents valid credentials and MFA is allowed access.

After: Conditional access policy requires a compliant device (Intune-enrolled, meeting compliance policies) for Exchange Online and SharePoint Online access.

Impact: The attacker’s stolen token was replayed from an unmanaged device. With this policy, the sign-in would have been blocked at 09:22 — zero compromise, zero email access. This single control eliminates the entire AiTM attack chain for applications it covers.

1
2
3
4
5
6
7
8
9
// Verify the policy is working — check for blocked non-compliant sign-ins
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| mv-expand CAPolicy = parse_json(ConditionalAccessPolicies)
| where tostring(CAPolicy.displayName) has "compliant device"
| where tostring(CAPolicy.result) == "failure"
| summarize BlockedSignins = count() by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc

This is the single most impactful AiTM countermeasure

Phishing-resistant MFA (FIDO2) prevents AiTM by design. But deploying FIDO2 to all users requires hardware procurement and user training. Requiring a compliant device is a configuration change that can be deployed immediately and blocks AiTM token replay from any unmanaged device.

Conditional access: block legacy authentication

Before: Legacy authentication protocols (IMAP, POP3, SMTP) not explicitly blocked. Attackers with stolen credentials could access email via IMAP without triggering MFA.

After: Conditional access policy blocks all legacy authentication protocols for all users, with a narrow exception for 2 multifunction printers using SMTP relay.

Impact: Eliminates the MFA bypass path via legacy protocols. Even if an attacker obtains credentials in a future attack, they cannot access the mailbox via IMAP.

Transport rules

Three transport rules deployed during the incident:

Rule 1: Phishing kit URL pattern block. Rejects emails containing URLs matching /auth/[a-f0-9]{32}/login. Blocked Waves 4 and 5 pre-delivery.

Rule 2: External sender banner. Prepends a warning banner to all external emails. Users reported this helped them identify the Wave 5 lure as external when the subject line implied an internal project update.

Rule 3: Lookalike domain block. Blocks external email from domains containing “northgate” — the organisation name. Catches future impersonation attempts regardless of TLD or prefix.

FIDO2 deployment plan

Deploying FIDO2 security keys to all 500 users is a multi-month project. The phased approach:

Phase	Users	Timeline	Cost
1	Global admins + IT admins (8 users)	Immediate	£640
2	Executives + finance (40 users)	4 weeks	£3,200
3	All remaining users (452 users)	3-6 months	£36,160

Phase 1 protects the accounts with the most privilege. Phase 2 protects the accounts most targeted by AiTM (finance was Wave 1’s target). Phase 3 is a long-term project requiring user training and distribution logistics.

Check your understanding

1. Why deploy "require compliant device" before FIDO2 keys?

Device compliance is a configuration change that can be deployed immediately. FIDO2 requires hardware procurement, distribution, and user training. Compliant device blocks AiTM token replay right now while FIDO2 is being planned.

Compliant devices are more secure than FIDO2

FIDO2 is not available for M365

Security improvements should be prioritised by impact-to-effort ratio. Device compliance: high impact, low effort, immediate deployment. FIDO2: highest impact (prevents AiTM by design), high effort (hardware, logistics, training), weeks-to-months deployment. Deploy the fast win first, then the comprehensive solution.

← 13.13 Detection Engineering 13.11 Writing the CISO Report →