Office 365 Tools for Digital Forensics Still Scarce Since the Magic Unicorn Tool’s Untimely Demise

While there have been multiple important updates to Office 365 tools and logging, on the anniversary of the infamous “Magic Unicorn Tool”, Microsoft still has not replaced this valuable resource after its release and subsequent untimely death.

What was the Magic Unicorn Tool?

Back in 2018, LMG Security created a wrapper script that we called the Magic Unicorn Tool. This unique tool leveraged CrowdStrike’s Python module to access data from an undocumented Microsoft API and produce human-readable reports that were incredibly useful for business email compromise cases.

Unfortunately, Microsoft quickly removed access to this data, rendering the tool inoperative. Prior to the public release of the Magic Unicorn Tool, most victims had no publicly available way to determine the full scope of an Office 365 breach. While the secret utility had been leaked to a few organizations, most Office 365 users were out of luck. As a result, many organizations couldn’t “rule out” a data breach and were forced to notify users unnecessarily. The Magic Unicorn tool filled a need for better Office 365 tools for digital forensics incident response.

Sadly, Microsoft removed access to this API two years ago, saying the data was not confirmed, complete, or meant for use in a forensic investigation. With the Activities API unavailable, the Magic Unicorn Tool was rendered useless, and cybersecurity teams had to return to relying on audit logging, message tracing, and inbox rules to complete their investigations. Today, forensics utilities are still a gaping hole in the line-up of Office 365 tools, and Microsoft still hasn’t provided a solution to see read events or get timestamped searches unless clients are willing to pay for top tier subscriptions with addon services, a price that many small and medium businesses are not able to realistically afford.

What Office 365 Tools are Currently Available for Digital Forensics?

The current Office 365 audit logging tool collects information about multiple facets of the tenant. You can learn how to search the audit log in the Security & Compliance Center here.

The main fields that are typically used in the event of a digital forensics incident include:

• User logins containing username, IP address, date/time, and operation
• Connection methods containing what agent was used to view or download the mailbox information in the successfully logged in session.
• Inbox and Forwarding Rules, SMTP addresses, and forwarding flags
• Configuration and permission changes for privilege escalation

On new Office 365 tenants, audit logging is enabled by default. To set up unified audit logging, go to Office.com, log into the admin portal, then select security. From there, select search, then audit log search, and enable audit logging.

Once audit logging has been enabled, Microsoft will start collecting information on the tenant and will have a retention based on the level of license subscription that ranges from 90 – 365 days, depending on the subscription level and the security addons selected for the tenant.

When working on a Business Email Compromise, unified audit logging is especially helpful for finding the connection methods used to access accounts. This information can be used to determine if mailboxes were accessed via web or downloaded via sync, such as IMAP. Specifically, being able to identify these different types of data can help pinpoint exactly whose account was compromised and whose wasn’t, reducing the number of people who need to be notified.

Additional Office 365 Tools for Digital Forensics

• Forwarding rules that were created under compromised logins can also help determine if mail was forwarded to external addresses. Often, mailbox rules will be put in place to obfuscate mail from the intended recipient, so a malicious actor can interact with the sender without being detected.
• Message Trace is another powerful tool that can be used in the event of an incident. This tool can be requested through the mail flow tab under Security and Compliance. Within this module you can select messages that were inbound or outbound from a particular mailbox. It has a lot of useful information such as subject, size, and message details (subject, body, attachments), as well as the original sender IP address and the mail server IP address the mail was transported through. Many times, this can help identify mail that was a phishing attempt or mail that was sent from a mailbox in your tenant, but not from an IP address used by your organization. In addition, if there were forwarding rules set on an account, you would see the transfer of messages going from and to the other account.
• eDiscovery and Content Search can also be found in Office 365 under Security and Compliance. These modules allow you to search for specific details in mailboxes and further investigate an incident. It enables you to search through the emails in specific mailboxes or the whole tenant. You can search for keywords in the body of the emails or subject lines and even see if an email contains a specific type of attachment. During an investigation where you are searching for a phishing or spam email that caused malicious activity, you can quickly pinpoint and identify emails that contain specific content related to the activity.
• Microsoft Application Guard is the newest feature of the applicable Office 365 tools. It acts as a sandbox for attachments that are opened through Microsoft products. When enabled, it will act as a first defense against malicious files. Application Guard works by testing email attachments in a sandboxed environment to ensure they do not contain malware or any type of malicious code. This new tool will dramatically decrease the number of malicious documents that execute code and compromise users.

Our Wishlist for Future Office 365 Tools

Looking forward, our team would love to see Microsoft add the following features for all tenant levels:

• Access to additional logging
• Collection of more data points
• The ability to capture the search history for user’s mailboxes
• Mailbox activity auditing, such as what was clicked, opened, or read
• Additional information about the devices used and geolocations assigned to IP addresses

Problems still arise where there is just not enough data to determine the entire scope of an incident and most of the time, it results in unnecessary breach notifications. We know that there was compromise in an account, but we don’t know exactly what was modified, read, searched for, or exported during that timeframe. As malware keeps evolving, so do the tools. We look forward to what comes next for Office 365 digital forensics resources.

Contact us if you need help with Office 365 incident response. Our expert team can help.