How to setup SMTP Relay in Office 365

If you plan to keep your existing on-prem exchange server then it can be used / utilized as a SMTP Relay server. Else, if you plan to decommission the exchange server for good, you can utilize Office365 as a SMTP Relay server to relay the emails.

There are three ways to setup SMTP Relay in Office 365:

  • SMTP Auth client Submission
  • Direct Send
  • Office 365 SMTP Relay

I recommend using either Office 365 SMTP Relay method or Direct Send method to configure SMTP Relay in Office 365. Please refer to the section Direct Send vs Office 365 SMTP Relay which will help you decide which one to use for your organization.

Below are some suggestions which can help you choose between Office 365 SMTP Relay and Direct Send method.

đź“Ś Direct Send Method does not work if you want to send the email to External recipients for example any Gmail, Yahoo, Hotmail email address. Direct End method can send an email to External recipients if the External Organization is also using Office 365 to host the mailboxes.

đź“ŚIf your requirement is to send emails to Internal and any External domain recipients then choose Office 365 SMTP Relay Method.

1. SMTP Auth client Submission Method

Below are the Pre-requisites for using SMTP Auth client submission method to configure SMTP relay in Office365:

  • Licensed Office365 User Mailbox is required.
  • SMTP AUTH must be enabled for Mailbox which will be used to send the emails.
  • Device must support TLS 1.2 or above (Please check the vendor documentation to confirm this).

If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol. Microsoft will disable Basic authentication for all new and existing tenants starting from 1st Oct 2022. Therefore, this is my least recommended option for configuration of SMTP relay in Office 365.

Direct Send vs Office 365 SMTP Relay

Direct Send method and Office 365 SMTP Relay method both use MX Endpoint of your domain to configure SMTP Relay. Both can be used when your environment has SMTP AUTH disabled.

Use Direct Send when you need to send messages to recipients in your own organization who have mailboxes in Office 365. Direct send will not work if you want to send email to External email address (Gmail, yahoo, hotmail etc.). However, If the external recipient mailboxes are also hosted on Office 365, it will work fine.

Direct Send does not require your device or application to have a static IP address to configure it. However, Static IP address is recommended so that an SPF record can be created for your domain. The SPF record helps avoid your messages being flagged as spam.

Direct Send and Office 365 Relay both does not require your device to Support TLS.

Direct Send method Office 365 SMTP Relay
Source:Microsoft. How Direct Send Works ?
FeatuesDirect SendOffice 365 SMTP Relay
Send to Internal UsersYesYes
Send to External UsersNo (Yes, for external recipients having Office365 Mailboxes)Yes
Network Port RequirementPort 25Port 25
TLS RequirementOptionalOptional
Requires AuthenticationNoneDevice / Printer / Application must have Static IP address assigned.

2. Configure SMTP Relay in Office 365 using Direct Send method

In the previous section of this blog post, I have explianed the difference between Direct Send and Office 365 SMTP Relay method. If Direct Send meets your requirements and you do not have any requirements for sending an email to External recipients like Gmail, yahoo, hotmail etc. You can follow below steps to configure it.

1. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records tab. Click on it to Open.

You will find the MX Endpoint under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

2. Find the Static IP Address of the Device or Application [Optional]

As Microsoft Recommends to use Static IP Address for Direct Send Method but its not mandatory. If your Device or Application is not using a static IP address, make sure you assign a static IP address and then note down the IP Address of the device on a notepad. We will add static IP address of the device in your domain’s SPF record.

3. Update SPF Record [Optional]

This is also an optional step but highly recommended by Microsoft. Updating SPF record with Static IP Address of your Device or Application will help to avoid your emails being marked as SPAM. SPF records identifies which servers are allowed to send emails on behalf of the your domain.

Example:

  • Device / Printer IP Address: 10.20.1.56
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Address in the SPF record as below:

v=spf1 ip4:10.20.1.56 include:spf.protection.outlook.com -all

4. Configure your Device / Application for Direct Send SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Direct Send SMTP Relay. In our Example, we will be using a Printer to configure Direct Send. Let’s see which SMTP settings needs to be configured on the Printer.

If you want to configure SMTP Relay for a device other than your printer, You can still use below SMTP details to configure it.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

Example:

I have captured a screenshot of one of my Printers to show you how to configure Direct Send. You can use the same settings to configure Direct Send on any other device as well. This screenshot is just for your reference:

Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer
Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer

5. Create Bypass Spam Filtering Rule [Optional]

This step is optional and you do not need to create a bypass SPAM Filtering rule in Exchange Online. You have updated SPF record with your device IP address which should avoid the emails sent from your device to be marked as SPAM.

If your emails are still going into the SPAM folder. You can create a SPAM Bypass rule in office365 for the email ID which you have used to send the email from on the device. 

  • Login to Exchange online management portal
  • Click on Mail flow -> Rule -> Create a Rule.
Create SPAM Bypass rule for the Device IP on Exchange Admin Center
Create SPAM Bypass rule for the Device IP on Exchange Admin Center

3. Configure using Office 365 SMTP Relay Method

Office 365 SMTP Relay Method - How it Works?
Source: Microsoft. Office 365 SMTP Relay Method – How it Works?

Direct Send method has limitations of sending the emails to external recipients. However, Office 365 SMTP Relay does not have that kind of limitation in place. You can use Office 365 SMTP Relay Method to send the email to any External recipient. Let’s check the steps to configure Office 365 Relay on your Device.

1. Find Public IP Address of the Device or Application

First thing you need to do is to find the public IP address of the Device or Application. If your device is not assigned with a Public IP and is using Dynamic IP address, Please update it to use Static IP Address. Copy the IP address in a notepad. We will need this IP Address while configuring a Connector in Exchange Online.

2. Create a Connector on Exchange Admin Center

Next step is to create a connector on Exchange Admin Center. Please follow below steps to create a connector:

  1. Login on Microsoft Exchange Admin Center
  2. Click on Mail Flow and then Connectors
  3. Click on + Add a connector
  4. On Add a Connector Page. Select Connection from Your organization’s email server and Connection to Office 365 and click on Next to proceed.
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
  1. Provide a Connector Name and Description. Click on Next to Proceed.
Provide a Name and Description of the Connector
Provide a Name and Description of the Connector
  1. On Authenticating sent email page. Select the option “By verifying that the IP address of the sending server matches one of the following addresses, which belongs exclusively to your organization“.

Add your Device / Application IP Addresses into the list. Add all Device’s IP addresses which you want to configure for Office 365 SMTP Relay. For example, In my organization I have 3 Printers which I want to configure for SMTP Relay. Therefore I have added the IP addresses of those 3 printers here.

Add Printer IP Addresses in Authenticating sent email
Add Printer IP Addresses in Authenticating sent email
  1. On Review connector page, you can review the connector configuration and click on Create connector to create this Connector.
Review Connector page on Exchange Admin Center
Review Connector page on Exchange Admin Center

3. Update SPF Record

Now you need to update the SPF record and add all the Device IP’s in the SPF record which you added in the connector created on Exchange Admin Center.

Example:

  • Device / Printer IP Addresses: 10.1.20.122, 10.2.1.11 and 10.2.5.89.
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Addresses in the SPF record as below:

v=spf1 ip4:10.1.20.122 ip4:10.2.1.11 ipv4:10.2.5.89 include:spf.protection.outlook.com -all

4. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records pag. Click on it to Open.

You will find the MX Record under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

5. Configure your Device / Application for Office 365 SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Office 365 SMTP Relay.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

6. Create SPAM Bypass rule [Optional]

Please refer to the section of Configuration of SMTP Relay using Direct Send method where the steps to create SPAM bypass rule is given. This is an optional troubleshooting step and can be used in case the emails are being marked as SPAM.

Troubleshooting Office 365 SMTP Relay

Now we have setup Office 365 SMTP Relay. In case of any issues in email delivery, you can use below steps to troubleshoot.

Check SMTP AUTH at organization level

You can use below command to check SMTP AUTH at organization level. As we are not using SMTP client submission method, SMTP AUTH should be disabled.

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

Copy

Check SMTP AUTH at Mailbox level

Get-CASMailbox "Sonia Neil " | fl SmtpClientAuthenticationDisabled

Copy

If you see the output of the command as SmtpClientAuthenticationDisabled: That means this setting is controlled by the corresponding SmtpClientAuthenticationDisabled parameter on the Set-TransportConfig cmdlet for the whole organization.

Test Port 25 using Telnet

If you are facing any issues in email delivery then you can verify if Port 25 is opened or blocked on the Firewall. If Port 25 is blocked then you may need to ask the Network admin to open it for the device IP which is sending emails. You can follow below steps to test Port 25 via Telnet.

  1. Launch Command Prompt on a PC (IP of the PC should be in the same subnet as Device / Printer / Application)
  2. Type Command telnet <MX EndPoint> 25 and press Enter.

(If telnet command is not recognized on the Windows 10 or Windows 11 PC. The Please first Install Telnet Client by going to Start menu -> Type “Turn Windows featured on or off” and find Telnet Client, Select it and click OK).

Install Telnet Client on Windows
Install Telnet Client on Windows
  1. Once Telnet is installed on your Windows device. You can open a command prompt and type below command to test if Port 25 is opened or not.

Telnet <your MX endpoint> 25

Test Port 25 using Telnet
Test Port 25 using Telnet

Once you enter on the above command, you should get a response from the server. Which means that Port 25 is opened.

Test Port 25 using Telnet
Test Port 25 using Telnet

Send a Test email using Telnet

If you want to check the email delivery then you can use the Telnet command and send a test email. This test can confirm if there are any issues in email delivery. You can follow below steps to test a test email using telnet.

  1. Login on a computer in the same subnet as the Device / Printer / Application.
  2. Open Command prompt as administrator.
  3. Type command Telnet <your MX endpoint> 25.
Send a Test email using Telnet
Send a Test email using Telnet
  1. You will get a response back after press enter on the Telnet command. On Telnet Console Type below commands:

ehlo

mail from â€“ Type from email address

rcpt to â€“ Type recipient email address to send a test email.

If the recipient receives this test email then there is no issue witth email delivery.

ehlo
MAIL FROM:<myscanner@techpress.net>
250 2.1.0 Sender OK
RCPT TO:<internal email ID>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
SUBJECT:Hello World

This is a test message

Thanks,
John A.

. <Dot to end the email>

Copy

Check if ISP Public IP Address is banned

When you are sending an email using Telnet and if you get a message saying that your sending IP is banned. Then you need to unblock / remove your IP from banned list so that Devices on your network can send email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

To remove your ISP Public IP Address from banned list, you need to login on https://senders.office.com and type your email ID and ISP Public IP Address of your organization. Follow the instuctions on the site to get your IP De-listed. This may take from 30 minutes to couple of hours to unblock your IP.

After you get your IP De-listed from https://senders.office.com. Try to send an email using Telnet again. This time if your IP is successfully de-listed, the recipient should receive the email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

Test email has been received successfully.

Test email received using Telnet
Test email received using Telnet

Delisting / Unblock of ISP Public IP on Spamhaus.org

When you are sending an email using Telnet and if you get a message saying that service unavailable, Client host <your ISP Public IP address> blocked using Spamhaus. You need to visit the URL https://www.spamhaus.org/query/ip/<ISP Public IP Address> to get your IP De-listed.

Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

How to unblock your ISP Public IP on spamhaus.org

Please follow below steps to unblock your ISP Public IP from spamhaus.org.

  1. Once you land on https://www.spamhaus.org/query/ip/<ISP Public IP Address> site. Click on Show details and then click on “I am running my own mail server“.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Select I am running my own mail server and clicon on Next steps.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Complete the form for unblocking your ISP Public IP. Provide a NameEmail Address and Provide details regarding the issue. Once you complete this form. click on Submit button.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Form has been submitted. You can now wait for email verification link from Spamhaus.org.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Below is the email I received to verify my email address. Click on the link in the email for Email Verification.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Delisting has been successful. You can now try to use Telnet to send a test email to confirm email delivery issue has been rectifed. You can also check the Device / Printer / application to confirm if its able to send the email now.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

Conclusion

In this blog post, we have seem how to setup SMTP Relay in Office 365. There are three ways to configure it. But the most recommended option is Office 365 SMTP Relay Method. Second best method is Direct Send method which can be used if you do not have the requirements to send the emails to External recipients like gmail, yahoo etc.

Third method which is least recommended is SMTP Auth Submisson method. As It requires a licensed mailbox and SMTP AUTH to be enabled for that mailbox. There is a cost associated with licensed mailbox and Microsoft does not recommend SMTP AUTH to be enabled.

We have also see the troubleshooting steps in case of email delivery issues. These troubleshooting steps helped me fixed issues while working on Office 365 relay for Multiple clients.

Source :
https://techpress.net/office-365-smtp-relay-setup-and-configuration/

SSL/TLS connection issue fix: out-of-band update status and affected applications (Oct. 21, 2022)

[German]As of October 17, 2022, Microsoft has released several unscheduled updates for Windows. These updates fix a connection problem that can occur with SSL and TLS connections. Affected by this problem are probably all Windows client and server. Below I have listed all available updates and also give some hints where problems occur without these updates.


Advertising


Out-of-band updates with TLS fix

Microsoft made a mistake with the last updates for Windows (preview updates from September, security updates from October). As a result, various problems with SSL and TLS connections can occur. Microsoft has therefore released some : out-of-band updates on October 17, 2022 to fix the problem.

I had reportedthat  in the blog post Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022. However, Microsoft had not linked all the updates in its status pages (thanks to EP for pointing out the links), so that I could complete the list of updates for the affected Windows versions below:

The out-of-band updates KB5020439 and KB5020440 were added on October 18th.  These updates are only available for download in the Microsoft Update Catalog and have to be installed manually (just search for the KB numbers). Details about these updates can be found in the linked KB articles.

So only Windows 11 22H2 is missing the corresponding fix update. EP writes here that this fix will be added with the upcoming update KB5018496. This is currently released in the Windows Insider program as a pre-release version in the Release Preview channel (see).

Problems fixed with the updates

People have asked in comments which applications are actually affected by the TLS bugs. I don’t have a complete list, but would like to give some hints below as to what has come to my attention as a fix. Thanks to blog readers for the pointers.


Advertising


Citrix connectivity issue

With the October 2022 updates, administrators found that Citrix clients could no longer communicate with Citrix netscalers. I had reported on this in the blog postCitrix connections broken after Windows update KB5018410 (October 2022) (TLS problem). Affected people who installed the above updates reported that this fixed the connection problem.

KB5020387 fixes TLS 1.3 problem on Windows 10

On Windows, there was also the issue that there TLS 1.3 implementation was buggy on Windows 10 (it only works in Windows 11). I had raised a conflict case in the blog post Bug: Outlook no longer connects to the mail server (October 2022). Microsoft suggested disabling TLS 1.3 via registry intervention as a workaround. In this comment, someone suggests uninstalling updates KB5018410 (Windows 10) and KB5018427 (Windows 11).

Blog reader Harvester asked here, whether TLS 1.3 works with Windows 10 after installing the special updates, and then followed up with the results of his own tests.

Self-reply after tests : Schannel is working properly after having applied KB5020387 on a LTSC 2021 IoT Enterprise image (21H2), where Schannel was previously broken (on build 19044.2130, from October 11 2022)

We initially guessed that the IoT Enterprise SKU wasn’t supporting TLS 1.3, but now we confirmed that we hit the bug mentioned in the post.

“Fun” fact : while it as initially reported that TLS 1.3 was available starting from Windows 10 1903, the Schannel documentation was changed recently, and now state that only Windows 11 and Server 2022 support TLS 1.3: Protocols in TLS/SSL (Schannel SSP)

VPN and WebEx Meetings App

Within this German comment blog reader Marten reported, that the WebEx Meetings App could no longer connect to the WebEx Server (OnPrem) via VPN. The issue has been fixed via update.

Quest Migration Manager for Exchange

On Twitter, enno0815de has sent the following tweet, which refers to my message about the out-of-band updates with TLS fix. It says, anyone planning a domain migration using Quest Migration Manager for Exchange should also install the updates. Otherwise, the account will be locked out for the migration.


In a follow up tweet he adds: By some circumstance the Atelia class (Quest component) is deleted from the registry. Without the TLS fix, you lock the user out of AD completely.

Similar article:
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022)
Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022

Source :
https://borncity.com/win/2022/10/22/fix-des-ssl-tls-verbindungsproblems-stand-der-sonderupdates-und-betroffene-anwendungen-21-10-2022/

Confirmed: Metro Group victim of cyber attack

[German]Since Monday, October 17, 2022, many Metro stores worldwide have been struggling with severe IT problems. I had already suspected a cyber attack on the Metro Group in a post and I had reports from Austria, from France as well as comments from German Metro customers as well as employees. However, a cyber attack remained unconfirmed so far. Now Metro AG has confirmed such an attack to heise – and on its website.


Advertising


Metro Group with IT problems

I had already reported about the IT problems at Metro Group in the blog post Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected. Since Monday, October 17, 2022, Metro wholesales stores have been struggling with massive IT problems. No invoices or daily passes could be issued and online orders had also disappeared, Metro customers reported. A blog reader had provided me with the following photo of a Metro notice board.

IT-Störung bei Metro
Notification about IT disruption at a Metro wholesale store

The suspicion of a cyber attack has not been confirmed by company spokespersons till today (October 21, 2022). But I have had reports from German blog readers, reporting IT issues since days and some people told me, it’s a cyber attack as a root cause.

Not only Austria and France are affected, but Metro AG worldwide. In Germany, too, the same problem has existed since last Monday. No more stock or prices can be updated or checked in the store. The checkout system is still working but also sluggishly, resulting in long lines. If you want to reserve something digitally, that doesn’t work either.

One reader noted that from what he observed, the IT problems have been going on since Friday afternoon (October 14, 2022). A reader informed me on Facebook that their email systems had delivered a 442 connection Failed-Error when communicating with the Metro mail system last Monday. By the afternoon of October 19, 2022, communication with the Metro Group email system was working again – so something is happening.


Advertising


Metro confirms cyber attack

First a speaker from Metro AG confired to German IT magazine heise a cyber attack on it’s IT systems. After searching the Metro AG site today, I finally found the following statement. It says (translated in English):

Metro cyber attack confirmation
Metro cyber attack confirmation (addenum: here is an English version)

T-Security Incident at METRO

METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage. METRO AG has informed all relevant authorities about the incident and will of course cooperate with them in every possible way.

During the operation of METRO stores and the regular availability of services, disruptions and delays may occur. The teams in the stores have quickly set up offline systems to process payments. Online orders via the web app and online store are being processed, but there may be individual delays here as well.

We will continue to analyze and monitor the situation intensively and provide updates if necessary.
METRO sincerely apologizes for any inconvenience this incident may cause to customers and business partners.

So they confirmed just a cyber attack, but stay tight lipped about the details. No information, whether it’s a ransomware infection nor about a possible attack vector.

Metro AG is a listed group of wholesale companies (for purchases in the gastronomy sector). Headquartered in DĂĽsseldorf, the group employs more than 95,000 people in 681 stores worldwide, most of them in Germany. In Germany, the company mainly operates the Metro wholesale stores. Sales are 24.8 billion euros (2020).

Similar articles:
Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected
Ransomware Attack on electronic retail markets of Media Markt/Saturn
Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand

Source :
https://borncity.com/win/2022/10/21/metro-gruppe-doch-opfer-eines-cyberangriffs/

Over 45,000 VMware ESXi servers just reached end-of-life

Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract.

Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network.

As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers.

Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today

The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025.

However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper’s customers.

VMWare versions detected on net scans
VMWare versions detected on net scans (Lansweeper)

The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation.

The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages.

For more details about EOL dates on all VMware software products, check out this webpage.

What does this mean?

When a software product reaches the end-of-life date, it stops receiving regular security updates. This means that admins should have already planned ahead and upgraded all deployments to a newer release.

While it’s not unlikely that VMware will still offer some critical security patches for these older versions, it’s not guaranteed and certainly won’t release patches for all new vulnerabilities that are discovered.

Once an unsupported ESXi server has carried on for long enough without patches, it will have accumulated so many security vulnerabilities that attackers would have multiple ways to breach it.

Due to ESXi hosting virtual machines, attacking the server can potentially cause severe and wide-scale disruption to business operations, which is why ransomware gangs are so focused on targeting it.

This year, ESXi VMs were targeted by the likes of Black BastaRedAlertGwisinLockerHive, and the Cheers ransomware gangs.

More recently, Mandiant discovered that hackers found a new method to establish persistence on VMware ESXi hypervisors that lets them control the server and hosted VMs without being detected.

All that said, ESXi already enjoys ample attention from threat actors, so running outdated and vulnerable versions of the software would no doubt be a terrible idea.

Related Articles:

VMware: 70% drop in Linux ESXi VM performance with Retbleed fixes

Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

Microsoft adds new RSS feed for security update notifications

VMware vCenter Server bug disclosed last year still not patched

Windows 11 KB5018427 update released with 30 bug fixes, improvements

Source :
https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-life/

Bringing passkeys to Android & Chrome

Posted by Diego Zavala, Product Manager (Android), Christiaan Brand, Product Manager (Account Security), Ali Naddaf, Software Engineer (Identity Ecosystems), Ken Buchanan, Software Engineer (Chrome)

Explore passkeys on Android & Chrome starting today

Starting today, Google is bringing passkey support to both Android and Chrome.

Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps.

Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users’ phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today’s announcement is a major milestone in our work with passkeys, and enables two key capabilities:

  1. Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager.
  2. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms.

To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year.

Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

Signing in to a website on an Android device with a passkey

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted.

Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted.

Signing in to a website on a nearby computer with a passkey on an Android device

A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device.

Since passkeys are built on industry standards, this works across different platforms and browsers – including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

We will continue to do our part for a passwordless future

We have worked with others in the industry, including Apple and Microsoft, and members within the FIDO Alliance and the W3C to drive secure authentication standards for years. We have shipped support for W3C Webauthn and FIDO standards since their inception.

Today is another important milestone, but our work is not done. Google remains committed to a world where users can choose where their passwords, and now passkeys, are stored. Please stay tuned for more updates from us in the next year as we introduce changes to Android, enabling third party credential managers to support passkeys for their users.

Source :
https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html

Windows 11 22H2 breaks provisioning with 0x800700b7 errors

Microsoft says the Windows 11 2022 Update is breaking provisioning, leaving Windows 11 enterprise endpoints partially configured and failing to finish installing.

According to Microsoft, this known issue most likely affects provisioning packages (.PPKG files used to configure new endpoints on enterprise or school networks without imaging) during the initial setup phase.

“Using provisioning packages on Windows 11, version 22H2 (also called Windows 11 2022 Update) might not work as expected,” Redmond explained.

“Windows might only be partially configured, and the Out Of Box Experience might not finish or might restart unexpectedly.”

Microsoft added that this issue would not impact IT administrators provisioning Windows devices on their network. The list of unaffected devices also includes Windows systems used in home or small office networks.

Windows admins have been experiencing provisioning problems for more than a week, as confirmed by multiple reports on Microsoft’s Q&A platform.

“Sadly that is true, packages working fine on 21H2 but fail miserably on 22H2 with error 0x800700b7,” one report reads.

“Seems that the package gets indeed installed, just not processed and then errors out for whatever reason.”

Installing Windows 11 provisioning packages
Installing Windows 11 provisioning packages (Microsoft)

Workaround available

Microsoft says it’s currently investigating this newly acknowledged issue and will provide an update with an upcoming release.

Until an official fix for these provisioning problems is available, Redmond suggests provisioning end-user devices before the Windows 11 22H2 upgrade.

“If you can provision the Windows device before upgrading to Windows 11, version 22H2, this will prevent the issue,” Microsoft said.

The company is also investigating user reports of issues with Remote Desktop after installing the Windows 11 22H2 update, causing Remote Desktop clients not to connect, randomly disconnect, or freeze without warning.

Microsoft has also added compatibility holds to block the Windows 11 2022 Update on some systems due to printer issues or blue screens.

Since Tuesday, October 4, Windows 11 22H2 has entered a new deployment phase as it is now available to all seekers on eligible devices.

Related Articles:

Microsoft investigates Windows 11 22H2 Remote Desktop issues

Windows 11 22H2 blocked on some systems due to printer issues

Windows 11 22H2 blocked due to blue screens on some Intel systems

NVIDIA GeForce Experience beta fixes Windows 11 22H2 gaming issues

Microsoft: Windows 11 22H2 now available for all eligible devices

Source :
https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-breaks-provisioning-with-0x800700b7-errors/

Alert (AA22-277A) Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Summary

Actions to Help Protect Against APT Cyber Activity:

• Enforce multifactor authentication (MFA) on all user accounts.
• Implement network segmentation to separate network segments based on role and functionality.
• Update software, including operating systems, applications, and firmware, on network assets.
• Audit account usage.

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.

Download the PDF version of this report: pdf, 692 KB

For a downloadable copy of IOCs, see the following files:

Technical Details

Threat Actor Activity

NoteThis advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to MITRE ATT&CK for Enterprise framework.

From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization’s enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted –third-party identified APT activity on the victim’s network.

Some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (“Admin 1”) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN).

Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.

During the same period, APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.

In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA MAR-10365227-2 and -3.

In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.

APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.

Use of Impacket

CISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.

The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization’s multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:

powershell add-pssnapin *exchange*;New-ManagementRoleAssignment – name:”Journaling-Logs” -Role:ApplicationImpersonation -User:<account>

This command gave the service account the ability to access other users’ mailboxes.

The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, are common for these threat actors. According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.

Use of Custom Exfiltration Tool: CovalentStealer

The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.

CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim’s documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 for additional technical details, including IOCs and detection signatures.

MITRE ATT&CK Tactics and Techniques

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.

Initial Access
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Execution
Technique TitleIDUse
Windows Management InstrumentationT1047Actors used Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands.
Command and Scripting InterpreterT1059Actors abused command and script interpreters to execute commands.
Command and Scripting Interpreter: PowerShellT1059.001Actors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command ShellT1059.003Actors abused the Windows Command Shell to learn about the organization’s environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.The actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell.
Command and Scripting Interpreter: PythonT1059.006The actors used two Impacket tools: wmiexec.py and smbexec.py.
Shared ModulesT1129Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.
System ServicesT1569Actors abused system services to execute commands or programs on the victim’s network.
Persistence
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Create or Modify System ProcessT1543Actors were observed creating or modifying system processes.
Privilege Escalation
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Defense Evasion
Technique TitleIDUse
Masquerading: Match Legitimate Name or LocationT1036.005Actors masqueraded the archive utility WinRAR.exe by renaming it VMware.exe to evade defenses and observation.
Indicator Removal on HostT1070Actors deleted or modified artifacts generated on a host system to remove evidence of their presence or hinder defenses.
Indicator Removal on Host: File DeletionT1070.004Actors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards.
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Virtualization/Sandbox Evasion: System ChecksT1497.001Actors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information.
Impair Defenses: Disable or Modify ToolsT1562.001Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID.
Hijack Execution FlowT1574Actors were observed using hijack execution flow.
Discovery
Technique TitleIDUse
System Network Configuration DiscoveryT1016Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine.The threat actor used route print to display the entries in the local IP routing table.
System Network Configuration Discovery: Internet Connection DiscoveryT1016.001Actors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways.
System Owner/User DiscoveryT1033Actors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system.
System Network Connections DiscoveryT1049Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP.
Process DiscoveryT1057Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine.The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers.”
System Information DiscoveryT1082Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine.
File and Directory DiscoveryT1083Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system.
Virtualization/Sandbox Evasion: System ChecksT1497.001Actors used Windows command shellcommands to detect and avoid virtualization and analysis environments.
Lateral Movement
Technique TitleIDUse
Remote Services: SMB/Windows Admin SharesT1021.002Actors used Valid Accounts to interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user.
Collection
Technique TitleIDUse
Archive Collected Data: Archive via UtilityT1560.001Actor used PowerShell commands and WinRAR to compress and/or encrypt collected data prior to exfiltration.
Data from Network Shared DriveT1039Actors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dircommand to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest.The actors used dir.exe to display a list of a directory’s files and subdirectories matching a certain text string.
Data Staged: Remote Data StagingT1074.002The actors split collected files into approximately
3 MB chunks located on the Exchange server within the CU2\he\debug directory.
Command and Control
Technique TitleIDUse
Non-Application Layer ProtocolT1095Actors used a non-application layer protocol for communication between host and Command and Control (C2) server or among infected hosts within a network.
Ingress Tool TransferT1105Actors used the certutil command with three switches to test if they could download files from the internet.The actors employed CovalentStealer to exfiltrate the files.
ProxyT1090Actors are known to use VPN and VPS providers, namely M247 and SurfShark, as part of their techniques to access a network remotely.
Exfiltration
Technique TitleIDUse
Schedule TransferT1029Actors scheduled data exfiltration to be performed only at certain times of day or at certain intervals and blend traffic patterns with normal activity.
Exfiltration Over Web Service: Exfiltration to Cloud StorageT1567.002The actor’s CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder.

DETECTION

Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to:

  • Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.
  • Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below:
    • Review logs for “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
    • Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
    • Search for one IP used across multiple accounts, excluding expected logins.
      • Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.
    • Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
    • Search for unusual activity in typically dormant accounts.
    • Search for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
  • Review the YARA rules provided in MAR-10365227-1 to assist in determining whether malicious activity has been observed.
  • Monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect).
  • Monitor for anomalous and known malicious command-line use. See Appendix: Windows Command Shell Activity for commands used by the actors to interact with the victim’s environment.
  • Monitor for unauthorized changes to user accounts (e.g., creation, permission changes, and enabling a previously disabled account).

CONTAINMENT AND REMEDIATION

Organizations affected by active or recently active threat actors in their environment can take the following initial steps to aid in eviction efforts and prevent re-entry:

  • Report the incident. Report the incident to U.S. Government authorities and follow your organization’s incident response plan.
  • Reset all login accounts. Reset all accounts used for authentication since it is possible that the threat actors have additional stolen credentials. Password resets should also include accounts outside of Microsoft Active Directory, such as network infrastructure devices and other non-domain joined devices (e.g., IoT devices).
  • Monitor SIEM logs and build detections. Create signatures based on the threat actor TTPs and use these signatures to monitor security logs for any signs of threat actor re-entry.
  • Enforce MFA on all user accounts. Enforce phishing-resistant MFA on all accounts without exception to the greatest extent possible.
  • Follow Microsoft’s security guidance for Active Directory—Best Practices for Securing Active Directory.
  • Audit accounts and permissions. Audit all accounts to ensure all unused accounts are disabled or removed and active accounts do not have excessive privileges. Monitor SIEM logs for any changes to accounts, such as permission changes or enabling a previously disabled account, as this might indicate a threat actor using these accounts.
  • Harden and monitor PowerShell by reviewing guidance in the joint Cybersecurity Information Sheet—Keeping PowerShell: Security Measures to Use and Embrace.

Mitigations

Mitigation recommendations are usually longer-term efforts that take place before a compromise as part of risk management efforts, or after the threat actors have been evicted from the environment and the immediate response actions are complete. While some may be tailored to the TTPs used by the threat actor, recovery recommendations are largely general best practices and industry standards aimed at bolstering overall cybersecurity posture.

Segment Networks Based on Function

  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for ransomware and other threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Infographic on Layering Network Security Through Segmentation and NSA’s Segment Networks and Deploy Application-Aware Defenses.)
  • Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt Zero Trust (ZT) principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration.

Manage Vulnerabilities and Configurations

  • Update softwareincluding operating systemsapplicationsand firmwareon network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Implement a configuration change control process that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change, and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups. If suspicious changes are observed, verify the change was authorized.

Search for Anomalous Behavior

  • Use cybersecurity visibility and analytics tools to improve detection of anomalous behavior and enable dynamic changes to policy and other response actions. Visibility tools include network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Monitor the use of scripting languages (e.g., Python, Powershell) by authorized and unauthorized users. Anomalous use by either group may be indicative of malicious activity, intentional or otherwise.

Restrict and Secure Use of Remote Admin Tools

  • Limit the number of remote access tools as well as who and what can be accessed using them. Reducing the number of remote admin tools and their allowed access will increase visibility of unauthorized use of these tools.
  • Use encrypted services to protect network communications and disable all clear text administration services(e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by a threat actor capturing network traffic.

Implement a Mandatory Access Control Model

  • Implement stringent access controls to sensitive data and resources. Access should be restricted to those users who require access and to the minimal level of access needed.

Audit Account Usage

  • Monitor VPN logins to look for suspicious access (e.g., logins from unusual geo locations, remote logins from accounts not normally used for remote access, concurrent logins for the same account from different locations, unusual times of the day).
  • Closely monitor the use of administrative accounts. Admin accounts should be used sparingly and only when necessary, such as installing new software or patches. Any use of admin accounts should be reviewed to determine if the activity is legitimate.
  • Ensure standard user accounts do not have elevated privileges Any attempt to increase permissions on standard user accounts should be investigated as a potential compromise.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze the performance of your detection and prevention technologies.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

ACKNOWLEDGEMENTS

CISA, FBI, and NSA acknowledge Mandiant for its contributions to this CSA.

APPENDIX: WINDOWS COMMAND SHELL ACTIVITY

Over a three-day period in February 2021, APT cyber actors used Windows Command Shell to interact with the victim’s environment. When interacting with the victim’s system and executing commands, the threat actors used /q and /c parameters to turn the echo off, carry out the command specified by a string, and stop its execution once completed.

On the first day, the threat actors consecutively executed many commands within the Windows Command Shell to learn about the organization’s environment and to collect sensitive data for eventual exfiltration (see Table 2).

CommandDescription / Use
net shareUsed to create, configure, and delete network shares from the command-line.[1] The threat actor likely used this command to display information about shared resources on the local computer and decide which directories to exploit.
powershell dirAn alias (shorthand) for the PowerShell Get-ChildItem cmdlet. This command maps shared drives by specifying a path to one location and retrieving the items from another.[2] The threat actor added additional switches (aka options, parameters, or flags) to form a “one liner,” an expression to describe commonly used commands used in exploitation: powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt. This particular command lists subdirectories of the target environment when.
systeminfoDisplays detailed configuration information [3], tasklist â€“ lists currently running processes [4], and ipconfig â€“ displays all current Transmission Control Protocol (TCP)/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings, respectively [5]. The threat actor used these commands with specific switches to determine if the system was a VMware virtual machine: systeminfo > vmware & date /T, tasklist /v > vmware & date /T, and ipconfig /all >> vmware & date /.
route printUsed to display and modify the entries in the local IP routing table. [6] The threat actor used this command to display the entries in the local IP routing table.
netstatUsed to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.[7] The threat actor used this command with three switches to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP: netstat -anp tcp.
certutilUsed to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.[8] The threat actor used this command with three switches to test if they could download files from the internet: certutil -urlcache -split -f https://microsoft.com temp.html.
pingSends Internet Control Message Protocol (ICMP) echoes to verify connectivity to another TCP/IP computer.[9] The threat actor used ping -n 2 apple.com to either test their internet connection or to detect and avoid virtualization and analysis environments or network restrictions.
taskkillUsed to end tasks or processes.[10] The threat actor used taskkill /F /PID 8952 to probably disable security features. CISA was unable to determine what this process was as the process identifier (PID) numbers are dynamic.
PowerShell Compress-Archive cmdletUsed to create a compressed archive or to zip files from specified files and directories.[11] The threat actor used parameters indicating shared drives as file and folder sources and the destination archive as zipped files. Specifically, they collected sensitive contract-related information from the shared drives.

On the second day, the APT cyber actors executed the commands in Table 3 to perform discovery as well as collect and archive data.

CommandDescription / Use
ntfsinfo.exeUsed to obtain volume information from the New Technology File System (NTFS) and to print it along with a directory dump of NTFS meta-data files.[12]
WinRAR.exeUsed to compress files and subsequently masqueraded WinRAR.exe by renaming it VMware.exe.[13]

On the third day, the APT cyber actors returned to the organization’s network and executed the commands in Table 4.

CommandDescription / Use
powershell -ep bypass import-module .\vmware.ps1;export-mft -volume eThreat actors ran a PowerShell command with parameters to change the execution mode and bypass the Execution Policy to run the script from PowerShell and add a module to the current section: powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e. This module appears to acquire and export the Master File Table (MFT) for volume E for further analysis by the cyber actor.[14]
set.exeUsed to display the current environment variable settings.[15] (An environment variable is a dynamic value pointing to system or user environments (folders) of the system. System environment variables are defined by the system and used globally by all users, while user environment variables are only used by the user who declared that variable and they override the system environment variables (even if the variables are named the same).
dir.exeUsed to display a list of a directory’s files and subdirectories matching the eagx* text string, likely to confirm the existence of such file.
tasklist.exe and find.exeUsed to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers”.[16][17][18]
ping.exeUsed to send two ICMP echos to amazon.com. This could have been to detect or avoid virtualization and analysis environments, circumvent network restrictions, or test their internet connection.[19]
del.exe with the /f parameterUsed to force the deletion of read-only files with the *.rar and tempg* wildcards.[20]

References

[1] Microsoft Net Share

[2] Microsoft Get-ChildItem

[3] Microsoft systeminfo

[4] Microsoft tasklist

[5] Microsoft ipconfig

[6] Microsoft Route

[7] Microsoft netstat

[8] Microsoft certutil

[9] Microsoft ping

[10] Microsoft taskkill

[11] Microsoft Compress-Archive

[12] NTFSInfo v1.2

[13] rarlab

[14] Microsoft Import-Module

[15] Microsoft set (environment variable)

[16] Microsoft tasklist

[17] Mitre ATT&CK – Sofware: TaskList

[18] Microsoft find

[19] Microsoft ping

[20] Microsoft del

Revisions

October 4, 2022: Initial version

Source :
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Macros from the internet will be blocked by default in Office

VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.

With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, the following message will be displayed:

Security risk banner about blocked macros with a Learn More button

The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if absolutely needed).

In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted. For example, if users are accessing files on a network share by using the share’s IP address. For more information, see Files centrally located on a network share or trusted website.

 Important

Even before this change we’re introducing, organizations could use the Block macros from running in Office files from the Internet policy to prevent users from inadvertently opening files from the internet that contain macros. We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. If you do configure the policy, your organization won’t be affected by this default change.

For more information, see Use policies to manage how Office handles macros.

Prepare for this change

To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher.

Also, review the following information:

Preparation actionMore information
Understand which versions and which update channels have this change (as we roll out this change)Versions of Office affected by this change
See a flow chart of the process Office takes to determine whether to run macros in a fileHow Office determines whether to run macros in files from the internet
Identify files with VBA macros that might be blocked using the Readiness ToolkitUse the Readiness Toolkit to identify files with VBA macros that might be blocked
Learn about policies that you can use to control VBA macro executionUse policies to manage how Office handles macros

Steps to take to allow VBA macros to run in files that you trust

How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file.

The following table list different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don’t have to do all possible approaches for a given scenario. In the cases where we have listed multiple approaches, pick the one that best suits your organization.

ScenarioPossible approaches to take
Individual files• Select the Unblock checkbox on the General tab of the Properties dialog for the file
• Use the Unblock-File cmdlet in PowerShell

For more information, see Remove Mark of the Web from a file.
Files centrally located on a network share or trusted websiteUnblock the file using an approach listed under “Individual files.”

If there isn’t an Unblock checkbox and you want to trust all files in that network location:
• Designate the location as a Trusted site
• Add the location to the Local intranet zone

For more information, see Files centrally located on a network share or trusted website.
Files stored on OneDrive or SharePoint, including a site used by a Teams channel• Have users directly open the file by using the Open in Desktop App option
• If users download the file locally before opening it, remove Mark of the Web from the local copy of the file (see the approaches under “Individual files”)
• Designate the location as a Trusted site

For more information, see Files on OneDrive or SharePoint.
Macro-enabled template files for Word, PowerPoint, and ExcelIf the template file is stored on the user’s device:
• Remove Mark of the Web from the template file (see the approaches under “Individual files”)
• Save the template file to a Trusted Location

If the template file is stored on a network location:
• Use a digital signature and trust the publisher
• Trust the template file (see the approaches under “Files centrally located on a network share or trusted website”)

For more information, see Macro-enabled template files for Word, PowerPoint, and Excel.
Macro-enabled add-in files for PowerPoint• Remove Mark of the Web from the Add-in file
• Use a digital signature and trust the publisher
• Save the Add-in file to a Trusted Location

For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Macro-enabled add-in files for Excel• Remove Mark of the Web from the Add-in file
• Save the Add-in file to a Trusted Location

For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Macros that are signed by a trusted publisher• [recommended] Deploy the public code-signing certificate for the trusted publisher to your users and prevent your users from adding trusted publishers themselves.
• Remove Mark of the Web from the file, and have the user add the publisher of the macro as a trusted publisher.

For more information, see Macros that are signed by a trusted publisher
.
Groups of files saved to folders on the user’s deviceDesignate the folder a Trusted Location

For more information, see Trusted Locations.

Versions of Office affected by this change

This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.

The change began rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Monthly Enterprise Channel and Semi-Annual Enterprise Channel.

The following table shows the forecasted schedule of when this change will be available in each update channel. Information in italics is subject to change.

Update channelVersionDate
Current Channel (Preview)Version 2203Started rolling out on April 12, 2022
Current ChannelVersion 2206Started rolling out on July 27, 2022
Monthly Enterprise ChannelVersion 2208October 11, 2022
Semi-Annual Enterprise Channel (Preview)Version 2208October 11, 2022
Semi-Annual Enterprise ChannelVersion 2208January 10, 2023

 Note

As we roll out this change to Current Channel over the next few weeks, not all customers will see the change right away.

The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.

How Office determines whether to run macros in files from the internet

The following flowchart graphic shows how Office determines whether to run macros in a file from the internet.

Flowchart that shows how Office determines whether to run macros in files from the internet

The following steps explain the information in the flowchart graphic, except for Excel Add-in files. For more information about those files, see Macro-enabled add-in files for PowerPoint and Excel. Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.

  1. A user opens an Office file containing macros obtained from the internet. For example, an email attachment. The file has Mark of the Web (MOTW).

 Note

  • Mark of the Web is added by Windows to files from an untrusted location, such as the internet or Restricted Zone. For example, browser downloads or email attachments. For more information, see Mark of the Web and zones.
  • Mark of the Web only applies to files saved on an NTFS file system, not files saved to FAT32 formatted devices.
  1. If the file is from a Trusted Location, the file is opened with the macros enabled. If the file isn’t from a Trusted Location, the evaluation continues.
  2. If the macros are digitally signed and the matching Trusted Publisher certificate is installed on the device, the file is opened with the macros enabled. If not, then the evaluation continues.
  3. Policies are checked to see if macros are allowed or blocked. If the policies are set to Not Configured, the evaluation continues to Step 6.
  4. (a) If macros are blocked by policy, the macros are blocked.
    (b) If the macros are enabled by policy, the macros are enabled.
  5. If the user had previously opened the file, before this change in default behavior, and had selected Enable content from the Trust Bar, then the macros are enabled because the file is considered trusted.

 Note

  • For more information, see New security hardening policies for Trusted Documents.
  • For perpetual versions of Office, such as Office LTSC 2021 or Office 2019, this step occurs after Step 3 and before Step 4, and isn’t affected by the change coming to Current Channel.
  1. This step is where the change to the default behavior of Office takes effect. With this change, macros in files from the internet are blocked and users will see the Security Risk banner when they open the file.

 Note

Previously, before this change in default behavior, the app would check to see if the VBA Macro Notification Settings policy was enabled and how it was configured.

If the policy was set to Disabled or Not Configured, then the app would check the settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings. The default is set to “Disable all macros with notification,” which allows users to enable content in the Trust Bar.

Guidance on allowing VBA macros to run in files you trust

Remove Mark of the Web from a file

For an individual file, such as a file downloaded from an internet location or an email attachment the user has saved to their local device, the simplest way to unblock macros is to remove Mark of the Web. To remove, right-click on the file, choose Properties, and then select the Unblock checkbox on the General tab.

File properties dialog showing the choice to unblock

 Note

  • In some cases, usually for files on a network share, users might not see the Unblock checkbox for a file where macros are being blocked. For those cases, see Files centrally located on a network share or trusted website.
  • Even if the Unblock checkbox is available for a file on a network share, selecting the checkbox won’t have any effect if the share is considered to be in the Internet zone. For more information, see Mark of the Web and zones.

You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.

Files centrally located on a network share or trusted website

If you have your users access files from a trusted website or an internal file server, you can do either of the following steps so that macros from those locations won’t be blocked.

  • Designate the location as a Trusted site
  • If the network location is on the intranet, add the location to the Local intranet zone

 Note

  • If you add something as a trusted site, you’re also giving the entire site elevated permissions for scenarios not related to Office.
  • For the Local intranet zone approach, we recommend you save the files to a location that’s already considered part of the Local intranet zone, instead of adding new locations to that zone.
  • In general, we recommend that you use trusted sites, because they have some additional security compared to the Local intranet zone.

For example, if users are accessing a network share by using its IP address, macros in those files will be blocked unless the file share is in the Trusted sites or the Local intranet zone.

 Tip

  • To see a list of trusted sites or what’s in the Local intranet zone, go to Control Panel > Internet Options > Change security settings on a Windows device.
  • To check if an individual file is from a trusted site or local intranet location, see Mark of the Web and zones.

For example, you could add a file server or network share as a trusted site, by adding its FQDN or IP address to the list of trusted sites.

Trusted sites dialog

If you want to add URLs that begin with http:// or network shares, clear the Require server verification (https:) for all sites in this zone checkbox.

 Important

Because macros aren’t blocked in files from these locations, you should manage these locations carefully. Be sure you control who is allowed to save files to these locations.

You can use Group Policy and the “Site to Zone Assignment List” policy to add locations as trusted sites or to the Local intranet zone for Windows devices in your organization. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.

Files on OneDrive or SharePoint

  • If a user downloads a file on OneDrive or SharePoint by using a web browser, the configuration of the Windows internet security zone (Control Panel > Internet Options > Security) will determine whether the browser sets Mark of the Web. For example, Microsoft Edge sets Mark of the Web on a file if it’s determined to be from the Internet zone.
  • If a user selects Open in Desktop App in a file opened from the OneDrive website or from a SharePoint site (including a site used by a Teams channel), then the file won’t have Mark of the Web.
  • If a user has the OneDrive sync client running and the sync client downloads a file, then the file won’t have Mark of the Web.
  • Files that are in Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll), and are synced to OneDrive, don’t have Mark of the Web.
  • If you have a group of users, such as the Finance department, that need to use files from OneDrive or SharePoint without macros being blocked, here are some possible options:
    • Have them open the file by using the Open in Desktop App option
    • Have them download the file to a Trusted Location.
    • Set the Windows internet security zone assignment for OneDrive or SharePoint domains to Trusted Sites. Admins can use the “Site to Zone Assignment List” policy and configure the policy to place https://{your-domain-name}.sharepoint.com (for SharePoint) or https://{your-domain-name}-my.sharepoint.com (for OneDrive) into the Trusted Sites zone.
      • This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.
      • SharePoint permissions and OneDrive sharing aren’t changed by adding these locations to Trusted Sites. Maintaining access control is important. Anyone with permissions to add files to SharePoint could add files with active content, such as macros. Users who download files from domains in the Trusted Sites zone will bypass the default to block macros.

Macro-enabled template files for Word, PowerPoint, and Excel

Macro-enabled template files for Word, PowerPoint, and Excel that are downloaded from the internet will have Mark of the Web. For example, template files with the following extensions:

  • .dot
  • .dotm
  • .pot
  • .potm
  • .xlt
  • .xltm

When the user opens the macro-enabled template file, the user will be blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app.

If you have a group of users that need to use macro-enabled templates without macros being blocked, you can take either of the following actions:

  • Use a digital signature and trust the publisher.
  • If you’re not using digital signatures, you can save the template file to a Trusted Location and have users get the template file from that location.

Macro-enabled add-in files for PowerPoint and Excel

Macro-enabled Add-in files for PowerPoint and Excel that are downloaded from the internet will have Mark of the Web. For example, Add-in files with the following extensions:

  • .ppa
  • .ppam
  • .xla
  • .xlam

When the user tries to install the macro-enabled Add-in, by using File > Options > Add-ins or by using the Developer ribbon, the Add-in will be loaded in a disabled state and the user will be blocked from using the Add-in. If the user trusts the source of the Add-in file, they can remove Mark of the Web from the Add-in file, and then reopen PowerPoint or Excel to use the Add-in.

If you have a group of users that need to use macro-enabled Add-in files without macros being blocked, you can take the following actions.

For PowerPoint Add-in files:

  • Remove Mark of the Web from the .ppa or .ppam file.
  • Use a digital signature and trust the publisher.
  • Save the Add-in file to a Trusted Location for users to retrieve.

For Excel Add-in files:

  • Remove Mark of the Web from the .xla or .xlam file.
  • Save the Add-in file to a Trusted Location for users to retrieve.

 Note

Using a digital signature and trusting the publisher doesn’t work for Excel Add-in files that have Mark of the Web. This behavior isn’t new for Excel Add-in files that have Mark of the Web. It’s worked this way since 2016, as a result of a previous security hardening effort (related to Microsoft Security Bulletin MS16-088).

Macros that are signed by a trusted publisher

If the macro is signed and you’ve validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files.

If you have just a few users, you can have them remove Mark of the Web from the file and then add the source of the macro as a trusted publisher on their devices.

 Warning

  • All macros validly signed with the same certificate are recognized as coming from a trusted publisher and are run.
  • Adding a trusted publisher could affect scenarios beyond those related to Office, because a trusted publisher is a Windows-wide setting, not just an Office-specific setting.

Trusted Locations

Saving files from the internet to a Trusted Location on a user’s device ignores the check for Mark of the Web and opens with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users won’t need to go to the Properties for the file, and select Unblock to allow the macros to run.

Because macros aren’t blocked in files saved to a Trusted Location, you should manage Trusted Locations carefully and use them sparingly. Network locations can also be set as a Trusted Location, but it’s not recommended. For more information, see Trusted Locations for Office files.

Additional information about Mark of the Web

Mark of the Web and Trusted Documents

When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with Mark of the Web, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document, and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.

After the change of default behavior to block macros in files from the internet, users will see a different banner the first time they open a file with macros from the internet. This SECURITY RISK banner doesn’t have the option to Enable content. But users will be able to go to the Properties dialog for the file, and select Unblock, which will remove Mark of the Web from the file and allow the macros to run, as long as no policy or Trust Center setting is blocking.

Mark of the Web and zones

By default, Mark of the Web is added to files only from the Internet or Restricted sites zones.

 Tip

To see these zones on a Windows device, go to Control Panel > Internet Options > Change security settings.

You can view the ZoneId value for a file by running the following command at a command prompt, and replacing {name of file} with your file name.

ConsoleCopy

notepad {name of file}:Zone.Identifier

When you run this command, Notepad will open and display the ZoneId under the [ZoneTransfer] section.

Here’s a list of ZoneId values and what zone they map to.

  • 0 = My Computer
  • 1 = Local intranet
  • 2 = Trusted sites
  • 3 = Internet
  • 4 = Restricted sites

For example, if the ZoneId is 2, VBA macros in that file won’t be blocked by default. But if the ZoneId is 3, macros in that file will be blocked by default.

You can use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file.

Use the Readiness Toolkit to identify files with VBA macros that might be blocked

To identify files that have VBA macros that might be blocked from running, you can use the Readiness Toolkit for Office add-ins and VBA, which is a free download from Microsoft.

The Readiness Toolkit includes a standalone executable that can be run from a command line or from within a script. You can run the Readiness Toolkit on a user’s device to look at files on the user’s device. Or you can run it from your device to look at files on a network share.

When you run the standalone executable version of the Readiness Toolkit, a JSON file is created with the information collected. You’ll want to save the JSON files in a central location, such as a network share. Then you’ll run the Readiness Report Creator, which is a UI wizard version of the Readiness Toolkit. This wizard will consolidate the information in the separate JSON files into a single report in the form of an Excel file.

To identify files that might be impacted by using the Readiness Toolkit, follow these basic steps:

  1. Download the most current version of the Readiness Toolkit from the Microsoft Download Center. Make sure you’re using at least Version 1.2.22161, which was released on June 14, 2022.
  2. Install the Readiness Toolkit.
  3. From a command prompt, go to the folder where you installed the Readiness Toolkit and run the ReadinessReportCreator.exe command with the blockinternetscan option.For example, if you want to scan files in the c:\officefiles folder (and all its subfolders) on a device and save the JSON file with the results to the Finance share on Server01, you can run the following command.

ConsoleCopy

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles\ -r -output \\server01\finance -silent
  1. After you’ve done all your scans, run the Readiness Report Creator.
  2. On the Create a readiness report page, select Previous readiness results saved together in a local folder or network share, and then specify the location where you saved all the files for the scans.
  3. On the Report settings page, select Excel report, and then specify a location to save the report.
  4. When you open the report in Excel, go to the VBA Results worksheet.
  5. In the Guideline column, look for Blocked VBA file from Internet.

For more detailed information about using the Readiness Toolkit, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps.

Use policies to manage how Office handles macros

You can use policies to manage how Office handles macros. We recommend that you use the Block macros from running in Office files from the Internet policy. But if that policy isn’t appropriate for your organization, the other option is the VBA Macro Notification Settings policy.

For more information on how to deploy these policies, see Tools available to manage policies.

 Important

You can only use policies if you’re using Microsoft 365 Apps for enterprise. Policies aren’t available for Microsoft 365 Apps for business.

Block macros from running in Office files from the Internet

This policy prevents users from inadvertently opening files containing macros from the internet. When a file is downloaded to a device running Windows, or opened from a network share location, Mark of the Web is added to the file identifying it was sourced from the internet.

We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. You should enable this policy for most users and only make exceptions for certain users as needed.

There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:

ApplicationPolicy location
AccessMicrosoft Access 2016\Application Settings\Security\Trust Center
ExcelMicrosoft Excel 2016\Excel Options\Security\Trust Center
PowerPointMicrosoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
VisioMicrosoft Visio 2016\Visio Options\Security\Trust Center
WordMicrosoft Word 2016\Word Options\Security\Trust Center

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the current level of protection you get with each state, before the change in default behavior is implemented.

IconProtection levelPolicy stateDescription
Green circle with white check markProtected [recommended]EnabledUsers will be blocked from running macros in files obtained from the internet.

Part of the Microsoft recommended security baseline.
Red circle with white XNot protectedDisabledWill respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.
Red circle with white XNot protectedNot ConfiguredWill respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

 Note

  • If you set this policy to Disabled, users will see, by default, a security warning when they open a file with a macro. That warning will let users know that macros have been disabled, but will allow them to run the macros by choosing the Enable content button.
  • This warning is the same warning users have been shown previously, prior to this recent change we’re implementing to block macros.
  • We don’t recommend setting this policy to Disabled permanently. But in some cases, it might be practical to do so temporarily as you test out how the new macro blocking behavior affects your organization and as you develop a solution for allowing safe usage of macros.

After we implement the change to the default behavior, the level of protection changes when the policy is set to Not Configured.

IconProtection levelPolicy stateDescription
Green circle with white check markProtectedNot ConfiguredUsers will be blocked from running macros in files obtained from the internet.

Users will see the Security Risk banner with a Learn More button

VBA Macro Notification Settings

If you don’t use the “Block macros from running in Office files from the Internet” policy, you can use the “VBA Macro Notification Settings” policy to manage how macros are handled by Office.

This policy prevents users from being lured into enabling malicious macros. By default, Office is configured to block files that contain VBA macros and display a Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but can’t use any disabled functionality until they select Enable Content on the Trust Bar. If the user selects Enable Content, then the file is added as a Trusted Document and macros are allowed to run.

There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:

ApplicationPolicy location
AccessMicrosoft Access 2016\Application Settings\Security\Trust Center
Excel [1]Microsoft Excel 2016\Excel Options\Security\Trust Center
PowerPointMicrosoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
VisioMicrosoft Visio 2016\Visio Options\Security\Trust Center
WordMicrosoft Word 2016\Word Options\Security\Trust Center

 Note

  • [1] For Excel, the policy is named Macro Notification Settings.
  • The “VBA Macro Notification Settings” policy is also available for Project and Publisher.

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the level of protection you get with each state.

IconProtection levelPolicy statePolicy value
Green circle with white check markProtected [recommended]EnabledDisable all except digitally signed macros (and select “Require macros to be signed by a trusted publisher”)
Green circle with white check markProtectedEnabledDisable all without notification
Orange circle with white check markPartially protectedEnabledDisable all with notification
Orange circle with white check markPartially protectedDisabled(Same behavior as “Disable all with notification”)
Red circle with white XNot protectedEnabledEnable all macros (not recommended)

 Important

Securing macros is important. For users that don’t need macros, turn off all macros by choosing “Disable all without notification.”

Our security baseline recommendation is that you should do the following:

  • Enable the “VBA Macro Notification Settings” policy.
  • For users that need macros, choose “Disable all except digitally signed macros” and then select “Require macros to be signed by a trusted publisher.” The certificate needs to be installed as a Trusted Publisher on users’ devices.

If you don’t configure the policy, users can configure macro protection settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

The following table shows the choices users can make under Macro Settings and the level of protection each setting provides.

IconProtection levelSetting chosen
Green circle with white check markProtectedDisable all macros except digitally signed macros
Green circle with white check markProtectedDisable all macros without notification
Orange circle with white check markPartially protectedDisable all macros with notification (default)
Red circle with white XNot protectedEnable all macros (not recommended; potentially dangerous code can run)

 Note

In the policy setting values and the product UI for Excel, the word “all” is replaced by “VBA.” For example, “Disable VBA macros without notification.”

Tools available to manage policies

There are several tools available to you to configure and deploy policy settings to users in your organization.

Cloud Policy

You can use Cloud Policy to configure and deploy policy settings to devices in your organization, even if the device isn’t domain joined. Cloud Policy is a web-based tool and is found in the Microsoft 365 Apps admin center.

In Cloud Policy, you create a policy configuration, assign it to a group, and then select policies to be included in the policy configuration. To select a policy to include, you can search by the name of the policy. Cloud Policy also shows which policies are part of the Microsoft recommended security baseline. The policies available in Cloud Policy are the same User Configuration policies that are available in the Group Policy Management Console.

For more information, see Overview of Cloud Policy service for Microsoft 365.

Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center, you can use either the Settings catalog (preview) or Administrative Templates to configure and deploy policy settings to your users for devices running Windows 10 or later.

To get started, go to Devices > Configuration profiles > Create profile. For Platform, choose Windows 10 and later and then choose the profile type.

For more information, see the following articles:

Group Policy Management Console

If you have Windows Server and Active Directory Domain Services (AD DS) deployed in your organization, you can configure policies by using Group Policy. To use Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office, which include the policy settings for Microsoft 365 Apps for enterprise. After you copy the Administrative Template files to AD DS, you can use the Group Policy Management Console to create Group Policy Objects (GPOs) that include policy settings for your users, and for domain joined devices.

Enabling & Managing Windows Firewall Settings

About this article

In this article, we are going to start by describing what the Windows Firewall feature is and what it is used for. This information will then allow you to enable and manage the Windows Firewall on your Windows PC or laptop. We will cover all the different versions of the Windows operating system that are currently supported by the Secure Remote Worker Validation Tool.

Lets first describe what a firewall actually is.

What is a firewall?

A firewall can be either a physical hardware device, software-based application that you install on your PC, or in the case of the Windows Firewall, an integrated feature of the operating system that is designed to protect your PC against the attack of malicious files. The firewall checks information and data sent across the internet or other networks to your PC. If the firewall detects that the information may contain malicious files then it will block them from reaching your PC, therefore protecting your PC from that threat. Equally, it can prevent you PC sending malicious content to other PCs.

Windows Firewall is an integrated firewall solution that is part of the Windows operating system. In this article, we are going to configure the Windows Firewall to work with Secure Remote Worker. In the following sections, we are going to discuss the process for each of the different version of the Windows operating, starting with Windows 10.

Important configuration note:

You should only have one software firewall solution installed at any one time. If you install additional security software on your PC that also has its own software-based firewall solution, then you will need to disable this if you are to use the Windows Firewall solution.

Enabling the firewall on Windows 10 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 10. Follow the steps below to work through the process of enabling the firewall:

  1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel App appear at the top of the list as the best match, highlighted (2). Click on the Control Panel App to launch it as shown in the following screenshot:

Click to Zoom

2. You will now see the Control Panel as shown in the following screenshot:

Click to Zoom

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

Click to Zoom

5. Click on Windows Defender Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Defender Firewall configuration screen as shown in the following screenshot:

Click to Zoom

7. Click on Turn Windows Defender Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

Click to Zoom
9. First, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Private network settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network settings section as highlighted (7) in the previous screenshot.

11. The other thing to configure is to make sure that you check the box for Notify me when Windows Defender Firewall blocks a new app for both network settings, so Public and Private. This means that you will be notified when something potentially malicious is blocked.

12. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 10 operating systems.

Enabling the firewall on Windows 8.1 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 10. Follow the steps below to work through the process of enabling the firewall:

1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top left of the screen in the Results section, highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:

Click to Zoom

2. You will now see the Control Panel as shown in the following screenshot:

Click to Zoom

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

Click to Zoom

5. Click on Windows Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:

Click to Zoom

7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

Click to Zoom

9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domain network settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Private network settings section as highlighted (7) in the previous screenshot.

11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network settings section as highlighted (8) in the previous screenshot.

12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new app for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.

13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 8.x operating systems.

Enabling the firewall on Windows 7 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 7. Follow the steps below to work through the process of enabling the firewall:

1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top of the screen under Programs(1), highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:

Click to Zoom

2. You will now see the Control Panel as shown in the following screenshot:

Click to Zoom

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

Click to Zoom

5. Click on Windows Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:

Click to Zoom

7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

Click to Zoom

9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domain network location settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Home or work (private) network location settings section as highlighted (7) in the previous screenshot.

11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network location settings section as highlighted (8) in the previous screenshot.

12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new program for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.

13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 7 operating systems.

Source :
https://kb.thinscale.com/secure-remote-worker-validation-tool/enabling-managing-windows-firewall-settings

What are webhooks?

A simple guide to connecting web apps with webhooks

By Matthew Guay Â· September 20, 2022

what-are-webhooks primary img

You might have seen webhooks mentioned in your apps’ settings and wondered if they’re something you should use. The answer, in a nutshell, is probably yes.

Webhooks are one way that apps can send automated messages or information to other apps. It’s how PayPal tells your accounting app when your clients pay you, how Twilio routes phone calls to your number, and how WooCommerce can notify you about new orders in Slack.

They’re a simple way your online accounts can “speak” to each other and get notified automatically when something new happens. In many cases, you’ll need to know how to use webhooks if you want to automatically push data from one app to another.

Let’s break it down, learn how to speak webhook, and get your favorite apps to talk to each other.

Here’s what we’ll cover:

What are webhooks?

Example SMS message with a sender, receiver, and message

There are two ways your apps can communicate with each other to share information: polling and webhooks. As one of our customer champion’s friends has explained it: polling is like knocking on your friend’s door and asking if they have any sugar (aka information), but you have to go and ask for it every time you want it. Webhooks are like someone tossing a bag of sugar at your house whenever they buy some. You don’t have to ask—they just automatically punt it over every time it’s available.

Automate your way forward with Zapier

Sign up

Webhooks are automated messages sent from apps when something happens. They have a message—or payload—and are sent to a unique URL—essentially the app’s phone number or address. Webhooks are almost always faster than polling, and require less work on your end.

They’re much like SMS notifications. Say your bank sends you an SMS when you make a new purchase. You already told the bank your phone number, so they knew where to send the message. They type out “You just spent $10 at NewStore” and send it to your phone number +1-234-567-8900. Something happened at your bank, and you got a message about it. All is well.

Webhooks work the same way.

Example webhook data

Take another look at our example message about a new order. Bob opened your store’s website, added $10 of paper to his shopping cart, and checked out. Boom, something happened, and the app needs to tell you. Time for the webhook.

Wait: who’s the app gonna call? Just like you need to tell the bank your phone number before they can text you, for webhooks, you need to tell the originating app—your eCommerce store, in this case—the webhook URL of the receiving app, the app where you want the data to be sent.

Say you want to make an invoice for this new order. The app that creates this invoice is on the receiving end—it’s the app that needs the order data.

Automate workflows that drive success

Learn from expert Zapier users, receive personalized support, and find ways to scale your impact at our free user conference.

Register for ZapConnect

You’d first open your invoice app, make an invoice template, and copy its webhook URL—something like yourapp.com/data/12345. Then open your eCommerce store app, and add that URL to its webhook settings. That URL is your invoice app’s phone number, essentially. If another app pings that URL (or if you enter the URL in your browser’s address bar), the app will notice that someone is trying to send it data.

Ok. Back to the order. Your eCommerce store got the order and knows it needs to send the details to yourapp.com/data/12345. It then writes the order in a serialization format. The simplest of those formats is called “form-encoded”, and means your customer’s order would look something like this:

Customer=bob&value=10.00&item=paper

Now your eCommerce store needs to send the message. The simplest way to send data to a webhooks URL is with an HTTP GET request. Literally, that means to add the data to the URL and ping the URL (or enter it in your browser’s address bar). The same way you can open Zapier’s about page by typing /about after zapier.com, your apps can send messages to each other by tagging extra text with a question mark on the end of a website address. Here’s the full GET request for our order:

https://yourapp.com/data/12345?Customer=bob&value=10.00&item=paper

Deep inside your invoice app, something dings and says “You’ve got mail!” and the app gets to work, making a new invoice for Bob’s $10 paper order. That’s webhooks in action.

Remember when you had to check your email to see if you had new messages—and how freeing push email (“You’ve got mail!”) was? That’s what webhooks are for your apps. They don’t have to check for new info anymore. Instead, when something happens, they can push the data to each other and not waste their time checking and waiting.

→ Ready to start using webhooks? Jump ahead to skip the geeky details—or keep reading to learn more about the terms you’ll often see used with webhooks.


That’s the simple version. Technically, webhooks are “user-defined callbacks made with HTTP” according to Jeff Lindsay, one of the first people to conceptualize webhooks. Webhooks are data and executable commands sent from one app to another over HTTP instead of through the command line in your computer, formatted in XML, JSON, or form-encoded serialization. They’re called webhooks since they’re software hooks—or functions that run when something happens—that work over the web. And they’re typically secured through obscurity—each user of an application gets a unique, random URL to send webhook data to—though they can optionally be secured with a key or signature.

Webhooks typically are used to connect two different applications. When an event happens on the trigger application, it serializes data about that event and sends it to a webhook URL from the action application—the one you want to do something based on the data from the first application. The action application can then send a callback message, often with an HTTP status code like 302 to let the trigger application know if the data was received successfully or 404 if not.

Webhooks are similar to APIs—but simpler. An API is a full language for an app with functions or calls to add, edit, and retrieve data. The difference is, with an API, you have to do the work yourself. If you build an application that connects to another with an API, your application will need to have ways to ask the other app for new data when it needs it. Webhooks, on the other hand, are for one specific part of an app, and they’re automated. You might have a webhook just for new contacts—and whenever a new contact is added, the application will push the data to the other application’s webhooks URL automatically. It’s a simple, one-to-one connection that runs automatically.

How to use webhooks

Video Thumbnail

You know the lingo, understand how apps can message each other with webhooks, and can even figure out what the serialized data means. You speak webhook.

It’s time to use it. The best way to make sure you understand how webhooks work is to test it out, try making your own webhooks, and see if they work. Or, you can jump ahead and just drop your webhook URL into an app to share data—after all, you don’t have to know how to make webhooks to use them.

Here are the resources you need:

Test webhooks with RequestBin and Postman

The quickest way to learn is to experiment—and it’s best to experiment with something you can’t break. With webhooks, there are two great tools for that: RequestBin (owned by Pipedream) and Postman.

How data appears in Requestbin

How data appears in Requestbin

RequestBin lets you create a webhooks URL and send data to it to see how it’s recognized. Go to RequestBin, click Create a RequestBin, then copy the URL it gives you.You’ll need to have a Pipedream account (created with Google or GitHub) before you can view and use a URL.

Now, serialize some data in form encoded style—or copy our example form copy above. Open a new tab, paste your RequestBin URL in the URL bar, add a ? to the end, then paste your serialized data. You’ll end up with something like this:

https://requestbin.com/19uynve1?customer=bob&value=10.00&item=paper

Press enter in your browser’s address bar, and you’ll get a simple message back: success:true. Refresh your RequestBin tab, and you’ll see the data listed at the bottom as in the screenshot above.

Click REST under INTEGRATIONS to see the data.

Click REST under INTEGRATIONS to see the data.

You can then try sending POST requests in Terminal or from your own app’s code, if you’d like, using RequestBin’s sample code. That’s a bit more complex—but gives you a way to play with JSON or XML encoding, too.

The setup in Postman

The setup in Postman

Or, use another app for that. The app Postman lets you make custom HTTP requests for an easy way to send customized data to a webhooks URL. Enter the URL, then choose the HTTP request method you want to use (GET, POST, PUT, etc), and add the body data. That’ll let you send far more detailed requests to your webhook URL without having to use more code.

Add webhooks to your apps

Testing webhooks and serializing data by hand is tricky—as is copying and pasting data from your apps. Let’s skip both, and just get our apps talking to each other.

We’re using WordPress-powered form tool Gravity Forms and document template-builder app WebMerge as the examples here—but the same general idea works in most other apps that support webhooks. Here’s essentially what you need to do:

Gravity Forms Webhook data

Open your form’s Webhook settings in Gravity Forms

First, enable webhooks in your app if they’re not already and open the webhooks settings (in Gravity Forms, for instance, you need to install an add-on; in Active Campaign or WooCommerce, you’ll find webhooks under the app’s default settings). Your app might have one set of webhook settings for the entire app—or, often, it’ll have a specific webhook for each form, document, or other items the app maintains.

We want the data to come from Gravity Forms, so we’ll open the Webhooks settings under the form we want to use. That gives us a URL field (this lets us tell Gravity Forms where we want to send the data) and options to specify the webhook HTTP request method (how to send the data).

WebMerge webhook

Each WebMerge document template has a unique webhook URL.

Now let’s get that URL from the app that will receive the data—WebMerge, in this case. In WebMerge, each document has its own “merge URL”—and it wants the data in form encoded serialization, as you can tell from the ampersands in the example data. Copy the merge URL—or whatever URL your app offers, as it may have a different name.

Tip: You’ll often find webhook URLs and related settings under the “integration”, “webhook”, or “workflow” settings, depending on your app.

Add webhooks URL to Gravity Forms

Add the webhooks URL to your trigger app so it can share data when something happens

Finally, go back to your trigger app—Gravity Forms in our case—and paste the webhook URL in Gravity Forms’ URL field. You may also be able to set the correct request method and the specific field values to ensure only the data you want is sent, and is shared with the same variable names as the receiving app uses. Save the settings, and you’re good to go.

The next time someone fills out our form that Bob ordered 10.00 of paper, Gravity Forms will send the data to WebMerge’s URL as https://www.webmerge.me/merge/149933/gxszxg?Name=Bob&Item=Paper&Value=10.00 and WebMerge will turn that into a complete invoice.


PayPal IPN

PayPal IPN is very similar to webhooks—and you can add a webhook URL to PayPal to get payment notifications

Once you start using webhooks, you’ll notice them (or similar links) everywhere, in places you never thought they’d show up. PayPal, for instance, uses Instant Payment Notifications or IPNs to send notifications whenever you receive a payment. Have an app that you’d like to do something whenever you get a PayPal payment? Add its webhooks URL to PayPal’s IPN settings and that app will get a message the next time you get money.

Or take TwimletsTwilio‘s simple apps to forward calls, record voicemail messages, start a conference call, and more. To, say, forward a call, you’ll add a familiar, webhook-style Twimlet address like http://twimlets.com/forward?PhoneNumber=415-555-1212 to your Twilio phone number settings. Want to build your own phone-powered app, or notify another app when a new call comes in? Put your webhook URL in Twilio’s settings instead.

They might go by different names, but once you notice places where apps offer to send notifications to a unique link, you’ll often have found somewhere else webhooks can work. Now that you know how to use webhooks, you can use them to make software do whatever you want.

Use webhooks in any app with Zapier

Many apps on Zapier use webhooks behind the scenes already. You may not realize it, since Zapier apps generally handle all the actual setup for you. If you come across an app that offers webhooks as an option, you can use a webhooks step in a Zap to set that up yourself using what you’ve learned about webhooks. Note: Webhooks by Zapier is a built-in tool only available to Zapier users on a paid plan or during their trial period.

Copy Webhooks URL from Zapier

Say you have an app that can send data to a webhooks URL. To connect it to other apps, you’ll make a new Zap—what we call Zapier’s automated app workflows—and choose Webhooks by Zapier as the trigger app. Select Catch Hook, which can receive a GET, POST, or PUT request from another app. Zapier will give you a unique webhooks URL—copy that, then add it to your app’s webhooks URL field in its settings.

GET requests ask the server for data. POST requests send data to a computer. PUSH requests ask the server for specific data, typically to update it.

Test webhooks in Zapier

Zapier will parse each serialized item from your webhook data

Then have your app test the URL, or perhaps just add a new item (a new form entry, contact, or whatever thing your app makes) to have your app send the data to the webhook. Test the webhook step in Zapier, and you’ll see data from the webhook listed in Zapier.

Use webhooks in action app in Zapier

You can add each data item from your webhook to another app in Zapier

Now you can use that data in another app. Select the action app—the app you want to send data to. You’ll see form fields to add data to that app. Click in the field where you want to add webhooks data and select it from the dropdown. Test your Zap and it’s now ready to use. Now the next time your trigger app sends data to the webhook, Zapier will automatically add it to the action app you selected.


Zapier webhook action

Zapier can send any data you want to a webhooks URL

The reverse works as well. Want to send data from one app to another via webhooks? Zapier can turn the data from the trigger app into a serialized list and send it to any webhooks URL you want.

First, select the trigger app you want to send data from, and set it up in Zapier as normal. Then select Webhooks as the action app, and choose how you want to send the data (POST is typically the best option for most webhook integrations).

Finally, paste the webhooks URL from the app you want to receive the data into the URL field in Zapier’s webhook settings. You can choose how to serialize the data (form or JSON are typically best). Zapier will then automatically send all of the data from your trigger app to the webhook—or you can set the specific data variables from the Data fields below.

Zapier send data to webhook URL

You can specify how Zapier serializes your data and choose the specific data it sends to your webhook

You’re now ready to use your Zap. Now whenever something new happens in your trigger app, Zapier will copy the data and send it to your other app’s webhooks URL.


Webhooks are one of the best ways to connect apps that wouldn’t otherwise work with Zapier. Have a Mac or iPhone app that doesn’t connect with Zapier? Using Alfred or Siri Shortcuts—plus a Zapier Webhooks URL—you can connect them to your Zapier workflows. Here’s how:

Or, automate any other app that uses webhooks with Zapier’s webhook integrations or use one of these popular Zap templates to get started quickly:

Add info to a Google Sheet from new Webhook POST requests

Try it

  • Google Sheets logo
  • Webhooks by Zapier logo

Google Sheets, Webhooks by Zapier

Google Sheets + Webhooks by ZapierMore details

Send webhooks with new items in RSS feeds

Try it

  • RSS by Zapier logo
  • Webhooks by Zapier logo

RSS by Zapier, Webhooks by Zapier

RSS by Zapier + Webhooks by ZapierMore details

POST new Facebook Lead Ads to a webhook

Try it

  • Facebook Lead Ads logo
  • Webhooks by Zapier logo

Facebook Lead Ads, Webhooks by Zapier

Facebook Lead Ads + Webhooks by ZapierMore details

Send emails with new caught webhooks

Try it

  • Email by Zapier logo
  • Webhooks by Zapier logo

Email by Zapier, Webhooks by Zapier

Email by Zapier + Webhooks by ZapierMore details

POST new user tweets to a webhook

Try it

  • Twitter logo
  • Webhooks by Zapier logo

Twitter, Webhooks by Zapier

Twitter + Webhooks by ZapierMore details


Time to start using webhooks

Ok, you’ve got this. Armed with your newfound knowledge about webhooks and their confusing terminology, you’re ready to start using them in your work. Poke around your favorite web apps’ advanced settings and see if any of them support webhooks. Think through how you could use them—then give it a shot.

And bookmark this article. Next time you read something about a GET request needing to make an HTTP callback, or see a URL with ?name=bob&value=10 and such at the end, you’ll know what it actually means.

Further Reading: Want to learn more about webhooks? Read up on our Webhooks documentation page for all the details.

Source :
https://zapier.com/blog/what-are-webhooks/