A new attack technique called ‘GIFShell’ allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using … GIFs.
The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files, commands, and perform exfiltrating data via GIFs.
As the data exfiltration is done through Microsoft’s own servers, the traffic will be harder to detect by security software that sees it as legitimate Microsoft Team’s traffic.
Overall, the attack technique utilizes a variety of Microsoft Teams flaws and vulnerabilities:
Bypassing Microsoft Teams security controls allows external users to send attachments to Microsoft Teams users.
Modify sent attachments to have users download files from an external URL rather than the generated SharePoint link.
Spoof Microsoft teams attachments to appear as harmless files but download a malicious executable or document.
Insecure URI schemes to allow SMB NTLM hash theft or NTLM Relay attacks.
Microsoft supports sending HTML base64 encoded GIFs, but does not scan the byte content of those GIFs. This allows malicious commands to be delivered within a normal-looking GIF.
Microsoft stores Teams messages in a parsable log file, located locally on the victim’s machine, and accessible by a low-privileged user.
Microsoft servers retrieve GIFs from remote servers, allowing data exfiltration via GIF filenames.
GIFShell – a reverse shell via GIFs
The new attack chain was discovered by cybersecurity consultant and pentester Bobby Rauch, who found numerous vulnerabilities, or flaws, in Microsoft Teams that can be chained together for command execution, data exfiltration, security control bypasses, and phishing attacks.
The main component of this attack is called ‘GIFShell,’ which allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.
To create this reverse shell, the attacker must first convince a user to install a malicious stager that executes commands, and uploads command output via a GIF url to a Microsoft Teams web hook. However, as we know, phishing attacks work well in infecting devices, Rauch came up with a novel phishing attack in Microsoft Teams to aid in this, which we describe in the next section.
GIFShell works by tricking a user into loading a malware executable called the “stager” on their device that will continuously scan the Microsoft Teams logs located at $HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log.
Microsoft Teams log folder Source: BleepingComputer
All received messages are saved to these logs and are readable by all Windows user groups, meaning any malware on the device can access them.
Once the stager is in place, a threat actor would create their own Microsoft Teams tenant and contact other Microsoft Teams users outside of their organization. Attackers can easily achieve this as Microsoft allows external communication by default in Microsoft Teams.
To initiate the attack, the threat actor can use Rauch’s GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target’s machine.
When the target receives the message, the message and the GIF will be stored in Microsoft Team’s logs, which the malicious stager monitors.
When the stager detects a message with a GIF, it will extract the base64 encoded commands and execute them on the device. The GIFShell PoC will then take the output of the executed command and convert it to base64 text.
This base64 text is used as the filename for a remote GIF embedded in a Microsoft Teams Survey Card that the stager submits to the attacker’s public Microsoft Teams webhook.
As Microsoft Teams renders flash cards for the user, Microsoft’s servers will connect back to the attacker’s server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command.
The GIFShell server running on the attacker’s server will receive this request and automatically decode the filename allowing the attackers to see the output of the command run on the victim’s device, as shown below.
For example, a retrieved GIF file named ‘dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif’ would decode to the output from the ‘whoami’ command executed on the infected device:
the user is:
bobbyrauch6274\bobbyrauIkBáë
The threat actors can continue using the GIFShell server to send more GIFs, with further embedded commands to execute, and continue to receive the output when Microsoft attempts to retrieve the GIFs.
As these requests are made by the Microsoft website, urlp.asm.skype.com, used for regular Microsoft Teams communication, the traffic will be seen as legitimate and not detected by security software.
This allows the GIFShell attack to covertly exfiltrate data by mixing the output of their commands with legitimate Microsoft Teams network communication.
Even worse, as Microsoft Teams runs as a background process, it does not even need to be opened by the user to receive the attacker’s commands to execute.
The Microsoft Teams logs folder have also been found accessed by other programs, including business monitoring software, such as Veriato, and potentially malware.
Microsoft acknowledged the research but said it would not be fixed as no security boundaries were bypassed.
“For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post exploitation and rely on a target already being compromised,” Microsoft told Rauch in an email shared with BleepingComputer.
“No security boundary appears to be bypassed. The product team will review the issue for potential future design changes, but this would not be tracked by the security team.”
Abusing Microsoft teams for phishing attacks
As we previously said, the GIFShell attack requires the installation of an executable that executes commands received within the GIFs.
To aid in this, Rauch discovered Microsoft Teams flaws that allowed him to send malicious files to Teams users but spoof them to look as harmless images in phishing attacks.
“This research demonstrates how it is possible to send highly convincing phishing attachments to victims through Microsoft Teams, without any way for a user to pre-screen whether the linked attachment is malicious or not,” explains Rauch in his writeup on the phishing method.
As we previously said in our discussion about GIFShell, Microsoft Teams allows Microsoft Teams users to message users in other Tenants by default.
However, to prevent attackers from using Microsoft Teams in malware phishing attacks, Microsoft does not allow external users to send attachments to members of another tenant.
While playing with attachments in Microsoft Teams, Rauch discovered that when someone sends a file to another user in the same tenant, Microsoft generates a Sharepoint link that is embedded in a JSON POST request to the Teams endpoint.
This JSON message, though, can then be modified to include any download link an attacker wants, even external links. Even worse, when the JSON is sent to a user via Teams’ conversation endpoint, it can also be used to send attachments as an external user, bypassing Microsoft Teams’ security restrictions.
For example, the JSON below has been modified to show a file name of Christmas_Party_Photo.jpeg but actually delivers a remote Christmas_Party_Photo.jpeg………….exe executable.
Microsoft Teams JSON to spoof an attachment Source: Bobby Rauch
When the attachment is rendered in Teams, it is displayed as Christmas_Party_Photo.jpeg, and when highlighting it, it will continue to show that name, as shown below.
Spoofing a JPEG file Source: Bobby Rauch
However, when the user clicks on the link, the attachment will download the executable from the attacker’s server.
In addition to using this Microsoft Teams spoofing phishing attack to send malicious files to external users, attackers can also modify the JSON to use Windows URIs, such as ms-excel:, to automatically launch an application to retrieve a document.
Rauch says this would allow attackers to trick users into connecting to a remote network share, letting threat actors steal NTLM hashes, or local attackers perform an NTLM relay attack to elevate privileges.
“These allowed, potentially unsafe URI schemes, combined with the lack of permissions enforcement and attachment spoofing vulnerabilities, can allow for a One Click RCE via NTLM relay in Microsoft Teams,” Rauch explains in his report on the spoofing attack.
Microsoft not immediately fixing bugs
Rauch told BleepingComputer that he disclosed the flaws to Microsoft in May and June of 2022, and despite Microsoft saying they were valid issues, they decided not to fix them immediately.
When BleepingComputer contacted Microsoft about why the bugs were not fixed, we were not surprised by their response regarding the GIFShell attack technique, as it requires the device to already be compromised with malware.
“This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.
We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.” – a Microsoft spokesperson.
However, we were surprised that Microsoft did not consider the ability of external attackers to bypass security controls and send attachments to another tenant as not something that should be immediately fixed.
Furthermore, not immediately fixing the ability to modify JSON attachment cards so that Microsoft Teams recipients could be tricked to download files from remote URLs was also surprising.
However, Microsoft has left the door open to resolving these issues, telling BleepingComputer that they may be serviced in future versions.
“Some lower severity vulnerabilities that don’t pose an immediate risk to customers are not prioritized for an immediate security update, but will be considered for the next version or release of Windows,” explained Microsoft in a statement to BleepingComputer.
A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system.This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload.Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-msg-serv-AqTup7vs
Affected Products
Vulnerable ProductsThis vulnerability affects Cisco devices if they are running a vulnerable release of Cisco SD-WAN vManage Software.For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.Products Confirmed Not VulnerableOnly products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS XE SD-WAN Software
SD-WAN vBond Orchestrator Software
SD-WAN vEdge Cloud Routers
SD-WAN vEdge Routers
SD-WAN vSmart Controller Software
Workarounds
There is a workaround that addresses this vulnerability.Administrators can use access control lists (ACLs) to block ports 4222, 6222, and 8222, which are used by Cisco SD-WAN vManage Software messaging services. They may be configured in the following ways depending on deployment:
Cisco Cloud Controllers ACLs (Inbound Rules allowed list) are managed through the Self-Service Portal. Customers will have to review their ACL configurations on the Self-Service Portal to ensure that they are correct. This does not involve updating the controller version. By default, Cisco-hosted devices are protected against the issue described in the advisory unless the customer has explicitly allowed access. For more information, see Cisco SD-WAN Cloud Hosted Controllers Provisioning.
While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.htmlAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.Customers Without Service ContractsCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.htmlCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.Fixed ReleasesCustomers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):Cisco SD-WAN vManage Software ReleaseFirst Fixed ReleaseEarlier than 20.3Migrate to a fixed release.20.3Migrate to a fixed release.20.620.6.420.7Migrate to a fixed release.20.8Migrate to a fixed release.20.920.9.1Note: It is the customer’s responsibility to upgrade their cloud controllers to the latest version in which this vulnerability is fixed.The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
Cisco would like to thank Orange Business for reporting this vulnerability.
VersionDescriptionSectionStatusDate1.1Added cloud information.Workarounds and Fixed SoftwareFinal2022-SEP-091.0Initial public release.-Final2022-SEP-07
It is necessary to use content optimization tools to rank higher on SERPs. Optimizing your blog content and web pages using the SEO content optimizer is vital to the success of your content SEO strategy because you need to keep an eye on your competitors. In this post, let’s learn with seobase what content optimization is and what the best content optimization tools are.
What Is Content Optimization?
Understanding and improving content performance to interact with audience intentions is crucial to getting the number of clicks and traffic you aim for. Getting a higher ranking in search engine results pages (SERPs) and improving the readability of the content is not a simple process but is also not impossible. Now, many content optimization tools facilitate the content optimization process.
Here are some things that you need to optimize your content to address them:
Customer Needs: your content needs to adapt to the customer’s changed needs.
Search Intent: your content should be optimized to meet user intent
Competitors: it’s a risk of falling behind if your content is not optimized.
Search Engine Updates: static content will lose relevance as search engine updates make a piece of content irrelevant.
Market Trends: your content needs to stay current if you want to rank above your competitors.
Top 10 Content Optimization Tools For SEO
Searching for specific content may take a long time to arrive at valuable and helpful content. Here comes your role; you have to work to benefit your audience and not make them spend a lot of time getting some information. Dozens of content optimization tools are available on the market to help you write quality content on your blog or landing pages. seobase listed the 5 best content optimization tools you can use to research, identify, and optimize content for your blog or web pages right now.
Sign up to our blog to stay tuned about the latest industry news.Subscribe
Google Search Console
Google Search Console (GSC) is a great free tool to analyze SERPs performance of your site and content. Moreover, it contains cutting-edge features helping you know page speed, and structured data could impact your online performance. Furthermore, you can define the user intent and be aware of the organic traffic with impression and click data of specific queries.
However, you can’t filter multiple search query terms to determine keyword cannibalization or misspellings quickly. In addition, it doesn’t display a complete SEO backlink profile. Here are a few says GSC to optimize your content marketing strategy:
Keyword For Each Page.
Content Popularity.
Find Content Gaps.
Customer Search Intent.
seobase SEO Tools
seobase serves 15,000+ satisfied customers globally. Leaders of many industries rely on seobase for rank tracking and SERPs analysis. You can create your search tracking in seconds and get daily updates on how your website performs across search engines.
Furthermore, you can track desktop and mobile platforms to get a full picture of your site’s performance. All of seobase SEO tools will allow you to create a quality piece of content. You can explore your target keywords and use them to optimize your content to meet the audience’s needs. Here are some of the seobase SEO content tools and features:
Keyword explorer tool
SERP checker tool
Rank Tracker tool
Site profiler tool
Backlink checker tool
Grammarly
Content marketers need to create a quality piece of content to drive organic traffic and rank high on SERPs. However, that content must be readable to engage with the target audience, Grammarly offers this.
Grammarly is one of the most critical content optimization solutions. Grammarly makes content optimization much more manageable by offering detailed, real-time suggestions for improving content quality. The content optimizer doesn’t miss any spelling or grammar errors unless it fixes them immediately.
It offers you edits and suggestions using AI support to improve your choice of words and the context and tone of the content. As a content optimizer for search engine algorithms, Grammarly uses contextual cues and typing tone as ranking factors.
Hemingway Editor
Hemingway Editor helps you write better content and drive traffic and more website visitors. It is a free online tool to see if it has everything you need to make high-quality content.
The tool allows you to find the common grammatical issues and sentence structure that can distract your readers. In addition, it enhances the readability level.
The Hemingway Editor is such an efficient content optimization tool. However, it lacks a widget for Chrome and Safari. As a result, you must copy/paste your content manually to the online or desktop program to check it.
The Editor tool is AI-powered, but it only uses a handful of grammar choices when grading your content, so you could be missing other mistakes if you depend only on this tool. The tool doesn’t offer suggestions on how to fix the problem for the errors highlighted by the tool. This can be disturbing when you need to resolve issues quickly.
Google Docs
Google Docs is not the first content optimization tool that comes to your mind when you think about content optimization solutions. However, it offers features like a word processor, spreadsheets, and forms so you can communicate with your team and keep your projects on track.
Content marketers always seek the easiest way to manage multiple projects at once. Sometimes the content creators need to keep a list of dozens of topics to expand or manage writers. Google Docs gives content writers what they need exactly to help them and their teams to produce optimized content.
Conclusion
Choosing the best content optimization tools suitable for growing your business and making the most of your marketing budget is not impossible, but it is challenging. You can always stay informed of previously published content by using Google Search Console and other tools to get actual performance metrics. seobase provides you with the necessary SEO content optimization solutions to improve the content that you publish on your website.
SEO Niche keywords research is your way to attract your audience. The niche keywords are the particular long-tail keywords related to a specific industry. You can find your best niche keywords list using the best online SEO niche search tool. Do you know how valuable for your SEO plan to tailor your pay-per-click campaigns to niche keywords list and not just general and trending terms? It is challenging for general or short tail keywords to rank on the first page on search engines such as Google, especially on a new site.
When starting to manage a new venture, it can be challenging to predict the impact of a new research campaign on your industry niche. As a result, searching niche keywords is the perfect solution to avoid any risks that may occur and affect your growth.
In this post, seobase presents how to research keywords for a niche using the niche research tools and how to find a niche keywords list.
Use a seobase Keyword Research Tool to Find Niche Keywords
Choosing an adequate and effective niche search tool is just as important and valuable as determining and choosing your SEO niche. Let’s say you decided to create a site that provides SEO services like seobase. In this case, you may have already decided that your website targets the SEO niche.
It may not matter much how much you know about the SEO industry, whether with a high level of experience or a lack of knowledge. This means that understanding which keywords will be profitable for you early on can be quite a challenge.
Since your website is a rookie site, you don’t have much historical data to use as an indicator of future performance. The seobase Keyword Explorer Tool is the ideal and most effective niche search tool for the initial niche keywords research and creating a niche keywords list.
Take advantage of the seobase Keyword Explorer Tool features, learn how to find niche keywords, and try to create an extensive niche keywords list. It may include forms of SEO niche keywords that you may not be able to come up with on your own, but the tool does.
Refine Your Niche Keyword List
You need to realize that the niche keywords list you take from niche research tools is just suggestions. So it’s critical to find a compelling way to refine your niche keyword research list. There are several ways to refine your SEO niche keywords list when adding a keyword or URL:
Your keyword list should be as specific to your website’s SEO niche.
Sign up to our blog to stay tuned about the latest industry news.Subscribe
Determine How Competitive Your Keywords Are
As we mentioned in the previous step, you have to know how difficult it is for niche keywords to SEO. Analyze how competitive each keyword you have in the niche keywords list.
Don’t choose the most difficult niche keywords because they have a high volume. If you think about it this way, it can be difficult if not impossible to arrange.
If you choose less difficult niche keywords, even if they are only at volume 10, the ten visits you will get per month and counting all the keywords you will use over the month, the total clicks and visits will ultimately be rewarding.
Niche Keyword Research: Conclusion
Successful keyword targeting requires constant monitoring and modification, especially niche keyword research. It is essential to know that niche research tools return a keyword does not mean that you will be able to rank on search engines necessarily.
The traffic you send from search engines will not end up converting just because you used the niche keywords list. However, SEO checkpoints are well implemented to get optimum results. Moreover, you can use the SEO services of the seobase platform.
How to promote your blog without social media? The best way to boost your blog traffic is by using SEO (search engine optimization) techniques. This includes writing great content that people will want to read, creating high-quality images for your posts, and making sure your site loads quickly. However, you need to prompt your blog to attract more visitors and increase the traffic and clicks. Most webmasters ask themselves, how do I get people to read my blog? The answer is straightforward: you can follow the next few tips and get a boosted blog. In this post, seobase will explain how to promote your blog without social media, how to get your blog noticed, and how to get traffic to your website without social media.
Comment and Engage With Other Blogs.
There are compelling methods to get boosted blogs without using social media. Commenting and engaging with other blogs is key to getting your blog noticed. Some web admins create their website blogs and overlook that community is essential to achieve their goals from this post.
One of the most effective ways to promote your blog without social media you can do is to visit and read other bloggers’ content, and to boost your blog’s traffic is to comment and engage with other blogs. In this step all you need to do in this step is to visit other blogs and comment. As a result, your fellow bloggers might also return the favor to your blog website. You can do this through commenting on other blogs, sharing links to them on social media, or even asking questions on forums.
Write Authentic Blog Content.
To promote your blog posts without social media, you need to know some more creative ideas; one of them is unique content. Writing unique and authentic content will attract the readers. Catchy headlines and optimized blogging content will attract the most readers to your blog. Attracting more readers increases traffic, clicks, and converts to customers. Also, do not overlook including the right keywords. Learn how to set a successful SEO keyword strategy.
If you want to write authentic blog content, you need to think about what you would say to a friend who was writing a similar post. This will help you avoid sounding too much like everyone else. When you start writing, build the content structure so that readers can find answers to their queries and do not have to leave your site quickly or look for another blog that answers their queries and questions. To learn how to promote your blog without social media with unique content, check the new content ideas.
Sign up to our blog to stay tuned about the latest industry news.Subscribe
Share Your Blog Posts on Pinterest.
Suppose you don’t use the social media platforms or even if you don’t have social media yet to support your content promotion. Here’s a vital and valuable tip to follow regarding how to get traffic to your website without social media; you can share your posts on Pinterest to get boosted blog.
Just make sure you use the right hashtags and keywords so people can find your content easily. On Pinterest, users engage in niche topics; this will help you to get your blog noticed to increase your website position and rank #1 on Google SERPs. No worries, there are plenty of places to promote your blog without social media.
Write Guest Posts.
If you write guest posts to get boosted blog, you will not only gain exposure for your own website, but you will also help others by sharing their work. This is one of the easiest ways to generate new business leads and get people to read my blog. As a result, you will get traffic to your website without social media.
If you’re following the guest post way to get your blog noticed and promote your blog without social media, you may face only one problem; getting people from your guest post to your website is a bit challenging. According to Backlinko, one industry study found that the average guest post brings in only 50 visitors. To solve this problem, you need to use the Guest Post Bonuses. With a Guest Post Bonus, you give the readers and webmasters motivation to make them visit your website. Read Why Everyone Ignores Your Guest Post Outreach Email.
Start a Podcast.
A podcast is an audio show that usually records interviews with experts in various fields. You can record these yourself or use services such as Blubrry.com. Once your episodes are ready, you need to find a platform to host them. Several options are available, including iTunes, SoundCloud, Stitcher, Google Play Music, and more.
The podcast may be one of the best places to promote your blog. The podcast bonus strategy is similar to the Guest Post Bonus strategy discussed above. Instead of creating a reward for each guest post, you can create a set of bonuses for each podcast you go to as a guest.
Furthermore, you can inform about these rewards through email campaigns. But how does this strategy start? Follow these steps to implement a successful podcast strategy:
First, create content that your podcast listeners will care about.
Then, assign podcast rewards to what you’ll talk about in the podcast.
After that, play it by the podcast host.
Finally, host your rewards section landing page at a URL that’s easy to remember and write.
How to Promote Your Blog Without Social Media: Conclusion.
Blogging without social media is not very popular, and not many bloggers follow it. However, it is a very successful strategy by which you can get a boosted blog. There are a lot of places to promote your blog that no one has visited yet. The competition in blogging social media marketing is tough and fierce. Despite its outstanding results, it takes a lot of time and effort to get a high ranking on Google.
The SEO checkpoints best practices are crucial for your website’s ranking on SERPs. Implementing this blog post SEO checklist wouldn’t take so much time; however, it would lead you to achieve your SEO goals. 15 min SEO daily to make sure you are on the right track is your best option to get a higher rank. First, let’s refresh our memory with the SEO meaning, then we can discuss the best practices of the SEO checkpoints in detail.
SEO is an acronym for (Search engine optimization), a set of activities we do to create good content and design the website. It also includes defining the business strategy and how to produce content to gain a better position in Google search results and attract more visitors to the site.
The term SEO may broaden to include another definition: Search Engine Optimization (SEO) is optimizing your online content so that a search engine likes to display it as a higher result for searches around a particular keyword. In this post, seobase will explain SEO checklist best practices in simplified detail to the most critical SEO checkpoints, daily SEO tracking, monthly SEO tasks and show you some ideal ways to achieve advanced results in search engines.
How to Use This SEO Checklist?
We have divided the SEO checkpoints best practices into main points to facilitate their explanation. Therefore, we will separately focus on each SEO component in the following few lines. Here are the leading SEO components checkpoints:
Basic SEO Checklist
Technical SEO Checklist
Keyword Research Checklist
Content Checklist
On-page SEO Checklist
Link Building Checklist
To set a successful SEO strategy, you should focus on the above SEO checkpoints best practices and carefully apply them to your website. This SEO checklist best practices work for e-commerce stores, local businesses, and affiliate sites.
Basic SEO Checkpoints Best Practices
Set up Google Search Console.
Google offers free Google Search Console services to track your site’s organic search performance. The importance of this tool is that it shows you the effectiveness of the detailed SEO plan, and it is a reliable service since the Google search engine provides it.
You can find on GSC:
The keywords you rank for,
Your ranking positions,
Your website errors.
In addition, you can submit your sitemaps successfully to get the best and most accurate results.
Sign up to our blog to stay tuned about the latest industry news.Subscribe
Set up Bing Webmaster Tools.
This step is similar to what is applied to Google, but this time to Bing. Setting up the Bing Webmaster Tools is essential for implementing a successful SEO plan.
Set up seobase online SEO Tools.
You can use seobase best online SEO tool to get the best results on search engines and improve your rankings. seobase provides webmasters with the most powerful SEO tools to facilitate the implantation of their SEO strategy and make it easier to achieve their SEO goals in the long term. Here are a few key SEO tools from seobase:
Rank Tracker Tool: it keeps you up-to-date with your Google positions and ranking on other search engines.
SERP Checker Tool: a cloud-based tool that allows you to check your SERPs on Google and other search engines.
Set up Google Analytics.
Also, Google offers an additional free service, Google Analytics, which is essential because it shows how many people visit your site, how they found it, and how they interact with it.
You can link Google Search Console with Google Analytics to see Search Console data in Analytics.
Install an SEO plugin.
You can skip this step if you’re using a different website platform like Shopify. This step is for WordPress users. If you are using WordPress, you should install an additional SEO plugin. These plugins help you organize your sitemaps and place the proper meta tags. Despite the importance of these tools, you do not need more than one tool only.
Here are some tools you can choose from to install in WordPress:
We’ve already mentioned that the GSC tool enables you to set your sitemaps to get accurate data. In addition, it is essential to fine-tune your Sitemaps because they are the link between search engines and the main content on your site. Sitemaps tell search engines where to find content on your website so that their spiders can easily crawl and index your pages. You can use the seobase Site Profiler tool to get a certain answer confirming that your website can be crawled and indexed.
Usually, you can find your sitemap at one of these URLs:
Creating a robots.txt file is an essential step on your SEO checklist; if checks, you can improve your SEO performance. But what is a robots.txt file? Robots.txt is a text file; its job is to direct search engines to where they can crawl and where they are not allowed to.
A robots.txt file may be necessary if you do not want search engines to crawl a specific section of your website that does not have the required SEO factors, to not affect the SEO checklist of your website.
You can check your robots.txt file; all you have to do is write your domain name and robots.txt like this; yourdomain.com/robots.txt.
If you see a text file, you already have a robots.txt file. If not, search Google for “robots.txt generator” to create one, or you can ask for help from a professional SEO company.
Now, after performing all of the above steps, you just got the basic SEO checklist best practices done. Let’s move to the next level of your SEO strategy, the technical SEO checklist.
Technical SEO Checkpoints Best Practices
Implementing technical SEO checkpoints best practices helps you create reliable bases and ensure your site can be crawled and indexed. As a result, your website will rank higher than any other website in your industry on SERPs.
Here are the primary and most common technical SEO checkpoints best practices to follow.
Make sure your site is crawlable and indexable.
Google does not index any page or content its spiders have not crawled. So it is crucial to check that Google spiders have accessed your content constantly. You can do this through Google Search Console to search for any warnings or exceptions related to robots.txt files.
Many webmasters confuse indexing and crawling, although they are two completely different processes. The crawled pages do not have to be indexed by Google. If you found a ‘noindex’ meta tag for bots or an x-robots tag on the page, indexing will not be possible. You can conduct a live test on GSC to find your indexing issues. If during live testing, indexing issues were detected with the URL, then you can request indexing from Google. Also, Google will inform you about noindexed URLs in the Coverage report.
The good news is that you also can get this information using the seobase Site Profiler tool. The tool will give you a detailed report for your site audit, including this information.
Make sure you’re using HTTPs.
It is important to use HTTPS as it is an exemplary security standard and will protect the data of your visitors. This is even more important if you require passwords or payment information, then using HTTPS is a must.
If you don’t use HTTPS, it’s time to migrate now. First, ensure your site sits on HTTPS by checking your browser’s URL bar. If you see a “padlock” sign on the left side of the URL, then you’re using HTTPS. If you don’t see this sign, you are not.
Check for duplicate versions of your site in Google’s Index.
You may face a severe SEO issue if you allow Google to index more than one version of your website.
For example, you see that these links listed below are all the same and will not make a big difference or cause a glitch, but it is entirely different from the point of view of search engines:
https://www.domain.com
https://domain.com
http://www.domain.com
https://domain.com
Don’t let Google get distracted by all those links, and make sure only one format is indexed. It can lead to crawling, indexing, and security issues.
All other versions should redirect 301 to your main domain, and you can check for duplicate versions of your site in Google’s index by entering each variant into your browser bar. If you’ve set up redirects without issue, you’re good. But if you still find that you can access many versions, you must redirect immediately.
Check your site speed.
Since 2010, PageSpeed has been an important ranking factor on search engines for desktop. Since 2018, it has been included as a vital ranking factor on search engines for mobile.
If you think of it from the user’s point of view, it is tedious and frustrating if you go to a site to search for the information you need and it takes you a lot of time to load; Google also adopts this point of view. Therefore, if you slow site speed, Google does not consider this site worthy of ranking on the first page because it does not improve the user experience.
You can use tools like PageSpeed Insights. Also, you can use the seobase Site Profiler tool to give you deep insights about your PageSpeed and a whole site audit report to see how fast your web page loads.
Make sure your site is mobile-friendly.
There is no doubt that we are in a speedy era; many searches are done through mobile. So having a mobile-friendly website is more important than ever; it is no longer optional.
Check your site’s mobile-friendliness by using Google’s mobile-friendly testing tool. seobase Site Profiler tool gives you an excellent chance to check if your website is mobile-friendly.
Install an image compression plugin.
One of the most underrated factors on the SEO checklist is images. Compressing images and reducing the size of image files improves page speed. As a result, it will enhance your chances of ranking high on search engines.
For WordPress users, there are plenty of plugins available for that. For example, you can use one of the best free WordPress SEO tools, ShortPixel. It allows you to compress up to 100 images/month for free.
Furthermore, you can use Tinypng to compress images in general and use them on other platforms.
Fix broken pages (Broken Internal and Outbound Links.)
Broken links do not provide the best user experience and break the transfer of the domain authority DA to your site. The best way to find broken links on your website is to conduct a backlink audit or audit your site thoroughly. You can use Site Profiler and Backlink Checker tools from seobase to get the best results.
Fix duplicate content issues.
If you’re targeting e-commerce SEO, probably you’ll find duplicated content issues; it is very common in e-commerce SEO because of the faceted navigation. Make sure you don’t have any duplicate content on your website.
You can fix this SEO issue by canonicalizing the affected URLs where necessary.
Keyword Research SEO Checkpoints Best Practices
This part of the seobase SEO checklist guide is primarily directed at SEO content writers. Applying the following SEO checkpoints to your content will boost your search engine rankings. Choosing the right keyword is your key to reaching the audience, but all your efforts will be in vain if your content is not SEO-equipped. Follow the next few tips to get your website at the top of the first search engine results pages (SERPs).
Explore your primary keyword.
The right keywords allow you to reach your goal easily. However, using improper or consistent SEO keywords with your content may be reason enough to distract search engines. In addition, the main keyword will refer to different subjects; thus, the search engine will see that your site is not trustworthy enough to appear on the first page because it does not provide a good user experience.
How do you know the best keyword to focus on?
Do frequent keyword research to target the main keywords you can rank by on the SERPs, but you should also ensure that you target the best keyword each time you post new content. Also, you can find the right keywords using the seobase keyword explorer tool.
Assess search intent.
If your page doesn’t align with the search intent, your chances of ranking are tiny to none.
So how do you assess search intent?
After finding the primary keyword, look at the ranked pages on Google SERPs for your primary keyword.
Check the URLs and titles of the top-ranking results, for example, if a user searches for “SEO checkpoints best practices.” Given the researcher’s intention, it is clear that he wants to know the primary points that must be applied to obtain the best SEO results. If the user searches for “SEO,” it is likely that he wants to get an SEO service provider.
Assess your chances of ranking on Google to enhance your SEO checkpoints best practices.
Investigating the difficulty of the keywords you use helps you prioritize your chances of ranking on search engines. Use the seobse keyword explorer tool to find out the SEO difficulty of keywords. If you are a beginner, you can use low or medium-difficulty keywords to be able to compete.
Also, check the results for the things that may suggest a hard keyword to crack, like high-quality backlinks and high topical relevance of the top-ranking sites, etc.
Research what people want to know.
Suppose a user searches for an “SEO Checklist.” You can see from analyzing search intent that people are looking for specific practical steps to implement. However, you should ask yourself a couple of vital questions;
What other questions do they have?
What other information fits your content to include?
You can find the answer to your questions in Google’s “People Also Ask” box.
Also, you can use a content ideas generator to find new subjects to write about. Finally, using the keywords explorer tool gives you a good insight into your query.
One month from today, we’re going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them.
Since our first announcement nearly three years ago, we’ve seen millions of users move away from basic auth, and we’ve disabled it in millions of tenants to proactively protect them.
We’re not done yet though, and unfortunately usage isn’t yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled.
Starting October 1st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. We will post a message to the Message Center 7 days prior, and we will post Service Health Dashboard notifications to each tenant on the day of the change.
We will not be disabling or changing any settings for SMTP AUTH.
If you have removed your dependency on basic auth, this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data contained in the monthly usage reports we have been sending monthly since October 2021. The data for August 2022 will be sent within the first few days of September.
What If You Are Not Ready for This Change?
We recognize that unfortunately there are still many tenants unprepared for this change. Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.
Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth.
However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful.
One-Time Re-Enablement
Today we are announcing an update to our plan to offer customers who are unaware or are not ready for this change.
When we turn off basic auth after October 1st, all customers will be able to use the self-service diagnostic to re-enable basic auth for any protocols they need, once per protocol. Details on this process are below.
Once this diagnostic is run, basic auth will be re-enabled for those protocol(s). Selected protocol(s) will stay enabled for basic auth use until end of December 2022. During the first week of calendar year 2023, those protocols will be disabled for basic auth use permanently, and there will be no possibility of using basic auth after that.
Avoiding Disruption
If you already know you need more time and wish to avoid the disruption of having basic auth disabled you can run the diagnostics during the month of September, and when October comes, we will not disable basic for protocol(s) you specify. We will disable basic for any non-opted-out protocols, but you will be able to re-enable them (until the end of the year) by following the steps below if you later decide you need those too.
In other words – if you do not want basic for a specific protocol or protocols disabled in October, you can use the same self-service diagnostic in the month of September. Details on this process below.
Diagnostic Options
Thousands of customers have already used the self-service diagnostic we discussed in earlier blog posts (here and here) to re-enable basic auth for a protocol that had been turned off, or to tell us not to include them in our proactive protection expansion program. We’re using this same diagnostic again, but the workflow is changing a little.
Today, we have archived all prior re-enable and opt-out requests. If you have previously opted out or re-enabled basic for some protocol, you’ll need to follow the steps below during the month of September to indicate you want us to leave something enabled for basic auth after Oct 1.
To invoke the self-service diagnostic, you can go directly to the basic auth self-help diagnostic by simply clicking on this button (it’ll bring up the diagnostic in the Microsoft 365 admin center if you’re a tenant Global Admin):
Or you can open the Microsoft 365 admin center and click the green Help & support button in the lower right-hand corner of the screen.
When you click the button, you enter our self-help system. Here you can enter the phrase “Diag: Enable Basic Auth in EXO”
Customers with tenants in the Government Community Cloud (GCC) are unable to use the self-service diagnostic covered here. Those tenants may opt out by following the process contained in the Message Center post sent to their tenant today. If GCC customers need to re-enable a protocol following the Oct 1st deadline they will need to open a support ticket.
Opting Out
During the month of September 2022, the diagnostic will offer only the option to opt-out. By submitting your opt-out request during September, you are telling us that you do not want us to disable basic for a protocol or protocols during October. Please understand we will be disabling basic auth for all tenants permanently in January 2023, regardless of their opt-out status.
The diagnostic will show a version of the dialog below, and you can re-run it for multiple protocols. It might look a bit different if some protocols have already been disabled. Note too that protocols are not removed from the list as you opt-out but rest assured (unless you receive an error) we will receive the request.
Re-Enabling Basic for protocols
Starting October 1, the diagnostic will only allow you to re-enable basic auth for a protocol that it was disabled for.
If you did not opt-out during September, and we disabled basic for a protocol you later realize you need, you can use this to re-enable it.
Within an hour (usually much sooner) after you run the diagnostics and ask us to re-enable basic for a protocol, basic auth will start to work again.
At this point, we have to remind you that by re-enabling basic for a protocol, you are leaving your users and data vulnerable to security risks, and that we have customers suffering from basic auth-based attacks every single day (but you know that already).
Starting January 1, 2023, the self-serve diagnostic will no longer be available, and basic auth will soon thereafter be disabled for all protocols.
Summary of timelines and actions
Please see the following flow chart to help illustrate the changes and actions that you might need to take:
Blocking Basic Authentication Yourself
If you re-enable basic for a protocol because you need some extra time and then afterward no longer need basic auth you can block it yourself instead of waiting for us to do it in January 2023. The quickest and most effective way to do this is to use Authentication Policies which block basic auth connections at the first point of contact to Exchange Online.
Just go into the Microsoft 365 admin center, navigate to Settings, Org Settings, Modern Authentication and uncheck the boxes to block basic for all protocols you no longer need (these checkboxes will do nothing once we block basic for a protocol permanently, and we’ll remove them some time after January 2023).
Reporting Web Service Endpoint
For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we’re also announcing today that this service will continue to have basic auth enabled until Dec 31st for all customers, no opt-out or re-enablement is required. And, we’re pleased to be able to provide the long-awaited guidance for this too right here.
EOP/SCC PowerShell
Basic authentication will remain enabled until Dec 31st, 2022. Customers need to migrate to certificate based authentication. Follow the Instructions here: App-only authentication
One Other Basic Authentication Related Update
We’re adding a new capability to Microsoft 365 to help our customers avoid the risks posed by basic authentication. This new feature changes the default behavior of Office applications to block sign-in prompts using basic authentication. With this change, if users try to open Office files on servers that only use basic authentication, they won’t see any basic authentication sign-in prompts. Instead, they’ll see a message that the file has been blocked because it uses a sign-in method that may be insecure.
Office Team is looking for customers to opt-in to their Private Preview Program for this feature. Please send them an email if you are interested in signing up: basicauthdeprmailer@microsoft.com.
Summary
This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps. IT and change can be hard, and the pandemic changed priorities for many of us, but everyone wants the same thing: better security for their users and data.
Our customers are important to us, and we do not want to see them breached, or disrupted. It’s a fine balance but we hope this final option will allow the remaining customers using Basic auth to finally get rid of it.
The end of 2022 will see us collectively reach that goal, to Improve Security – Together.
If you’re heading out of the office on a well-deserved vacation, are you certain the security controls you have in place will let you rest easy while you’re away? More importantly – do you have the right action plan in place for a seamless return?
Whether you’re on the way out of – or back to – the office, our Security Validation Checklist can help make sure your security posture is in good shape.
1. Check the logs and security events of your key critical systems. Stay up-to-date on recent activities. Check for changes – and attempted changes – and any potential indicators of compromise. Planning to be gone for longer than a week? Designate a team member to perform a weekly review in your absence, reducing the chances of a critical event going undetected.
2. Check for any new security vulnerabilities that were identified on your vacation. Use your preferred scanning tool or check one of the regularly updated databases, such as CVE Details.
3. Investigate failures of critical components and the reasons behind them. If remediation is needed, create an action plan to address the immediate issues and prevent repeated failures in the future.
4. Review whether there were any key changes to your products and their corresponding security controls. While now isn’t the time to implement major changes to your EDR, SIEM system, or other corresponding solutions, do make sure you’re aware of any updates that were made in your absence. Once you’re back – and able to monitor the impact on your overall security posture – you can make larger-scale changes to your controls.
5. Check with HR for any relevant changes. Did any new employees join the company and therefore need access to specific systems? Conversely, did any employees leave and need their credentials revoked? Were there any other incidents or red flags that require your attention?
6. Be aware of new business orientations. Did the organization introduce any new services or products that expanded the potential attack surface? For instance, did a new website or mobile app go live, or was a new version of a software product rolled out? Make sure your team is up to speed on the latest changes.
7.Check your password policies. Password policies shouldn’t be dependent on your vacation status, but as you work through this security checklist, take the opportunity to make sure policies are appropriately protecting the organization. Consider reviewing length, complexity, and special character requirements, as well as expiration and re-use policies.
8.Review firewall configurations . With many security experts recommending a review of firewall configurations every three to six months, now is an opportune time for an audit. Review network traffic filtering rules, configuration parameters, and authorized administrators – among other configurations – to make sure you’re using the appropriate configurations
There are plenty of tools that can help work through this checklist – but do you have all the resources needed to make sure everything will be addressed?
If you need help automating and standardizing your processes – or making sure critical vulnerabilities aren’t slipping through the cracks – Automated Security Validation can help. With real-time visibility, complete attack surface management, and actual exploitation measures – not just simulations – it provides what you need to rest easy while you’re away. And when you get back? Risk-based remediation plans help you create your roadmap for keeping your organization protected.
When you’re back, we’ve got your back. To learn more about protecting your security posture with Automated Security Validation, request a demo of the Pentera platform.
Securing a Microsoft 365 tenant must start with identity.
Protecting identities is a fundamental part of Zero Trust and it’s the first “target” that most attackers look for. We used to say that attackers hack their way in, now we say they log in, using bought, found or stolen/phished credentials. This article will show you why MFA is so important and how to implement advanced security features in Azure AD such as PIM, Password protection, Conditional Access policies (also a strong part of Zero Trust), auditing and more.
Below is the first chapter from our free Microsoft 365 Security Checklist eBook. The Microsoft 365 Security Checklist shows you all the security settings and configurations you need to know for each M365 license to properly secure your environment. Download the full eBook and checklist spreadsheet.
Multi-Factor Authentication
It should be no surprise that we start with identity, it’s the new security perimeter or the new firewall and having a strong identity equals strong security. The first step to take here is implementing Multi Factor Authentication (MFA). It’s free for all Office / Microsoft tenants. If you want to use Conditional Access (CA) to enforce it (rather than just enabling users “in bulk”), you need Azure AD Premium P1+ licensing. A username and a simple password are no longer adequate (it never was, we just never had a simple, affordable, easy to use alternative) to protect your business.
Hand-in-hand with MFA you need user training. If your business is relying on users doing the right thing when they get the prompt on their phone – they MUST also know that if they get a prompt when they’re NOT logging in anywhere, they must click Block / No / Reject.
To enable MFA on a per-user basis, go to aad.portal.azure.com, login as an administrator, click Azure Active Directory – Security – MFA and click on the blue link “Additional cloud-based MFA settings”.
Additional MFA settings
There are two parts (tabs) on this page, “service settings” where you should disable app passwords (a workaround for legacy clients that don’t support MFA, shouldn’t be necessary in 2022), add trusted public IP addresses (so that users aren’t prompted when they’re in the corporate office – we and Microsoft recommend not using this setting), disabling Call and Text message to phone and remember MFA on trusted devices setting (1-365 days), Microsoft recommends either using CA policies to manage Sign-In frequency or setting this to 90 days. Phone call / text message MFA are not strong authentication methods and should not be used unless there’s no other choice.
On the user’s tab you can enable MFA for individual users or click bulk update and upload a CSV file with user accounts.
If you have AAD Premium P1, it’s better to use a CA policy to enforce MFA, it’s more flexible and the MFA settings page will eventually be retired.
Enforcing MFA with a Conditional Access Policy
A few words of caution, enabling MFA for all your administrators is a given today. Seriously, if you aren’t requiring every privileged account to use MFA (or 2FA / passwordless, see below), stop reading and go and do that right now. Yes, it’s an extra step and yes, you’ll get push back but there’s just no excuse – it’s simply unprofessional and you don’t belong in IT if you’re not using it. For what it is worth, I’ve been using Azure MFA for over seven years and require it for administrators at my clients – no exceptions.
Enabling MFA for all users is also incredibly important but takes some planning. You may have some users who refuse to run the Microsoft Authenticator app on their personal phone – ask for it to be put in their hiring contract. You need to train them as to why MFA is being deployed, what to do, both for authentic logins and malicious ones. Furthermore, you need to have a smooth process for enrolling new users and offboarding people who are leaving.
You should also strongly consider creating separate (cloud only) accounts for administrators. They don’t require a license and it separates the day-to-day work of a person who only performs administrative actions in your tenant occasionally (or use PIM, Chapter 10).
MFA protects you against 99.9% of identity-based attacks but it’s not un-phishable. Stronger alternatives include biometrics such as Windows Hello for Business (WHFB) and 2FA hardware keys which bring you closer to the ultimate in identity security: passwordless.
Legacy Authentication
However, it’s not enough to enable MFA for all administrators and users, the bad guys can still get in with no MFA prompt in sight. The reason is that Office 365 still supports legacy protocols that don’t support modern authentication / MFA. You need to disable these; you can’t just turn them off, you need to check if there are legitimate applications / workflows / scripts that use any of them. Go to aad.portal.azure.com, login as a Global Administrator, click Azure Active Directory – Monitoring – Sign-in logs. Change the time to last one month, and click Add filters, then click Client app and then None Selected, in the drop-down pick all 13 checkboxes under Legacy Authentication Clients and click Apply.
Filtering Azure AD Sign-in logs for legacy authentication
This will show you all the logins over the last month that used any of the legacy protocols. If you get a lot of results, add a filter for Status and add Success to filter out password stuffing attacks that failed. Make sure you check the four different tabs for interactive / non-interactive, service principals and managed identity sign-ins.
You’ll now need to investigate the logins. In my experience there will be some users who are using Android / Apple mail on smartphones; point them to the free Outlook app instead (Apple mail can be configured to use modern authentication). There’s also likely to be line-of-business (LOB) applications and printers / scanners that send emails via Office 365, so you’ll need updates for these. Alternatively, you can use another email service for these such as smtp2go.
Once you have eliminated all legitimate legacy authentication protocol usage you can disable it in two ways, it’s best to use both. Start by creating a Conditional Access policy based on the new template to block it, also go to admin.microsoft.com, Settings – Org settings – Services – Modern authentication and turn off basic authentication protocols.
Disable legacy authentication protocols in the M365 Admin Center
Break Glass accounts
Create at least one, preferably two break glass accounts, also known as emergency access accounts. These accounts are exempted from MFA, all CA policies and PIM (see below) and have very long (40 characters+), complex passwords. They’re only used if AAD MFA is down, for example, to gain access to your tenant to temporarily disable MFA or a similar setting, depending on the outage.
A second part to this is that you want to be notified if these accounts are ever used. One way to do this is to send your Azure AD sign-in logs to Azure Monitor (also known as Log Analytics), with instructions here. Another option is to use Microsoft Sentinel (which is built on top of Log Analytics) and create an Analytics rule.
Microsoft Sentinel alert rule when a Break Glass account is used
Security Defaults
If yours is a very small business, with few requirements for flexibility, the easiest way to set up Azure AD with MFA for everyone, plus several other security features enabled, is to turn on Security Defaults. Note that you can’t have break-glass accounts or other service accounts with Security Defaults as there’s no way to configure exceptions. Go to Properties for your Azure AD tenant and scroll to the bottom, and click on Manage Security defaults, here you can enable and disable it.
Privileged Identity Management
It’s worth investing in Azure Active Directory (AAD) Premium P2 for your administrator’s accounts and enabling Privileged Identity Management (PIM). This means their accounts are ordinary user accounts who are eligible to elevate their privileges to whatever administrator type they are assigned (see Chapter 10).
If you’re not using PIM, create dedicated admin accounts in AAD only. Don’t sync these accounts from on-premises but enforce MFA and strong passwords. Since they won’t be used for day-to-day work, they won’t require an M365 license.
Password Protection
After MFA, your second most important step is banning bad passwords. You’re probably aware that we’ve trained users to come up with bad passwords over the last few decades with “standard” policies (at least 8 characters, uppercase, lowercase, special character and numbers) which results in P@ssw0rd1 and when they’re forced to change it every 30 days, P@ssw0rd2. Both NIST in the US and GHCQ in the UK now recommends allowing (but not enforcing) the use of upper / lowercase etc., but not mandating frequent password changes and instead of checking the password at the time of creation against a list of known, common bad passwords and blocking those. In Microsoft’s world that’s called Password protection which is enabled for cloud accounts by default. There’s a global list of about 2000 passwords (and their variants) that Microsoft maintains, based on passwords they find in dumps, and you should add (up to 1000) company-specific words (brands, locations, C-suite people’s names, local sports teams, etc.) for your organization.
You find Password protection in the AAD portal – Security – Authentication Methods.
Password protection settings
Remember, you don’t have to add common passwords to the list, they’re already managed by Microsoft, just add company / region specific words that your staff are likely to use.
If you’re syncing accounts from Active Directory on-premises to AAD, you should also extend Password protection to your DCs. It involves the installation of an agent on each DC, a proxy agent, and a reboot of each DC.
Continuous Access Evaluation
This feature has been in preview for quite some time but is now in general availability. Before Continuous Access Evaluation (CAE), when you disabled a user’s account, or they changed location (from the office to a public Wi-Fi for example) it could be up to one hour before their state was re-evaluated and new policies applied, or they were blocked from accessing services. With CAE, this time is much shorter, in most cases in the order of a few minutes. It’s turned on by default for all tenants (unless you were part of the preview and intentionally disabled it). Another benefit of CAE is that tokens are now valid for 28 hours, letting people keep working during a shorter Azure AD outage. You can disable CAE in a CA policy, but it’s not recommended.
Conditional Access policies
We’ve mentioned Conditional Access (CA) policies several times already as it’s a crucial component of strong identity security and Zero Trust. Unlike other recommendations, there isn’t a one size fit all set of CA policies we can give you, however (at a minimum) you should have policies for:
Require MFA for admins (see MFA above)
Require MFA for users (see MFA above)
Require MFA for Azure management
Block legacy authentication (see MFA above)
Require compliant or Hybrid AAD joined device for admins
Require compliant or Hybrid AAD joined device for users
Block access to M365 from outside your country
Require MFA for risky sign-ins (if you have AAD Premium P2)
Require password change for high-risk users (if you have AAD Premium P2)
This is all going to be a lot easier going forward with the new policy templates for identity and devices. Go to Azure AD – Security – Conditional Access – New policy – Create a new policy from templates. Another step to take is to create a system for managing the lifecycle of policies and there’s an API for backing up and updating policies, that you can access in several ways, including PowerShell. There’s even a tutorial to set up a backup system using a Logic App.
Conditional Access policy templates for identity
A common question is if there’s a priority when policies are evaluated and there isn’t, they’re all processed together for a particular sign-in, from a specific device and location to an individual application. If there are multiple policies with different controls (MFA + compliant device), all controls must be fulfilled for access. And if there are conflicting policies with different access (block vs grant), block access will win.
To get you started, here are the step-by-step instructions for a policy blocking access to M365 from outside your country, appropriate for most small and medium businesses that only operate in one or a few countries. Keep in mind that travelling staff may be caught out by this so make sure you align with business objectives and be aware that this won’t stop every attack as a VPN or TOR exit node can make it appear as if the attacker is in your country, but it’s one extra step they must take. Remember, you don’t have to run faster than the Fancy Bear, just faster than other companies around you.
Start by going to Azure AD – Security – Conditional Access – Named locations and click +Countries location and call the location Blocked countries. Leave Determine location by IP address, a new feature is using GPS location from the Microsoft Authenticator app which will be more accurate once all your users are using Azure AD MFA (and therefore can be located via GPS). Click the box next to Name to select all countries, then find the one(s) that you need to allow login from and click Create.
Creating a Named Location for a Conditional Access Policy
Go to Azure AD – Security – Conditional Access – New policy – Create new policy and name your policy with a name that clearly defines what the policy does and adheres to your naming standard. Click on All Users… and Include All users and Exclude your Break Glass accounts.
Click on No cloud apps… and select All cloud apps. Select 0 conditions… and click Not configured under Locations. Pick Selected locations under Include and select your newly created location. Finally, under Access controls – Grant, click 0 controls selected and then Block access.
CA policies can be either in Report-only mode where you can look at reports of what they would have blocked and control they would have enforced, or they can be turned on / off. Report-only can be handy to make sure you don’t get fired for accidentally locking everyone out but turn this policy on as soon as possible.
Conditional Access policy to block logins from outside Australia
A common question is, how can I control how often users are prompted for MFA or signing in again? While it might be counterintuitive, the default in Azure AD is a rolling windows of 90 days. Remember, if you change a user’s password, block non-compliant devices, or disable an account (plus any number of other CA policies you have in place that might affect the security posture of the session), it’ll automatically require new authentications. Don’t prompt the users for authentication when nothing has changed because if you do it too frequently, they’re more likely to approve a malicious login.
Branding Log-on Pages
While in the Azure AD portal, click on Company branding and add a company-specific Sign-in page background image (1920x1080px) and a Banner logo (280x60px). Note that these files have to be small (300 KB and 10 KB respectively) so you may have to do some fancy compression. This isn’t just a way to make users feel at home when they see a login page, in most cases when attackers send phishing emails to harvest credentials, they’ll send users to a fake login page that looks like the generic Office 365 one, not your custom one which is another clue that should alert your users to the danger. Also – Windows Autopilot doesn’t work unless you have customized AAD branding.
Edit Azure AD Company Branding images
Self Service Password Reset
The benefit of Self Service Password Reset (SSPR) is to lower the load on your help desk to manage password resets for users. Once enabled, users must register various ways of being identified when they’re resetting their password, mobile app notification/code, email (non-Office 365), mobile/office phone call, security questions (not available to administrators, plus you can create custom questions). If you are synchronizing user accounts from AD to Azure AD, take care in setting up SSPR as the passwords must be written back to AD from the cloud once changed.
Configuring Self Service Password Reset in Azure AD
Unified Auditing
Not restricted to security but nevertheless, a fundamental building block is auditing across Microsoft 365. Go to the Microsoft 365 Defender portal and find Audit in the left-hand menu (it’s almost at the end). If for some reason unified auditing isn’t enabled in your tenant a yellow banner will give you a button to turn it on (it’s on by default for new tenants). Once enabled, click the Audit retention policies tab, and create a policy for your tenant. You want to ensure that you have logs to investigate if there’s a breach and you want them kept for as long as possible.
With Business Premium you get a maximum of 90 days of retention and Microsoft 365 E5 gives you one year, but you want to make sure to create a policy to set this, rather than rely on the default policy (which you can’t see). Give the policy a name, a description and add all the record types, one by one. This policy will now apply to all users (including new ones that are created) for all activities. Only use the Users option when you want to have a specific policy for a particular user. Give the policy a priority, 1 is the highest and 10,000 is the lowest.
Create an audit retention policy for maximum retention
Integrating applications into Azure AD
One of the most powerful but often overlooked features (at least in SMBs) is the ability to use Azure AD to publish applications to your users. Users can go to myapps.microsoft.com (or office.com) and see tiles for all applications they have access to. But there’s more to that story. Say, for example, you have a shared, corporate Twitter account that a few executives and marketing staff should have access to. Instead of sharing a password amongst them all and having to remember to reset it if someone leaves the organization, you can create a security group in AAD, add the relevant users, link Twitter to the group and they’ll automatically have access – without knowing the password to the account. There are a lot more actions you can take here to simplify access and secure management of applications, here’s more information.
Azure AD Connect
If you’re synchronizing accounts from Active Directory to Azure Active Directory (AAD), check the configuration of AAD Connect and make sure you’re not replicating an entire domain or forest to AAD. There’s no reason that service accounts etc. should be exposed in both directories, start the AAD Connect wizard on the server where it’s installed and double-check that only relevant OUs are synchronized. One other thing to note here is the fact that any machine running Azure AD Connect should be treated with the same care (in terms of security) as a domain controller. This is because AAD Connect requires the same level of access as AD itself and has the ability to read password hashes. Making sure security best practices for access, patching, etc. are followed to the letter for the system running AAD connect is critically important.
The M365 Identity Checklist
Work through the Identity checklist.
Enable MFA for administrators
Enable MFA for users
Create cloud-only administrator accounts for privileged users / occasional administrators
Disable app passwords
(Configure trusted IPs)
Disable text message MFA
Disable phone call MFA
Remember MFA trusted devices 90 days
Train staff in using MFA correctly
Use Windows Hello where possible
Use FIDO2 / 2FA keys where possible
Investigate legacy authentication protocol usage in AAD Sign-in logs
Block legacy authentication with CA Policy
Block legacy authentication in M365 Admin Center
Create two Break glass accounts and exempt from MFA, CA Policies etc.
Configure alerting if a Break glass account is used
Enable Security Defaults in AAD (consider the limitations)
Enable PIM (AAD Premium P2) for all admin users
Add organization-specific words to Password protection
Deploy Password protection in AD on-premises
CA Policy Require MFA for admins
CA Policy Require MFA for users
CA Policy Require MFA for Azure management
CA Policy Block legacy authentication
CA Policy Require compliant or Hybrid AAD joined device for admins
CA Policy Require compliant or Hybrid AAD joined device for users
CA Policy Block access to M365 from outside your country
Require MFA for risky sign-ins [Only for E5)
Require password change for high-risk users [Only for E5)
Create custom branding logos and text in Azure AD
Enable and configure Self Service Password Reset, including password writeback
Go Further than Identity to Protect your M365 Tenant
There you have it, all the most important steps to take to make sure your users’ identities are kept secure, and therefore your tenant and its data also safeguarded. Keen to learn and do more?
The Microsoft 365 Security Checklist has another nine chapters of security recommendations each with its own checklist for:
QR codes link the offline to the online. What started as a way to streamline manufacturing in the automotive industry is now a widespread technology helping connect the physical world to digital content. And as the world embraced remote, no-touch solutions during the Covid pandemic, QR codes became especially popular. QR codes offer convenience and immediacy for businesses and consumers, but cybercriminals also take advantage of them. Here’s what you need to know about QR codes and how to stay safe when using them.
Why QR codes?
Due to their size and structure, the two-dimensional black and white barcodes we call QR codes are very versatile. And since most people carry a smartphone everywhere, they can quickly scan QR codes with their phone’s camera. Moreover, since QR codes are relatively easy to program and accessible for most smartphone users, they can be an effective communication tool.
They also have many uses. For example, QR codes may link to a webpage, start an app or file download, share contact information, initiate a payment, and more. Covid forced businesses to be creative with touchless experiences, and QR codes provide a convenient way to transform a physical touchpoint into a digital interaction. During Covid, QR codes became a popular way to look at restaurant menus, communicate Covid policies, check in for an appointment, and view marketing promotions, among other scenarios.
As a communication tool, QR codes can transmit a lot of information from one person to another, making it easy for someone to take action online and interact further with digital content.
What hackers do with QR codes
QR codes are inherently secure, and no personally identifiable information (PII) is transmitted while you’re scanning them. However, the tricky part about QR codes is that you don’t know what information they contain until you scan them. So just looking at the QR code won’t tell you if it’s entirely trustworthy or not.
For example, cybercriminals may try to replace or sticker over a QR code in a high-traffic, public place. Doing so can trick people into scanning a malicious QR code. Or, hackers might send malicious QR codes digitally by email, text, or social media. The QR code scam might target a specific individual, or cybercriminals may design it to attract as many scans as possible from a large number of people.
Once scanned, a malicious QR code may take you to a phishing website, lead you to install malware on your device, redirect a payment to the wrong account, or otherwise compromise the security of your private information.
In the same way that cybercriminals try to get victims to click phishing links in email or social media, they lure people into scanning a QR code. These bad actors may be after account credentials, financial information, PII, or even company information. With that information, they can steal your identity or money or even break into your employer’s network for more valuable information (in other words, causing a data breach).
Pay attention to context. Where is the code available? What does the code claim to do (e.g., will it send you to a landing page)? Is there someone you can ask to confirm the purpose of the QR code? Did someone send it unprompted? Is it from a business or individual you’ve never heard of? Just like with phishing links, throw it out when in doubt.
Look closely at the code. Some codes may have specific colors or branding to indicate the code’s purpose and destination. Many codes are generic black and white designs, but sometimes there are clues about who made the code.
Check the link before you click. If you scan the QR code and a link appears, double-check it before clicking. Is it a website URL you were expecting? Is it a shortened link that masks the full URL? Is the webpage secure (HTTPS)? Do you see signs of a phishing attack (branding is slightly off, strange URL, misspelled words, etc.)? If it autogenerates an email or text message, who is the recipient and what information is it sending them? If it’s a payment form, who is receiving the payment? Read carefully before taking action.
Practice password security. Passwords and account logins remain one of the top targets of cyber attacks. Stolen credentials give cybercriminals access to valuable personal and financial information. Generate every password for every account with a random password generator, ideally built into a password manager for secure storage and autofill. Following password best practices ensures one stolen password results in minimal damage.
Layer with MFA. Adding multi-factor authentication to logins further protects against phishing attacks that steal passwords. With MFA in place, a hacker still can’t access an account after using a stolen password. By requiring additional login data, MFA can prevent cybercriminals from gaining access to personal or business accounts.
QR codes remain a popular marketing and communication tool. They’re convenient and accessible, so you can expect to encounter them occasionally. Though cyber attacks via QR codes are less common, you should still stay vigilant for signs of phishing and social engineering via QR codes. To prevent and mitigate attacks via QR codes, start by building a solid foundation of digital security with a trusted password manager.
