Microsoft Says Its Systems Were Also Breached in Massive SolarWinds Hack

The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far wider in scope, sophistication, and impact than previously thought.

News of Microsoft’s compromise was first reported by Reuters, which also said the company’s own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter.

The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers.

In a statement to The Hacker News via email, the company said —

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

Characterizing the hack as “a moment of reckoning,” Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers. 44% of the victims are in the information technology sector, including software firms, IT services, and equipment providers.

CISA Issues New Advisory

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) published a fresh advisory, stating the “APT actor [behind the compromises] has demonstrated patience, operational security, and complex tradecraft in these intrusions.”

“This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” it added.

But in a twist, the agency also said it identified additional initial infection vectors, other than the SolarWinds Orion platform, that have been leveraged by the adversary to mount the attacks, including a previously stolen key to circumvent Duo’s multi-factor authentication (MFA) and access a user’s mailbox via the Outlook Web App (OWA) service.

Digital forensics firm Volexity, which tracks the actor under the moniker Dark Halo, said the MFA bypass was one of the three incidents between late 2019 and 2020 aimed at a US-based think tank.

The entire intrusion campaign came to light earlier this week when FireEye disclosed it had detected a breach that also pilfered its Red Team penetration testing tools.

Since then, a number of agencies have been found to be attacked, including the US departments of Treasury, Commerce, Homeland Security, and Energy, the National Nuclear Security Administration (NNSA), and several state department networks.

While many details continue to remain unclear, the revelation about new modes of attack raises more questions about the level of access the attackers were able to gain across government and corporate systems worldwide.

Microsoft, FireEye, and GoDaddy Create a Killswitch

Over the last few days, Microsoft, FireEye, and GoDaddy seized control over one of the main GoDaddy domains — avsvmcloud[.]com — that was used by the hackers to communicate with the compromised systems, reconfiguring it to create a killswitch that would prevent the SUNBURST malware from continuing to operate on victims’ networks.

For its part, SolarWinds has not yet disclosed how exactly the attacker managed to gain extensive access to its systems to be able to insert malware into the company’s legitimate software updates.

Recent evidence, however, points to a compromise of its build and software release system. An estimated 18,000 Orion customers are said to have downloaded the updates containing the back door.

Symantec, which earlier uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, has now confirmed the deployment of a separate second-stage payload called Teardrop that’s used to install the Cobalt Strike Beacon against select targets of interest.

The hacks are believed to be the work of APT29, a Russian threat group also known as Cozy Bear, which has been linked to a series of breaches of critical US infrastructure over the past year.

The latest slew of intrusions has also led CISA, the US Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) to issue a joint statement, stating the agencies are gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.

Calling for stronger steps to hold nation-states accountable for cyberattacks, Smith said the attacks represent “an act of recklessness that created a serious technological vulnerability for the United States and the world.”

“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he added.

Microsoft Office 365 adds protection against downgrade and MITM attacks

Microsoft is working on adding SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication security and integrity.

Once MTA-STS is available in Office 365 Exchange Online, emails sent by users via Exchange Online will only be delivered over connections that are both authenticated and encrypted, protecting against email interception and downgrade attacks.

Protection against MITM and downgrade attacks

MTA-STS strengthens Exchange Online email security and solves multiple SMTP security problems, including the lack of support for secure protocols, expired TLS certificates, and certificates that were not issued by trusted third parties or do not match the server’s domain name.

Given that mail servers will still deliver emails even when a properly secured TLS connection can’t be created, SMTP connections are exposed to various attacks, including downgrade and man-in-the-middle attacks.

“[D]owngrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in clear text,” Microsoft says. “Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server.”

“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission,” the company explains in a Microsoft 365 roadmap entry.

“Exchange Online (EXO) outbound mail flow now supports MTA-STS,” Microsoft also adds.

Exchange Online SMTP MTA Strict Transport Security (MTA-STS) support is currently in development and the company is planning to make it generally available during December in all environments, for all Exchange Online users.
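The sender-side logic that RFC 8461 prescribes, as an added example that is not part of the original article or of Exchange Online’s implementation: parsing the _mta-sts TXT record and the policy file, matching MX hosts against the policy’s mx patterns, and deciding whether a message may be delivered when STARTTLS is missing or the certificate names the wrong host. The domain names, policy contents and failure labels are constructed for the example.

```python
"""Sender-side MTA-STS (RFC 8461) policy handling for an outbound MTA."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example data: the TXT record published at _mta-sts.example.com and the
# policy file served at https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20201215T120000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str               # "enforce", "testing" or "none"
    mx_patterns: List[str]  # lower-cased mx patterns; a leading "*." matches one label
    max_age: int            # seconds the sender may cache this policy


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the _mta-sts TXT record. A changed id tells the
    sender to refetch the HTTPS policy before its cached copy expires."""
    fields = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError(f"not a valid MTA-STS TXT record: {txt!r}")
    return fields["id"]


def parse_policy(text: str) -> StsPolicy:
    """Parse the plain-text policy; reject anything a conforming MTA must not trust."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if "max_age" not in fields:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("an enforce/testing policy must list at least one mx")
    return StsPolicy(mode, mx, int(fields["max_age"]))


def host_matches(pattern: str, hostname: str) -> bool:
    """Match an MX hostname against an mx pattern (or a certificate name):
    a leading "*." matches exactly one leftmost label, never more."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".mail.example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return hostname == pattern


def delivery_decision(policy: StsPolicy, mx_host: str, starttls_ok: bool,
                      cert_names: List[str]) -> Tuple[bool, Optional[str]]:
    """Decide whether the message may be handed to mx_host; returns (deliver, failure).

    In "enforce" mode any failure blocks delivery to this MX (the MTA defers or tries
    another MX the policy lists); in "testing" mode the message is still delivered and
    the failure is only reported. The failure labels are this example's own."""
    if policy.mode == "none":
        return True, None                         # policy imposes no requirement
    failure = None
    if not any(host_matches(p, mx_host) for p in policy.mx_patterns):
        failure = "mx-not-in-policy"              # unsigned DNS MX answer may be forged
    elif not starttls_ok:
        failure = "starttls-not-negotiated"       # STARTTLS stripped or refused: downgrade
    elif not any(host_matches(n.lower(), mx_host) for n in cert_names):
        failure = "certificate-host-mismatch"     # TLS is up, but not with the policy's host
    if failure is None:
        return True, None
    return policy.mode == "testing", failure
```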

DNSSEC and DANE for SMTP also coming

Microsoft is also working on adding support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities) to Office 365 Exchange Online.

Support for the two SMTP standards will be added to both inbound and outbound mail, “specific to SMTP traffic between SMTP gateways,” according to the Microsoft 365 roadmap and a related Microsoft blog post.

According to Microsoft, after including support for the two SMTP security standards in Exchange Online:

  1. DANE for SMTP will provide a more secure method for email transport. DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.
  2. DNSSEC works by digitally signing records for DNS lookup using public key cryptography. This ensures that the received DNS records have not been tampered with and are authentic. 

Microsoft is planning to release DANE and DNSSEC for SMTP in two phases, with the first one to include only outbound support during December 2020 and with the second to add inbound support by the end of next year.

Source :
https://www.bleepingcomputer.com/news/security/office-365-adds-protection-against-downgrade-and-mitm-attacks/

Microsoft Office 365 Security Recommendations

Summary

As organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services. Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

This Alert is an update to the Cybersecurity and Infrastructure Security Agency’s May 2019 Analysis Report, AR19-133A: Microsoft Office 365 Security Observations, and reiterates the recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would-be attackers of O365.

Technical Details

Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have migrated to cloud-based collaboration solutions like O365. In recent weeks, organizations have been forced to change their collaboration methods to support a full “work from home” workforce.

O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.

Mitigations

The following list contains recommended configurations when deploying O365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,”[1] assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit the assignment of overly permissive privileges to legitimate administrators.[2] Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised.[3] Always assign administrators only the minimum permissions they need to conduct their tasks.

Enable Unified Audit Log (UAL): O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[4] An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL gives administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

Enable multi-factor authentication for all users: Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

Disable legacy protocol authentication when appropriate: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface.[5]

Enable alerts for suspicious activity: Enabling logging of activity within an Azure/O365 environment can greatly improve the owner’s ability to identify malicious activity occurring within their environment, and enabling alerts will serve to enhance that. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity.[6] At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.

Incorporate Microsoft Secure Score: Microsoft provides a built-in tool to measure an organization’s security posture with respect to its O365 services and offers enhancement recommendations.[7] These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change. Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

Integrate Logs with your existing SIEM tool: Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.[8]
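A starting point for the alert conditions CISA names above (logins from unexpected places, legacy-protocol sign-ins, accounts exceeding a sent-mail threshold), as an added example that is not part of the CISA alert: it triages AuditData JSON records of the kind Search-UnifiedAuditLog exports. The trusted network range, the user-agent marker treated as legacy authentication, the thresholds and the sample records are all constructed assumptions; a real pipeline would enrich ClientIP with geolocation rather than a static allowlist.

```python
"""Triage of Unified Audit Log (UAL) records for the alert conditions CISA names."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumptions for this example (not from the alert): the organisation's known egress
# range, the user-agent marker treated as a basic-auth (legacy protocol) sign-in, and
# the sent-mail threshold. Tune all three to your environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
LEGACY_AGENT_MARKERS = ("BAV2ROPC",)
SENT_THRESHOLD = 3                    # more than this many "Send" operations ...
SENT_WINDOW = timedelta(minutes=10)   # ... inside this window raises an alert


def _audit(time: str, op: str, user: str, ip: str, workload: str, **extra) -> str:
    """Build one AuditData JSON document in the shape Search-UnifiedAuditLog returns."""
    rec = {"CreationTime": time, "Operation": op, "UserId": user,
           "ClientIP": ip, "Workload": workload}
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample export: one normal browser login, one legacy-protocol login from
# an unknown network, and a burst of outbound mail from that same account.
SAMPLE_AUDITDATA = [
    _audit("2020-12-17T08:00:12", "UserLoggedIn", "alice@contoso.com", "203.0.113.10",
           "AzureActiveDirectory",
           ExtendedProperties=[{"Name": "UserAgent", "Value": "Mozilla/5.0"}]),
    _audit("2020-12-17T08:03:40", "UserLoggedIn", "bob@contoso.com", "198.51.100.77:443",
           "AzureActiveDirectory",
           ExtendedProperties=[{"Name": "UserAgent", "Value": "BAV2ROPC"}]),
    *[_audit(f"2020-12-17T08:0{m}:00", "Send", "bob@contoso.com", "198.51.100.77", "Exchange")
      for m in range(4, 8)],
    _audit("2020-12-17T09:30:00", "Send", "alice@contoso.com", "203.0.113.10", "Exchange"),
]


def _client_ip(value: str):
    """UAL ClientIP may carry a port ("198.51.100.77:443") or bracketed IPv6 ("[2001:db8::1]:443")."""
    if value.startswith("["):
        value = value[1:value.index("]")]
    elif value.count(":") == 1:
        value = value.split(":", 1)[0]
    return ipaddress.ip_address(value)


def _user_agent(rec: dict) -> str:
    for prop in rec.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def analyze(auditdata: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict (rule, user, detail) per finding."""
    alerts: List[Dict[str, str]] = []
    sends: Dict[str, List[datetime]] = defaultdict(list)
    for raw in auditdata:
        rec = json.loads(raw)
        user, op = rec["UserId"], rec["Operation"]
        if op == "UserLoggedIn":
            ip = _client_ip(rec["ClientIP"])
            if not any(ip in net for net in TRUSTED_NETWORKS):
                alerts.append({"rule": "login-from-unexpected-network", "user": user, "detail": str(ip)})
            agent = _user_agent(rec)
            if any(marker in agent for marker in LEGACY_AGENT_MARKERS):
                alerts.append({"rule": "legacy-auth-login", "user": user, "detail": agent})
        elif op == "Send":
            sends[user].append(datetime.fromisoformat(rec["CreationTime"]))
    for user, times in sends.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over send timestamps
            while t - times[start] > SENT_WINDOW:
                start += 1
            count = end - start + 1
            if count > SENT_THRESHOLD:
                alerts.append({"rule": "sent-mail-threshold", "user": user,
                               "detail": f"{count} sends within {SENT_WINDOW}"})
                break                            # one alert per user is enough
    return alerts
```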

Solution Summary

CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services.[9] Specifically, CISA recommends that administrators implement the following mitigations and best practices:

  1. Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
  2. Protect Global Admins from compromise and use the principle of “Least Privilege.”
  3. Enable unified audit logging in the Security and Compliance Center.
  4. Enable Alerting capabilities.
  5. Integrate with organizational SIEM solutions.
  6. Disable legacy email protocols, if not required, or limit their use to specific users.

References

[1] Azure AD Security Defaults
[2] Azure AD Administrator roles
[3] Protect Global Admins
[4] Unified audit log
[5] Block Office 365 Legacy Email Authentication Protocols
[6] Alert policies in the security and compliance center
[7] Microsoft Secure Score
[8] SIEM integration with Office 365 Advanced Threat Protection
[9] Microsoft 365 security best practices

Alert (AA20-120A)

Source :
https://us-cert.cisa.gov/ncas/alerts/aa20-120a

Prepare your organization’s network for Microsoft Teams

Network requirements

If you’ve already optimized your network for Microsoft 365 or Office 365, you’re probably ready for Microsoft Teams. In any case – and especially if you’re rolling out Teams quickly as your first Microsoft 365 or Office 365 workload to support remote workers – check the following before you begin your Teams rollout:

  1. Do all your locations have internet access (so they can connect to Microsoft 365 or Office 365)? At a minimum, in addition to normal web traffic, make sure you’ve opened the following, for all locations, for media in Teams:
    • Ports: UDP ports 3478 through 3481
    • IP addresses: 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14

 Important

If you need to federate with Skype for Business, either on-premises or online, you will need to configure some additional DNS records.

CNAME records:
    • Host name: sip, TTL: 3600, Points to address or value: sipdir.online.lync.com
    • Host name: lyncdiscover, TTL: 3600, Points to address or value: webdir.online.lync.com

  2. Do you have a verified domain for Microsoft 365 or Office 365 (for example, contoso.com)?
    • If your organization hasn’t rolled out Microsoft 365 or Office 365, see Get started.
    • If your organization hasn’t added or configured a verified domain for Microsoft 365 or Office 365, see the Domains FAQ.
  3. Has your organization deployed Exchange Online and SharePoint Online?

Once you’ve verified that you meet these network requirements, you may be ready to Roll out Teams. If you’re a large multinational enterprise, or if you know you’ve got some network limitations, read on to learn how to assess and optimize your network for Teams.

 Important

For educational institutions: If your organization is an educational institution and you use a Student Information System (SIS), deploy School Data Sync before you roll out Teams.

Running on-premises Skype for Business Server: If your organization is running on-premises Skype for Business Server (or Lync Server), you must configure Azure AD Connect to synchronize your on-premises directory with Microsoft 365 or Office 365.

Best practice: Monitor your network using CQD and call analytics

Use the Call Quality Dashboard (CQD) to gain insight into the quality of calls and meetings in Teams. CQD can help you optimize your network by keeping a close eye on quality, reliability, and the user experience. CQD looks at aggregate telemetry for an entire organization where overall patterns can become apparent, which lets you identify problems and plan remediation. Additionally, CQD provides rich metrics reports that provide insight into overall quality, reliability, and user experience.

You’ll use call analytics to investigate call and meeting problems for an individual user.

Network optimization

The following tasks are optional and aren’t required for rolling out Teams, especially if you’re a small business and you’ve already rolled out Microsoft 365 or Office 365. Use this guidance to optimize your network and Teams performance or if you know you’ve got some network limitations.

You might want to do additional network optimization if:

  1. Teams runs slowly (maybe you have insufficient bandwidth)
  2. Calls keep dropping (might be due to firewall or proxy blockers)
  3. Calls have static and cut out, or voices sound like robots (could be jitter or packet loss)

For an in-depth discussion of network optimization, including guidance for identifying and fixing network impairments, read Microsoft 365 and Office 365 Network Connectivity Principles.

Network optimization tasks and details:

Network planner: For help assessing your network, including bandwidth calculations and network requirements across your org’s physical locations, check out the Network Planner tool, in the Teams admin center. When you provide your network details and Teams usage, the Network Planner calculates your network requirements for deploying Teams and cloud voice across your organization’s physical locations. For an example scenario, see Using Network Planner – example scenario.

Advisor for Teams: Advisor for Teams is part of the Teams admin center. It assesses your Microsoft 365 or Office 365 environment and identifies the most common configurations that you may need to update or modify before you can successfully roll out Teams.

External Name Resolution: Be sure that all computers running the Teams client can resolve external DNS queries to discover the services provided by Microsoft 365 or Office 365 and that your firewalls are not preventing access. For information about configuring firewall ports, go to Microsoft 365 and Office 365 URLs and IP ranges.

Maintain session persistence: Make sure your firewall doesn’t change the mapped Network Address Translation (NAT) addresses or ports for UDP.

Validate NAT pool size: Validate the network address translation (NAT) pool size required for user connectivity. When multiple users and devices access Microsoft 365 or Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion will contribute to internal users and devices being unable to connect to the Microsoft 365 or Office 365 service.

Routing to Microsoft data centers: Implement the most efficient routing to Microsoft data centers. Identify locations that can use local or regional egress points to connect to the Microsoft network as efficiently as possible.

Intrusion Detection and Prevention Guidance: If your environment has an Intrusion Detection or Prevention System (IDS/IPS) deployed for an extra layer of security for outbound connections, be sure to allow all Microsoft 365 or Office 365 URLs.

Configure split-tunnel VPN: We recommend that you provide an alternate path for Teams traffic that bypasses the virtual private network (VPN), commonly known as split-tunnel VPN (https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing). Split tunneling means that traffic for Microsoft 365 or Office 365 doesn’t go through the VPN but instead goes directly to Microsoft 365 or Office 365. Bypassing your VPN will have a positive impact on Teams quality, and it reduces load from the VPN devices and the organization’s network. To implement a split-tunnel VPN, work with your VPN vendor. Other reasons why we recommend bypassing the VPN:
    • VPNs are typically not designed or configured to support real-time media.
    • Some VPNs might also not support UDP (which is required for Teams).
    • VPNs also introduce an extra layer of encryption on top of media traffic that’s already encrypted.
    • Connectivity to Teams might not be efficient due to hair-pinning traffic through a VPN device.

Implement QoS: Use Quality of Service (QoS) to configure packet prioritization. This will improve call quality in Teams and help you monitor and troubleshoot call quality. QoS should be implemented on all segments of a managed network. Even when a network has been adequately provisioned for bandwidth, QoS provides risk mitigation in the event of unanticipated network events. With QoS, voice traffic is prioritized so that these unanticipated events don’t negatively affect quality.

Optimize WiFi: Similar to VPN, WiFi networks aren’t necessarily designed or configured to support real-time media. Planning for, or optimizing, a WiFi network to support Teams is an important consideration for a high-quality deployment. Consider these factors:
    • Implement QoS or WiFi Multimedia (WMM) to ensure that media traffic is getting prioritized appropriately over your WiFi networks.
    • Plan and optimize the WiFi bands and access point placement. The 2.4 GHz range might provide an adequate experience depending on access point placement, but access points are often affected by other consumer devices that operate in that range. The 5 GHz range is better suited to real-time media due to its dense range, but it requires more access points to get sufficient coverage. Endpoints also need to support that range and be configured to leverage those bands accordingly.
    • If you’re using dual-band WiFi networks, consider implementing band steering. Band steering is a technique implemented by WiFi vendors to influence dual-band clients to use the 5 GHz range.
    • When access points of the same channel are too close together, they can cause signal overlap and unintentionally compete, resulting in a bad experience for the user. Ensure that access points that are next to each other are on channels that don’t overlap.
    • Each wireless vendor has its own recommendations for deploying its wireless solution. Consult your WiFi vendor for specific guidance.

Bandwidth requirements

Teams is designed to give the best audio, video, and content sharing experience regardless of your network conditions. That said, when bandwidth is insufficient, Teams prioritizes audio quality over video quality.

Where bandwidth isn’t limited, Teams optimizes media quality, including up to 1080p video resolution, up to 30fps for video and 15fps for content, and high-fidelity audio.

This table describes how Teams uses bandwidth. Teams is always conservative on bandwidth utilization and can deliver HD video quality in under 1.2Mbps. The actual bandwidth consumption in each audio/video call or meeting will vary based on several factors, such as video layout, video resolution, and video frames per second. When more bandwidth is available, quality and usage will increase to deliver the best experience.

Bandwidth (up/down) | Scenarios
30 kbps | Peer-to-peer audio calling
130 kbps | Peer-to-peer audio calling and screen sharing
500 kbps | Peer-to-peer quality video calling 360p at 30fps
1.2 Mbps | Peer-to-peer HD quality video calling with resolution of HD 720p at 30fps
1.5 Mbps | Peer-to-peer HD quality video calling with resolution of HD 1080p at 30fps
500 kbps/1 Mbps | Group video calling
1 Mbps/2 Mbps | HD group video calling (540p videos on 1080p screen)

Source :
https://docs.microsoft.com/en-us/microsoftteams/prepare-network

Microsoft Office 365 URLs and IP address ranges

Network rules and firewall exceptions – if needed

Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the Web service directly.

Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. It does not include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections. See Additional endpoints for more information.

The endpoints are grouped into four service areas. The first three service areas can be independently selected for connectivity. The fourth service area is a common dependency (called Microsoft 365 Common and Office) and must always have network connectivity.

Data columns shown are:

  1. ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
  2. Category: Shows whether the endpoint set is categorized as “Optimize”, “Allow”, or “Default”. You can read about these categories and guidance for management of them at New Office 365 endpoint categories. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets which are not required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you are excluding an entire service area, the endpoint sets listed as required do not require connectivity.
  3. ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. However, it should not be assumed that no routes are advertised for an endpoint set where ER is No.
  4. Addresses: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.
  5. Ports: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed.
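An added example, not from the Microsoft documentation, of consuming endpoint-set data in the shape the web service publishes (field names are assumed from its documented schema): selecting the required sets for the chosen service areas, expanding the <tenant> placeholder, finding which set and port cover a destination IP, and separating FQDN-only sets that cannot be expressed as IP rules. The sample rows are a subset copied from the tables on this page; the "Common" service-area name is an assumption.

```python
"""Working with Office 365 endpoint-set data: what to allow, and what covers a destination."""
import ipaddress
from typing import Dict, List

# Constructed subset in the shape the endpoints web service returns (field names assumed
# from its documented schema); the values are copied from the endpoint tables on this page.
ENDPOINT_SETS: List[Dict] = [
    {"id": 3, "serviceArea": "Exchange", "category": "Default", "required": True, "expressRoute": False,
     "urls": ["r1.res.office365.com", "r3.res.office365.com", "r4.res.office365.com"],
     "ips": [], "tcpPorts": "443, 80"},
    {"id": 9, "serviceArea": "Exchange", "category": "Allow", "required": True, "expressRoute": True,
     "urls": ["*.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "52.238.78.88/32",
             "104.47.0.0/17", "2a01:111:f403::/48"], "tcpPorts": "443"},
    {"id": 10, "serviceArea": "Exchange", "category": "Allow", "required": True, "expressRoute": True,
     "urls": ["*.mail.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
             "2a01:111:f400::/48", "2a01:111:f403::/48"], "tcpPorts": "25"},
    {"id": 154, "serviceArea": "Exchange", "category": "Default", "required": True, "expressRoute": False,
     "urls": ["autodiscover.<tenant>.onmicrosoft.com"], "ips": [], "tcpPorts": "443, 80"},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True, "expressRoute": True,
     "urls": ["<tenant>.sharepoint.com", "<tenant>-my.sharepoint.com"],
     "ips": ["13.107.136.0/22", "40.108.128.0/17", "52.104.0.0/14", "104.146.128.0/17",
             "150.171.40.0/22", "2620:1ec:8f8::/46", "2620:1ec:908::/46", "2a01:111:f402::/48"],
     "tcpPorts": "443, 80"},
    {"id": 32, "serviceArea": "SharePoint", "category": "Default", "required": False, "expressRoute": False,
     "urls": ["*.log.optimizely.com", "ssw.live.com", "storage.live.com"], "ips": [], "tcpPorts": "443",
     "notes": "OneDrive for Business: supportability, telemetry, APIs, and embedded email links"},
]


def selected_sets(sets: List[Dict], service_areas: List[str], include_optional: bool = False) -> List[Dict]:
    """Endpoint sets a tenant needs: the chosen service areas plus Common (always required).
    Optional sets are skipped unless asked for; blocking them costs only the noted functionality."""
    chosen = set(service_areas) | {"Common"}
    return [s for s in sets if s["serviceArea"] in chosen and (s["required"] or include_optional)]


def expand_urls(endpoint_set: Dict, tenant: str) -> List[str]:
    """Fill the <tenant> placeholder with the tenant's own name."""
    return [u.replace("<tenant>", tenant) for u in endpoint_set.get("urls", [])]


def _ports(spec: str) -> set:
    """'443, 80' -> {443, 80}; an absent or empty spec means no ports of that protocol."""
    return {int(p) for p in spec.split(",") if p.strip()} if spec else set()


def covering_sets(sets: List[Dict], dest_ip: str, dest_port: int, proto: str = "tcp") -> List[int]:
    """IDs of endpoint sets whose IP ranges and ports cover a destination. Ranges that
    appear in several sets with different ports (rows 9 and 10 above) resolve by port."""
    ip = ipaddress.ip_address(dest_ip)
    key = "tcpPorts" if proto == "tcp" else "udpPorts"
    return [s["id"] for s in sets
            if dest_port in _ports(s.get(key, ""))
            and any(ip in ipaddress.ip_network(cidr) for cidr in s.get("ips", []))]


def fqdn_only_sets(sets: List[Dict]) -> List[int]:
    """Sets that publish no IP ranges: these need FQDN/proxy rules, not IP access lists."""
    return [s["id"] for s in sets if not s.get("ips")]


def optimize_hosts(sets: List[Dict], tenant: str) -> List[str]:
    """Optimize-category hosts: the ones to route directly, bypassing proxies and VPNs."""
    return [u for s in sets if s["category"] == "Optimize" for u in expand_urls(s, tenant)]
```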

Exchange Online

ID | Category | ER | Addresses | Ports
ID 1 | Category: Optimize, Required | ER: Yes | Addresses: outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
Ports: TCP 443, 80
ID 2 | Category: Allow, Required | ER: Yes | Addresses: smtp.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
Ports: TCP 587
ID 3 | Category: Default, Required | ER: No | Addresses: r1.res.office365.com, r3.res.office365.com, r4.res.office365.com | Ports: TCP 443, 80
ID 5 | Category: Allow, Optional (Notes: Exchange Online IMAP4 migration) | ER: Yes | Addresses: *.outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 143, 993
6Allow
Optional
Notes: Exchange Online POP3 migration
Yes*.outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 995
8Default
Required
No*.outlook.com, *.outlook.office.com, attachments.office.netTCP: 443, 80
9Allow
Required
Yes*.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f403::/48
TCP: 443
10Allow
Required
Yes*.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25
154Default
Required
Noautodiscover.<tenant>.onmicrosoft.comTCP: 443, 80

SharePoint Online and OneDrive for Business

ID | Category | Required/Optional | ER (ExpressRoute) | Addresses | Ports
ID 31 | Optimize | Required | ER: Yes
    Addresses: <tenant>.sharepoint.com, <tenant>-my.sharepoint.com
    IP ranges: 13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48
    Ports: TCP: 443, 80
ID 32 | Default | Optional | ER: No
    Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links
    Addresses: *.log.optimizely.com, ssw.live.com, storage.live.com
    Ports: TCP: 443
ID 33 | Default | Optional | ER: No
    Notes: SharePoint Hybrid Search – Endpoint to SearchContentService where the hybrid crawler feeds documents
    Addresses: *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net
    Ports: TCP: 443
ID 35 | Default | Required | ER: No
    Addresses: *.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com
    Ports: TCP: 443, 80
ID 36 | Default | Required | ER: No
    Addresses: g.live.com, oneclient.sfx.ms
    Ports: TCP: 443, 80
ID 37 | Default | Required | ER: No
    Addresses: *.sharepointonline.com, cdn.sharepointonline.com, privatecdn.sharepointonline.com, publiccdn.sharepointonline.com, spoprod-a.akamaihd.net, static.sharepointonline.com
    Ports: TCP: 443, 80
ID 38 | Default | Optional | ER: No
    Notes: SharePoint Online: auxiliary URLs
    Addresses: prod.msocdn.com, watson.telemetry.microsoft.com
    Ports: TCP: 443, 80
ID 39 | Default | Required | ER: No
    Addresses: *.svc.ms, <tenant>-files.sharepoint.com, <tenant>-myfiles.sharepoint.com
    Ports: TCP: 443, 80

Skype for Business Online and Microsoft Teams

ID | Category | Required/Optional | ER (ExpressRoute) | Addresses | Ports
ID 11 | Optimize | Required | ER: Yes
    IP ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14
    Ports: UDP: 3478, 3479, 3480, 3481
ID 12 | Allow | Required | ER: Yes
    Addresses: *.lync.com, *.teams.microsoft.com, teams.microsoft.com
    IP ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
    Ports: TCP: 443, 80
ID 13 | Allow | Required | ER: Yes
    Addresses: *.broadcast.skype.com, broadcast.skype.com
    IP ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
    Ports: TCP: 443
ID 14 | Default | Required | ER: No
    Addresses: quicktips.skypeforbusiness.com
    Ports: TCP: 443
ID 15 | Default | Required | ER: No
    Addresses: *.sfbassets.com, *.urlp.sfbassets.com, skypemaprdsitus.trafficmanager.net
    Ports: TCP: 443, 80
ID 16 | Default | Required | ER: No
    Addresses: *.keydelivery.mediaservices.windows.net, *.msecnd.net, *.streaming.mediaservices.windows.net, ajax.aspnetcdn.com, mlccdn.blob.core.windows.net
    Ports: TCP: 443
ID 17 | Default | Required | ER: No
    Addresses: aka.ms, amp.azure.net
    Ports: TCP: 443
ID 18 | Default | Optional | ER: No
    Notes: Federation with Skype and public IM connectivity: Contact picture retrieval
    Addresses: *.users.storage.live.com
    Ports: TCP: 443
ID 19 | Default | Optional | ER: No
    Notes: Applies only to those who deploy the Conference Room Systems
    Addresses: *.adl.windows.com
    Ports: TCP: 443, 80
ID 22 | Allow | Optional | ER: Yes
    Notes: Teams: Messaging interop with Skype for Business
    Addresses: *.skypeforbusiness.com
    IP ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
    Ports: TCP: 443
ID 26 | Default | Required | ER: No
    Addresses: *.msedge.net, compass-ssl.microsoft.com
    Ports: TCP: 443
ID 27 | Default | Required | ER: No
    Addresses: *.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.net, videoplayercdn.osi.office.net
    Ports: TCP: 443
ID 29 | Default | Optional | ER: No
    Notes: Yammer third-party integration
    Addresses: *.tenor.com
    Ports: TCP: 443, 80
ID 127 | Default | Required | ER: No
    Addresses: *.skype.com
    Ports: TCP: 443, 80
ID 146 | Default | Required | ER: No
    Addresses: statics.teams.microsoft.com
    Ports: TCP: 443

Microsoft 365 Common and Office Online

ID | Category | Required/Optional | ER (ExpressRoute) | Addresses | Ports
ID 40 | Default | Optional | ER: No
    Notes: Office 365 Video CDNs
    Addresses: ajax.aspnetcdn.com, r3.res.outlook.com, spoprod-a.akamaihd.net
    Ports: TCP: 443
ID 41 | Default | Optional | ER: No
    Notes: Microsoft Stream
    Addresses: *.api.microsoftstream.com, *.notification.api.microsoftstream.com, amp.azure.net, api.microsoftstream.com, s0.assets-yammer.com, vortex.data.microsoft.com, web.microsoftstream.com
    Ports: TCP: 443
ID 42 | Default | Optional | ER: No
    Notes: Microsoft Stream CDN
    Addresses: amsglob0cdnstream11.azureedge.net, amsglob0cdnstream12.azureedge.net
    Ports: TCP: 443
ID 43 | Default | Optional | ER: No
    Notes: Microsoft Stream 3rd party integration (including CDNs)
    Addresses: nps.onyx.azure.net
    Ports: TCP: 443
ID 44 | Default | Optional | ER: No
    Notes: Microsoft Stream – unauthenticated
    Addresses: *.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.net
    Ports: TCP: 443
ID 45 | Default | Optional | ER: No
    Notes: Office 365 Video
    Addresses: *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net
    Ports: TCP: 443
ID 46 | Allow | Required | ER: Yes
    Addresses: *.online.office.com, *broadcast.officeapps.live.com, *excel.officeapps.live.com, *onenote.officeapps.live.com, *powerpoint.officeapps.live.com, *rtc.officeapps.live.com, *shared.officeapps.live.com, *view.officeapps.live.com, *visio.officeapps.live.com, *word-edit.officeapps.live.com, office.live.com
    IP ranges: 13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.244.37.168/32, 52.244.203.72/32, 52.244.207.172/32, 52.244.223.198/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
    Ports: TCP: 443
ID 47 | Default | Required | ER: No
    Addresses: *.cdn.office.net, contentstorage.osi.office.net
    Ports: TCP: 443
ID 49 | Default | Required | ER: No
    Addresses: *.onenote.com
    Ports: TCP: 443
ID 50 | Default | Optional | ER: No
    Notes: OneNote notebooks (wildcards)
    Addresses: *.microsoft.com, *.msecnd.net, *.office.net
    Ports: TCP: 443
ID 51 | Default | Required | ER: No
    Addresses: *cdn.onenote.net
    Ports: TCP: 443
ID 52 | Default | Optional | ER: No
    Notes: OneNote 3rd party supporting services and CDNs
    Addresses: ad.atdmt.com, s.ytimg.com, www.youtube.com
    Ports: TCP: 443
ID 53 | Default | Required | ER: No
    Addresses: ajax.aspnetcdn.com, apis.live.net, cdn.optimizely.com, officeapps.live.com, www.onedrive.com
    Ports: TCP: 443
ID 56 | Allow | Required | ER: Yes
    Addresses: *.msappproxy.net, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
    IP ranges: 20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
    Ports: TCP: 443, 80
ID 59 | Default | Required | ER: No
    Addresses: *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net, secure.aadcdn.microsoftonline-p.com
    Ports: TCP: 443, 80
ID 64 | Allow | Required | ER: Yes
    Addresses: *.manage.office.com, *.protection.office.com, manage.office.com, protection.office.com
    IP ranges: 13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64
    Ports: TCP: 443
ID 65 | Allow | Required | ER: Yes
    Addresses: *.portal.cloudappsecurity.com, account.office.net, admin.microsoft.com, home.office.com, portal.office.com, www.office.com
    IP ranges: 13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64
    Ports: TCP: 443, 80
ID 66 | Default | Required | ER: No
    Addresses: suite.office.net
    Ports: TCP: 443
ID 67 | Default | Optional | ER: No
    Notes: Security and Compliance Center eDiscovery export
    Addresses: *.blob.core.windows.net
    Ports: TCP: 443
ID 68 | Default | Optional | ER: No
    Notes: Portal and shared: 3rd party office integration (including CDNs)
    Addresses: *.helpshift.com, *.localytics.com, analytics.localytics.com, api.localytics.com, connect.facebook.net, firstpartyapps.oaspapps.com, outlook.uservoice.com, prod.firstpartyapps.oaspapps.com.akadns.net, rink.hockeyapp.net, sdk.hockeyapp.net, telemetryservice.firstpartyapps.oaspapps.com, web.localytics.com, webanalytics.localytics.com, wus-firstpartyapps.oaspapps.com
    Ports: TCP: 443
ID 69 | Default | Required | ER: No
    Addresses: *.aria.microsoft.com, *.events.data.microsoft.com
    Ports: TCP: 443
ID 70 | Default | Required | ER: No
    Addresses: *.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, client.hip.live.com, contentstorage.osi.office.net, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.content.office.net, support.microsoft.com, technet.microsoft.com, videocontent.osi.office.net, videoplayercdn.osi.office.net
    Ports: TCP: 443
ID 71 | Default | Required | ER: No
    Addresses: *.office365.com
    Ports: TCP: 443
ID 72 | Default | Optional | ER: No
    Notes: Azure Rights Management (RMS) with Office 2010 clients
    Addresses: *.cloudapp.net
    Ports: TCP: 443
ID 73 | Default | Required | ER: No
    Addresses: *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net
    Ports: TCP: 443
ID 74 | Default | Optional | ER: No
    Notes: Remote Connectivity Analyzer – Initiate connectivity tests.
    Addresses: testconnectivity.microsoft.com
    Ports: TCP: 443, 80
ID 75 | Default | Optional | ER: No
    Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services
    Addresses: *.hockeyapp.net, *.sharepointonline.com, cdn.forms.office.net, dc.applicationinsights.microsoft.com, dc.services.visualstudio.com, forms.microsoft.com, mem.gfx.ms, office365servicehealthcommunications.cloudapp.net, signup.microsoft.com, staffhub.ms, staffhub.uservoice.com, staffhubweb.azureedge.net, watson.telemetry.microsoft.com
    Ports: TCP: 443
ID 76 | Default | Optional | ER: No
    Notes: Microsoft Azure RemoteApp
    Addresses: vortex.data.microsoft.com
    Ports: TCP: 443
ID 77 | Allow | Required | ER: Yes
    Addresses: nexus.officeapps.live.com, nexusrules.officeapps.live.com, portal.microsoftonline.com
    IP ranges: 13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.244.37.168/32, 52.244.203.72/32, 52.244.207.172/32, 52.244.223.198/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
    Ports: TCP: 443
ID 78 | Default | Optional | ER: No
    Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
    Addresses: *.microsoft.com, *.msocdn.com, *.office.net, *.onmicrosoft.com
    Ports: TCP: 443, 80
ID 79 | Default | Required | ER: No
    Addresses: o15.officeredir.microsoft.com, ocsredir.officeapps.live.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com
    Ports: TCP: 443, 80
ID 80 | Default | Required | ER: No
    Addresses: ocws.officeapps.live.com
    Ports: TCP: 443
ID 81 | Default | Required | ER: No
    Addresses: odc.officeapps.live.com
    Ports: TCP: 443, 80
ID 82 | Default | Required | ER: No
    Addresses: roaming.officeapps.live.com
    Ports: TCP: 443, 80
ID 83 | Default | Required | ER: No
    Addresses: activation.sls.microsoft.com
    Ports: TCP: 443
ID 84 | Default | Required | ER: No
    Addresses: crl.microsoft.com
    Ports: TCP: 443, 80
ID 85 | Default | Required | ER: No
    Addresses: ols.officeapps.live.com
    Ports: TCP: 443
ID 86 | Default | Required | ER: No
    Addresses: office15client.microsoft.com, officeclient.microsoft.com
    Ports: TCP: 443
ID 87 | Default | Required | ER: No
    Addresses: ocsa.officeapps.live.com
    Ports: TCP: 443, 80
ID 88 | Default | Required | ER: No
    Addresses: insertmedia.bing.office.net
    Ports: TCP: 443, 80
ID 89 | Default | Required | ER: No
    Addresses: go.microsoft.com, support.office.com
    Ports: TCP: 443, 80
ID 90 | Default | Required | ER: No
    Addresses: mrodevicemgr.officeapps.live.com
    Ports: TCP: 443
ID 91 | Default | Required | ER: No
    Addresses: ajax.aspnetcdn.com, cdn.odc.officeapps.live.com
    Ports: TCP: 443, 80
ID 92 | Default | Required | ER: No
    Addresses: officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net
    Ports: TCP: 443, 80
ID 93 | Default | Optional | ER: No
    Notes: ProPlus: auxiliary URLs
    Addresses: ajax.microsoft.com, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, excelcs.officeapps.live.com, ocos-office365-s2s.msedge.net, omextemplates.content.office.net, peoplegraph.firstpartyapps.oaspapps.com, pptcs.officeapps.live.com, tse1.mm.bing.net, uci.officeapps.live.com, watson.microsoft.com, wikipedia.firstpartyapps.oaspapps.com, wordcs.officeapps.live.com, www.bing.com
    Ports: TCP: 443, 80
ID 95 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS
    Addresses: *.acompli.net, *.outlookmobile.com
    Ports: TCP: 443
ID 96 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Authentication
    Addresses: *.manage.microsoft.com, api.office.com, go.microsoft.com, login.windows-ppe.net, secure.aadcdn.microsoftonline-p.com, vortex.data.microsoft.com
    Ports: TCP: 443
ID 97 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration
    Addresses: account.live.com, apis.live.net, auth.gfx.ms, login.live.com
    Ports: TCP: 443
ID 98 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Google integration
    Addresses: accounts.google.com, mail.google.com, www.googleapis.com
    Ports: TCP: 443
ID 99 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Yahoo integration
    Addresses: api.login.yahoo.com, social.yahooapis.com
    Ports: TCP: 443
ID 100 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: DropBox integration
    Addresses: api.dropboxapi.com, www.dropbox.com
    Ports: TCP: 443
ID 101 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Box integration
    Addresses: app.box.com
    Ports: TCP: 443
ID 102 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Facebook integration
    Addresses: graph.facebook.com, m.facebook.com
    Ports: TCP: 443
ID 103 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Evernote integration
    Addresses: www.evernote.com
    Ports: TCP: 443
ID 104 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: WunderList integration
    Addresses: a.wunderlist.com, www.wunderlist.com
    Ports: TCP: 443
ID 105 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Outlook Privacy
    Addresses: bit.ly, www.acompli.com
    Ports: TCP: 443
ID 106 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: User voice integration
    Addresses: by.uservoice.com, outlook.uservoice.com
    Ports: TCP: 443
ID 109 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Flurry log integration
    Addresses: data.flurry.com
    Ports: TCP: 443
ID 110 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Adjust integration
    Addresses: app.adjust.com
    Ports: TCP: 443
ID 111 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Hockey log integration
    Addresses: rink.hockeyapp.net, sdk.hockeyapp.net
    Ports: TCP: 443
ID 112 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Helpshift integration
    Addresses: acompli.helpshift.com
    Ports: TCP: 443
ID 113 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Play Store integration (Android only)
    Addresses: play.google.com
    Ports: TCP: 443
ID 114 | Default | Optional | ER: No
    Notes: Office Mobile URLs
    Addresses: *.appex.bing.com, *.appex-rf.msn.com, *.itunes.apple.com, c.bing.com, c.live.com, cl2.apple.com, client.hip.live.com, d.docs.live.net, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, odcsm.officeapps.live.com, office.microsoft.com, officeimg.vo.msecnd.net, partnerservices.getmicrosoftkey.com, roaming.officeapps.live.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com
    Ports: TCP: 443, 80
ID 115 | Default | Optional | ER: No
    Notes: Outlook for Android and iOS: Meetup integration
    Addresses: api.meetup.com, secure.meetup.com
    Ports: TCP: 443
ID 116 | Default | Optional | ER: No
    Notes: Office for iPad URLs
    Addresses: account.live.com, auth.gfx.ms, c.bing.com, c.live.com, cl2.apple.com, client.hip.live.com, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, go.microsoft.com, login.live.com, office.microsoft.com, p100-sandbox.itunes.apple.com, partnerservices.getmicrosoftkey.com, roaming.officeapps.live.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com
    Ports: TCP: 443, 80
ID 117 | Default | Optional | ER: No
    Notes: Yammer
    Addresses: *.yammer.com, *.yammerusercontent.com
    Ports: TCP: 443
ID 118 | Default | Optional | ER: No
    Notes: Yammer CDN
    Addresses: *.assets-yammer.com
    Ports: TCP: 443
ID 120 | Default | Optional | ER: No
    Notes: Planner CDNs
    Addresses: ajax.aspnetcdn.com
    Ports: TCP: 443
ID 121 | Default | Optional | ER: No
    Notes: Planner: auxiliary URLs
    Addresses: www.outlook.com
    Ports: TCP: 443, 80
ID 122 | Default | Optional | ER: No
    Notes: Sway CDNs
    Addresses: eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com
    Ports: TCP: 443
ID 123 | Default | Optional | ER: No
    Notes: Sway website analytics
    Addresses: www.google-analytics.com
    Ports: TCP: 443
ID 124 | Default | Optional | ER: No
    Notes: Sway
    Addresses: sway.com, www.sway.com
    Ports: TCP: 443
ID 125 | Default | Required | ER: No
    Addresses: *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl.microsoft.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.int-x3.letsencrypt.org, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com
    Ports: TCP: 443, 80
ID 126 | Default | Optional | ER: No
    Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
    Addresses: officespeech.platform.bing.com
    Ports: TCP: 443
ID 128 | Default | Required | ER: No
    Addresses: *.config.office.net, *.manage.microsoft.com
    Ports: TCP: 443
ID 130 | Default | Required | ER: No
    Addresses: lpcres.delve.office.com
    Ports: TCP: 443
ID 147 | Default | Required | ER: No
    Addresses: *.office.com
    Ports: TCP: 443, 80
ID 148 | Default | Required | ER: No
    Addresses: cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com
    Ports: TCP: 443, 80
ID 149 | Default | Required | ER: No
    Addresses: workplaceanalytics.cdn.office.net, workplaceanalytics.office.com
    Ports: TCP: 443, 80
ID 150 | Default | Optional | ER: No
    Notes: Blocking these endpoints will affect the ability to access the Office 365 ProPlus deployment and management features via the portal.
    Addresses: *.officeconfig.msocdn.com
    Ports: TCP: 443
ID 152 | Default | Optional | ER: No
    Notes: These endpoints enable the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.
    Addresses: *.microsoftusercontent.com
    Ports: TCP: 443
ID 153 | Default | Required | ER: No
    Addresses: *.azure-apim.net, *.flow.microsoft.com, *.powerapps.com
    Ports: TCP: 443

Source:
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
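Checking a destination against rows like the ones in the table above is mostly a matter of getting two details right: CIDR membership for the IP ranges, and suffix-anchored matching for the FQDN wildcards, so that a lookalike such as contoso.sharepoint.com.evil.example never passes an allowlist meant for <tenant>.sharepoint.com. The following is an added example, not code from the Microsoft page; ENDPOINTS is a constructed subset of the rows above (IDs 10, 11, 31, 46 and 154, with the IP ranges of ID 46 left out), and "contoso" is a placeholder tenant name.

```python
"""Check a host name or IP against Microsoft 365 endpoint table rows.

Added example, not part of the Microsoft page. ENDPOINTS is a constructed
subset of the table rows (IDs 10, 11, 31, 46, 154); the IP ranges for ID 46
are omitted here and "contoso" is a placeholder tenant.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    id: int
    category: str            # Optimize, Allow or Default
    required: bool
    fqdns: tuple = ()        # FQDN patterns as written in the table
    cidrs: tuple = ()
    tcp_ports: tuple = ()
    udp_ports: tuple = ()


ENDPOINTS = (
    Endpoint(10, "Allow", True, ("*.mail.protection.outlook.com",),
             ("40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
              "2a01:111:f400::/48", "2a01:111:f403::/48"), tcp_ports=(25,)),
    Endpoint(11, "Optimize", True, (),
             ("13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"),
             udp_ports=(3478, 3479, 3480, 3481)),
    Endpoint(31, "Optimize", True,
             ("<tenant>.sharepoint.com", "<tenant>-my.sharepoint.com"),
             ("13.107.136.0/22", "40.108.128.0/17", "52.104.0.0/14", "104.146.128.0/17",
              "150.171.40.0/22", "2620:1ec:8f8::/46", "2620:1ec:908::/46",
              "2a01:111:f402::/48"), tcp_ports=(443, 80)),
    # IP ranges for ID 46 left out of this subset
    Endpoint(46, "Allow", True,
             ("*.online.office.com", "*excel.officeapps.live.com", "office.live.com"),
             (), tcp_ports=(443,)),
    Endpoint(154, "Default", True, ("autodiscover.<tenant>.onmicrosoft.com",),
             (), tcp_ports=(443, 80)),
)


def _norm(host: str) -> str:
    return host.strip().rstrip(".").lower()


def fqdn_matches(pattern: str, host: str, tenant: str) -> bool:
    """Match a table FQDN pattern against a host name.

    "*.x.y" matches any name with at least one label before ".x.y" (the apex
    "x.y" itself is not matched); a bare leading "*" (as in
    "*excel.officeapps.live.com") matches any prefix string. Both forms are
    suffix-anchored, so "x.y.evil.example" can never match "*.x.y".
    """
    pattern = _norm(pattern.replace("<tenant>", tenant))
    host = _norm(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def ip_in_ranges(address: str, cidrs) -> bool:
    """True if address is an IP literal inside one of the CIDR ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:          # not an IP literal (e.g. a host name)
        return False
    # the membership test is False when the IP versions differ
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def find_endpoints(target: str, port: int, proto: str = "TCP",
                   tenant: str = "contoso") -> list:
    """IDs of the rows that cover `target` (host name or IP) on proto/port."""
    hits = []
    for ep in ENDPOINTS:
        ports = ep.tcp_ports if proto.upper() == "TCP" else ep.udp_ports
        if port not in ports:
            continue
        if ip_in_ranges(target, ep.cidrs) or any(
                fqdn_matches(p, target, tenant) for p in ep.fqdns):
            hits.append(ep.id)
    return hits


if __name__ == "__main__":
    for t, port, proto in (("contoso.sharepoint.com", 443, "TCP"),
                           ("contoso.sharepoint.com.evil.example", 443, "TCP"),
                           ("13.107.70.1", 3478, "UDP")):
        print(t, port, proto, "->", find_endpoints(t, port, proto))
```

The published list changes over time, so a static copy like this one goes stale; the point of the example is the matching logic, in particular that a "*." wildcard is treated as a DNS-style suffix rather than a substring.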

Change your Microsoft Office product key

This article applies to Office Home & Business, Office Professional, and individually purchased Office apps. If you bought multiple copies of Office and used the same Install button to install Office on multiple PCs, activation fails on the other PCs. This happens because each Install button is associated with a unique product key that can only be installed on one PC. To fix this, you can change the product key for the other PCs where you installed Office.

Note: After you change your product key, we recommend that you create a list to manage the product keys that you've installed. To learn how, see Manage multiple one-time-purchase Office installs that use the same Microsoft account.

The steps below are the command-line method (the original page also offers separate tabs for Office 2019/2016, Office 2013, and Office 365).
  1. Sign in to your Services & subscriptions page with the email and password associated with the Microsoft account that was used to install Office. After you sign in, you should see a list of Office products that are associated with your Microsoft account.
  2. For the first product that's listed on the page, select View product key. Copy or write down the product key. This is likely the product key that was used multiple times to install Office.
  3. Select View product key for the remaining Office products and copy or write them down. These are likely the keys that you'll use to replace the key that was used multiple times.
  4. On a PC where Office activation is failing, open the Command Prompt as described below:
     Windows 10 and Windows 8.1:
       1. Select the Start button (lower-left corner).
       2. Type Command Prompt.
       3. Right-click the Command Prompt icon, and select Run as administrator.
     Windows 7:
       1. Select the Start button (lower-left corner).
       2. Right-click Command Prompt and select Run as administrator.
  5. Use the commands that match your Office version and Windows version (32-bit or 64-bit); the commands shown below use the path C:\Program Files\Microsoft Office\Office16.

    Tip: If you get an Input Error: Can not find script file... message, it means that you used the wrong command. Don’t worry, running the wrong command won’t hurt anything. Double-check your Office and Windows versions and try a different command.

    1. Copy the following command, paste it into the Command Prompt window, and then press Enter:
       cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /dstatus
       The command prompt displays the last five characters of the product key that was used to install Office on the PC. The commands below use XXXXX to represent these characters.

    2. Copy the following command, paste it into the Command Prompt window, and replace XXXXX with the last 5 characters of the product key that was shown in the previous step. Press Enter to remove the product key:
       cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /unpkey:XXXXX

    3. Copy the following command, paste it into the Command Prompt window, and replace XXXXX-XXXXX-XXXXX-XXXXX-XXXXX with an unused product key from your list. Press Enter to change the key:
       cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


  6. Now start an Office app, such as Word, and select Next to activate Office over the Internet.
  7. Repeat this process for each PC where activation is failing.
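The three OSPP.VBS steps above can be scripted so that the duplicated key is confirmed to be present before anything is removed and the result is verified afterwards. The script below is an added example, not part of the Microsoft support article; it assumes an Office16 install folder (checked under both Program Files trees) and that /dstatus prints a "Last 5 characters of installed product key:" line, which is what the script parses. The full replacement key is passed to /inpkey but never echoed to the console.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not from the Microsoft support article): runs the three
OSPP.VBS steps with checks. Assumes an Office16 install folder and that
/dstatus prints a "Last 5 characters of installed product key:" line.
#>
param(
    # Last 5 characters of the key that was installed more than once (step 1)
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{5}$')][string]$OldKeyLast5,
    # Unused key from your list, in the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX form
    [Parameter(Mandatory)][ValidatePattern('^([A-Za-z0-9]{5}-){4}[A-Za-z0-9]{5}$')][string]$NewProductKey
)

# Office16 is used by both 32-bit and 64-bit installs; look in both Program Files trees
$candidates = @(
    "$env:ProgramFiles\Microsoft Office\Office16\OSPP.VBS",
    "${env:ProgramFiles(x86)}\Microsoft Office\Office16\OSPP.VBS"
)
$ospp = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $ospp) { throw 'OSPP.VBS not found under an Office16 folder; check your Office version.' }

function Invoke-Ospp([string]$Option) {
    # //Nologo drops the cscript banner so the output is easier to parse
    & cscript.exe //Nologo $ospp $Option 2>&1 | ForEach-Object { "$_" }
}

function Get-InstalledKeyTails {
    $pattern = 'Last 5 characters of installed product key:\s*([A-Za-z0-9]{5})'
    @(Invoke-Ospp '/dstatus' | Select-String -Pattern $pattern |
        ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpperInvariant() })
}

# Step 1: confirm the duplicated key is actually on this PC before touching anything
$before = Get-InstalledKeyTails
Write-Host "Installed key(s), last 5 characters: $($before -join ', ')"
if ($before -notcontains $OldKeyLast5.ToUpperInvariant()) {
    throw "No installed key ends in $OldKeyLast5; nothing removed."
}

# Step 2: remove only that key (/unpkey takes just the 5-character tail)
Invoke-Ospp "/unpkey:$OldKeyLast5" | Out-Null

# Step 3: install the replacement key
Invoke-Ospp "/inpkey:$NewProductKey" | Out-Null

# Verify via /dstatus; only the tail of the new key is written to the console
$newTail = $NewProductKey.Substring($NewProductKey.Length - 5).ToUpperInvariant()
if ((Get-InstalledKeyTails) -contains $newTail) {
    Write-Host "Key ending in $newTail installed; open an Office app to activate."
} else {
    Write-Warning 'Replacement not confirmed by /dstatus; review the OSPP.VBS output.'
}
```

Run it from an elevated PowerShell prompt, for example `.\Replace-OfficeKey.ps1 -OldKeyLast5 XXXXX -NewProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` (the file name is the caller's choice); a PC that carries several Office licenses keeps the ones whose tail does not match `-OldKeyLast5`.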

Source:
https://support.office.com/en-us/article/change-your-office-product-key-d78cf8f7-239e-4649-b726-3a8d2ceb8c81?omkt=en-001&ui=en-US&rs=en-001&ad=US#ID0EABAAA=Command_line

How to convert OST to PST in Outlook 2019/2016/2013/2010

Many users look for a reliable way to convert OST to PST in Outlook 2019/2016/2013/2010. There are several reasons to do so; the main one is that PST files are easy to move and to open. This post explains how to convert OST to PST in Outlook 2019/2016/2013/2010.

OST stands for Offline Storage Table. An OST file keeps a copy of the Exchange Server mailbox folders on the local disk so that the mailbox can be used offline, that is, without a connection to the server. Because the OST file is not affected by network interruptions or other outside disturbances, it is well suited to everyday business use.

Whatever the Outlook version (2019, 2016, 2013, 2010, 2007 or an older ANSI release), an inaccessible OST file has to be repaired to regain access to the data stored in it. The easiest way to fix the full range of OST problems, whether damage or loss, is to convert the OST file into an Outlook PST file.

There are many ways to convert OST data to the PST format; some are harder, while others are the safest ways to convert OST to PST in Outlook 2019/2016/2013/2010.

What to know before converting OST to PST in Outlook 2019/2016/2013/2010

You cannot extract data from an OST file into a PST directly. This means you must sign in with the original profile to export the OST data to PST; the method for this is given below.

An OST file is a duplicate of your Exchange mailbox; you can recreate it by re-synchronizing with the mailbox.

There is no way to convert an OST file to a PST file with Microsoft tools if your original email account is not accessible or if the OST file is no longer usable. In that situation there is only one way to convert the OST file to PST: a professional third-party tool.

Strategy 1: Use the Outlook Archive feature

The first way to copy or move mailbox items into a PST uses the Archive option in Outlook. This option copies all of the OST file's data into a PST file; however, it does not copy the contacts from the OST file.

To get a copy of the OST file's contents, follow the steps below.

  • Open the Outlook profile that contains the OST file.
  • Click the File tab, then Info, and then click the Clean-up Tools button.
  • Choose Archive from the options.
  • In the Archive dialog box that appears, make sure "Archive this folder and all subfolders" is selected (it is selected by default).
  • Choose the folder that you want to export to PST (e.g. Outbox).
  • In the "Archive items older than" box, give a date. All items sent up to that date will be archived.
  • Under "Archive file:", provide the destination path for the new PST.
  • Finally, click OK to run the export.

Strategy 2: Drag and drop mailbox items

Dragging and dropping mailbox items is one of the simplest ways to move data from an OST file into a PST file. Open a blank PST file in Outlook, then select the required mailbox items in the OST data and drag them into the blank PST.

The drag-and-drop technique has some limitations. It is time-consuming: the procedure must be repeated for every OST item that needs to go into the PST file. It demands care, because the process is tedious and a single slip leads to needless repetition.

Also, the folder hierarchy and the default folders such as Calendar, Contacts and Inbox cannot be moved directly; you have to create another PST file to hold all the data in an organized way.

Strategy 3: Outlook Import & Export Wizard

The Outlook Import and Export wizard is an effective way to convert OST data to the PST format in Outlook 2010 and other versions. With this procedure you can also move OST data to Excel and CSV files. You do need to be careful while executing the steps, as this is a manual technique.

You should also be technically capable of running the built-in import/export procedure, since any mistake may result in loss of access to your important data. It is therefore recommended to back up the OST file before starting the export, so that you can restore the data if something goes wrong during the process.

Strategy 4: Use Shoviv OST to PST Converter

There are many reasons, and many strategies, for saving OST data in the PST format; three of them have been described above. Those manual strategies carry some risk of failure and take a lot of the user's time. The next approach is for professionals who want to complete the OST conversion quickly and without loss.

Shoviv OST to PST Converter makes the conversion hassle-free and efficient. The tool provides an automated way to export numerous OST files to Outlook PSTs and extracts all mailbox items intact. The software can also split and compact the resulting PST files so that they are easier to manage. It can also export OST file data directly to Office 365, which helps if you are migrating mailboxes to the cloud. For these reasons Microsoft MVPs recommend the software-based OST conversion method.

Convert OST to PST in Outlook 2019/2016/2013/2010 with the tool:

Step 1: Download Shoviv OST to PST Converter, then install and launch it on your system.

Step 2: Click the Add OST Files button on the ribbon bar.

Step 3: Use the Add, Remove, Remove All and Search buttons to add the required OST files and check them. Also browse to the temp path.

Note: If your OST file is heavily corrupted, or you want to recover deleted items from it, choose the ‘Advance Scan’ option. The time taken to scan a file depends on the volume of data it contains. You can abort the scan at any time with the Stop button in the interface.

Step 4: The selected files now appear in the folder list; right-click a folder to expand it and view its contents.

Step 5: Right-click the selected files, or click the OST to PST button on the ribbon bar, and choose the “Save all Files in Outlook PST” option.

Step 6: A Check/Uncheck Subfolders option appears; check the subfolders you need and click Next to proceed.

Step 7: You are now taken to the Filter page. Apply filters using Process Message Class and Process Item Date Range, then click the Next button.

Step 8: On this page you can choose whether to migrate into an existing PST or to create a new PST and migrate into that. You can also set a size limit for the PST file; once the resulting PST reaches that size it is split. Set the priority and click the Next button.

Step 9: The OST to PST conversion now runs. After it completes, a “Process Completed Successfully” message appears; click OK. You can also save a report by clicking the Save Report button. Click Finish when everything is done.

Apart from saving Exchange OST mailboxes in Outlook PST file format, the Convert OST to PST tool from Shoviv also allows converting the offline files into numerous other formats, including MSG, HTML, EML and RTF.

Source:
https://www.shoviv.com/blog/convert-ost-to-pst-in-outlook-2007-2010-2013-2016/

Spear-Phishing Attacks Targeting Office 365 Users, SaaS Applications

Over the course of the last 15 years, cyber threats have gone from urban myths and corporate ghost stories to as mainstream as carjackings and burglaries. There isn’t a business owner of a small restaurant chain or a CEO of a Fortune 500 company who doesn’t think about the fallout of being breached.

I’m not here to tell you how the threats are getting more sophisticated, or how state-sponsored hacker groups are getting more and more funding; you already know that. But what I do want to share with you is something that I’m seeing daily: targeted threats that you may have already witnessed and, unfortunately, been a victim of personally, or know someone who has: spear-phishing.

Are you an Office 365 user? Do you have customers who are Office 365 users? Are you a managed security service provider (MSSP) that administers Office 365 for your clients? You probably need a solution that applies effective Office 365 security capabilities and controls.

With close to 200 million global users, Office 365 is a target — a big target. And spear-phishing attempts are good. Really good. Recently, Forbes ran a summary of the threat. Alarmingly, today’s most advanced spear-phishing attempts look like they come from your CFO, boss or trusted vendor. That lends them credibility with the target and, many times, users take the bait. Money gets wired. Access to accounts is provided. Confidential information is exposed.

Traditional email security isn’t enough protection. Out-of-the-box, cloud-native security services aren’t enough protection. A lean, effective and modern Office 365 security or SaaS security solution is required.
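The impersonation pattern just described, as an added example that is not SonicWall's or Microsoft's detection code: a small Python check that flags a message whose From display name matches a protected executive while the address is not that person's mailbox, whose sending domain is one typo away from a trusted domain, or whose Reply-To silently points somewhere else, and raises the severity when payment language is present. The tenant domain, the protected name, the vendor domain and the three sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates an executive or a trusted vendor.

Added example, not a vendor's detection logic.  The tenant domain, the
protected people, the vendor domain and the sample messages are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                         # assumed protected tenant
PROTECTED_PEOPLE = {                                     # assumed impersonation targets
    "Dana Rivers": "dana.rivers@example.com",            # the CFO
}
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-supplies.example"}  # assumed vendor allow-list
MONEY_CUES = ("wire", "transfer", "invoice", "urgent", "bank details", "gift card")


def normalize_name(name: str) -> str:
    """Fold case, accents and punctuation so 'Dána Rivérs' still matches."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.replace(",", " ").replace(".", " ").split()).lower()


def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                 # extra character in a
        elif len(b) > len(a):
            j += 1                 # extra character in b
        else:
            i, j = i + 1, j + 1    # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1


def assess_message(raw_message: str) -> dict:
    """Score one RFC 5322 message from its From, Reply-To, Subject and body."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. Display name of a protected person, but not sent from their mailbox.
    for person, mailbox in PROTECTED_PEOPLE.items():
        if normalize_name(display) == normalize_name(person) and addr != mailbox:
            reasons.append(f"display name '{display}' but sender is {addr}")

    # 2. Sending domain one typo away from a domain we trust.
    for trusted in TRUSTED_DOMAINS:
        if one_edit_apart(domain, trusted):
            reasons.append(f"lookalike domain {domain} resembles {trusted}")

    # 3. Replies silently redirected to another mailbox, a common BEC tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # Payment language on top of an impersonation signal raises the severity.
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    money_cue = any(cue in text for cue in MONEY_CUES)
    if reasons and money_cue:
        severity = "high"
    elif reasons:
        severity = "medium"
    elif money_cue:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "money_cue": money_cue}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Dana Rivers <dana.rivers@gmail-mail.example>
To: accounts@example.com
Reply-To: dana.rivers.cfo@gmail-mail.example
Subject: Urgent wire transfer before close of business

Please pay the attached vendor invoice today. I am in meetings, reply by email only.
"""
SAMPLE_LOOKALIKE = """\
From: Billing <billing@acme-suppiies.example>
To: accounts@example.com
Subject: Invoice 4471 - updated bank details

Our bank details have changed; please use the account in the attached invoice.
"""
SAMPLE_LEGIT = """\
From: Dana Rivers <dana.rivers@example.com>
Subject: Q3 budget review notes

Notes from today's meeting are attached.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        verdict = assess_message(sample)
        print(label, verdict["severity"], *verdict["reasons"], sep="\n  ")
```

The single-edit domain check deliberately stays simple; a production rule would also handle homoglyphs and multi-character swaps such as "rn" for "m", and would feed the severity into the mail gateway's quarantine or banner policy rather than just printing it.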

How to stop spear-phishing attacks, advanced cyber threats

SonicWall Cloud App Security (CAS) combines advanced security for Office 365, G Suite and other top SaaS applications to protect users and data within cloud applications, including email, messaging, file sharing and file storage. This approach delivers advanced threat protection against targeted email threats like phishing attacks, business email compromise, zero-day threats, data loss and account takeovers.

CAS also seamlessly integrates with sanctioned SaaS applications using native APIs. This helps organizations deploy email security and CASB functionalities that are critical to protecting the SaaS landscape and ensure consistent policies across cloud applications being used.

Explore the five key reasons CAS may be able to protect your organization from spear-phishing and other advanced attacks.

  • CAS delivers next-gen security for Office 365, protecting email, data and user credentials from advanced threats (including advanced phishing) while ensuring compliance in the cloud
  • Monitor SaaS accounts for IOCs, such as data leakage, account takeover, business email compromise (BEC) and fraud attempts
  • Block malware propagation in malicious email attachments and files, whether they are at-rest or traversing a SaaS environment, internally or cloud-to-cloud
  • Prevent data breaches using machine learning and/or AI-based user profiling and behavior analytics for incident detections and automated responses
  • Leverage Shadow IT to monitor cloud usage in real time, and set policies to block unsanctioned applications

In my over 10 years of observing various attacks and sitting in rooms with customers (not mine, fortunately) who have been breached, I can tell you that you don’t want it ever to be you or your customers. This threat is having more success than any I’ve seen — and these attacks are very recent.

For more information, contact a SonicWall cybersecurity expert or explore the CAS solution in detail.

Source:
https://blog.sonicwall.com/en-us/2020/01/spear-phishing-attacks-targeting-office-365-users-saas-applications/