From coit-security at lists.onenet.net  Thu Sep  6 15:05:27 2018
From: coit-security at lists.onenet.net (CoIT Security)
Date: Thu, 6 Sep 2018 20:05:27 +0000
Subject: [CoIT-Security] Cyber Advisory: Fraudulent Direct Deposit Modifications Attempted on Employees of Higher Education Entities (TLP: GREEN)
Message-ID:

Cyber Advisory from the FBI: TLP GREEN

The Human Resources departments of universities are being sent, via email, fraudulent direct deposit requests. In doing so, fraudsters impersonate a university employee via email, and attempt to change the employee's direct deposit bank account information to a bank account controlled by the fraudster.

Please notify your HR departments so they may be on the alert for potentially fraudulent direct deposit modification requests via email.

Please see the attached FBI Private Industry Notification, Number 180803-001, "Cybercriminals Utilize Social Engineering Techniques to Obtain Employee Credentials to Conduct Payroll Diversion."

If your institution has been targeted in this manner, please go to www.ic3.gov to report the incident.

CK

Chris Kosciuk
Information Security
Oklahoma State Regents for Higher Education / OneNet
655 Research Parkway Suite 150
Oklahoma City, OK 73104
o:405 225.9440
c:405.204.8642
ckosciuk at osrhe.edu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PIN-20180803-001[1].pdf
Type: application/pdf
Size: 595325 bytes
Desc: PIN-20180803-001[1].pdf
URL:

From coit-security at lists.onenet.net  Thu Sep 13 12:02:31 2018
From: coit-security at lists.onenet.net (CoIT Security)
Date: Thu, 13 Sep 2018 17:02:31 +0000
Subject: [CoIT-Security] FW: Adding Custom Banned Words for Office 365 Group Creation
In-Reply-To:
References:
Message-ID:

I thought this was an interesting addition to our repertoire of defense tools against misuse of the O365 groups. Banned words lists for O365 group creation.
We are banning "bad words" as well as terms related to business operations like bursar, admissions, financial services, etc.

Jesse is a systems administrator on our team and assembled this documentation from a couple of blogs as the info from Microsoft is not very complete at this time.

Rob

Rob Greggs
Acting Vice President for IITS
Oklahoma City Community College
7777 S. May Ave.
Oklahoma City, OK 73159
O: 405.682.7877
F: 405.688.3900
rgreggs at occc.edu
Die dulci freure

From: Uffen, Jesse P.
Sent: Thursday, September 13, 2018 11:34 AM
To: Greggs, Rob
Subject: Adding Custom Banned Words for Office 365 Group Creation

Adding custom banned words to O365 Groups names was talked about in the Community Hours call a few months back. I wanted to get this set up ASAP after we enabled Teams for students and after seeing an increase of compromised student accounts. Global admins and a few other administrative roles can bypass the filter if needed.

The cmdlets needed are available in the AzureADPreview PowerShell module:
https://www.powershellgallery.com/packages/AzureADPreview/2.0.1.18

I used these two blog posts for guidance:

https://drewmadelung.com/managing-office-365-group-using-azure-ad-powershell-v2/
  - Used to configure group settings in our tenant.

https://drewmadelung.com/office-365-groups-naming-policy/
  - Configuring custom blocked words.
A quick basic guide using PowerShell cmdlets from the blog posts I linked and my own experiences:

    Connect-AzureAD
      - Connect to your tenant

    Get-AzureADDirectorySetting | ForEach Values
      - View your current settings

    $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
      - Put your settings policy into a variable

    $settings["CustomBlockedWordsList"] = "HR,Contoso,Payroll,CEO,CFO,CIO"
      - Configure the values for the custom blocked words list in the variable we created above

    Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
      - Apply the settings

    Get-AzureADDirectorySetting | ForEach Values
      - You should now see the updated values when you view your settings

To make it easier, I created a text document with all of my banned words (separated by commas) and put that content into a variable so I did not have to type out my list every time I made a change. When I set the custom blocked words list setting I pointed to the variable.

    $badwords = get-content
    $settings["CustomBlockedWordsList"] = $badwords

Jesse

Jesse Uffen
Systems Administrator
405.686.6214
Juffen at occc.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: O365 group creation policy info.txt
URL:
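
Added example (not part of the original messages, and not OCCC's or Microsoft's own script): one way to do the file-based update described in the message above, with a dry run that reports which words would be added or removed before the tenant-wide setting is written. It uses the AzureADPreview cmdlets named in the message plus Get-AzureADDirectorySettingTemplate and New-AzureADDirectorySetting from the same module; the script layout, the -Apply switch, the helper ConvertTo-BlockedWordList and the banned-words.txt path are assumptions made for illustration.

```powershell
# Added example (not from the original message). Assumes the AzureADPreview
# module named in the message is installed. The default path is a placeholder.
param(
    [string]$WordFile = '.\banned-words.txt',  # hypothetical path
    [switch]$Apply                              # without this, only report
)

function ConvertTo-BlockedWordList {
    param([string[]]$Lines)
    # Accept commas or newlines as separators; trim, drop blanks,
    # and de-duplicate case-insensitively, keeping first-seen order.
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $words = $Lines -split '[,\r\n]+' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $seen.Add($_) }
    $words -join ','
}

Connect-AzureAD | Out-Null

$settings = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$isNew = -not $settings
if ($isNew) {
    # No Group.Unified settings object exists yet: create one from the template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $settings = $template.CreateDirectorySetting()
}

$desired = ConvertTo-BlockedWordList (Get-Content -Path $WordFile -ErrorAction Stop)
$old = @("$($settings['CustomBlockedWordsList'])" -split ',' | Where-Object { $_ })
$new = @($desired -split ',' | Where-Object { $_ })

# Report the change before touching tenant-wide policy.
"Adding:   " + (($new | Where-Object { $_ -notin $old }) -join ', ')
"Removing: " + (($old | Where-Object { $_ -notin $new }) -join ', ')

if (-not $Apply) { 'Dry run only; re-run with -Apply to write the setting.'; return }

$settings['CustomBlockedWordsList'] = $desired
if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $settings
} else {
    Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
}
```

Keeping the word file under version control gives a reviewable history of every change to the blocked list.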