Analytics Story: Office 365 Account Takeover
Description
Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.
Why it matters
Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, and therefore a prime target for attackers. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain an initial foothold. Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.
Detections
Data Sources
Name | Platform | Sourcetype | Source
---|---|---|---
O365 | N/A | o365:management:activity | o365
O365 Consent to application. | N/A | o365:management:activity | o365
O365 Update authorization policy. | N/A | o365:management:activity | o365
O365 UserLoggedIn | N/A | o365:management:activity | o365
O365 UserLoginFailed | N/A | o365:management:activity | o365
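Added example (not code from the analytic story or the Splunk security content project): a small Python detector that walks constructed o365:management:activity records and applies the operations listed in the Data Sources table, flagging the password-spray pattern described in the referenced Microsoft playbook (many distinct accounts failing from one source IP), OAuth consent grants, authorization-policy changes, and a successful login from an IP that was spraying. The sample records, the field names used (Operation, UserId, ClientIP) and the 10-account threshold are assumptions for illustration.

```python
"""Added example, not part of the analytic story: scan constructed
o365:management:activity records for this story's data-source operations."""
from collections import defaultdict

# Constructed sample records shaped like Office 365 Management Activity
# events (only the fields used here). Not real tenant data.
SAMPLE_EVENTS = [
    {"Operation": "UserLoginFailed", "UserId": f"user{i}@example.com",
     "ClientIP": "203.0.113.10"}
    for i in range(12)
] + [
    {"Operation": "UserLoggedIn", "UserId": "user3@example.com",
     "ClientIP": "203.0.113.10"},
    {"Operation": "Consent to application.", "UserId": "user3@example.com",
     "ClientIP": "203.0.113.10"},
    {"Operation": "Update authorization policy.", "UserId": "admin@example.com",
     "ClientIP": "198.51.100.7"},
    {"Operation": "UserLoginFailed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7"},
]

SPRAY_MIN_USERS = 10  # assumed: distinct accounts failing from one IP before alerting


def detect(events, spray_min_users=SPRAY_MIN_USERS):
    """Return (rule, subject, detail) findings for the given audit records."""
    findings = []
    failed_users = defaultdict(set)  # ClientIP -> UserIds that failed to log in
    for ev in events:
        op = ev.get("Operation")
        if op == "UserLoginFailed":
            failed_users[ev.get("ClientIP")].add(ev.get("UserId"))
        elif op == "Consent to application.":
            findings.append(("oauth_consent", ev["UserId"], ev.get("ClientIP")))
        elif op == "Update authorization policy.":
            findings.append(("authz_policy_change", ev["UserId"], ev.get("ClientIP")))
    # Many distinct accounts failing from one source IP is the spray pattern.
    spray_ips = {ip for ip, users in failed_users.items()
                 if len(users) >= spray_min_users}
    for ip in sorted(spray_ips):
        findings.append(("password_spray", ip, f"{len(failed_users[ip])} distinct users"))
    # A successful login from a spraying IP is the highest-priority follow-up.
    for ev in events:
        if ev.get("Operation") == "UserLoggedIn" and ev.get("ClientIP") in spray_ips:
            findings.append(("success_after_spray", ev["UserId"], ev["ClientIP"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

In production the same grouping would be expressed in SPL over the o365 sourcetype with a time window; a single failure from a second IP (as in the sample) correctly stays below the threshold.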
References
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://attack.mitre.org/tactics/TA0001/
- https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
Source: GitHub | Version: 1