Analytics Story: Office 365 Account Takeover

Description

Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain an initial foothold in the tenant. Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.

Detections

Name | Technique | Type
High Number of Login Failures from a single source | Password Guessing, Brute Force | Anomaly
O365 Block User Consent For Risky Apps Disabled | Impair Defenses | TTP
O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
O365 Email Access By Security Administrator | Exfiltration Over Web Service, Email Collection, Remote Email Collection | TTP
O365 Email Security Feature Changed | Impair Defenses, Disable or Modify Cloud Logs, Disable or Modify Tools | TTP
O365 Email Suspicious Behavior Alert | Email Collection, Email Forwarding Rule | TTP
O365 Excessive Authentication Failures Alert | Brute Force | Anomaly
O365 Excessive SSO logon errors | Modify Authentication Process | Anomaly
O365 File Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 High Number Of Failed Authentications for User | Brute Force, Password Guessing | TTP
O365 Mail Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting
O365 Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly
O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP
O365 Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | TTP
O365 Safe Links Detection | Phishing, Spearphishing Attachment | TTP
O365 Security And Compliance Alert Triggered | Valid Accounts, Cloud Accounts | TTP
O365 SharePoint Malware Detection | Malicious File, User Execution | TTP
O365 Threat Intelligence Suspicious File Detected | Malicious File, User Execution | TTP
O365 User Consent Blocked for Risky Application | Steal Application Access Token | TTP
O365 User Consent Denied for OAuth Application | Steal Application Access Token | TTP

Data Sources

Name | Platform | Sourcetype | Source
O365 | N/A | o365:management:activity | o365
O365 Consent to application. | N/A | o365:management:activity | o365
O365 Update authorization policy. | N/A | o365:management:activity | o365
O365 UserLoggedIn | N/A | o365:management:activity | o365
O365 UserLoginFailed | N/A | o365:management:activity | o365

References


Source: GitHub | Version: 1