Analytics Story: Office 365 Account Takeover

Date: 2023-10-17 ID: 7dcea963-af44-4db7-a5b9-fd2b543d9bc9 Author: Mauricio Velazco, Patrick Bareiss, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
High Number of Login Failures from a single source	Password Guessing, Brute Force	Anomaly
O365 Block User Consent For Risky Apps Disabled	Impair Defenses	TTP
O365 Concurrent Sessions From Different Ips	Browser Session Hijacking	TTP
O365 Email Access By Security Administrator	Exfiltration Over Web Service, Email Collection, Remote Email Collection	TTP
O365 Email Security Feature Changed	Impair Defenses, Disable or Modify Cloud Logs, Disable or Modify Tools	TTP
O365 Email Suspicious Behavior Alert	Email Collection, Email Forwarding Rule	TTP
O365 Excessive Authentication Failures Alert	Brute Force	Anomaly
O365 Excessive SSO logon errors	Modify Authentication Process	Anomaly
O365 File Permissioned Application Consent Granted by User	Steal Application Access Token	TTP
O365 High Number Of Failed Authentications for User	Brute Force, Password Guessing	TTP
O365 Mail Permissioned Application Consent Granted by User	Steal Application Access Token	TTP
O365 Multi-Source Failed Authentications Spike	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Hunting
O365 Multiple AppIDs and UserAgents Authentication Spike	Valid Accounts	Anomaly
O365 Multiple Failed MFA Requests For User	Multi-Factor Authentication Request Generation	TTP
O365 Multiple Users Failing To Authenticate From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	TTP
O365 Safe Links Detection	Phishing, Spearphishing Attachment	TTP
O365 Security And Compliance Alert Triggered	Valid Accounts, Cloud Accounts	TTP
O365 SharePoint Malware Detection	Malicious File, User Execution	TTP
O365 Threat Intelligence Suspicious File Detected	Malicious File, User Execution	TTP
O365 User Consent Blocked for Risky Application	Steal Application Access Token	TTP
O365 User Consent Denied for OAuth Application	Steal Application Access Token	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
O365	N/A	`o365:management:activity`	`o365`
O365 Consent to application.	N/A	`o365:management:activity`	`o365`
O365 Update authorization policy.	N/A	`o365:management:activity`	`o365`
O365 UserLoggedIn	N/A	`o365:management:activity`	`o365`
O365 UserLoginFailed	N/A	`o365:management:activity`	`o365`

References

Source: GitHub | Version: 1