Analytics Story: Office 365 Collection Techniques

Description

Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information.

Detections

| Name | Technique | Type |
|---|---|---|
| O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 Compliance Content Search Exported | Email Collection, Remote Email Collection | TTP |
| O365 Compliance Content Search Started | Email Collection, Remote Email Collection | TTP |
| O365 Elevated Mailbox Permission Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 Email Suspicious Behavior Alert | Email Collection, Email Forwarding Rule | TTP |
| O365 Mailbox Email Forwarding Enabled | Email Collection, Email Forwarding Rule | TTP |
| O365 Mailbox Folder Read Permission Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 Mailbox Folder Read Permission Granted | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 Multiple Mailboxes Accessed via API | Remote Email Collection | TTP |
| O365 New Email Forwarding Rule Created | Email Collection, Email Forwarding Rule | TTP |
| O365 New Email Forwarding Rule Enabled | Email Collection, Email Forwarding Rule | TTP |
| O365 New Forwarding Mailflow Rule Created | Email Collection | TTP |
| O365 OAuth App Mailbox Access via EWS | Remote Email Collection | TTP |
| O365 OAuth App Mailbox Access via Graph API | Remote Email Collection | TTP |
| O365 PST export alert | Email Collection | TTP |
| O365 Suspicious Admin Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly |
| O365 Suspicious Rights Delegation | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP |
| O365 Suspicious User Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| O365 | N/A | o365:management:activity | o365 |
| O365 MailItemsAccessed | N/A | o365:management:activity | o365 |

Source: GitHub | Version: 1