Description

Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change, Web
  • Last Updated: 2024-02-12
  • Author: Mauricio Velazco, Splunk
  • ID: d90f2b80-f675-4717-90af-12fc8c438ae8

Narrative

Office 365 (O365) is Microsoft’s cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365’s centralized storage of sensitive data and widespread adoption make it a key asset, but also a prime target for security threats. The ‘Office 365 Collection Techniques’ analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. ‘Collection’ in this context refers to the various techniques adversaries deploy to accumulate data essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information.

Detections

Name | Technique(s) | Type
O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 Compliance Content Search Exported | Email Collection, Remote Email Collection | TTP
O365 Compliance Content Search Started | Email Collection, Remote Email Collection | TTP
O365 Elevated Mailbox Permission Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 Mailbox Email Forwarding Enabled | Email Collection, Email Forwarding Rule | TTP
O365 Mailbox Folder Read Permission Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 Mailbox Folder Read Permission Granted | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 Mailbox Inbox Folder Shared with All Users | Email Collection, Remote Email Collection | TTP
O365 Mailbox Read Access Granted to Application | Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles | TTP
O365 Multiple Mailboxes Accessed via API | Remote Email Collection | TTP
O365 New Email Forwarding Rule Created | Email Collection, Email Forwarding Rule | TTP
O365 New Email Forwarding Rule Enabled | Email Collection, Email Forwarding Rule | TTP
O365 New Forwarding Mailflow Rule Created | Email Collection | TTP
O365 OAuth App Mailbox Access via EWS | Remote Email Collection | TTP
O365 OAuth App Mailbox Access via Graph API | Remote Email Collection | TTP
O365 PST export alert | Email Collection | TTP
O365 Suspicious Admin Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly
O365 Suspicious Rights Delegation | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP
O365 Suspicious User Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly

Reference

Source: Splunk Security Content | Version: 1