Analytics Story: Office 365 Account Takeover

Description

Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain an initial foothold. Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.

Detections

Name | Technique | Type
---- | --------- | ----
High Number of Login Failures from a single source | Password Guessing | Anomaly
O365 Block User Consent For Risky Apps Disabled | Impair Defenses | TTP
O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
O365 Email Access By Security Administrator | Remote Email Collection, Exfiltration Over Web Service | TTP
O365 Email Security Feature Changed | Disable or Modify Tools, Disable or Modify Cloud Logs | TTP
O365 Email Suspicious Behavior Alert | Email Forwarding Rule | TTP
O365 Email Transport Rule Changed | Email Forwarding Rule, Email Hiding Rules | Anomaly
O365 Excessive Authentication Failures Alert | Brute Force | Anomaly
O365 Excessive SSO logon errors | Modify Authentication Process | Anomaly
O365 Exfiltration via File Access | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly
O365 Exfiltration via File Download | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly
O365 Exfiltration via File Sync Download | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly
O365 File Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 High Number Of Failed Authentications for User | Password Guessing | TTP
O365 Mail Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 Multi-Source Failed Authentications Spike | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting
O365 Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly
O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP
O365 Multiple OS Vendors Authenticating From User | Brute Force | TTP
O365 Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | TTP
O365 Safe Links Detection | Spearphishing Attachment | TTP
O365 Security And Compliance Alert Triggered | Cloud Accounts | TTP
O365 Service Principal Privilege Escalation | Additional Cloud Roles | TTP
O365 SharePoint Malware Detection | Malicious File | TTP
O365 SharePoint Suspicious Search Behavior | Sharepoint, Unsecured Credentials | Anomaly
O365 Threat Intelligence Suspicious File Detected | Malicious File | TTP
O365 User Consent Blocked for Risky Application | Steal Application Access Token | TTP
O365 User Consent Denied for OAuth Application | Steal Application Access Token | TTP

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
O365 | N/A | o365:management:activity | o365
O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365
O365 Consent to application. | N/A | o365:management:activity | o365
O365 Update authorization policy. | N/A | o365:management:activity | o365
O365 UserLoggedIn | N/A | o365:management:activity | o365
O365 UserLoginFailed | N/A | o365:management:activity | o365


Source: GitHub | Version: 1