
Description

Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Risk
  • Last Updated: 2023-10-17
  • Author: Mauricio Velazco, Patrick Bareiss, Splunk
  • ID: 7dcea963-af44-4db7-a5b9-fd2b543d9bc9

Narrative

Office 365 (O365) is Microsoft’s cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365’s centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The “Office 365 Account Takeover” analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of the techniques attackers use, through various entry vectors, to gain their initial foothold. Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.

Detections

Name | Technique | Type
High Number of Login Failures from a single source | Password Guessing, Brute Force | Anomaly
O365 Block User Consent For Risky Apps Disabled | Impair Defenses | TTP
O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
O365 Excessive Authentication Failures Alert | Brute Force | Anomaly
O365 Excessive SSO logon errors | Modify Authentication Process | Anomaly
O365 File Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 High Number Of Failed Authentications for User | Brute Force, Password Guessing | TTP
O365 Mail Permissioned Application Consent Granted by User | Steal Application Access Token | TTP
O365 Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting
O365 Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly
O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP
O365 Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | TTP
O365 Security And Compliance Alert Triggered | Valid Accounts, Cloud Accounts | TTP
O365 User Consent Blocked for Risky Application | Steal Application Access Token | TTP
O365 User Consent Denied for OAuth Application | Steal Application Access Token | TTP

Reference

Version: 1