

This story focuses on detecting attacks against Office 365.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Patrick Bareiss, Splunk
  • ID: 1a51dd71-effc-48b2-abc4-3e9cdb61e5b9


More and more companies are using Microsoft's Office 365 cloud offering, and attacks against Office 365 are growing with it. This story collects the detections for Office 365 attacks listed below.


Name                                                  Technique                           Type
----------------------------------------------------  ----------------------------------  -------
High Number of Login Failures from a single source    Password Guessing                   Anomaly
O365 Add App Role Assignment Grant User               Cloud Account                       TTP
O365 Added Service Principal                          Cloud Account                       TTP
O365 Bypass MFA via Trusted IP                        Disable or Modify Cloud Firewall    TTP
O365 Disable MFA                                      Modify Authentication Process       TTP
O365 Excessive Authentication Failures Alert          Brute Force                         Anomaly
O365 Excessive SSO logon errors                       Modify Authentication Process       Anomaly
O365 New Federated Domain Added                       Cloud Account                       TTP
O365 PST export alert                                 Email Collection                    TTP
O365 Suspicious Admin Email Forwarding                Email Forwarding Rule               Anomaly
O365 Suspicious Rights Delegation                     Remote Email Collection             TTP
O365 Suspicious User Email Forwarding                 Email Forwarding Rule               Anomaly


source | version: 1