Office 365 is a popular productivity suite that lets organizations accelerate communication and business processes. Because of that popularity it has become a common target for both external attackers and insider threats. Devo therefore provides out-of-the-box detections to help organizations understand the likely attack paths against their Office 365 tenant and protect their Office 365 data.
Phish Attempt
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.
This detection is triggered when a user reports an email as malware or phishing in Office 365.
Source table → cloud.office365.management.securitycompliancecenter
365 Sus Mailbox Delegation
Adversaries may use a compromised account to send messages to other accounts within the target organization, creating inbox rules or delegating mailbox access along the way so that the account's owner does not notice the activity.
Source table → cloud.office365.management.exchange
New Federated Domain
The addition of a new federated domain may be normal administrative activity. However, these events need to be followed closely: a rogue federated domain lets an attacker issue tokens for any user in the tenant (federated credential abuse) and serves as a persistent backdoor via federated identities.
Source table → cloud.office365.management.exchange
Excessive SSO Login Failures
Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Source table → cloud.office365.management.azureactivedirectory
Excessive Auth Failure Attempts
This detection is triggered when a user account generates an excessive number of failed authentication attempts within a short time window.
Source table → cloud.office365.management.azureactivedirectory
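The two brute-force detections above (Excessive SSO Login Failures and Excessive Auth Failure Attempts) both reduce to a sliding-window count of failed sign-ins per account. The following is an added example of that logic, not Devo's own detection code; it runs over constructed Azure AD sign-in records in the shape of Office 365 Management Activity API events (field names CreationTime, Operation, ResultStatus, UserId, ClientIP and Workload are assumed to match that schema; the users, timestamps and IP addresses are made up). It goes one step beyond the description by flagging a burst that is followed by a successful sign-in, which is the case a responder most needs to see.

```python
"""Sliding-window detection of excessive failed sign-ins.

Added example, not Devo's detection code. Runs over constructed
Office 365 Management Activity API records (one JSON object per line).
Field names follow the Management Activity API common schema as assumed
here; the timestamps, users and IP addresses are made up.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(time, user, status, ip):
    """Build one constructed AzureActiveDirectory UserLoggedIn record."""
    return json.dumps({
        "CreationTime": time, "RecordType": 15, "Workload": "AzureActiveDirectory",
        "Operation": "UserLoggedIn", "ResultStatus": status,
        "UserId": user, "ClientIP": ip,
    })


SAMPLE_LOG_LINES = (
    # alice: six failures in 2.5 minutes, then a success (password guessed?)
    [_rec(f"2024-03-01T10:0{m}:{s}", "alice@example.com", "Failed", "203.0.113.5")
     for m, s in [(0, "00"), (0, "30"), (1, "00"), (1, "30"), (2, "00"), (2, "30")]]
    + [_rec("2024-03-01T10:03:00", "alice@example.com", "Succeeded", "203.0.113.5")]
    # bob: five failures spaced ten minutes apart, never inside one window
    + [_rec(f"2024-03-01T09:{m}:00", "bob@example.com", "Failed", "198.51.100.2")
       for m in ("00", "10", "20", "30", "40")]
    # carol: five failures in 40 seconds from two source addresses, no success
    + [_rec(f"2024-03-01T11:00:{s}", "carol@example.com", "Failed", ip)
       for s, ip in [("00", "198.51.100.7"), ("10", "198.51.100.8"), ("20", "198.51.100.7"),
                     ("30", "198.51.100.8"), ("40", "198.51.100.7")]]
)


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def parse_sign_ins(lines):
    """Keep only Azure AD sign-in records, oldest first (the API does not
    guarantee delivery order, so a sliding window must sort first)."""
    recs = [json.loads(line) for line in lines]
    recs = [r for r in recs
            if r.get("Workload") == "AzureActiveDirectory" and r.get("Operation") == "UserLoggedIn"]
    return sorted(recs, key=_ts)


def detect_excessive_failures(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per burst when a UserId reaches `threshold` failed sign-ins
    inside `window`. A success that lands while the burst is still inside the
    window is flagged: a guessed password is the outcome to act on."""
    failures = defaultdict(deque)   # UserId -> timestamps of failures still in window
    ips = defaultdict(set)          # UserId -> source addresses seen in the current streak
    live = {}                       # UserId -> alert for a burst still inside the window
    alerts = []
    for rec in parse_sign_ins(lines):
        user, when = rec["UserId"], _ts(rec)
        q = failures[user]
        while q and when - q[0] > window:      # expire failures older than the window
            q.popleft()
        if not q:
            live.pop(user, None)
        if rec["ResultStatus"] == "Failed":
            q.append(when)
            ips[user].add(rec.get("ClientIP", ""))
            if len(q) == threshold:            # fire on the transition only, not on every extra failure
                alert = {"user": user, "first_failure": q[0].isoformat(),
                         "fired_at": when.isoformat(), "count": threshold,
                         "client_ips": sorted(ips[user]), "followed_by_success": False}
                alerts.append(alert)
                live[user] = alert
        else:
            if user in live:                    # success right after a burst
                live[user]["followed_by_success"] = True
            q.clear()                           # a success ends the failure streak
            ips[user].clear()
            live.pop(user, None)
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_failures(SAMPLE_LOG_LINES):
        print(alert)
```

Firing on the transition to the threshold rather than on every failure keeps one alert per burst; the `followed_by_success` flag is what separates noisy lockout activity from a likely compromise.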
Disable MFA
Adversaries may modify authentication mechanisms and processes to access user credentials, bypass authentication mechanisms or enable otherwise unwarranted access to accounts.
Source table → cloud.office365.management.azureactivedirectory
Bypass MFA via IP
Adding an IP address or range to a trusted-location list exempts sign-ins from those addresses from MFA. This is not necessarily malicious, since administrators add corporate ranges for convenience. However, these events need to be followed closely: attackers who obtain administrative access are known to add their own addresses so that they can bypass the MFA system.
Source table → cloud.office365.management
Added Service Principal
This detection is triggered when new credentials (a key or certificate) have been added to a service principal in Azure AD. Attackers add credentials to existing service principals to obtain persistent, non-interactive access that is not subject to user MFA.
Source table → cloud.office365.management.azureactivedirectory
Mailbox Audit Bypass
Mailbox auditing is responsible for logging specified mailbox events, such as message access, sends and deletions. Attackers may attempt to bypass this mechanism, for example by enabling an audit bypass association for an account they control, to conceal the actions they take.
Source table → cloud.office365.management.exchange
SecOpsO365PSTExportAlert
This detection is triggered when a user has performed an eDiscovery search or exported a PST file, either of which may contain sensitive information.
Source table → cloud.office365.management
SecOpsO365SuspiciousAdminEmailForwarding
This detection is triggered when a user has configured several forwarding rules pointing at the same email address, a common way of silently exfiltrating mail after an account or admin role has been compromised.
Source table → cloud.office365.management
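The forwarding detection above is a fan-out count: many forwarding configurations, one destination. The following is an added example of that logic, not Devo's own detection code; it runs over constructed Exchange audit records in the shape of Office 365 Management Activity API events (Operation, UserId, ObjectId and a Parameters list of Name/Value pairs are assumed to match that schema, the affected mailbox is assumed to sit in ObjectId, the tenant domain list is assumed, and all users and addresses are made up). It generalizes the description slightly by counting distinct mailboxes per destination across both inbox rules and mailbox-level forwarding, and by marking whether the destination lies outside the tenant.

```python
"""Detection of forwarding rules that fan mail out to one address.

Added example, not Devo's detection code. Runs over constructed Exchange
audit records from the Office 365 Management Activity API (one JSON object
per line). Field names follow that API's Exchange admin schema as assumed
here; the affected mailbox in ObjectId and the tenant domain list are
assumptions; users and addresses are made up.
"""
import json
import re
from collections import defaultdict

ORG_DOMAINS = {"example.com"}      # assumed: the tenant's own accepted domains
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _rec(actor, op, mailbox, params):
    """Build one constructed Exchange audit record."""
    return json.dumps({
        "Workload": "Exchange", "RecordType": 1, "Operation": op,
        "UserId": actor, "ObjectId": mailbox,
        "Parameters": [{"Name": n, "Value": v} for n, v in params.items()],
    })


SAMPLE_LOG_LINES = [
    # an admin points three mailboxes at one outside address via Set-Mailbox
    _rec("admin@example.com", "Set-Mailbox", "alice@example.com",
         {"Identity": "alice@example.com", "ForwardingSmtpAddress": "smtp:collector@example.net"}),
    _rec("admin@example.com", "Set-Mailbox", "bob@example.com",
         {"Identity": "bob@example.com", "ForwardingSmtpAddress": "smtp:collector@example.net"}),
    _rec("admin@example.com", "Set-Mailbox", "carol@example.com",
         {"Identity": "carol@example.com", "ForwardingSmtpAddress": "smtp:Collector@example.net"}),
    # a compromised user adds an inbox rule to the same address (list-style value)
    _rec("dave@example.com", "New-InboxRule", "dave@example.com",
         {"Name": "Archive", "ForwardTo": '["collector@example.net"]', "DeleteMessage": "True"}),
    # benign: one user forwards to her own alias inside the tenant
    _rec("erin@example.com", "New-InboxRule", "erin@example.com",
         {"Name": "Copy", "ForwardTo": "erin.alt@example.com"}),
    # unrelated Set-Mailbox change with no forwarding parameter
    _rec("admin@example.com", "Set-Mailbox", "frank@example.com",
         {"Identity": "frank@example.com", "AuditEnabled": "True"}),
]


def forwarding_targets(rec):
    """Yield lower-cased addresses found in any forwarding parameter of a record,
    tolerating the "smtp:" prefix and list-style quoting seen in audit data."""
    for param in rec.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS:
            for addr in ADDRESS.findall(str(param.get("Value", ""))):
                yield addr.lower()


def detect_forwarding_fanout(lines, min_mailboxes=3):
    """Return one alert per destination that at least `min_mailboxes` distinct
    mailboxes are forwarded to, with the actors who configured it and whether
    the destination is outside the tenant."""
    by_target = defaultdict(lambda: {"mailboxes": set(), "actors": set(), "rules": 0})
    for line in lines:
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in FORWARD_OPS:
            continue
        for target in forwarding_targets(rec):
            entry = by_target[target]
            entry["mailboxes"].add(rec["ObjectId"].lower())
            entry["actors"].add(rec["UserId"].lower())
            entry["rules"] += 1
    alerts = []
    for target, entry in sorted(by_target.items()):
        if len(entry["mailboxes"]) >= min_mailboxes:
            alerts.append({
                "target": target,
                "external": target.rsplit("@", 1)[1] not in ORG_DOMAINS,
                "rules": entry["rules"],
                "mailboxes": sorted(entry["mailboxes"]),
                "actors": sorted(entry["actors"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_forwarding_fanout(SAMPLE_LOG_LINES):
        print(alert)
```

Normalizing the destination (case, the `smtp:` prefix, list quoting) before grouping matters: the same attacker address written three slightly different ways should still count as one fan-out target.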
SecOpsActivityAnonymousIPAddressesO365
This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address and may be used for malicious intent.
Source table → cloud.office365.siem_agent_alert
SecOpsGroupMembershipModifiedO365
This detection is triggered when the membership of a group is modified, that is, a user is added to or removed from a group. Additions to privileged or administrative groups deserve the closest attention.
Source table → cloud.office365.siem_agent_event
SecOpsDataExfiltrationToUnsanctionedAppsO365
This policy triggers when a user or IP address uses an app that is not sanctioned by the organization to perform an activity that resembles an attempt to exfiltrate information from your organization.
Source table → cloud.office365.siem_agent_event
SecOpsCloudDiscoveryAnomalyDetectionO365
This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses, and services, such as large amounts of uploaded data compared to other users, and large service transactions compared to the service's history.
Source table → cloud.office365.siem_agent_event