
Office 365

Office 365 is a popular productivity suite that enables organizations to accelerate communication and business processes. Because of its popularity, it has become a common attack vector for malicious actors and insider threats. As a result, Devo provides out-of-the-box detections to help organizations understand possible attack vectors and ways to protect their Office 365 data.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.

This detection is triggered when a user reports an email as malware or phishing in Office 365.

Source table → cloud.office365.management.securitycompliancecenter

Adversaries may use a compromised account to send messages to other accounts in the target organization's network while creating inbox rules to hide or redirect the resulting traffic.

Source table → cloud.office365.management.exchange

The addition of a new Federated domain may be a normal activity. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities.

Source table → cloud.office365.management.exchange

Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Source table → cloud.office365.management.azureactivedirectory

This detection is triggered when a user account makes an excessive number of authentication attempts with a failed status result within a short time window.

Source table → cloud.office365.management.azureactivedirectory
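The failed-authentication threshold logic described above, as an added illustration that is not Devo's own detection query: a sliding-window count of failed sign-ins per user over a constructed set of events whose fields (`time`, `user`, `result`) only loosely mirror the Azure AD sign-in records in cloud.office365.management.azureactivedirectory; the threshold and window values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, user, result="Failed"):
    return {"time": ts, "user": user, "result": result}


# Constructed sample events (not real tenant data): alice fails six times in
# 75 seconds, bob fails five times spread ten minutes apart, carol succeeds once.
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:00:{s:02d}", "alice@example.com") for s in (0, 15, 30, 45)]
    + [_ev("2024-01-01T10:01:00", "alice@example.com"),
       _ev("2024-01-01T10:01:15", "alice@example.com")]
    + [_ev(f"2024-01-01T10:{m:02d}:00", "bob@example.com") for m in (0, 10, 20, 30, 40)]
    + [_ev("2024-01-01T10:02:00", "carol@example.com", "Success")]
)


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Return one (user, time, failure_count) tuple per user whose failed
    sign-ins reach `threshold` inside any `window_minutes`-long window.

    A per-user deque holds the timestamps of recent failures; timestamps
    older than the window are dropped before the count is compared, so the
    window slides with each new failure. Each user alerts at most once."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "Failed":
            continue  # only failed status results count toward the threshold
        now = datetime.fromisoformat(ev["time"])
        q = recent_failures[ev["user"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= threshold and ev["user"] not in alerted:
            alerts.append((ev["user"], now.isoformat(), len(q)))
            alerted.add(ev["user"])
    return alerts
```

Run with `detect_bruteforce(SAMPLE_EVENTS)`: alice triggers at her fifth failure, bob never does because his failures are too far apart, and carol's success is ignored.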