According to our most recent cloud security report, most cloud security incidents are the result of compromised credentials for either human or non-human identities. Once an attacker successfully controls an identity, such as a highly privileged user account, they can quickly move to other areas of an environment, including prevalent targets like sensitive data stores. This pattern of behavior is similar across all cloud platforms and services.
Microsoft 365 is a common target for attackers simply because it is one of the most popular cloud-based productivity platforms globally. With its numerous integrations with other platforms and services, such as Azure, OneDrive, Outlook, Exchange, and SharePoint, Microsoft 365 can become a central point of access for sensitive, valuable data. In this post, we’ll look at a few ways attackers target and take advantage of Microsoft 365 services. Getting visibility into malicious activity like this enables you to find vulnerabilities in your Microsoft 365 ecosystem, understand how attackers exploit these weaknesses, and proactively stop threats before they become more serious.
Detect the various stages of an attack on Microsoft 365 and its services
Since compromised identities are primary access points into an environment for attackers, it’s helpful to understand the various ways an identity can become vulnerable. Scenarios like account takeovers, for example, involve an attacker compromising and gaining control of a legitimate account through various initial access techniques, such as phishing, credential stuffing, and password spraying. In some phishing campaigns, attackers attempt to trick a user into granting access to a malicious OAuth application so they can make API calls on the user’s behalf or access other sensitive data, such as the compromised user’s emails. Once they have initial access to an environment, attackers may continue their phishing campaigns internally or branch out to external clients. They may also use their new access to either manipulate settings for other Microsoft 365 services, such as Outlook or SharePoint, or download data from them, which often leads to costly data breaches.
With a better understanding of the common ways an attacker targets Microsoft 365 services, you can track their activity from end to end efficiently. Baseline activity to monitor includes:
- An increase in the number of login attempts (including failed logins) for a particular account, which is a sign that an attacker may be using techniques like brute force to gain access
- Sign-ins and other activity from atypical IP addresses and geographic locations
- Changes to account passwords or MFA configurations, which indicate that an attacker is attempting to maintain their foothold in an environment (i.e., persistence)
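The three baseline checks above, written out as an added example (this is not code from the original post or from Datadog). It runs over constructed sign-in and audit records whose fields are an assumed simplification of the Entra ID sign-in and audit logs; the audit activity names are likewise assumed to follow that log's wording. It looks for a per-account burst of failed sign-ins inside a sliding window (brute force or credential stuffing), for one source spreading single attempts across many accounts (password spraying), and for password or MFA changes on accounts that were just flagged.

```python
"""Baseline identity checks over constructed Microsoft 365 sign-in and audit
records. Added example: the record fields are an assumed simplification of the
Entra ID sign-in and audit logs, and the audit activity names are assumed to
follow that log's wording."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _ts(minute, second=0):
    # Builds constructed timestamps within one morning.
    return f"2024-05-01T08:{minute:02d}:{second:02d}Z"


# Constructed sample sign-ins (not real data).
SIGNINS = (
    # alice: 12 failures from one source inside three minutes, then a success
    [{"ts": _ts(i // 4, (i % 4) * 15), "user": "alice@example.com",
      "ip": "203.0.113.5", "status": "Failure"} for i in range(12)]
    + [{"ts": _ts(3), "user": "alice@example.com",
        "ip": "203.0.113.5", "status": "Success"}]
    # one source trying a single password against six different accounts
    + [{"ts": _ts(5, i * 5), "user": f"{name}@example.com",
        "ip": "198.51.100.7", "status": "Failure"}
       for i, name in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])]
    # bob: two mistyped passwords followed by a success, ordinary behaviour
    + [{"ts": _ts(10), "user": "bob@example.com", "ip": "192.0.2.9", "status": "Failure"},
       {"ts": _ts(10, 30), "user": "bob@example.com", "ip": "192.0.2.9", "status": "Failure"},
       {"ts": _ts(11), "user": "bob@example.com", "ip": "192.0.2.9", "status": "Success"}]
)

# Constructed audit records (not real data).
AUDIT = [
    {"ts": _ts(15), "operation": "User registered security info",
     "actor": "alice@example.com", "target": "alice@example.com"},
    {"ts": _ts(16), "operation": "Update user",
     "actor": "admin@example.com", "target": "bob@example.com"},
]

# Audit activities that change how an account authenticates (password or MFA).
CREDENTIAL_OPS = {
    "Reset user password", "Change user password",
    "User registered security info", "User changed default security info",
    "Admin registered security info",
}


def failed_login_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Return {user: peak} for users whose failed sign-ins inside any sliding
    window of `window` length reach `threshold` (brute force / credential stuffing)."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] == "Failure":
            failures[e["user"]].append(parse_ts(e["ts"]))
    hits = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


def password_spray_sources(events, min_users=5):
    """Return {ip: distinct_users} for sources whose failures span at least
    `min_users` accounts in the batch: few attempts per account, many accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["status"] == "Failure":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def credential_changes_for(audit_events, users):
    """Password or MFA changes on accounts already flagged by the checks above,
    which is the persistence pattern the post describes."""
    return [(e["target"], e["operation"]) for e in audit_events
            if e["operation"] in CREDENTIAL_OPS and e["target"] in users]


if __name__ == "__main__":
    bursts = failed_login_bursts(SIGNINS)
    print("failed-login bursts:", bursts)
    print("spray sources:", password_spray_sources(SIGNINS))
    print("credential changes on flagged accounts:", credential_changes_for(AUDIT, bursts))
```

The per-account threshold and the per-source distinct-user count are deliberately separate checks: a spray stays under any per-account threshold by design, so only the source-side view catches it. The third check is where the post's "persistence" signal comes in; a security-info registration right after a burst on the same account is worth an immediate look.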
There are also scenarios specific to Microsoft 365 that can help you track an attacker’s path through your environment, which we’ll describe next.
Initial access
Impossible travel, for example, typically indicates that an attacker is attempting to get initial access to an account. This particular activity can look like a successful login to sources like Microsoft 365 Exchange from a geographic location that is too far from the user’s last login location to be realistic. You can also monitor accounts, including those associated with impossible travel, for other signs of abnormal behavior, such as sending a malicious file via Microsoft Teams. This event could be an additional step in an attacker’s phishing campaign to access more accounts.
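The impossible-travel check above, as an added example rather than code from the post or from Datadog. It assumes sign-in records that already carry a latitude and longitude for the source IP (a simplification of a geolocated sign-in log), computes the great-circle distance between each user's consecutive successful sign-ins with the haversine formula, and alerts when the implied speed is beyond what an airliner could manage. Short hops are ignored so that IP geolocation jitter inside one city does not alert, and a zero time gap is treated as infinite speed instead of dividing by zero.

```python
"""Impossible-travel check over successful Microsoft 365 sign-ins. Added
example: the record fields (user, workload, timestamp, latitude/longitude of
the source IP) are an assumed simplification of a geolocated sign-in log."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample data: approximate city coordinates, not real sign-ins.
SIGNINS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "workload": "Exchange",
     "status": "Success", "lat": 48.8566, "lon": 2.3522},      # Paris
    {"ts": "2024-05-01T09:40:00Z", "user": "alice@example.com", "workload": "Exchange",
     "status": "Success", "lat": -33.8688, "lon": 151.2093},   # Sydney, 40 minutes later
    {"ts": "2024-05-01T09:00:00Z", "user": "bob@example.com", "workload": "SharePoint",
     "status": "Success", "lat": 40.7128, "lon": -74.0060},    # New York
    {"ts": "2024-05-01T09:45:00Z", "user": "bob@example.com", "workload": "Exchange",
     "status": "Success", "lat": 42.3601, "lon": -71.0589},    # Boston, reachable by train
    {"ts": "2024-05-01T09:50:00Z", "user": "bob@example.com", "workload": "Exchange",
     "status": "Failure", "lat": 51.5074, "lon": -0.1278},     # failed attempt, not a location change
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each user's consecutive successful sign-ins and return the pairs
    whose implied ground speed exceeds max_speed_kmh (roughly airliner speed).
    Pairs closer than min_distance_km are skipped; a zero time gap counts as
    infinite speed rather than raising a division error."""
    by_user = defaultdict(list)
    for e in signins:
        if e["status"] == "Success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            speed = math.inf if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["ts"], "to": cur["ts"],
                               "workload": cur["workload"],
                               "distance_km": round(dist, 1), "hours": round(hours, 2),
                               "speed_kmh": speed if speed == math.inf else round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

Only successful sign-ins are compared, since a failed attempt from a distant location says nothing about where the user actually is. The alert keeps the workload of the second sign-in so an analyst can see, as in the post's example, that the suspicious session landed on Exchange.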
Persistence
In addition to manipulating account settings, attackers may also modify various Microsoft 365 services in order to strengthen their foothold. For example, they may deploy a new Microsoft 365 application and use it to continue their internal phishing campaigns. They may also enable a mail forwarding rule in Exchange Online or add anonymous user permissions to a mailbox folder so they can maintain access to a compromised user’s inbox and email.
Privilege escalation
As an attacker establishes persistence in an environment, they often attempt to gain additional levels of access to other services and their resources. This can involve modifying the permissions of the account they already control or finding another account that already holds elevated privileges. For example, you can watch for unusual authentication by a Microsoft Entra ID (formerly known as Azure AD) service principal. Activity like this could indicate that an attacker is using that security identity to move to other areas of your environment with elevated privileges.
Defense evasion
While moving through your environment, attackers will often take steps to hide their activity in order to evade detection. One area they target to do this is audit log configuration, such as attempting to bypass audit logging for services like Microsoft 365 mailboxes or disabling audit logging altogether. If you see this kind of activity, you should investigate further to determine whether the associated user was compromised. You should also keep an eye on new and suspicious inbox rules (such as rules that forward, delete, or hide messages) created by potentially compromised users.
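The persistence changes described under "Persistence" (forwarding rules, anonymous mailbox folder permissions) and the defense-evasion changes described just above (audit bypass, audit logging turned off, suspicious inbox rules) all surface as Exchange Online cmdlet invocations in the audit trail. The following added example (not code from the post or from Datadog) triages such records. The record layout, an Operation plus a Parameters list of Name/Value pairs, is an assumed simplification of the Unified Audit Log's Exchange records; the cmdlet and parameter names are the real Exchange Online ones, and the records themselves are constructed.

```python
"""Triage of Exchange Online admin-audit records for persistence and
defense-evasion changes. Added example: the record layout (Operation plus a
Parameters list of Name/Value pairs) is an assumed simplification of the
Unified Audit Log's Exchange records; cmdlet and parameter names are the real
Exchange Online ones, and the sample records are constructed."""

# Parameters that redirect a copy of mail somewhere else.
FORWARD_PARAMS = ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"]

# Constructed sample records (not real data).
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@example.net"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Identity", "Value": "bob"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@example.net"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Add-MailboxFolderPermission", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Identity", "Value": "alice:\\Inbox"}, {"Name": "User", "Value": "Anonymous"},
        {"Name": "AccessRights", "Value": "Reviewer"}]},
    {"Operation": "Set-MailboxAuditBypassAssociation", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Identity", "Value": "alice"}, {"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"Operation": "Set-AdminAuditLogConfig", "UserId": "admin@example.com", "Parameters": [
        {"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [   # benign
        {"Name": "Name", "Value": "Vendor mail"}, {"Name": "ApplyCategory", "Value": "Vendor"},
        {"Name": "FromAddressContainsWords", "Value": "vendor.example"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com", "Parameters": [
        {"Name": "Name", "Value": "rss"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}, {"Name": "SubjectContainsWords", "Value": "invoice"}]},
]


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_true(value):
    # Audit records carry PowerShell booleans as the strings "True"/"False".
    return str(value).strip().lower() == "true"


def classify(record):
    """Return a list of (category, detail) findings for one audit record."""
    op, p = record["Operation"], _params(record)
    findings = []
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        for name in FORWARD_PARAMS:
            if name in p:
                findings.append(("forwarding", f"{name}={p[name]}"))
    if op in ("New-InboxRule", "Set-InboxRule"):
        if _is_true(p.get("DeleteMessage", "")):
            findings.append(("deletion", "rule deletes matching messages"))
        if "MoveToFolder" in p and _is_true(p.get("MarkAsRead", "")):
            findings.append(("hiding", f"moves to '{p['MoveToFolder']}' and marks as read"))
    if (op == "Add-MailboxFolderPermission" and p.get("User") in ("Anonymous", "Default")
            and p.get("AccessRights", "None") != "None"):
        findings.append(("anonymous_folder_access",
                         f"{p.get('Identity')} -> {p['User']}:{p['AccessRights']}"))
    if op == "Set-MailboxAuditBypassAssociation" and _is_true(p.get("AuditBypassEnabled", "")):
        findings.append(("audit_bypass", f"audit bypass enabled for {p.get('Identity')}"))
    if (op == "Set-AdminAuditLogConfig" and "UnifiedAuditLogIngestionEnabled" in p
            and not _is_true(p["UnifiedAuditLogIngestionEnabled"])):
        findings.append(("audit_disabled", "unified audit log ingestion turned off"))
    if op == "Set-Mailbox" and "AuditEnabled" in p and not _is_true(p["AuditEnabled"]):
        findings.append(("audit_disabled", f"mailbox auditing off for {p.get('Identity')}"))
    return findings


def triage(records):
    """Flatten findings across records, preserving record order."""
    out = []
    for rec in records:
        for category, detail in classify(rec):
            out.append({"user": rec["UserId"], "operation": rec["Operation"],
                        "category": category, "detail": detail})
    return out


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

The "hiding" rule only fires when a move is combined with marking the message read, so ordinary filing rules like carol's stay quiet; the forwarding and audit checks, by contrast, fire on a single parameter, because there is no benign reason for a new rule to forward mail to an external address or for mailbox audit bypass to be switched on without a change ticket behind it.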
Collection
Earlier, we talked about attackers getting initial access to an environment by tricking users into granting access to malicious OAuth applications. The same technique can also be used to gather more information about other users or resources once an attacker has successfully compromised an account. In addition to baseline activity like a sudden increase in failed logins for a user, you can monitor for other users connecting to the following malicious applications: eM Client, PerfectData Software, Newsletter Software Supermailer, and SigParser. You should also look out for attackers taking advantage of their access to SharePoint in order to share malicious files with other users, which is another method used in phishing campaigns.
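An added example (not code from the post or from Datadog) of scoring OAuth consent events for the pattern above. The flattened record fields are an assumed simplification of the Entra ID audit log's "Consent to application" entries, and the records are constructed. The application names are the ones listed in this post; the scope names are real Microsoft Graph and Exchange Online scopes. Beyond matching the app list, the scoring weighs what the grant actually allows (mailbox access, a refresh token via `offline_access`, tenant-wide admin consent) and reports apps that several users have consented to, which is the spread the post describes.

```python
"""Risk scoring for OAuth application consent events. Added example: the
flattened record fields are an assumed simplification of the Entra ID audit
log's "Consent to application" entries, and the records are constructed. App
names come from the post; scope names are real Graph/Exchange Online scopes."""
from collections import defaultdict

KNOWN_ABUSED_APPS = {"eM Client", "PerfectData Software",
                     "Newsletter Software Supermailer", "SigParser"}

# Delegated scopes that let the app read or send the user's mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
               "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send"}

# Constructed sample consent records (not real data).
CONSENTS = [
    {"activity": "Consent to application", "initiatedBy": "alice@example.com",
     "app": "PerfectData Software", "consentType": "Principal",
     "scope": "Mail.ReadWrite offline_access User.Read"},
    {"activity": "Consent to application", "initiatedBy": "erin@example.com",
     "app": "PerfectData Software", "consentType": "Principal",
     "scope": "Mail.ReadWrite offline_access User.Read"},
    {"activity": "Consent to application", "initiatedBy": "bob@example.com",
     "app": "Contoso Expense Tracker", "consentType": "Principal",
     "scope": "User.Read"},
    {"activity": "Consent to application", "initiatedBy": "admin@example.com",
     "app": "eM Client", "consentType": "AllPrincipals",
     "scope": "IMAP.AccessAsUser.All SMTP.Send offline_access"},
]


def assess(record):
    """Score one consent event; higher means more worth an analyst's time."""
    score, reasons = 0, []
    if record["app"] in KNOWN_ABUSED_APPS:
        score += 3
        reasons.append("application on the known-abused list")
    scopes = set(record["scope"].split())
    mail = sorted(scopes & MAIL_SCOPES)
    if mail:
        score += 2
        reasons.append("mailbox access: " + ", ".join(mail))
    if "offline_access" in scopes:
        score += 1
        reasons.append("offline_access grants a refresh token, so access outlives the session")
    if record["consentType"] == "AllPrincipals":
        score += 2
        reasons.append("tenant-wide (admin) consent covers every user")
    return {"user": record["initiatedBy"], "app": record["app"],
            "score": score, "reasons": reasons}


def prioritize(records, min_score=3):
    """Consent events at or above min_score, highest score first."""
    ranked = sorted((assess(r) for r in records), key=lambda a: a["score"], reverse=True)
    return [a for a in ranked if a["score"] >= min_score]


def consent_spread(records, min_users=2):
    """{app: users} for apps that at least min_users distinct users consented to."""
    users_by_app = defaultdict(set)
    for r in records:
        users_by_app[r["app"]].add(r["initiatedBy"])
    return {app: users for app, users in users_by_app.items() if len(users) >= min_users}


if __name__ == "__main__":
    for finding in prioritize(CONSENTS):
        print(finding)
    print("apps consented to by several users:", consent_spread(CONSENTS))
```

The scope check matters independently of the app list: an application nobody has heard of that asks for `Mail.ReadWrite` plus `offline_access` deserves the same look as a listed one, and a listed app granted only `User.Read` is far less useful to an attacker.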
Exfiltration and impact
A common end goal for attackers is data collection and exfiltration. Data breaches are costly incidents, so in addition to being aware of an attacker’s activity within your environment, it’s also important to know when they attempt to steal important information, such as corporate emails. For Microsoft 365, you should look out for users suddenly downloading an unusual number of files or sharing them with external sources. For example, you should investigate when a user creates an anonymous link in OneDrive. On their own, these activities may not be malicious. But if you compare them with other baseline trends, such as the volume or geolocation of the user’s sync activity, doing so can surface anomalous behavior and potential compromise.
Beyond data exfiltration, attackers may also attempt to disrupt availability for your applications by destroying resources or holding data for ransom as a way to impact your overall operations. For Microsoft 365 services, you can look out for an unusually large number of deleted emails or multiple Microsoft Teams teams being deleted.
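Both of the preceding paragraphs come down to the same detection: compare today's count of a given operation for a given user against that user's own recent history. The following added example (not code from the post or from Datadog) does that for bulk downloads, anonymous link creation, mass mailbox deletion and team deletion. The records are constructed and their shape is simplified; the operation names (`FileDownloaded`, `AnonymousLinkCreated`, `HardDelete`, `TeamDeleted`) are the names those events carry in the Unified Audit Log. The threshold is mean plus k standard deviations over a seven-day baseline, with the deviation floored at one event so that a flat zero baseline (a user who has never created an anonymous link) still yields a usable threshold, plus an absolute minimum so a single stray event never alerts.

```python
"""Volume-based detection of bulk download, external sharing and mass deletion
in Microsoft 365 audit activity. Added example: the records are constructed and
their shape is simplified; the Operation names are the SharePoint/OneDrive,
Exchange mailbox and Teams names that appear in the Unified Audit Log."""
import statistics
from collections import defaultdict

BASELINE_DAYS = [f"2024-05-0{d}" for d in range(1, 8)]   # seven days of history
TODAY = "2024-05-08"


def _rec(day, user, op):
    return {"CreationTime": f"{day}T12:00:00", "UserId": user, "Operation": op}


def _emit(records, user, op, per_day, today):
    # Constructed history: per_day counts for the baseline days, then today's count.
    for day, n in zip(BASELINE_DAYS, per_day):
        records.extend(_rec(day, user, op) for _ in range(n))
    records.extend(_rec(TODAY, user, op) for _ in range(today))


RECORDS = []
_emit(RECORDS, "alice@example.com", "FileDownloaded", [10, 14, 12, 11, 13, 12, 12], 240)
_emit(RECORDS, "alice@example.com", "AnonymousLinkCreated", [0] * 7, 5)
_emit(RECORDS, "bob@example.com", "FileDownloaded", [11, 13, 12, 12, 11, 13, 12], 14)
_emit(RECORDS, "carol@example.com", "HardDelete", [0, 1, 0, 0, 2, 0, 1], 300)
_emit(RECORDS, "admin@example.com", "TeamDeleted", [0] * 7, 6)


def daily_counts(records, days):
    """{(user, operation): {day: count}} with every listed day present (zero-filled)."""
    counts = defaultdict(lambda: {d: 0 for d in days})
    for r in records:
        day = r["CreationTime"][:10]
        bucket = counts[(r["UserId"], r["Operation"])]
        if day in bucket:
            bucket[day] += 1
    return counts


def is_anomalous(today, history, k=3.0, min_events=5):
    """Return (flagged, threshold). Flags when today's count reaches min_events
    and exceeds mean + k * stdev of the history, with stdev floored at 1."""
    mean = statistics.mean(history) if history else 0.0
    sd = statistics.pstdev(history) if len(history) > 1 else 0.0
    threshold = mean + k * max(sd, 1.0)
    return today >= min_events and today > threshold, threshold


def anomalies(records, baseline_days, target_day, **kw):
    """Users and operations whose target-day volume stands out from their own baseline."""
    counts = daily_counts(records, list(baseline_days) + [target_day])
    out = []
    for (user, op), per_day in sorted(counts.items()):
        history = [per_day[d] for d in baseline_days]
        today = per_day[target_day]
        flagged, threshold = is_anomalous(today, history, **kw)
        if flagged:
            out.append({"user": user, "operation": op, "today": today,
                        "baseline_mean": round(statistics.mean(history), 2),
                        "threshold": round(threshold, 2)})
    return out


if __name__ == "__main__":
    for a in anomalies(RECORDS, BASELINE_DAYS, TODAY):
        print(a)
```

Per-user baselines are the point: bob's 14 downloads are normal for bob, while alice's 240 are not, and a single tenant-wide threshold would either miss one or drown in the other. The same aggregation extends naturally to the post's other baseline signals, such as grouping sync activity by source geolocation instead of by operation.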
Secure your Microsoft 365 services with Datadog
We looked at a few ways attackers target Microsoft 365 and how you can detect their activity. Datadog Cloud SIEM provides a Microsoft 365 content pack to simplify the process of monitoring the data described in this post and beyond. Content packs are built on top of Cloud SIEM detections to automatically identify suspicious behavior captured in logs, such as your Microsoft 365 security and audit logs. With the content pack, you have comprehensive visibility into your Microsoft 365 services, user activity, and their interactions with important resources and data. Content packs also include a built-in dashboard for keeping track of all log activity, so you can easily surface key trends in your services and users.
Check out our documentation to learn more about Datadog Cloud SIEM and how it provides visibility into your Microsoft 365 environment. If you don’t already have a Datadog account, you can sign up for a free 14-day trial.