M365 Copilot Application Usage Pattern Anomalies
This detection identifies anomalous M365 Copilot usage patterns indicative of potential account compromise or automated abuse by flagging users accessing Copilot from multiple locations, generating excessive daily activity, or utilizing multiple Copilot applications.
This detection focuses on identifying suspicious usage patterns within Microsoft 365 Copilot applications, specifically targeting activities that deviate from normal user behavior. The anomalous activity can include multi-location access, unusually high activity volumes, and access to multiple Copilot applications within a short period. The aim is to detect potential account compromise where an attacker is leveraging a compromised account to access Copilot resources or identify automated abuse, potentially driven by bots or malicious scripts. This is particularly relevant as organizations increase their reliance on AI-powered tools like Copilot, making them attractive targets for malicious actors seeking to exploit access and data. The detection logic is based on events from the M365 Copilot Graph API.
Attack Chain
- Initial Access: The attacker gains unauthorized access to a legitimate user's M365 account, potentially through phishing, credential stuffing, or other common methods.
- Copilot Access: The attacker leverages the compromised account to access Microsoft 365 Copilot applications.
- Geographic Anomaly: The attacker accesses Copilot from a geographic location that is unusual for the legitimate user, triggering the
cities_count > 1condition. - Activity Spike: The attacker generates a high volume of activity within Copilot, potentially searching for sensitive information or automating tasks, exceeding the
events_per_day > 100threshold. - Application Diversification: The attacker accesses multiple Copilot applications, indicating a broad scope of access and potentially different types of data, triggering the
app_count > 2condition. - Data Access/Exfiltration: The attacker uses Copilot to access sensitive data or perform actions that could lead to data exfiltration or other malicious activities.
- Persistence: The attacker maintains access to the compromised account to continue exploiting Copilot resources.
Impact
A successful attack can result in the unauthorized access and exfiltration of sensitive data stored within Microsoft 365 and accessible through Copilot. This may lead to financial losses, reputational damage, and regulatory fines. The number of potential victims scales with the number of users and the sensitivity of the data accessible through Copilot. Successful attacks can lead to significant business disruption, especially if critical business processes rely on the compromised M365 environment.
Recommendation
- Ensure the Splunk Add-on for Microsoft Office 365 is configured to collect Azure AD Sign-in logs (AuditLogs.SignIns) through the Graph API to populate the
m365_copilot_graph_apimacro. - Deploy the provided Sigma rule to your SIEM and tune the thresholds (
cities_count,events_per_day,app_count) based on your organization's baseline Copilot usage. - Investigate any alerts generated by this detection to determine the legitimacy of the user activity and take appropriate remediation steps.
- Review and enforce multi-factor authentication (MFA) policies to mitigate the risk of account compromise.
Detection coverage 2
M365 Copilot Multi-City Access
mediumDetects M365 Copilot access from multiple cities within a short period, indicating potential account compromise.
M365 Copilot Excessive Activity
mediumDetects users generating an abnormally high number of M365 Copilot events, potentially indicating automated activity or abuse.
Detection queries are available on the platform. Get full rules →