<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft 365 Security and Compliance Center - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-365-security-and-compliance-center/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-365-security-and-compliance-center/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Compliance Content Search Exported</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search-export/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search-export/</guid><description>An adversary exports the results of an Office 365 Security and Compliance Center content search, potentially leading to data exfiltration of sensitive information.</description><content:encoded><![CDATA[<p>The Office 365 Security and Compliance Center provides tools for searching and exporting content across the O365 environment. Attackers can abuse the compliance search functionality to identify and extract sensitive data from mailboxes, SharePoint sites, and other locations. By exporting the results of these searches, adversaries can bypass traditional data loss prevention (DLP) controls and exfiltrate data without triggering typical alerts. This activity is particularly concerning as it can expose sensitive organizational data and violate compliance regulations. The built-in &quot;SearchExported&quot; operation within the SecurityComplianceCenter workload provides defenders with an auditable event to detect this malicious activity within their O365 tenant.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an Office 365 account with sufficient permissions to access the Security &amp; Compliance Center. This could be achieved through phishing, credential stuffing, or other methods of account compromise.</li>
<li>The attacker logs into the Office 365 Security &amp; Compliance Center.</li>
<li>The attacker initiates a content search targeting specific keywords, custodians, or data locations. The search criteria are carefully chosen to identify sensitive information of interest.</li>
<li>The attacker reviews the search results to validate the presence of the targeted sensitive data.</li>
<li>The attacker initiates an export of the search results. This involves selecting an export format (e.g., PST, individual messages) and specifying an export location.</li>
<li>The system processes the export request and prepares the data for download.</li>
<li>The attacker downloads the exported data to their local system or an external storage location.</li>
<li>The attacker exfiltrates the downloaded data from the compromised system to an external location under their control. This may involve using cloud storage, encrypted channels, or other methods to avoid detection. The attacker's goal is to steal sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to exfiltrate sensitive organizational data, including confidential emails, financial records, intellectual property, and customer data. This can lead to significant financial losses, reputational damage, legal liabilities, and regulatory fines. The number of affected individuals and the scope of the data breach will depend on the specific targets and search criteria used by the attacker. Organizations in regulated industries, such as finance and healthcare, are particularly vulnerable due to the strict data protection requirements they must adhere to.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor Office 365 management activity logs for &quot;SearchExported&quot; operations in the SecurityComplianceCenter workload to detect suspicious content search exports. Deploy the <code>O365 Compliance Content Search Exported</code> Sigma rule to your SIEM.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges to limit initial access (TA0001).</li>
<li>Regularly review and audit user permissions in Office 365 to ensure that users only have access to the data they need to perform their job functions.</li>
<li>Configure alerts for unusual or large-scale data exports from Office 365 to identify potential data exfiltration attempts.</li>
<li>Educate users about the risks of phishing and other social engineering attacks to prevent account compromise.</li>
<li>Investigate any detected &quot;SearchExported&quot; events promptly to determine the legitimacy of the export and identify any potential data breaches.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>data-exfiltration</category><category>compliance</category></item></channel></rss>