high
advisory
O365 Advanced Audit Disabled
2 rules, 1 TTP
Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.
Office 365 +3
cloud
o365
audit
defense-evasion
persistence
high
advisory
O365 Security Feature Modification
2 rules, 1 TTP
Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.
Office 365 +3
o365
email_security
defense_evasion
persistence
high
advisory
O365 MFA Bypassed via Trusted IP Addition
2 rules, 1 TTP
An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.
Office 365 +3
mfa_bypass
o365
defense_evasion