Product

Office 365

4 briefs RSS

O365 BEC Email Hiding Rule Creation

This analytic detects the creation of suspicious mailbox rules in Office 365, a common technique used in Business Email Compromise (BEC) to hide emails by identifying rules with short or nonsensical names, marking emails as read, or moving them to specific folders.

Office 365 +4 bec o365 email mailboxrule splunk threat-hunting

2r 1t 3w ago

high advisory

O365 Advanced Audit Disabled

2 rules 1 TTP

Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.

Office 365 +3 cloud o365 audit defense-evasion persistence

2r 1t Jan 3, 2024

high advisory

O365 Security Feature Modification

2 rules 1 TTP

Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.

Office 365 +3 o365 email_security defense_evasion persistence

2r 1t Jan 3, 2024

high advisory

O365 MFA Bypassed via Trusted IP Addition

2 rules 1 TTP

An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.

Office 365 +3 mfa_bypass o365 defense_evasion

2r 1t Jan 3, 2024