<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Office 365 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/office-365/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:15:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/office-365/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Advanced Audit Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-advanced-audit-disabled/</link><pubDate>Wed, 03 Jan 2024 18:15:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-advanced-audit-disabled/</guid><description>Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.</description><content:encoded><![CDATA[<p>This analytic detects instances where the O365 advanced audit is disabled for a specific user within an Office 365 tenant. It leverages O365 audit logs, specifically focusing on events related to audit license changes within Azure Active Directory workloads. Disabling the O365 advanced audit is a significant security concern, as it removes critical logging and visibility into user and administrator activities. Attackers could exploit this gap to operate with a reduced risk of detection. 
The activity is identified via the &ldquo;Change user license.&rdquo; operation and the presence of &ldquo;<em>M365_ADVANCED_AUDITING</em>&rdquo; in the DisabledPlans field of the audit logs. The source is the Splunk ES Content Update (ESCU) with the ID 49862dd4-9cb2-4c48-a542-8c8a588d9361.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a privileged account with sufficient permissions to modify user licenses within the Office 365 tenant.</li>
<li>The attacker uses the privileged account to navigate to the Azure Active Directory or Microsoft 365 admin center.</li>
<li>The attacker modifies the license configuration for a target user account.</li>
<li>Specifically, the attacker disables the &ldquo;M365_ADVANCED_AUDITING&rdquo; plan for the target user, which stops the collection of advanced audit logs.</li>
<li>The system records an O365 management activity event with Operation=&ldquo;Change user license.&rdquo; and the DisabledPlans containing &ldquo;M365_ADVANCED_AUDITING&rdquo;.</li>
<li>With advanced auditing disabled, the attacker performs malicious activities within the target user&rsquo;s account (e.g., data access, data exfiltration, sending phishing emails).</li>
<li>These malicious actions are not fully logged or audited due to the disabled advanced auditing, thus reducing the chances of detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling advanced auditing can blind security teams to malicious actions. Attackers could operate within the user&rsquo;s mailbox or account with reduced risk of detection, potentially leading to unauthorized data access, data exfiltration, or account compromise. This can lead to significant data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect instances of disabled O365 advanced auditing based on <code>o365_management_activity</code> events.</li>
<li>Investigate any detected instances of disabled advanced auditing to determine if the change was authorized and legitimate.</li>
<li>Monitor the O365 management activity logs for &ldquo;Change user license&rdquo; operations, focusing on changes to audit-related plans.</li>
<li>Implement alerting, using the Sigma rule, for changes to user licenses, especially changes that disable audit features.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>o365</category><category>audit</category><category>defense-evasion</category><category>persistence</category></item><item><title>O365 Security Feature Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-security-feature-changed/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-security-feature-changed/</guid><description>Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.</description><content:encoded><![CDATA[<p>Attackers may target Office 365 security settings to weaken defenses and operate with impunity inside the tenant. By disabling or modifying features like AntiPhish, SafeLink, SafeAttachment, and Malware policies, attackers reduce the chances of their malicious activities being detected. This allows them to conduct unauthorized data access, data exfiltration, account compromise, and other malicious actions without triggering alerts or leaving a clear audit trail. These modifications can persist over time, enabling long-term access and control within the compromised environment. The modifications leave evidence in the Office 365 Management Activity logs, which defenders can monitor for suspicious changes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to an account with sufficient privileges to modify O365 security settings, potentially through credential theft or phishing (not detailed in source).</li>
<li>Privilege Escalation (if needed): If the compromised account lacks the necessary permissions, the attacker attempts to escalate privileges within the O365 tenant.</li>
<li>Discovery: The attacker uses the compromised account to explore the O365 environment and identify available security settings that can be modified or disabled.</li>
<li>Disable Security Features: The attacker disables or modifies key security features, such as AntiPhish, SafeLink, SafeAttachment, and Malware policies, using O365 management tools or PowerShell cmdlets (e.g., Set-AntiPhishPolicy).</li>
<li>Persistence: By weakening security controls, the attacker establishes a persistent presence within the O365 tenant, reducing the likelihood of detection.</li>
<li>Data Exfiltration/Lateral Movement: With security features disabled, the attacker can move laterally within the environment, access sensitive data, and exfiltrate it without triggering security alerts.</li>
<li>Cover Tracks: The attacker may attempt to delete or modify audit logs to further conceal their activities, though this is not directly described in the source.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of O365 security features can lead to significant damage, including unauthorized access to sensitive data, data exfiltration, account compromise, and further malicious activities within the tenant. The reduction in security monitoring creates a window of opportunity for attackers to conduct a wide range of attacks without being detected, leading to potential financial losses, reputational damage, and compliance violations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided below to your SIEM and tune them for your environment to detect changes to O365 email security features based on the <code>o365_management_activity</code> logs.</li>
<li>Investigate any alerts triggered by the Sigma rules to determine the legitimacy of the changes and the potential impact on the security posture of the O365 tenant.</li>
<li>Monitor the Office 365 Universal Audit Log for suspicious activities related to the modification of security settings as outlined in the <code>search</code> query in the brief.</li>
<li>Review and harden O365 role-based access controls (RBAC) to limit the accounts that can modify security settings, following Microsoft&rsquo;s security recommendations at <a href="https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults">https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults</a>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>email_security</category><category>defense_evasion</category><category>persistence</category></item><item><title>O365 MFA Bypassed via Trusted IP Addition</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-mfa-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-mfa-bypass/</guid><description>An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.</description><content:encoded><![CDATA[<p>Attackers can weaken an organization&rsquo;s security by adding new IP addresses to the trusted IPs list in Office 365. By manipulating the trusted IP configuration, attackers can bypass Multi-Factor Authentication (MFA), gaining unauthorized access to sensitive resources and systems. This technique circumvents a critical security control designed to protect against credential compromise. The activity is often performed after initial access has been gained through other means, such as phishing or credential stuffing. Defenders should monitor changes to trusted IP configurations and investigate any unauthorized modifications promptly. The references suggest this technique is used to maintain persistence in compromised cloud environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an account with sufficient privileges, possibly via credential compromise or phishing.</li>
<li>The attacker authenticates to the Office 365 portal using the compromised credentials.</li>
<li>The attacker navigates to the Azure Active Directory admin center.</li>
<li>The attacker modifies the Conditional Access policies to add a new trusted IP range. This is achieved by setting the <code>StrongAuthenticationPolicy</code> property.</li>
<li>The change is recorded in the O365 management activity logs with <code>ModifiedProperties{}.Name</code> set to <code>StrongAuthenticationPolicy</code>.</li>
<li>The <code>ModifiedProperties{}.NewValue</code> field of that event contains the newly added IP address range from which MFA can be bypassed.</li>
<li>The attacker uses a device within the newly trusted IP range to authenticate to Office 365 services.</li>
<li>MFA is bypassed, granting the attacker access to sensitive data and systems within the organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to significant damage. Attackers can gain unauthorized access to sensitive information, potentially leading to data breaches, financial losses, and reputational damage. By bypassing MFA, attackers can move laterally within the organization&rsquo;s cloud environment, compromising additional accounts and resources. The number of affected users and the severity of the impact depend on the scope of access granted to the compromised account. Organizations in all sectors that rely on Office 365 are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Install the Splunk Microsoft Office 365 add-on to ingest the required logs, as mentioned in the &ldquo;how_to_implement&rdquo; section.</li>
<li>Deploy the provided Sigma rule to detect suspicious modifications to trusted IP addresses in O365.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user (<code>user</code>) and IP address (<code>ip_addresses_new_added</code>) involved.</li>
<li>Review existing Conditional Access policies and trusted IP configurations to ensure they align with security best practices.</li>
<li>Implement stricter monitoring and alerting for administrative accounts to detect unauthorized changes to security configurations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mfa_bypass</category><category>o365</category><category>defense_evasion</category></item></channel></rss>