{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/byod/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Copilot"],"_cs_severities":["medium"],"_cs_tags":["microsoft365","copilot","devicecompliance","byod"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies users accessing Microsoft 365 Copilot from devices that do not meet the organization\u0026rsquo;s compliance standards or are not managed by IT. If unsanctioned, this activity introduces risks such as data leakage, malware infection, and policy violations. The detection looks for sign-in events in which the \u003ccode\u003edeviceDetail.isCompliant\u003c/code\u003e or \u003ccode\u003edeviceDetail.isManaged\u003c/code\u003e field is false in the Microsoft Entra ID (Azure AD) sign-in logs (AuditLogs.SignIns) retrieved through the Microsoft Graph API. The goal is to proactively flag users reaching corporate resources from unsecured endpoints so that security teams can investigate and remediate shadow IT, unauthorized BYOD use, or compromised devices lacking adequate security controls. Restrict the logic to successful sign-ins (\u003ccode\u003estatus.errorCode\u003c/code\u003e of 0) and weigh user role, device type, and network location to keep false positives down.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user attempts to access M365 Copilot through a web browser or application on a device.\u003c/li\u003e\n\u003cli\u003eMicrosoft Entra ID (Azure AD) authenticates the user with the provided credentials.\u003c/li\u003e\n\u003cli\u003eThe device\u0026rsquo;s compliance and management status are evaluated during sign-in.\u003c/li\u003e\n\u003cli\u003eIf the device is non-compliant (\u003ccode\u003edeviceDetail.isCompliant=false\u003c/code\u003e) or unmanaged (\u003ccode\u003edeviceDetail.isManaged=false\u003c/code\u003e), the sign-in is recorded in the Entra ID sign-in logs (AuditLogs.SignIns), which the Microsoft Graph API exposes.\u003c/li\u003e\n\u003cli\u003eThe activity is aggregated and analyzed by user, operating system, browser, IP address, and geographic location.\u003c/li\u003e\n\u003cli\u003eSecurity analysts review flagged events for suspicious patterns.\u003c/li\u003e\n\u003cli\u003eIf unauthorized access is confirmed, the user and/or device is blocked from accessing M365 Copilot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAccess to M365 Copilot from non-compliant devices can expose sensitive corporate data to unmanaged or unsecured environments, raising the risk of data leakage, malware infection, and regulatory non-compliance. An attacker who controls such a device could reach the sensitive data Copilot processes, leading to a data breach, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Splunk Add-on for Microsoft Office 365 and configure it to collect Entra ID (Azure AD) sign-in logs (AuditLogs.SignIns) via the Graph API data input, as outlined in the detection\u0026rsquo;s \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;M365 Copilot Access from Non-Compliant Device\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate the alerts it generates, prioritizing users with a high number of events or access from multiple geographic locations.\u003c/li\u003e\n\u003cli\u003eImplement and enforce Mobile Device Management (MDM) policies so that every device accessing corporate resources is managed and compliant, and consider a Conditional Access policy that requires a compliant or hybrid-joined device for Copilot so that such access is blocked rather than only logged.\u003c/li\u003e\n\u003cli\u003eEducate employees about the risks of using non-compliant devices and the importance of adhering to corporate security policies.\u003c/li\u003e\n\u003cli\u003eReview and refine device compliance policies based on observed access patterns and the false positives described in \u0026ldquo;known_false_positives.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-m365-copilot-non-compliant-access/","summary":"Detection of M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, potentially indicating shadow IT, BYOD policy violations, or compromised endpoint access.","title":"M365 Copilot Access from Non-Compliant Devices","url":"https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Byod","version":"https://jsonfeed.org/version/1.1"}
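The detection logic described in the advisory above, as an added runnable example (not code from the CraftedSignal feed, from Microsoft, or from the Splunk add-on): it evaluates constructed Microsoft Graph `auditLogs/signIns` records, using the real `deviceDetail.isCompliant` and `deviceDetail.isManaged` fields of the signIn resource, keeps only successful Copilot sign-ins, suppresses a sanctioned BYOD user when they also come from a trusted network, and aggregates the rest per user by operating system, browser, IP address and country. The Copilot app-name match, the trusted CIDR range, the approved-BYOD list and the sample records are all assumptions for illustration.

```python
"""Flag Microsoft 365 Copilot sign-ins from non-compliant or unmanaged devices.

Added example. Input records mimic Microsoft Graph signIn objects
(GET /v1.0/auditLogs/signIns), i.e. the AuditLogs.SignIns data the
advisory refers to. Field names follow the Graph signIn resource; the
sample records and all tuning inputs below are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Assumption: Copilot sign-ins are identified by the app/resource display name.
COPILOT_APP_MARKER = "copilot"

# Constructed tuning inputs (replace with your own).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. corporate VPN egress
APPROVED_BYOD_USERS = {"contractor@contoso.example"}          # sanctioned BYOD exemptions


def is_copilot_app(record):
    """True if the app or resource display name looks like Copilot (assumed match)."""
    app = (record.get("appDisplayName") or "") + " " + (record.get("resourceDisplayName") or "")
    return COPILOT_APP_MARKER in app.lower()


def device_not_compliant(record):
    """True when deviceDetail.isCompliant or deviceDetail.isManaged is not true.

    Missing/null fields (typical for a device with no Entra registration) are
    treated as non-compliant: an unregistered device cannot be managed. This is
    deliberately stricter than a literal `== false` comparison.
    """
    dd = record.get("deviceDetail") or {}
    return dd.get("isCompliant") is not True or dd.get("isManaged") is not True


def is_successful(record):
    """Only successful sign-ins (status.errorCode == 0) actually reached Copilot."""
    return (record.get("status") or {}).get("errorCode", 0) == 0


def from_trusted_network(ip):
    """True if the source IP falls inside one of the trusted ranges."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_signin(record):
    """Return True if this sign-in should raise an alert."""
    if not is_copilot_app(record) or not is_successful(record):
        return False
    if not device_not_compliant(record):
        return False
    user = (record.get("userPrincipalName") or "").lower()
    # Suppress only when BOTH exemptions hold: approved BYOD user AND trusted network.
    if user in APPROVED_BYOD_USERS and from_trusted_network(record.get("ipAddress")):
        return False
    return True


def summarize(records):
    """Aggregate flagged sign-ins per user: count, OS, browsers, IPs, countries."""
    out = defaultdict(lambda: {"count": 0, "os": set(), "browsers": set(),
                               "ips": set(), "countries": set()})
    for r in records:
        if not flag_signin(r):
            continue
        user = (r.get("userPrincipalName") or "").lower()
        dd = r.get("deviceDetail") or {}
        loc = r.get("location") or {}
        s = out[user]
        s["count"] += 1
        s["os"].add(dd.get("operatingSystem") or "unknown")
        s["browsers"].add(dd.get("browser") or "unknown")
        s["ips"].add(r.get("ipAddress") or "unknown")
        s["countries"].add(loc.get("countryOrRegion") or "unknown")
    return dict(out)


def _rec(user, app, ip, country, dd, error_code=0):
    """Build a constructed signIn-like record."""
    return {"userPrincipalName": user, "appDisplayName": app, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "deviceDetail": dd,
            "status": {"errorCode": error_code}}


# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "Microsoft 365 Copilot", "198.51.100.7", "US",
         {"operatingSystem": "Windows 11", "browser": "Chrome", "isCompliant": False, "isManaged": False}),
    _rec("alice@contoso.example", "Microsoft 365 Copilot", "198.51.100.7", "US",
         {"operatingSystem": "Windows 11", "browser": "Edge", "isCompliant": True, "isManaged": True}),
    _rec("bob@contoso.example", "Microsoft 365 Copilot", "192.0.2.9", "DE", {}),  # unregistered device
    _rec("contractor@contoso.example", "Microsoft 365 Copilot", "203.0.113.5", "US",
         {"operatingSystem": "MacOs", "browser": "Safari", "isCompliant": False, "isManaged": False}),
    _rec("contractor@contoso.example", "Microsoft 365 Copilot", "192.0.2.10", "BR",
         {"operatingSystem": "MacOs", "browser": "Safari", "isCompliant": False, "isManaged": False}),
    _rec("carol@contoso.example", "Microsoft Outlook", "192.0.2.11", "US",
         {"operatingSystem": "iOS", "browser": "Mobile Safari", "isCompliant": False, "isManaged": False}),
    _rec("dave@contoso.example", "Microsoft 365 Copilot", "192.0.2.12", "US",
         {"operatingSystem": "Android", "browser": "Chrome", "isCompliant": False, "isManaged": False},
         error_code=50126),  # failed sign-in: invalid credentials, never reached Copilot
]

if __name__ == "__main__":
    for user, stats in summarize(SAMPLE_SIGNINS).items():
        print(user, stats)
```

Of the seven constructed records only three alert: alice's unmanaged Windows sign-in, bob's sign-in from a device with no `deviceDetail` at all, and the contractor's sign-in from outside the trusted range. The compliant device, the non-Copilot app, the failed sign-in, and the contractor on the trusted network are all suppressed, which is the kind of tuning the advisory's "user roles, device types, and network locations" sentence is pointing at.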