{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/compliance/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft 365 Security and Compliance Center"],"_cs_severities":["high"],"_cs_tags":["o365","data-exfiltration","compliance"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Office 365 Security and Compliance Center provides tools for searching and exporting content across the O365 environment. Attackers can abuse the compliance search functionality to identify and extract sensitive data from mailboxes, SharePoint sites, and other locations. By exporting the results of these searches, adversaries can bypass traditional data loss prevention (DLP) controls and exfiltrate data without triggering typical alerts. This activity is particularly concerning as it can expose sensitive organizational data and violate compliance regulations. The built-in \u0026quot;SearchExported\u0026quot; operation within the SecurityComplianceCenter workload provides defenders with an auditable event to detect this malicious activity within their O365 tenant.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an Office 365 account with sufficient permissions to access the Security \u0026amp; Compliance Center. This could be achieved through phishing, credential stuffing, or other methods of account compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Office 365 Security \u0026amp; Compliance Center.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a content search targeting specific keywords, custodians, or data locations. The search criteria are carefully chosen to identify sensitive information of interest.\u003c/li\u003e\n\u003cli\u003eThe attacker reviews the search results to validate the presence of the targeted sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an export of the search results. This involves selecting an export format (e.g., PST, individual messages) and specifying an export location.\u003c/li\u003e\n\u003cli\u003eThe system processes the export request and prepares the data for download.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the exported data to their local system or an external storage location.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the downloaded data from the compromised system to an external location under their control. This may involve using cloud storage, encrypted channels, or other methods to avoid detection. The attacker's goal is to steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to exfiltrate sensitive organizational data, including confidential emails, financial records, intellectual property, and customer data. This can lead to significant financial losses, reputational damage, legal liabilities, and regulatory fines. The number of affected individuals and the scope of the data breach will depend on the specific targets and search criteria used by the attacker. Organizations in regulated industries, such as finance and healthcare, are particularly vulnerable due to the strict data protection requirements they must adhere to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Office 365 management activity logs for \u0026quot;SearchExported\u0026quot; operations in the SecurityComplianceCenter workload to detect suspicious content search exports. Deploy the \u003ccode\u003eO365 Compliance Content Search Exported\u003c/code\u003e Sigma rule to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges to limit initial access (TA0001).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user permissions in Office 365 to ensure that users only have access to the data they need to perform their job functions.\u003c/li\u003e\n\u003cli\u003eConfigure alerts for unusual or large-scale data exports from Office 365 to identify potential data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and other social engineering attacks to prevent account compromise.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u0026quot;SearchExported\u0026quot; events promptly to determine the legitimacy of the export and identify any potential data breaches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search-export/","summary":"An adversary exports the results of an Office 365 Security and Compliance Center content search, potentially leading to data exfiltration of sensitive information.","title":"O365 Compliance Content Search Exported","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search-export/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Office 365"],"_cs_severities":["medium"],"_cs_tags":["o365","compliance","content search","data exfiltration"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies the initiation of content searches within the Office 365 Security and Compliance Center, an activity that can indicate attempts to access sensitive data. The detection focuses on the \u0026quot;SearchCreated\u0026quot; operation within the o365_management_activity logs, specifically from the SecurityComplianceCenter workload. Content searches, while sometimes legitimate, can also be used maliciously to identify and access confidential emails, documents, and other sensitive information. Successful exploitation can lead to unauthorized data access, data exfiltration, and significant compliance violations, potentially impacting a broad range of organizations utilizing Microsoft 365 services. Defenders should monitor these events closely to differentiate between legitimate use and potential malicious activity, particularly when combined with other suspicious behaviors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised or rogue user account within the target Office 365 environment, possibly through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Office 365 environment using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Office 365 Security and Compliance Center.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a content search using the \u0026quot;SearchCreated\u0026quot; operation, targeting specific mailboxes or SharePoint sites.\u003c/li\u003e\n\u003cli\u003eThe attacker defines search criteria to identify sensitive data, potentially using keywords or specific date ranges.\u003c/li\u003e\n\u003cli\u003eThe system executes the content search and the results are stored.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the search results, reviewing sensitive emails or documents.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the sensitive data from the Office 365 environment, potentially through email, cloud storage, or other means.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access and exfiltration of sensitive organizational data, including emails, documents, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and compliance violations. Depending on the scope and nature of the data compromised, the impact could range from individual privacy breaches to large-scale corporate espionage. Organizations in regulated industries such as finance, healthcare, and government are particularly vulnerable due to the sensitive nature of the data they handle.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure proper installation and configuration of the Splunk Microsoft Office 365 Add-on to ingest relevant Office 365 management activity events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Compliance Content Search Started\u003c/code\u003e to your SIEM and tune for your environment, paying close attention to known false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eSearchCreated\u003c/code\u003e events, focusing on the user initiating the search, the targets of the search, and the search criteria used.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual network activity or data exfiltration following a detected content search.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to protect against compromised accounts, reducing the risk of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search/","summary":"Detection of content search initiation within the Office 365 Security and Compliance Center using the SearchCreated operation, which may signal unauthorized access to sensitive organizational data such as emails and documents, potentially leading to data exfiltration and compliance breaches.","title":"O365 Compliance Content Search Activity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search/"}],"language":"en","title":"CraftedSignal Threat Feed - Compliance","version":"https://jsonfeed.org/version/1.1"}