<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Content Search - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/content-search/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/content-search/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Compliance Content Search Activity Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-compliance-search/</guid><description>Detection of content search initiation within the Office 365 Security and Compliance Center using the SearchCreated operation, which may signal unauthorized access to sensitive organizational data such as emails and documents, potentially leading to data exfiltration and compliance breaches.</description><content:encoded><![CDATA[<p>This analytic identifies the initiation of content searches within the Office 365 Security and Compliance Center, an activity that can indicate attempts to access sensitive data. The detection focuses on the &quot;SearchCreated&quot; operation within the o365_management_activity logs, specifically from the SecurityComplianceCenter workload. Content searches, while sometimes legitimate, can also be used maliciously to identify and access confidential emails, documents, and other sensitive information. Successful exploitation can lead to unauthorized data access, data exfiltration, and significant compliance violations, potentially impacting a broad range of organizations utilizing Microsoft 365 services. Defenders should monitor these events closely to differentiate between legitimate use and potential malicious activity, particularly when combined with other suspicious behaviors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a compromised or rogue user account within the target Office 365 environment, possibly through phishing or credential stuffing.</li>
<li>The attacker authenticates to the Office 365 environment using the compromised account.</li>
<li>The attacker navigates to the Office 365 Security and Compliance Center.</li>
<li>The attacker initiates a content search using the &quot;SearchCreated&quot; operation, targeting specific mailboxes or SharePoint sites.</li>
<li>The attacker defines search criteria to identify sensitive data, potentially using keywords or specific date ranges.</li>
<li>The system executes the content search and the results are stored.</li>
<li>The attacker accesses the search results, reviewing sensitive emails or documents.</li>
<li>The attacker exfiltrates the sensitive data from the Office 365 environment, potentially through email, cloud storage, or other means.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access and exfiltration of sensitive organizational data, including emails, documents, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and compliance violations. Depending on the scope and nature of the data compromised, the impact could range from individual privacy breaches to large-scale corporate espionage. Organizations in regulated industries such as finance, healthcare, and government are particularly vulnerable due to the sensitive nature of the data they handle.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure proper installation and configuration of the Splunk Microsoft Office 365 Add-on to ingest relevant Office 365 management activity events.</li>
<li>Deploy the Sigma rule <code>O365 Compliance Content Search Started</code> to your SIEM and tune for your environment, paying close attention to known false positives.</li>
<li>Investigate any detected <code>SearchCreated</code> events, focusing on the user initiating the search, the targets of the search, and the search criteria used.</li>
<li>Monitor for unusual network activity or data exfiltration following a detected content search.</li>
<li>Implement multi-factor authentication (MFA) to protect against compromised accounts, reducing the risk of unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>o365</category><category>compliance</category><category>content search</category><category>data exfiltration</category></item></channel></rss>