Devicecompliance — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/devicecompliance/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 10:00:00 +0000M365 Copilot Access from Non-Compliant Deviceshttps://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/Detection of M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, potentially indicating shadow IT, BYOD policy violations, or compromised endpoint access.This detection identifies instances of users accessing Microsoft 365 Copilot from devices that do not meet the organization’s compliance standards or are not managed by the IT department. This activity, if unsanctioned, introduces risks like data leakage, malware infections, and policy violations. The detection focuses on identifying access events where the deviceDetail.isCompliant or deviceDetail.isManaged fields are false within the M365 Copilot Graph API logs. The goal is to proactively flag users accessing corporate resources through unsecured endpoints, enabling security teams to promptly investigate and remediate potential threats or policy breaches linked to shadow IT, unauthorized BYOD practices, or compromised devices lacking adequate security controls. The detection logic is designed to minimize false positives by considering factors like user roles, device types, and network locations.

Attack Chain

  1. User attempts to access M365 Copilot through a web browser or application on a device.
  2. Azure AD authenticates the user based on provided credentials.
  3. The device’s compliance status and management status are evaluated during the sign-in process.
  4. If the device is flagged as non-compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false), the sign-in attempt is logged in the M365 Copilot Graph API (AuditLogs.SignIns).
  5. The activity is aggregated and analyzed, noting the user, operating system, browser, IP address, and geographic location.
  6. Security analysts review flagged events for suspicious patterns.
  7. If unauthorized access is confirmed, the user and/or device are blocked from accessing M365 Copilot.

Impact

Unauthorized access to M365 Copilot from non-compliant devices could expose sensitive corporate data to unmanaged or unsecured environments. This increases the risk of data leakage, malware infections, and regulatory compliance violations. If successful, attackers could potentially gain access to sensitive data processed by M365 Copilot, leading to data breaches, financial loss, and reputational damage.

Recommendation

  • Enable the Splunk Add-on for Microsoft Office 365 and configure it to collect Azure AD Sign-in logs (AuditLogs.SignIns) via the Graph API data input as outlined in the “how_to_implement” section.
  • Deploy the Sigma rule “M365 Copilot Access from Non-Compliant Device” to your SIEM and tune for your environment to detect access from non-compliant devices.
  • Investigate any alerts generated by the Sigma rule, focusing on users with a high number of events or access from multiple geographic locations.
  • Implement and enforce Mobile Device Management (MDM) policies to ensure all devices accessing corporate resources are managed and compliant.
  • Educate employees about the risks of using non-compliant devices and the importance of adhering to corporate security policies.
  • Review and refine device compliance policies based on the observed access patterns and potential false positives as described in “known_false_positives.”
]]>mediumadvisorymicrosoft365copilotdevicecompliancebyod