{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/email_security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["o365","email_security","defense_evasion","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may target Office 365 security settings to weaken defenses and operate with impunity inside the tenant. By disabling or modifying features like AntiPhish, SafeLink, SafeAttachment, and Malware policies, attackers reduce the chances of their malicious activities being detected. This allows them to conduct unauthorized data access, data exfiltration, account compromise, and other malicious actions without triggering alerts or leaving a clear audit trail. These modifications can persist over time, enabling long-term access and control within the compromised environment. The modifications leave evidence in the Office 365 Management Activity logs, which defenders can monitor for suspicious changes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to an account with sufficient privileges to modify O365 security settings, potentially through credential theft or phishing (not detailed in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): If the compromised account lacks the necessary permissions, the attacker attempts to escalate privileges within the O365 tenant.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses the compromised account to explore the O365 environment and identify available security settings that can be modified or disabled.\u003c/li\u003e\n\u003cli\u003eDisable Security Features: The attacker disables or modifies key security features, such as AntiPhish, SafeLink, SafeAttachment, and Malware policies, using O365 management tools or PowerShell cmdlets (e.g., Set-AntiPhishPolicy).\u003c/li\u003e\n\u003cli\u003ePersistence: By weakening security controls, the attacker establishes a persistent presence within the O365 tenant, reducing the likelihood of detection.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Lateral Movement: With security features disabled, the attacker can move laterally within the environment, access sensitive data, and exfiltrate it without triggering security alerts.\u003c/li\u003e\n\u003cli\u003eCover Tracks: The attacker may attempt to delete or modify audit logs to further conceal their activities, though this is not directly described in the source.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of O365 security features can lead to significant damage, including unauthorized access to sensitive data, data exfiltration, account compromise, and further malicious activities within the tenant. The reduction in security monitoring creates a window of opportunity for attackers to conduct a wide range of attacks without being detected, leading to potential financial losses, reputational damage, and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your environment to detect changes to O365 email security features based on the \u003ccode\u003eo365_management_activity\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules to determine the legitimacy of the changes and the potential impact on the security posture of the O365 tenant.\u003c/li\u003e\n\u003cli\u003eMonitor the Office 365 Universal Audit Log for suspicious activities related to the modification of security settings as outlined in the \u003ccode\u003esearch\u003c/code\u003e query in the brief.\u003c/li\u003e\n\u003cli\u003eReview and harden O365 role-based access controls (RBAC) to limit the accounts that can modify security settings, following Microsoft\u0026rsquo;s security recommendations at \u003ca href=\"https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults\"\u003ehttps://learn.microsoft.com/en-us/entra/fundamentals/security-defaults\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-o365-security-feature-changed/","summary":"Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.","title":"O365 Security Feature Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-security-feature-changed/"}],"language":"en","title":"CraftedSignal Threat Feed — Email_security","version":"https://jsonfeed.org/version/1.1"}