Threat Feed

Tag

Microsoft365

6 briefs
high threat

Microsoft 365 Copilot Multiple Vulnerabilities

A remote, anonymous attacker can exploit multiple vulnerabilities in Microsoft 365 Copilot to execute arbitrary program code and disclose confidential information.

Microsoft 365 Copilot microsoft365 copilot vulnerability code_execution information_disclosure
2r 2t
high advisory

Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, which bypasses MFA by relaying authentication and capturing session material. It identifies UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents.

Microsoft 365 +2 cloud identity saas microsoft365 aitm tycoon2fa phishing
2r 2t
medium advisory

Microsoft 365 Copilot Business Chat Information Disclosure Vulnerabilities

Multiple vulnerabilities in Microsoft 365 Copilot Business Chat allow an anonymous remote attacker to disclose sensitive information.

Microsoft 365 Copilot Business Chat information-disclosure cloud microsoft365
2r 1t
medium advisory

M365 Identity Login from Atypical Region

Analyzes login events and user location patterns to detect successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window, potentially indicating unauthorized access attempts.

Microsoft 365 cloud identity microsoft365
2r 1t
medium advisory

Microsoft 365 Suspicious Email Delivery

This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.

Microsoft 365 suspicious-email phishing microsoft365
2r 2t
medium advisory

M365 Copilot Access from Non-Compliant Devices

Detection of M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, potentially indicating shadow IT, BYOD policy violations, or compromised endpoint access.

M365 Copilot microsoft365 copilot devicecompliance byod
2r