{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/microsoft_365/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Entra ID"],"_cs_severities":["high"],"_cs_tags":["cloud","saas","azure","entra_id","microsoft_365","initial_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances where successful sign-in events in Microsoft 365 (M365) or Entra ID are associated with suspicious network activity. The rule correlates sign-in logs with network security alerts based on the source IP address. Attackers might trigger network security alerts, such as those related to IP reputation or anomalous behavior, before attempting to access cloud resources. This approach allows defenders to detect potentially compromised accounts based on anomalous network behavior preceding cloud access. The rule is designed to detect initial access attempts and requires Azure Fleet, Office 365 Logs Fleet integration, Filebeat module, or similarly structured data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user\u0026rsquo;s credentials through methods like phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access network resources from a suspicious IP address.\u003c/li\u003e\n\u003cli\u003eThis activity triggers a network security alert based on reputation or other anomalies.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates to Entra ID or Microsoft 365 from the same suspicious IP address.\u003c/li\u003e\n\u003cli\u003eThe rule correlates the successful sign-in event with the network security alert, flagging the activity.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses mail items within Microsoft 365.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the cloud environment, accessing other resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, compromised accounts, and lateral movement within the cloud environment. The scope of the impact depends on the permissions and roles associated with the compromised account. This can lead to data breaches, financial loss, and reputational damage. Identifying these incidents early can significantly reduce the potential damage and contain the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID or Microsoft 365 Sign-in with Network Alert\u003c/code\u003e to your SIEM to detect correlated sign-in and network alert events.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u003ccode\u003eEntra ID or Microsoft 365 Sign-in with Network Alert\u003c/code\u003e rule by reviewing associated network alerts and sign-in logs.\u003c/li\u003e\n\u003cli\u003eEnable and review Azure and Microsoft 365 audit logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnsure network security alerts are configured to detect suspicious activity such as unusual source IPs as referenced by the logic in the provided ESQL query.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication to mitigate credential compromise, as referenced in the Microsoft best practices link.\u003c/li\u003e\n\u003cli\u003eUse the Microsoft recommended best practices for user account monitoring and protection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:25:41Z","date_published":"2026-05-21T20:25:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-m365-entra-suspicious-signin/","summary":"This rule correlates Entra ID or Microsoft 365 mail successful sign-in events with network security alerts by source address, indicating potential initial access by adversaries triggering network security alerts before accessing cloud resources.","title":"M365 or Entra ID Identity Sign-in from a Suspicious Source","url":"https://feed.craftedsignal.io/briefs/2026-05-m365-entra-suspicious-signin/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft_365","version":"https://jsonfeed.org/version/1.1"}