{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/o365/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cloud","o365","audit","defense-evasion","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis analytic detects instances where the O365 advanced audit is disabled for a specific user within an Office 365 tenant. It leverages O365 audit logs, specifically focusing on events related to audit license changes within Azure Active Directory workloads. Disabling the O365 advanced audit is a significant security concern, as it removes critical logging and visibility into user and administrator activities. Attackers could exploit this gap to operate with a reduced risk of detection. The activity is identified via the \u0026ldquo;Change user license.\u0026rdquo; operation and the presence of \u0026ldquo;\u003cem\u003eM365_ADVANCED_AUDITING\u003c/em\u003e\u0026rdquo; in the DisabledPlans field of the audit logs. 
The source is the Splunk ES Content Update (ESCU) with the ID 49862dd4-9cb2-4c48-a542-8c8a588d9361.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a privileged account with sufficient permissions to modify user licenses within the Office 365 tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the privileged account to navigate to the Azure Active Directory or Microsoft 365 admin center.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the license configuration for a target user account.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker disables the \u0026ldquo;M365_ADVANCED_AUDITING\u0026rdquo; plan for the target user, which stops the collection of advanced audit logs.\u003c/li\u003e\n\u003cli\u003eThe system records an O365 management activity event with Operation=\u0026ldquo;Change user license.\u0026rdquo; and the DisabledPlans containing \u0026ldquo;M365_ADVANCED_AUDITING\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eWith advanced auditing disabled, the attacker performs malicious activities within the target user\u0026rsquo;s account (e.g., data access, data exfiltration, sending phishing emails).\u003c/li\u003e\n\u003cli\u003eThese malicious actions are not fully logged or audited due to the disabled advanced auditing, thus reducing the chances of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling advanced auditing can blind security teams to malicious actions. Attackers could operate within the user\u0026rsquo;s mailbox or account with reduced risk of detection, potentially leading to unauthorized data access, data exfiltration, or account compromise. 
This can lead to significant data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of disabled O365 advanced auditing based on \u003ccode\u003eo365_management_activity\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of disabled advanced auditing to determine if the change was authorized and legitimate.\u003c/li\u003e\n\u003cli\u003eMonitor the O365 management activity logs for \u0026ldquo;Change user license\u0026rdquo; operations, focusing on changes to audit-related plans.\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to user license, especially those that disable audit features using the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-o365-advanced-audit-disabled/","summary":"Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.","title":"O365 Advanced Audit Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-advanced-audit-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["o365","email_security","defense_evasion","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may target Office 365 security settings to weaken defenses and operate with impunity inside the tenant. By disabling or modifying features like AntiPhish, SafeLink, SafeAttachment, and Malware policies, attackers reduce the chances of their malicious activities being detected. 
This allows them to conduct unauthorized data access, data exfiltration, account compromise, and other malicious actions without triggering alerts or leaving a clear audit trail. These modifications can persist over time, enabling long-term access and control within the compromised environment. The modifications leave evidence in the Office 365 Management Activity logs, which defenders can monitor for suspicious changes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to an account with sufficient privileges to modify O365 security settings, potentially through credential theft or phishing (not detailed in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): If the compromised account lacks the necessary permissions, the attacker attempts to escalate privileges within the O365 tenant.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses the compromised account to explore the O365 environment and identify available security settings that can be modified or disabled.\u003c/li\u003e\n\u003cli\u003eDisable Security Features: The attacker disables or modifies key security features, such as AntiPhish, SafeLink, SafeAttachment, and Malware policies, using O365 management tools or PowerShell cmdlets (e.g., Set-AntiPhishPolicy).\u003c/li\u003e\n\u003cli\u003ePersistence: By weakening security controls, the attacker establishes a persistent presence within the O365 tenant, reducing the likelihood of detection.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Lateral Movement: With security features disabled, the attacker can move laterally within the environment, access sensitive data, and exfiltrate it without triggering security alerts.\u003c/li\u003e\n\u003cli\u003eCover Tracks: The attacker may attempt to delete or modify audit logs to further conceal their activities, though this is not directly described in the 
source.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of O365 security features can lead to significant damage, including unauthorized access to sensitive data, data exfiltration, account compromise, and further malicious activities within the tenant. The reduction in security monitoring creates a window of opportunity for attackers to conduct a wide range of attacks without being detected, leading to potential financial losses, reputational damage, and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your environment to detect changes to O365 email security features based on the \u003ccode\u003eo365_management_activity\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules to determine the legitimacy of the changes and the potential impact on the security posture of the O365 tenant.\u003c/li\u003e\n\u003cli\u003eMonitor the Office 365 Universal Audit Log for suspicious activities related to the modification of security settings as outlined in the \u003ccode\u003esearch\u003c/code\u003e query in the brief.\u003c/li\u003e\n\u003cli\u003eReview and harden O365 role-based access controls (RBAC) to limit the accounts that can modify security settings, following Microsoft\u0026rsquo;s security recommendations at \u003ca href=\"https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults\"\u003ehttps://learn.microsoft.com/en-us/entra/fundamentals/security-defaults\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-o365-security-feature-changed/","summary":"Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, 
to evade detection and operate with reduced risk within the target tenant.","title":"O365 Security Feature Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-security-feature-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["mfa_bypass","o365","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers can weaken an organization\u0026rsquo;s security by adding new IP addresses to the trusted IPs list in Office 365. By manipulating the trusted IP configuration, attackers can bypass Multi-Factor Authentication (MFA), gaining unauthorized access to sensitive resources and systems. This technique circumvents a critical security control designed to protect against credential compromise. The activity is often performed after initial access has been gained through other means, such as phishing or credential stuffing. Defenders should monitor changes to trusted IP configurations and investigate any unauthorized modifications promptly. The references suggest this technique is used to maintain persistence in compromised cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges, possibly via credential compromise or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Office 365 portal using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory admin center.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Conditional Access policies to add a new trusted IP range. 
This is achieved by setting the \u003ccode\u003eStrongAuthenticationPolicy\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe change is recorded in the O365 management activity logs as an event whose \u003ccode\u003eModifiedProperties{}.Name\u003c/code\u003e is \u003ccode\u003eStrongAuthenticationPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e field of that event contains the newly added IP address range from which MFA is bypassed.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a device within the newly trusted IP range to authenticate to Office 365 services.\u003c/li\u003e\n\u003cli\u003eMFA is bypassed, granting the attacker access to sensitive data and systems within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to significant damage. Attackers can gain unauthorized access to sensitive information, potentially leading to data breaches, financial losses, and reputational damage. By bypassing MFA, attackers can move laterally within the organization\u0026rsquo;s cloud environment, compromising additional accounts and resources. The number of affected users and the severity of the impact depend on the scope of access granted to the compromised account. 
Organizations in all sectors that rely on Office 365 are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Splunk Microsoft Office 365 add-on to ingest the required logs, as mentioned in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious modifications to trusted IP addresses in O365.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and IP address (\u003ccode\u003eip_addresses_new_added\u003c/code\u003e) involved.\u003c/li\u003e\n\u003cli\u003eReview existing Conditional Access policies and trusted IP configurations to ensure they align with security best practices.\u003c/li\u003e\n\u003cli\u003eImplement stricter monitoring and alerting for administrative accounts to detect unauthorized changes to security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-o365-mfa-bypass/","summary":"An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.","title":"O365 MFA Bypassed via Trusted IP Addition","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-mfa-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Microsoft 365","Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","o365","oauth","risk-based consent","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe disabling of the \u0026ldquo;risk-based step-up consent\u0026rdquo; feature in Microsoft 365 is a significant security concern. 
This feature, when enabled, adds an extra layer of security by requiring administrator approval or additional authentication steps when users attempt to grant permissions to applications deemed risky by Microsoft. When disabled, users can grant consent to potentially malicious OAuth applications without any additional checks, increasing the risk of OAuth phishing attacks. An attacker might disable this feature to facilitate easier access to sensitive user data through malicious applications, bypassing security controls implemented to protect the organization. This could be part of a broader attack to compromise user accounts and exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an account with sufficient privileges to modify Azure Active Directory authorization policies.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory settings.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u0026ldquo;risk-based step-up consent\u0026rdquo; setting.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the \u0026ldquo;AllowUserConsentForRiskyApps\u0026rdquo; setting by modifying the authorization policy.\u003c/li\u003e\n\u003cli\u003eUsers are now able to grant consent to risky OAuth applications without triggering additional security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or promotes a malicious OAuth application, tricking users into granting it permissions.\u003c/li\u003e\n\u003cli\u003eThe malicious application gains access to user data and other resources based on the granted permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious actions using the compromised application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the risk-based step-up consent feature can significantly increase the 
attack surface of a Microsoft 365 environment. If successful, attackers can compromise user accounts and exfiltrate sensitive data. This can lead to financial loss, reputational damage, and legal liabilities. Organizations that fail to monitor and protect this setting are at higher risk of OAuth phishing attacks and subsequent data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u0026ldquo;risk-based step-up consent\u0026rdquo; security setting in Microsoft 365 to prevent users from granting consent to risky applications without proper authorization.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Block User Consent For Risky Apps Disabled\u003c/code\u003e to your SIEM to detect when this setting is modified.\u003c/li\u003e\n\u003cli\u003eReview Azure Active Directory audit logs for unexpected changes to authorization policies related to application consent.\u003c/li\u003e\n\u003cli\u003eMonitor user activity for OAuth application consent grants, especially to applications from untrusted or unknown publishers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-o365-risky-app-consent-disabled/","summary":"The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.","title":"Microsoft 365 Risk-Based Step-Up Consent Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-risky-app-consent-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — O365","version":"https://jsonfeed.org/version/1.1"}