Tag
O365 Admin Consent Bypassed by Service Principal
2 rules 2 TTPsA service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent, potentially bypassing critical administrative controls and leading to unauthorized access or privilege escalation.
Azure AD FullAccessAsApp Permission Assignment
2 rules 2 TTPsDetection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.
Detection of User-Reported Phishing or Malware in Office 365
2 rules 1 TTPThis detection identifies potentially malicious emails reported by users within an Office 365 environment through Security & Compliance policies, indicating possible phishing or malware attacks targeting the organization.
O365 Email Receive and Hard Delete Takeover Behavior
2 rules 3 TTPsCompromised Office 365 accounts may receive and then hard delete emails related to password resets or banking/payroll changes, potentially indicating an attempt to redirect victim payroll to an attacker-controlled bank account.
O365 BEC Email Hiding Rule Creation
2 rules 2 TTPsThis analytic detects suspicious Office 365 mailbox rule creation, a common technique used in Business Email Compromise (BEC), by scoring rule attributes like short names, marking emails as read, and moving emails to specific folders.
O365 Add App Role Assignment Grant User
2 rules 1 TTPThis analytic detects the addition of an application role assignment grant to a user in Office 365, which can indicate unauthorized privilege escalation or the assignment of sensitive roles, leading to unauthorized access within the Office 365 environment.
High Number of Failed Office 365 Logins from Single Source
1 rule 1 TTPThe analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address, potentially indicating brute-force or password spraying attacks.
O365 Email Password and Payroll Compromise
2 rules 3 TTPsAttackers compromise O365 accounts and delete emails related to password resets and payroll changes, potentially redirecting payroll to attacker-controlled accounts.
O365 Cross-Tenant Access Policy Changes
2 rules 2 TTPsAdversaries modify Azure Active Directory cross-tenant access policies for lateral movement or persistence within compromised Microsoft 365 environments.