Skip to content
Threat Feed

Tag

Office365

9 briefs RSS
high advisory

O365 Admin Consent Bypassed by Service Principal

A service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent, potentially bypassing critical administrative controls and leading to unauthorized access or privilege escalation.

Office 365 +1 azuread office365 serviceprincipal adminconsent persistence
2r 2t
high threat

Azure AD FullAccessAsApp Permission Assignment

Detection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.

Office 365 Exchange Online +1 NOBELIUM Group azure azuread office365 persistence nobelium
2r 2t
medium advisory

Detection of User-Reported Phishing or Malware in Office 365

This detection identifies potentially malicious emails reported by users within an Office 365 environment through Security & Compliance policies, indicating possible phishing or malware attacks targeting the organization.

Office 365 +2 office365 phishing user-reporting
2r 1t
high advisory

O365 Email Receive and Hard Delete Takeover Behavior

Compromised Office 365 accounts may receive and then hard delete emails related to password resets or banking/payroll changes, potentially indicating an attempt to redirect victim payroll to an attacker-controlled bank account.

Office 365 office365 account-takeover email data-destruction
2r 3t
high advisory

O365 BEC Email Hiding Rule Creation

This analytic detects suspicious Office 365 mailbox rule creation, a common technique used in Business Email Compromise (BEC), by scoring rule attributes like short names, marking emails as read, and moving emails to specific folders.

Office 365 +1 bec office365 email
2r 2t
high advisory

O365 Add App Role Assignment Grant User

This analytic detects the addition of an application role assignment grant to a user in Office 365, which can indicate unauthorized privilege escalation or the assignment of sensitive roles, leading to unauthorized access within the Office 365 environment.

Office 365 +1 office365 azuread privilege-escalation
2r 1t
high advisory

High Number of Failed Office 365 Logins from Single Source

The analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address, potentially indicating brute-force or password spraying attacks.

Office 365 +1 cloud office365 credential-access password-spraying
1r 1t
high advisory

O365 Email Password and Payroll Compromise

Attackers compromise O365 accounts and delete emails related to password resets and payroll changes, potentially redirecting payroll to attacker-controlled accounts.

Office 365 account-compromise office365 payroll-fraud data-destruction
2r 3t
high advisory

O365 Cross-Tenant Access Policy Changes

Adversaries modify Azure Active Directory cross-tenant access policies for lateral movement or persistence within compromised Microsoft 365 environments.

Azure Active Directory +1 azuread office365 cross-tenant persistence
2r 2t