{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/office365/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","office365","serviceprincipal","adminconsent","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where a service principal within an Office 365 Azure Active Directory environment assigns application roles without undergoing the standard administrative consent process. This activity is identified through the analysis of \u003ccode\u003eo365_management_activity\u003c/code\u003e logs, specifically focusing on events related to the 'Add app role assignment to service principal' operation. This bypass can lead to significant security breaches as it circumvents critical administrative controls and allows for unauthorized privilege escalation. The activity was observed in January 2024. Successful exploitation could enable attackers to assign sensitive permissions through automated processes, leading to a compromise of the environment's overall security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a service principal within the Azure Active Directory environment, potentially through credential stuffing or other means of initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised service principal to initiate the \u0026quot;Add app role assignment to service principal\u0026quot; operation, bypassing normal admin consent workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns elevated privileges or roles, such as Global Administrator or Application Administrator, to a target user or service principal.\u003c/li\u003e\n\u003cli\u003eThe target user or service principal, now possessing elevated privileges, can access sensitive data, modify configurations, or create new accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to establish persistence within the environment, such as creating backdoor accounts or modifying authentication policies.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or applications within the organization, leveraging the compromised Azure AD environment as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, disrupts critical services, or deploys ransomware, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this bypass can lead to unauthorized access to sensitive data, modification of critical configurations, and the creation of persistent backdoors within the Office 365 environment. The Microsoft Security Response Center has published guidance related to this technique in January 2024 in response to activity by the nation-state actor Midnight Blizzard. This type of attack can affect organizations of any size that rely on Office 365 services, potentially leading to significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Admin Consent Bypassed by Service Principal\u003c/code\u003e to your SIEM to detect this activity.\u003c/li\u003e\n\u003cli\u003eReview service principal configurations within Azure AD and ensure that appropriate consent policies are in place to prevent unauthorized role assignments.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eo365_management_activity\u003c/code\u003e logs for events related to \u0026quot;Add app role assignment to service principal\u0026quot; and investigate any anomalies.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including service principals, to reduce the risk of compromise.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege when assigning roles and permissions to service principals.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure AD logs for suspicious activity patterns that may indicate a compromised service principal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/","summary":"A service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent, potentially bypassing critical administrative controls and leading to unauthorized access or privilege escalation.","title":"O365 Admin Consent Bypassed by Service Principal","url":"https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/"},{"_cs_actors":["NOBELIUM Group"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365 Exchange Online","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","azuread","office365","persistence","nobelium"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of the 'full_access_as_app' permission being assigned to an application within Office 365 Exchange Online. This activity is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. The observed activity leverages the \u0026quot;Update application\u0026quot; operation in Azure Active Directory AuditLogs. The threat is significant because successful exploitation grants the attacker the ability to impersonate any user within the targeted organization, leading to potential data breaches, financial fraud, or further compromise of the environment. References to Microsoft's response to the Midnight Blizzard campaign indicate that this type of permission abuse has been seen in nation-state attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an Azure AD account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to access the Azure portal or uses PowerShell/Graph API.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a malicious application within the Azure AD tenant, or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) to the application. This is achieved through the \u0026quot;Update application\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eThe application gains full access to all mailboxes in the Exchange Online environment (ResourceAppId: 00000002-0000-0ff1-ce00-000000000000).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the granted permissions to access sensitive emails, contacts, and calendar data from targeted mailboxes.\u003c/li\u003e\n\u003cli\u003eThe attacker may send emails on behalf of other users, potentially leading to phishing attacks or business email compromise (BEC).\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or maintains persistence within the environment by creating new rogue applications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful assignment of the 'full_access_as_app' permission allows an attacker to access and control all mailboxes within the targeted Office 365 Exchange Online environment. This can lead to significant data breaches, financial losses through BEC attacks, and reputational damage. Organizations in any sector are vulnerable, but those handling sensitive data or operating in regulated industries face the highest risk. Nation-state actors like NOBELIUM have been known to exploit this type of permission abuse to gain long-term access to victim networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure AD FullAccessAsApp Permission Assigned\u0026quot; to your SIEM and tune for your environment to detect unauthorized assignments of the 'full_access_as_app' permission.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for \u0026quot;Update application\u0026quot; events where the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) is being assigned.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations from Microsoft's blog post \u0026quot;Midnight Blizzard Guidance for Responders on Nation State Attack\u0026quot; to harden your Azure AD environment and prevent similar attacks.\u003c/li\u003e\n\u003cli\u003eMonitor for applications with excessive permissions, especially those with the 'full_access_as_app' permission, and investigate any anomalies.\u003c/li\u003e\n\u003cli\u003eRegularly audit application permissions in Azure AD to identify and remediate any overly permissive configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/","summary":"Detection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.","title":"Azure AD FullAccessAsApp Permission Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Outlook","Microsoft Defender for Office 365"],"_cs_severities":["medium"],"_cs_tags":["office365","phishing","user-reporting"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying user-reported phishing or malware incidents within an Office 365 environment. When users report suspicious emails through the built-in reporting mechanisms in Outlook or other Microsoft services, these reports are aggregated and processed by the Security \u0026amp; Compliance center. The rule aims to detect these reports, which can be an early indicator of ongoing phishing campaigns or malware distribution attempts targeting employees. Timely detection of these reports allows security teams to investigate potential threats, assess the scope of the attack, and take appropriate remediation steps, such as quarantining malicious emails, blocking malicious senders, and alerting affected users. The scope of targeting depends on the specific campaign and the users targeted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Email Delivery:\u003c/strong\u003e An attacker sends a phishing email to multiple users within the organization, attempting to deceive them into clicking a malicious link or opening a malicious attachment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Reports Suspicious Email:\u003c/strong\u003e A user identifies the email as suspicious and reports it using the built-in \u0026quot;Report Phishing\u0026quot; or \u0026quot;Report Junk\u0026quot; button within Outlook or another Microsoft email client.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReport Aggregation:\u003c/strong\u003e The reported email is sent to the configured reporting mailbox or processed by the Microsoft Defender for Office 365 Security \u0026amp; Compliance policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity \u0026amp; Compliance Alert:\u003c/strong\u003e The Security \u0026amp; Compliance center generates an alert or log entry indicating that a user has reported a potential phishing email.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Triggered:\u003c/strong\u003e This detection rule identifies the Security \u0026amp; Compliance alert related to user-reported phishing or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Analyst Review:\u003c/strong\u003e A security analyst reviews the reported email, analyzes its contents, and investigates the sender's reputation and the linked URLs or attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIncident Response:\u003c/strong\u003e Based on the analysis, the security team takes appropriate incident response actions, such as quarantining the email, blocking the sender, and alerting other potentially affected users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful phishing attacks can lead to credential compromise, malware infection, data exfiltration, and financial loss. By detecting user-reported phishing attempts, organizations can significantly reduce the risk of successful attacks and minimize the potential damage. The impact of a missed user report can range from a single compromised account to a widespread ransomware infection, depending on the sophistication and reach of the phishing campaign. Early detection is crucial to containing the threat and preventing further damage.\u003c/p\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-user-reported-phish/","summary":"This detection identifies potentially malicious emails reported by users within an Office 365 environment through Security \u0026 Compliance policies, indicating possible phishing or malware attacks targeting the organization.","title":"Detection of User-Reported Phishing or Malware in Office 365","url":"https://feed.craftedsignal.io/briefs/2024-01-user-reported-phish/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365"],"_cs_severities":["high"],"_cs_tags":["office365","account-takeover","email","data-destruction"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic detects a specific account takeover behavior within Office 365 environments. It focuses on scenarios where a user receives emails containing sensitive information related to banking, payroll, or account recovery (e.g., password resets, MFA codes) and subsequently hard-deletes those emails within a short timeframe. This activity is indicative of a compromised account, where an attacker intercepts these sensitive communications and removes evidence of their activity. This attack is happening as of 2026-04-15 and is being detected using the Splunk Microsoft Office 365 Add-on by monitoring the Office 365 Universal Audit Log and Office 365 Reporting Message Trace. This is critical for defenders to identify compromised accounts used for financial fraud or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an O365 user's account (likely through credential phishing or password reuse – techniques not explicitly detailed in the source).\u003c/li\u003e\n\u003cli\u003eThe compromised account receives emails with subjects containing keywords related to banking, direct deposit, pay-to, password, passcode, OTP, MFA, or account recovery.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the compromised user's inbox.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies and reads emails containing sensitive information related to financial transactions or password resets.\u003c/li\u003e\n\u003cli\u003eThe attacker hard deletes the identified emails from the inbox, removing them from both the inbox and recoverable items.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged in the O365 management activity logs with \u003ccode\u003eOperation\u003c/code\u003e as \u003ccode\u003eHardDelete\u003c/code\u003e and the \u003ccode\u003eFolder.Path\u003c/code\u003e as either \u003ccode\u003e\\\\Sent Items\u003c/code\u003e or \u003ccode\u003e\\\\Recoverable Items\\\\Deletions\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then initiate fraudulent transactions, such as redirecting direct deposit information to a bank account under their control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in financial losses for the victim, including unauthorized redirection of payroll funds. Attackers could use this access to conduct further malicious activities, such as sending phishing emails to other users or exfiltrating sensitive data. The impact can extend beyond individual users, potentially affecting the entire organization's financial stability and reputation. This type of attack can lead to significant financial damage and data breaches, with losses ranging from thousands to millions of dollars, depending on the scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious email deletion activity after receiving sensitive emails as defined by subject line keywords (\u003ccode\u003eo365_messagetrace\u003c/code\u003e, \u003ccode\u003eo365_management_activity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on users who receive and delete emails related to banking, payroll, or password resets.\u003c/li\u003e\n\u003cli\u003eUse the drilldown searches to investigate the user activity in the O365 environment based on the triggered alert (\u003ccode\u003euser\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of account compromise (reference: \u003ca href=\"https://attack.mitre.org/techniques/T1114/)\"\u003ehttps://attack.mitre.org/techniques/T1114/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent password reuse and reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-delete/","summary":"Compromised Office 365 accounts may receive and then hard delete emails related to password resets or banking/payroll changes, potentially indicating an attempt to redirect victim payroll to an attacker-controlled bank account.","title":"O365 Email Receive and Hard Delete Takeover Behavior","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-delete/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Exchange"],"_cs_severities":["high"],"_cs_tags":["bec","office365","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting malicious mailbox rule creation within Office 365 environments, a tactic frequently employed in Business Email Compromise (BEC) attacks. Attackers, after gaining unauthorized access to a user's account, create inbox rules to hide or redirect sensitive emails, enabling them to conduct fraudulent activities undetected. This activity is often performed through \u003ccode\u003eNew-InboxRule\u003c/code\u003e or \u003ccode\u003eSet-InboxRule\u003c/code\u003e operations. The detection strategy involves analyzing mailbox rule attributes such as short or unusual rule names, automated marking of emails as read, and moving emails to specific folders (e.g., RSS, Archive). A scoring mechanism is applied to identify combinations of these attributes indicative of malicious intent. Detecting these rules early can prevent financial loss and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attacker gains unauthorized access to an Office 365 account, possibly through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e The attacker may attempt to escalate privileges within the compromised account to gain further control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Enumeration (Optional):\u003c/strong\u003e The attacker may enumerate existing inbox rules using commands to understand the current configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Rule Creation/Modification:\u003c/strong\u003e The attacker creates a new inbox rule or modifies an existing one using \u003ccode\u003eNew-InboxRule\u003c/code\u003e or \u003ccode\u003eSet-InboxRule\u003c/code\u003e operations within Exchange. This rule is designed to hide or redirect emails.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Configuration:\u003c/strong\u003e The attacker configures the rule to automatically mark emails as read (\u003ccode\u003eMarkAsRead=\u0026quot;True\u0026quot;\u003c/code\u003e), move them to specific folders like \u0026quot;RSS\u0026quot;, \u0026quot;Conversation History\u0026quot;, or \u0026quot;Archive\u0026quot; (\u003ccode\u003eMoveToFolder\u003c/code\u003e), or forward them to an external address. The rule name is often short and/or nonsensical.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmail Hiding/Redirection:\u003c/strong\u003e The rule is activated, and incoming emails matching the rule's criteria are automatically hidden, moved, or redirected, preventing the legitimate user from seeing them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Fraudulent Activity:\u003c/strong\u003e The attacker monitors the redirected emails for sensitive information or uses the compromised account to send fraudulent emails, initiate fraudulent transactions, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to significant financial losses, data breaches, and reputational damage. Attackers can use hidden or redirected emails to gather sensitive information, conduct phishing campaigns against internal and external contacts, and initiate fraudulent wire transfers. The number of victims and the scale of the damage depend on the attacker's objectives and the duration of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events to provide the necessary logs for detection.\u003c/li\u003e\n\u003cli\u003eInstall the Splunk TA URL Toolbox (\u003ca href=\"https://splunkbase.splunk.com/app/2734/\"\u003ehttps://splunkbase.splunk.com/app/2734/\u003c/a\u003e) to enable entropy calculation for rule names.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eO365 BEC Email Hiding Rule Created\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eentropy_score\u003c/code\u003e and \u003ccode\u003elen_score\u003c/code\u003e thresholds based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor Office 365 management activity logs for \u003ccode\u003eNew-InboxRule\u003c/code\u003e and \u003ccode\u003eSet-InboxRule\u003c/code\u003e operations, focusing on rules with suspicious attributes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-bec-email-hiding/","summary":"This analytic detects suspicious Office 365 mailbox rule creation, a common technique used in Business Email Compromise (BEC), by scoring rule attributes like short names, marking emails as read, and moving emails to specific folders.","title":"O365 BEC Email Hiding Rule Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-bec-email-hiding/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["office365","azuread","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying the addition of application role assignments to users within Microsoft Office 365. The activity is monitored through the \u003ccode\u003eo365_management_activity\u003c/code\u003e dataset, specifically targeting \u0026quot;Add app role assignment grant to user\u0026quot; operations. This is significant because unauthorized modifications to user roles can lead to privilege escalation, allowing attackers to gain elevated access to critical resources and data within the O365 environment. Monitoring this activity is crucial for defenders to identify and prevent potential breaches or internal misuse. References such as FireEye's report on UNC2452 and CISA Alert AA21-008A highlight the importance of monitoring such events, as attackers often leverage compromised credentials and elevated privileges to further their objectives within the cloud environment. The provided detection logic is designed to be implemented within Splunk environments utilizing the Microsoft Office 365 add-on.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised user account within the Office 365 environment (T1136.003).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to authenticate to Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to add an application role assignment grant to a user, modifying the user's permissions.\u003c/li\u003e\n\u003cli\u003eThis action generates an \u0026quot;Add app role assignment grant to user\u0026quot; event within the \u003ccode\u003eo365_management_activity\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eThe detection identifies this specific event, triggered by the attacker's attempt to elevate privileges.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker escalates their privileges, gaining unauthorized access to sensitive data and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use these elevated privileges to move laterally within the O365 environment.\u003c/li\u003e\n\u003cli\u003eThe final objective is to exfiltrate sensitive data or establish persistence within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to significant data breaches, unauthorized access to sensitive information, and potential reputational damage. By escalating privileges, attackers can bypass security controls and access critical business applications and data stored within the Office 365 environment. The number of affected users and the extent of the damage will depend on the specific roles granted and the sensitivity of the accessed data. This can affect any organization using Office 365, ranging from small businesses to large enterprises, and can have significant financial and operational consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure the Splunk Microsoft Office 365 add-on to collect the necessary logs (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your Splunk environment to detect suspicious \u0026quot;Add app role assignment grant to user\u0026quot; events and tune the rule for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected events to determine if the role assignment was authorized and legitimate, referencing the detection results for specific users and destinations as outlined in the drilldown searches.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eo365_management_activity\u003c/code\u003e logs for unusual patterns of role assignment changes, using the provided search query as a starting point.\u003c/li\u003e\n\u003cli\u003eReview user accounts added to privileged roles.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-app-role-assignment/","summary":"This analytic detects the addition of an application role assignment grant to a user in Office 365, which can indicate unauthorized privilege escalation or the assignment of sensitive roles, leading to unauthorized access within the Office 365 environment.","title":"O365 Add App Role Assignment Grant User","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-app-role-assignment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["cloud","office365","credential-access","password-spraying"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies a high volume of failed login attempts originating from a single source IP address targeting Office 365 accounts. The activity is monitored using Office 365 management activity logs, specifically AzureActiveDirectoryStsLogon records. By aggregating these logs in 5-minute intervals, the analytic counts failed login attempts and triggers when the count exceeds a defined threshold. This behavior is significant as it commonly indicates brute-force attacks or password spraying, which are methods used by attackers to compromise accounts. Successful attacks can lead to data breaches, lateral movement, and further malicious activities. The initial Splunk ES-CU detection was published on 2026-04-17, version 11.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies potential target Office 365 accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password spraying or brute-force attack against the identified accounts, using a single source IP address.\u003c/li\u003e\n\u003cli\u003eThe UserLoginFailed events are logged within the Office 365 management activity logs as AzureActiveDirectoryStsLogon records.\u003c/li\u003e\n\u003cli\u003eSplunk ingests the Office 365 management activity events using the Splunk Microsoft Office 365 Add-on.\u003c/li\u003e\n\u003cli\u003eThe analytic aggregates the failed login attempts by source IP address within 5-minute intervals.\u003c/li\u003e\n\u003cli\u003eIf the number of failed attempts from a single IP exceeds the defined threshold (e.g., 10), a detection event is triggered.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a compromised Office 365 account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account for data exfiltration, lateral movement, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful password spraying or brute-force attack can lead to the compromise of Office 365 accounts. This can result in data breaches, unauthorized access to sensitive information, and potential financial loss. The compromise of even a single account can provide attackers with a foothold for lateral movement within the organization, potentially impacting a wider range of systems and data. The CISA alert AA21-008A highlights the risks of password spraying and emphasizes the importance of monitoring for this type of activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect high numbers of login failures from a single source and tune the threshold based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable and monitor Office 365 management activity logs, specifically AzureActiveDirectoryStsLogon records (\u003ccode\u003eo365_management_activity\u003c/code\u003e) to ensure the data source for the detection is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the source IP address (\u003ccode\u003esrc_ip\u003c/code\u003e) and the affected user accounts (\u003ccode\u003euser\u003c/code\u003e) to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Office 365 accounts to mitigate the risk of successful password-based attacks, as referenced in the MITRE ATT\u0026amp;CK technique T1110.001.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-login-failures/","summary":"The analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address, potentially indicating brute-force or password spraying attacks.","title":"High Number of Failed Office 365 Logins from Single Source","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-login-failures/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365"],"_cs_severities":["high"],"_cs_tags":["account-compromise","office365","payroll-fraud","data-destruction"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of compromised Office 365 accounts exhibiting behavior indicative of payroll redirection fraud. The attack involves an adversary gaining access to a target's email account and subsequently deleting email messages related to password resets, banking information, and direct deposit updates. The attacker's objective is likely to manipulate the victim's payroll settings to redirect funds to an account under their control. This activity requires timely detection, as the window of opportunity for such redirection is typically short. This brief uses detections developed and released in the splunk-escu project, specifically released around April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target's Office 365 account via credential theft or phishing (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker searches the mailbox for keywords related to password resets, banking information, direct deposit, and payroll changes (e.g., \u0026quot;password\u0026quot;, \u0026quot;banking\u0026quot;, \u0026quot;direct deposit\u0026quot;, \u0026quot;OTP\u0026quot;, \u0026quot;MFA\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies emails matching the keywords.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the identified emails. This is often done using \u0026quot;SoftDelete\u0026quot; or \u0026quot;HardDelete\u0026quot; operations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the victim's payroll or banking information using data gleaned from the accessed emails or via impersonation.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain access to the compromised account, potentially setting up forwarding rules or other persistence mechanisms (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker monitors for any alerts or notifications related to the changes they made, and attempts to delete or suppress them (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully redirects payroll funds to their own account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature results in financial loss for the victim. It can also cause reputational damage to the organization if employees' payroll information is compromised. The number of victims can vary greatly depending on the scope of the attack. This type of attack often targets employees in finance or HR departments, or those with access to sensitive payroll data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances where users receive and delete emails related to both password resets and payroll changes. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the user's mailbox activity and login history. Use the drilldown searches to view the detection results for the affected user.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Office 365 accounts to reduce the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eEducate employees about the risks of phishing and social engineering attacks, and how to identify suspicious emails.\u003c/li\u003e\n\u003cli\u003eMonitor Office 365 audit logs for suspicious activity, such as unusual login locations, excessive email deletions, or changes to mailbox settings.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent attackers from easily guessing or cracking passwords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-payroll-compromise/","summary":"Attackers compromise O365 accounts and delete emails related to password resets and payroll changes, potentially redirecting payroll to attacker-controlled accounts.","title":"O365 Email Password and Payroll Compromise","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-payroll-compromise/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Microsoft 365"],"_cs_severities":["high"],"_cs_tags":["azuread","office365","cross-tenant","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Microsoft 365 environments, including Azure Active Directory, to establish persistence and facilitate lateral movement. A key technique involves manipulating cross-tenant access policies. These policies govern how an organization trusts and interacts with external Azure Active Directory tenants. By modifying these policies, attackers can grant themselves unauthorized access to resources, synchronize user accounts for long-term access, and bypass multi-factor authentication (MFA) controls. This activity can be difficult to detect due to the legitimate use of cross-tenant access for business collaboration. This type of attack was observed in August 2023, and impacts any organization using Azure AD cross-tenant access features.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a privileged account within the target Azure Active Directory tenant, possibly via credential phishing or password spraying.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell modules to interact with Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies existing cross-tenant access policies configured within the target tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing cross-tenant access policy or creates a new one to establish a trust relationship with an attacker-controlled Azure Active Directory tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the cross-tenant access policy to allow specific actions, such as user synchronization or application access, from the attacker-controlled tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker synchronizes user accounts from the attacker-controlled tenant into the target tenant, granting themselves persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the synchronized accounts to access sensitive resources and perform lateral movement within the target environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful manipulation of cross-tenant access policies can lead to significant damage. Attackers can gain persistent, unauthorized access to sensitive data, applications, and infrastructure within the victim's Microsoft 365 environment. This may lead to data exfiltration, financial fraud, or disruption of business operations. The CrowdStrike blog post referenced in the source material highlights real-world instances of these attacks, and it should be considered a critical threat to organizations relying on cross-tenant access configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eO365 Cross-Tenant Access Policy Change Detected\u003c/code\u003e to your SIEM to detect unauthorized changes to cross-tenant access policies using Office 365 management activity logs.\u003c/li\u003e\n\u003cli\u003eReview existing cross-tenant access policies for unexpected or overly permissive configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including privileged accounts, to reduce the risk of initial compromise.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Active Directory audit logs for suspicious activity related to cross-tenant access policy management.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review permissions associated with synchronized accounts to identify and remediate any excessive privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-o365-cross-tenant-access-change/","summary":"Adversaries modify Azure Active Directory cross-tenant access policies for lateral movement or persistence within compromised Microsoft 365 environments.","title":"O365 Cross-Tenant Access Policy Changes","url":"https://feed.craftedsignal.io/briefs/2024-01-02-o365-cross-tenant-access-change/"}],"language":"en","title":"CraftedSignal Threat Feed - Office365","version":"https://jsonfeed.org/version/1.1"}