{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shadow-it/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["M365 Copilot","Azure AD"],"_cs_severities":["medium"],"_cs_tags":["m365","copilot","device-compliance","byod","shadow-it"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where users access M365 Copilot from devices that do not meet corporate compliance standards. This can expose sensitive organizational data. The activity is identified by analyzing M365 Copilot Graph API logs for access events originating from devices flagged as either non-compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false). The detection aggregates information by user, operating system, and browser to provide context around the non-compliant access. The goal is to uncover potential shadow IT usage, violations of Bring Your Own Device (BYOD) policies, or compromised endpoints accessing corporate resources through M365 Copilot. This detection is based on version 4 of the Splunk ESCU detection \u003ccode\u003ee26bc52d-9cbc-4743-9745-e8781d935042\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser attempts to access Microsoft 365 Copilot application.\u003c/li\u003e\n\u003cli\u003eAzure AD evaluates device compliance and management status during authentication.\u003c/li\u003e\n\u003cli\u003eIf the device is not compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false), the sign-in attempt is logged in Azure AD Sign-in logs.\u003c/li\u003e\n\u003cli\u003eThe M365 Copilot Graph API captures the sign-in event and its associated device details.\u003c/li\u003e\n\u003cli\u003eSecurity monitoring tools ingest the M365 Copilot Graph API logs.\u003c/li\u003e\n\u003cli\u003eThe detection identifies events where \u003ccode\u003edeviceDetail.isCompliant\u003c/code\u003e or \u003ccode\u003edeviceDetail.isManaged\u003c/code\u003e is false while accessing Copilot.\u003c/li\u003e\n\u003cli\u003eThe detection aggregates the data by user, device operating system, and browser to highlight patterns of non-compliant access.\u003c/li\u003e\n\u003cli\u003eSecurity teams are alerted to the potential policy violations or compromised endpoints accessing M365 Copilot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data leakage, unauthorized access to sensitive information, and violation of corporate security policies. The number of affected users and the sensitivity of data accessed depend on the organization's M365 Copilot usage and the data accessible through Copilot. Organizations may face compliance violations and regulatory fines if sensitive data is accessed from non-compliant devices. This situation impacts the security domain of endpoints, which can introduce threats into web applications and expose company data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Splunk Add-on for Microsoft Office 365 is properly configured to ingest Azure AD Sign-in logs via the Graph API, as described in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eM365 Copilot Access from Non-Compliant Devices\u003c/code\u003e to detect unauthorized access attempts and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate users flagged by the detection, focusing on devices labeled as non-compliant or unmanaged in the M365 Copilot Graph API logs.\u003c/li\u003e\n\u003cli\u003eDevelop or refine BYOD policies to address the risks of accessing corporate resources from personal devices and communicate these policies clearly to employees.\u003c/li\u003e\n\u003cli\u003eImplement stricter Conditional Access policies in Azure AD to block access to M365 Copilot from non-compliant or unmanaged devices, using device compliance as a condition.\u003c/li\u003e\n\u003cli\u003eRegularly review and update device compliance policies to ensure they align with current security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/","summary":"Detects Microsoft 365 (M365) Copilot access from non-compliant or unmanaged devices, potentially indicating shadow IT, BYOD policy violations, or compromised endpoints accessing sensitive data.","title":"M365 Copilot Access from Non-Compliant Devices","url":"https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Shadow-It","version":"https://jsonfeed.org/version/1.1"}