<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Shadow-It - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/shadow-it/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/shadow-it/feed.xml" rel="self" type="application/rss+xml"/><item><title>M365 Copilot Access from Non-Compliant Devices</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/</guid><description>Detects Microsoft 365 (M365) Copilot access from non-compliant or unmanaged devices, potentially indicating shadow IT, BYOD policy violations, or compromised endpoints accessing sensitive data.</description><content:encoded><![CDATA[<p>This detection identifies instances where users access M365 Copilot from devices that do not meet corporate compliance standards. This can expose sensitive organizational data. The activity is identified by analyzing M365 Copilot Graph API logs for access events originating from devices flagged as either non-compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false). The detection aggregates information by user, operating system, and browser to provide context around the non-compliant access. The goal is to uncover potential shadow IT usage, violations of Bring Your Own Device (BYOD) policies, or compromised endpoints accessing corporate resources through M365 Copilot. This detection is based on version 4 of the Splunk ESCU detection <code>e26bc52d-9cbc-4743-9745-e8781d935042</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User attempts to access Microsoft 365 Copilot application.</li>
<li>Azure AD evaluates device compliance and management status during authentication.</li>
<li>If the device is not compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false), the sign-in attempt is logged in Azure AD Sign-in logs.</li>
<li>The M365 Copilot Graph API captures the sign-in event and its associated device details.</li>
<li>Security monitoring tools ingest the M365 Copilot Graph API logs.</li>
<li>The detection identifies events where <code>deviceDetail.isCompliant</code> or <code>deviceDetail.isManaged</code> is false while accessing Copilot.</li>
<li>The detection aggregates the data by user, device operating system, and browser to highlight patterns of non-compliant access.</li>
<li>Security teams are alerted to the potential policy violations or compromised endpoints accessing M365 Copilot.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to data leakage, unauthorized access to sensitive information, and violation of corporate security policies. The number of affected users and the sensitivity of data accessed depend on the organization's M365 Copilot usage and the data accessible through Copilot. Organizations may face compliance violations and regulatory fines if sensitive data is accessed from non-compliant devices. This situation impacts the security domain of endpoints, which can introduce threats into web applications and expose company data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure the Splunk Add-on for Microsoft Office 365 is properly configured to ingest Azure AD Sign-in logs via the Graph API, as described in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule <code>M365 Copilot Access from Non-Compliant Devices</code> to detect unauthorized access attempts and tune it for your environment.</li>
<li>Investigate users flagged by the detection, focusing on devices labeled as non-compliant or unmanaged in the M365 Copilot Graph API logs.</li>
<li>Develop or refine BYOD policies to address the risks of accessing corporate resources from personal devices and communicate these policies clearly to employees.</li>
<li>Implement stricter Conditional Access policies in Azure AD to block access to M365 Copilot from non-compliant or unmanaged devices, using device compliance as a condition.</li>
<li>Regularly review and update device compliance policies to ensure they align with current security best practices.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>m365</category><category>copilot</category><category>device-compliance</category><category>byod</category><category>shadow-it</category></item></channel></rss>