Attack Chain

1. An attacker crafts a spearphishing email designed to bypass standard security filters.
2. The email is sent to a target user within the Microsoft 365 environment.
3. Microsoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.
4. The email is delivered to the user’s Inbox or Junk folder.
5. The user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).
6. The link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).
7. The attacker gains access to the user’s account or system.
8. The attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.

Impact

The impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. The number of affected users and the extent of the damage will depend on the attacker’s objectives and the organization’s security controls.

Recommendation

• Deploy the Sigma rule provided to detect suspicious email delivery events within your Microsoft 365 environment and tune for your specific environment.
• Investigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.
• Review and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.
• Educate users about the risks of phishing emails and encourage them to report suspicious messages.
• Monitor the TIMailData operation within the M365 audit logs for further analysis and threat hunting.