What do these detections mean?
You've received a cloud detection alert indicating that a user in your environment may have been compromised. These alerts identify suspicious activities on O365 accounts of the kind that become possible once an attacker has quietly logged in.
The most common of these activities are:
Disabling or Removal of Anti-Phish Protections:
The basic elements of an anti-phishing policy are:
- The anti-phish policy: Specifies the phishing protections to enable or disable, and the actions to apply.
- The anti-phish rule: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.
Turning off the URL scanning of links present in a mailbox:
Safe Links is a feature that provides URL scanning. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Turning off the auto-checking of attachments before they are delivered into a mailbox:
Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).
Disabling or Removal of Malware Protections:
EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization.
Turning off the Unified Audit Log, which records user and admin O365 account activity:
When audit log search in the compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for at least 90 days.
How do I investigate whether an alert is a legitimate threat?
Work through the following checks to decide whether the threat is legitimate. The data for items 1 to 7 is included in the alert email itself.
1. User Confirmation: Ask the user if they performed the detected actions. If the actions are legitimate, the ticket can be closed.
2. Unsuccessful Logins: Determine how many successful and unsuccessful logins were attempted in the last 24 hours. The TwentyFourHourLoginAnalytics section contains several fields for this.
The number_login_attempts and number_sucessful_logins fields give the number of login attempts that were made and how many of those succeeded. In the above-mentioned alert, 84 out of 85 were successful. A large number of unsuccessful login attempts makes it likely that the alert indicates malicious activity.
The successful_logins_apps_and_freqs field tells you which applications were successfully accessed and how many times. Correspondingly, failed_logins_apps_and_freqs lists failed logins to any of the applications.
3. Logon errors: A logon error of Idslocked means the account was locked after multiple unsuccessful login attempts. A zero in the number_idslocked_login_attempts field does not indicate malicious activity.
4. Distinct IP Logins: number_distinct_logins tells you how many distinct IPs the logins came from. Logins from a large number of distinct IPs may indicate VPN use by the user, or may be malicious activity.
5. Elevated Permissions: Were the user's permissions elevated? If the user type changed recently, this could indicate privilege escalation by an attacker.
UserType: The type of user that performed the operation. The following values indicate the user type:
- 0: A regular user
- 2: An administrator in your Microsoft 365 organization
- 3: A Microsoft datacenter administrator or datacenter system account
- 4: A system account
- 5: An application
- 6: A service principal
- 7: A custom policy
- 8: A system policy
user_types_changes lists the changes in user type, if any, in deduplicated chronological order. user_types lists the user types of the events that occurred in the last 24 hours, in chronological order with consecutive repeats collapsed.
For example, consider 9 events in the last 24 hours where UserType changed: 0 for the first 3 events, 2 for the next 5 events and 0 for the last event. In array form, the user types for the 9 events would look like ["0", "0", "0", "2", "2", "2", "2", "2", "0"]. The resulting user_types_changes would be ["Escalation", "De-escalation"] and user_types would be ["0", "2", "0"].
6. External Access: Was the activity performed by someone outside of the organization? The corresponding field can be found under TwentFourHourExchangeAnalytics. If the field is set to false, it was insider activity; if it is set to true, it was outsider activity.
7. Suspicious User Activity: Under TwentFourHourExchangeActivityAnalytics, the operations_and_freqs field lists the events and activities performed by the user in the last 24 hours along with their respective frequencies. For example, a value of ["Remove-MalwareFilterRule", 3] means that the operation Remove-MalwareFilterRule was performed three times in the last 24 hours.
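As an added illustration (not part of the original alert documentation), the following Python rebuilds the analytics fields from items 2 to 7 over a constructed 24-hour event sample and applies the checks described above. The event tuple layout, the Add-RoleGroupMember operation and the rule that entering UserType 2 counts as an Escalation are assumptions made for the example.

```python
from collections import Counter

# Constructed 24h audit sample for one user (not real data): (Operation, ResultStatus, ClientIP, UserType, application).
EVENTS = [
    ("UserLoggedIn", "Success", "203.0.113.10", "0", "Outlook"),
    ("UserLoginFailed", "Failed", "198.51.100.7", "0", "OWA"),
    ("UserLoginFailed", "Failed", "198.51.100.7", "0", "OWA"),
    ("UserLoggedIn", "Success", "198.51.100.7", "0", "OWA"),
    ("Add-RoleGroupMember", "Success", "198.51.100.7", "2", None),  # assumed operation
    ("Remove-MalwareFilterRule", "Success", "198.51.100.7", "2", None),
    ("Remove-MalwareFilterRule", "Success", "198.51.100.7", "2", None),
    ("UserLoggedIn", "Success", "203.0.113.10", "0", "Outlook"),
]
LOGIN_OPS = {"UserLoggedIn", "UserLoginFailed"}

def login_analytics(events):
    """Rebuild the TwentyFourHourLoginAnalytics fields (names as they appear in the alert)."""
    logins = [e for e in events if e[0] in LOGIN_OPS]
    ok = [e for e in logins if e[1] == "Success"]
    return {
        "number_login_attempts": len(logins),
        "number_sucessful_logins": len(ok),
        "number_distinct_logins": len({e[2] for e in ok}),
        "successful_logins_apps_and_freqs": sorted(Counter(e[4] for e in ok).items()),
    }

def user_type_analytics(events):
    """Return (user_types_changes, user_types): consecutive duplicate UserType values collapsed,
    each transition labelled. Assumption: entering type 2 (admin) is Escalation, leaving it De-escalation."""
    types = []
    for e in events:
        if not types or types[-1] != e[3]:
            types.append(e[3])
    changes = ["Escalation" if cur == "2" else "De-escalation" if prev == "2" else "Change"
               for prev, cur in zip(types, types[1:])]
    return changes, types

def operations_and_freqs(events):
    """Non-login operations with their frequencies, most frequent first."""
    return Counter(e[0] for e in events if e[0] not in LOGIN_OPS).most_common()

def triage(events, max_failed=5):
    """Checks from items 2, 5 and 7: failed logins, escalation, protections removed."""
    la = login_analytics(events)
    failed = la["number_login_attempts"] - la["number_sucessful_logins"]
    findings = [f"{failed} failed logins in 24h"] if failed > max_failed else []
    if "Escalation" in user_type_analytics(events)[0]:
        findings.append("UserType escalated to administrator")
    findings += [f"{op} performed {n} time(s)" for op, n in operations_and_freqs(events)
                 if op.startswith(("Remove-", "Disable-")) and "Filter" in op]
    return findings
```

Running triage(EVENTS) on the sample yields the escalation and the Remove-MalwareFilterRule finding; lower max_failed to surface the two failed logins as well.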
Additional steps that you can perform to complete the investigation:
8. Other User Activity: Did the affected user do anything else suspicious in the past 24 hours? Filter the Unified Audit Log for the specific user over the last 24 hours by going to Audit Log Search under the Security and Compliance Center, as documented here. In the same way you can look for suspicious activity in other O365 accounts.
9. Forwarding Rules: Check for any new forwarding rules set (More info here and here).
Recommended remediation steps
1. Disable the user account by following these steps.
2. Revoke any admin access or special/privileged permissions the user has been granted.
3. Sign out of all sessions and revoke tokens for the affected users (both in O365 and Azure - steps here)
4. Remove any suspicious forwarding addresses set at the mailbox level (Info on forwarding addresses here). You can view reports and insights by using these steps.
5. Remove any suspicious inbox level rules, set within the mailbox.
If you want to do this via the GUI, go to the O365 Admin Center -> Exchange Admin Center -> permissions -> Outlook web app policies. Then double-click "OwaMailboxPolicy-Default" or whichever policy you want to edit. Next select Features on the left side, scroll to the bottom, select More options and, under Information Management, uncheck Inbox Rules. Finally, click Save.
6. Investigate malicious email that was delivered in O365.
7. View reports in the Security & Compliance Center for malicious attachments.
8. If you need to preserve the content for investigation/litigation or insurance purposes then it is suggested to place the mailbox in a legal hold. (see here for info)
9. Enable mailbox auditing (Click here for the Microsoft guide to enable Mailbox Auditing, which is disabled by default)
10. Check Email and SharePoint permissions and rules (Please note that SharePoint sites have their own system for permissions).
11. Reset password (Ensure that this is synced across if using AD Connect) via Microsoft's suggested steps.
12. Enable or reset MFA and ensure it is only their device being enrolled.
13. Re-enable the user account in Azure AD.
14. Monitor activity on the account (Check mailbox audit logs).
For other suggested steps for responding to a compromised Microsoft account, read here.
Recommended additional precautions
1. Microsoft's suggested steps: https://docs.microsoft.com/en-us/archive/blogs/office365security/using-office-365-activity-data-to-improve-your-cybersecurity-stance-and-capability
2. Configure anti-malware protection in Exchange
3. Configure O365 policies for increased security