
Unfortunately, almost every organization will at some point have to manage a situation where a user’s account has been compromised. In this blog post, we present Office 365 native tools and techniques that organizations can use to investigate such a compromise.

Microsoft has developed several tools for organizations to investigate suspicious activity or compromised accounts within Office 365 environments. Unfortunately, these tools are not always easy to locate or use.

In this blog post, we will walk through a few of the tools integrated into Office 365 to help organizations investigate account compromises when an employee’s account has been taken over via phishing, social engineering, or another form of credential theft. The tools discussed in this post are available at all license levels of Office 365.

Tracking Logins in Azure Active Directory

The first step of an account compromise investigation usually begins with identifying the attacker authenticating to the environment. Azure Active Directory sign-in logs are the most important resource for identifying this activity. (Please note: if your organization uses a third-party identity provider, such as Okta or Duo, records from that provider should replace or supplement the steps presented in this section.) Be aware that the portal retains sign-in logs for a limited period (7 days for Azure AD Free, 30 days with Azure AD Premium), so export them early in an investigation. Azure Active Directory sign-in logs are located at the following URL:

Azure Active Directory Sign in URL

https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/SignIns

A screen shot of this page is presented below:

Azure Active Directory Sign in History

To analyze the data presented in this interface, use the integrated filters in the UI, or download the data (CSV or JSON) for offline analysis. Unauthorized logins in an Azure Active Directory environment typically display one or more of the following characteristics:

  • Connection from a different location – Attackers typically connect to environments from physical locations different from those where victims usually authenticate.
  • Use of a new IP address – Directly related to the above, the source IP address of an attacker connection will differ from the addresses historically used by the victim.
  • Use of different client applications – Many attacks against organizations that have two-factor authentication use legacy authentication protocols, like IMAP and SMTP, which cannot complete a second-factor challenge and therefore bypass two-factor authentication requirements with only a valid password. Wherever possible, organizations should ensure that legacy authentication has been disabled in their environment. A full list of legacy protocols used by Office 365 is available at the following URL: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication.
  • Changes to client operating system and browser – Users typically connect from a limited number of devices (e.g. a phone and a laptop) with fairly static browser and operating system profiles, so a login from a browser or operating system not previously seen merits investigation.
  • Changes to authentication response patterns – Changes to response sequences, such as an increase in the volume of login failures, or even an increase in the volume of successful logins, can be potential indications of malicious behavior.
  • Changes to IP address usage patterns – One account simultaneously authenticating from multiple IP addresses, or multiple accounts simultaneously authenticating from one previously unknown IP address, can be an indication of malicious behavior.
  • Changes to login days and times – Changes to login days and times, such as a user suddenly authenticating on weekends or late at night, can be an indication of malicious behavior.

The following logs from a compromised user account demonstrate some of these characteristics:

  • The user account began authenticating from a new IP address in a new location; the user’s normal logins originate from Puerto Rico (“Guaynabo, null, PR”).
  • New client apps (IMAP and SMTP) were used. The use of IMAP and SMTP is also reflected in the Browser and Operating System fields being blank, since these protocols do not present a browser user agent.

Azure Active Directory Sign In History from Compromised Account
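
The characteristics above can be checked mechanically against an exported copy of the sign-in log. The following Python script is an added example, not code from the original post: it builds a per-user baseline from sign-ins before a cutoff date and flags later sign-ins that show a new location, IP address, client app or browser/OS profile, a legacy-authentication client app, a new IP shared by several accounts, or off-hours activity. The sample rows are constructed to mirror the compromised account described above, and the column names are assumptions to be matched against the header of your own export.

```python
"""Baseline-and-deviation review of Azure AD sign-in log rows.

Added example, not code from the original post. The rows below are
constructed to resemble a CSV export of the Sign-ins blade; the column
names ("Date (UTC)", "User", "IP address", "Location", "Client app",
"Browser", "Operating System", "Status") are assumptions and should be
matched against the header of your own export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Client apps that use legacy authentication. These protocols cannot
# complete an MFA challenge, so a stolen password alone is sufficient.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Exchange Online PowerShell", "Other clients",
}

# Constructed sample: a week of normal jdoe activity, then IMAP/SMTP logins
# from a new country, and a second account tried from the same new IP.
SAMPLE_CSV = """\
Date (UTC),User,IP address,Location,Client app,Browser,Operating System,Status
2020-03-02T13:01:00Z,jdoe@contoso.com,203.0.113.10,"Guaynabo, null, PR",Browser,Chrome 80.0,Windows 10,Success
2020-03-03T13:05:00Z,jdoe@contoso.com,203.0.113.10,"Guaynabo, null, PR",Browser,Chrome 80.0,Windows 10,Success
2020-03-04T12:58:00Z,jdoe@contoso.com,203.0.113.11,"Guaynabo, null, PR",Mobile Apps and Desktop clients,,iOS 13,Success
2020-03-09T03:12:00Z,jdoe@contoso.com,198.51.100.77,"Lagos, Lagos, NG",IMAP4,,,Success
2020-03-09T03:13:00Z,jdoe@contoso.com,198.51.100.77,"Lagos, Lagos, NG",Authenticated SMTP,,,Success
2020-03-09T03:20:00Z,asmith@contoso.com,198.51.100.77,"Lagos, Lagos, NG",Authenticated SMTP,,,Failure
2020-03-10T13:00:00Z,jdoe@contoso.com,203.0.113.10,"Guaynabo, null, PR",Browser,Chrome 80.0,Windows 10,Success
"""


def _parse(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["_ts"] = datetime.strptime(r["Date (UTC)"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["_ts"])


def _baseline(rows, cutoff):
    """Per-user sets describing successful sign-ins before the cutoff."""
    base = defaultdict(lambda: {"ip": set(), "loc": set(), "app": set(), "plat": set()})
    for r in rows:
        if r["_ts"] < cutoff and r["Status"] == "Success":
            b = base[r["User"]]
            b["ip"].add(r["IP address"])
            b["loc"].add(r["Location"])
            b["app"].add(r["Client app"])
            b["plat"].add((r["Browser"], r["Operating System"]))
    return base


def find_anomalies(csv_text, baseline_end, quiet_hours=(22, 6)):
    """Flag sign-ins on/after baseline_end (ISO 8601 UTC string) that deviate
    from each user's baseline. Hours are evaluated in UTC; shift quiet_hours
    to the user's working time zone when tuning."""
    rows = _parse(csv_text)
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%dT%H:%M:%SZ")
    base = _baseline(rows, cutoff)
    known_ips = set().union(*(b["ip"] for b in base.values()))
    # Accounts (success or failure) seen from each IP that nobody used before.
    accounts_per_new_ip = defaultdict(set)
    for r in rows:
        if r["_ts"] >= cutoff and r["IP address"] not in known_ips:
            accounts_per_new_ip[r["IP address"]].add(r["User"])

    findings = []
    for r in rows:
        if r["_ts"] < cutoff:
            continue
        reasons = []
        b = base.get(r["User"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if r["Location"] not in b["loc"]:
                reasons.append("new location")
            if r["IP address"] not in b["ip"]:
                reasons.append("new IP address")
            if r["Client app"] not in b["app"]:
                reasons.append("new client app")
            if (r["Browser"], r["Operating System"]) not in b["plat"]:
                reasons.append("new browser/OS")
        if r["Client app"] in LEGACY_CLIENT_APPS:
            reasons.append("legacy authentication client app")
        if not r["Browser"] and not r["Operating System"]:
            reasons.append("blank browser/OS")
        shared = accounts_per_new_ip.get(r["IP address"], set())
        if len(shared) > 1:
            reasons.append("new IP shared by %d accounts" % len(shared))
        hour = r["_ts"].hour
        if hour >= quiet_hours[0] or hour < quiet_hours[1]:
            reasons.append("outside working hours (UTC)")
        if r["_ts"].weekday() >= 5:
            reasons.append("weekend")
        if reasons:
            findings.append({"time": r["Date (UTC)"], "user": r["User"], "ip": r["IP address"],
                             "app": r["Client app"], "status": r["Status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_CSV, "2020-03-08T00:00:00Z"):
        print(f["time"], f["user"], f["ip"], f["app"], "->", "; ".join(f["reasons"]))
```

Failed sign-ins are deliberately kept in the shared-IP check: a password spray or an attacker trying a second account from the same address shows up as failures, and that is exactly the pattern the "multiple accounts from one unknown IP" bullet describes.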

Reviewing Office 365 Alerts

If an account has been compromised, the activity may have triggered Office 365 alerts. These records are available in the Office 365 Security & Compliance Center, at the following URL:

Office 365 Alerts URL

https://protection.office.com/viewalerts

A screen shot of this menu is presented below:

Office 365 Alert Menu

Key default alerts that may be indicative of an account compromise include:

  • Email forwarding or redirect rule created – Attackers often change email forwarding and redirect settings when accessing a tenant, both to hide their presence from the victim and to ensure that they retain visibility into emails sent to the victim.
  • Unusual volume of external file sharing – An attacker may change file sharing settings in an environment, or upload their own files and share them externally.
  • eDiscovery search started or exported – Attackers may take advantage of eDiscovery search capabilities in client environments to find potentially sensitive information across the tenant.
  • A potentially malicious URL click was detected – Clicking on a malicious URL sent to a victim may have been the event that triggered the incident.

Organizations can also create custom alert policies to detect potentially malicious actions specific to their tenant. Note that an alert policy only matches activity that occurs after the policy is created, so custom alerts improve detection going forward rather than reconstructing a compromise that has already happened.

Reviewing Office 365 Unified Audit Log

Once we have identified an account compromise from Azure Active Directory sign-ins and Office 365 alerts, we need to identify what actions the attacker took, whether to maintain persistence in the environment, to attack other tenants, or to exfiltrate data from the victim environment. Logs of the attacker’s activity in Exchange Online and SharePoint Online are accessible in the Unified Audit Log, which is located at the following URL:

Unified Audit Log URL

https://protection.office.com/unifiedauditlog

A screen shot of this page is presented below:

Unified Audit Log

Please note – if you access this URL but don’t see any logs, you will need to enable audit logging. Auditing is not retroactive: only activity after it is turned on is recorded, and records are kept for 90 days by default, so search and export early in an investigation.

Logs can also be exported from this menu. The export is a CSV file in which the final column, AuditData, holds each record’s full details as a JSON document, so the file must be read as CSV first and the AuditData field decoded as JSON. Instructions for doing this in Excel are here: https://docs.microsoft.com/en-us/microsoft-365/compliance/export-view-audit-log-records?view=o365-worldwide

Parsed logs from the unified audit log are presented in the following screen shot:

Parsed Logs From Unified Audit Log

The Unified Audit Log can be used to trace the SharePoint Online and Exchange Online actions the attacker took in the environment, such as inbox rules created, mailbox permissions granted, and files downloaded or shared, along with the client IP address recorded for each action.
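
Once the export is parsed, the attacker’s actions can be pulled out of the AuditData records directly. The following Python script is an added example, not code from the original post; it builds a small constructed export in the four-column layout of the portal download (CreationDate, UserIds, Operations, AuditData) and tags, for one account, the Exchange cmdlets that set up forwarding or deletion rules (the actions the default forwarding-rule alert keys on), mailbox permission grants, and SharePoint downloads or sharing, along with the client IP recorded for each. The records, names, IPs and file paths are invented; the operation and parameter names are those Exchange Online and SharePoint Online write to the audit log, but extend the sets to whatever your tenant logs.

```python
"""Triage of a Unified Audit Log export for one compromised account.

Added example, not from the original post. The portal export is a CSV
whose AuditData column carries each record as JSON; the records below
are constructed (user names, IPs and paths are invented) and rendered
through the csv module so the quoting matches a real export.
"""
import csv
import io
import json
from collections import Counter

# Cmdlet parameters that forward, redirect or silently delete mail.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage",
                     "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"}
MAIL_RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
PERSISTENCE_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "Set-CASMailbox"}
SHAREPOINT_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "SharingSet",
                  "AnonymousLinkCreated", "SharingInvitationCreated"}


def _rec(time, op, workload, user, ip, **extra):
    return dict(CreationTime=time, Operation=op, Workload=workload, UserId=user,
                ClientIP=ip, ResultStatus="Succeeded", **extra)


def _p(**kv):  # Exchange cmdlet audit records list arguments as Name/Value pairs
    return [{"Name": k, "Value": v} for k, v in kv.items()]


SAMPLE_RECORDS = [  # constructed sample records
    _rec("2020-03-09T03:14:02", "New-InboxRule", "Exchange", "jdoe@contoso.com", "198.51.100.77:51234",
         Parameters=_p(Name=".", ForwardTo="jd0e.backup@example.net", DeleteMessage="True")),
    _rec("2020-03-09T03:15:40", "Set-Mailbox", "Exchange", "jdoe@contoso.com", "198.51.100.77:51234",
         Parameters=_p(Identity="jdoe", ForwardingSmtpAddress="smtp:jd0e.backup@example.net",
                       DeliverToMailboxAndForward="True")),
    _rec("2020-03-09T03:22:11", "FileDownloaded", "SharePoint", "jdoe@contoso.com", "198.51.100.77",
         ObjectId="https://contoso.sharepoint.com/sites/finance/Shared Documents/wire-instructions.xlsx"),
    _rec("2020-03-09T03:30:05", "Add-MailboxPermission", "Exchange", "jdoe@contoso.com", "198.51.100.77:51301",
         Parameters=_p(Identity="cfo", User="jdoe", AccessRights="FullAccess")),
    _rec("2020-03-09T13:02:00", "MailItemsAccessed", "Exchange", "asmith@contoso.com", "203.0.113.20"),
]


def build_sample_export(records=SAMPLE_RECORDS):
    """Render records in the four-column layout of the portal's CSV export."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for r in records:
        w.writerow([r["CreationTime"], r["UserId"], r["Operation"], json.dumps(r)])
    return out.getvalue()


def parse_export(csv_text):
    """Yield the decoded AuditData JSON of each exported row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield json.loads(row["AuditData"])


def _params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def _ip(rec):
    ip = rec.get("ClientIP", "")
    # Exchange records usually append the source port ("1.2.3.4:51234").
    return ip.rsplit(":", 1)[0] if ip.count(":") == 1 else ip


def triage(csv_text, user):
    """Return the actions recorded for `user`, tagged by what they achieve."""
    findings = []
    for rec in parse_export(csv_text):
        if rec.get("UserId", "").lower() != user.lower():
            continue
        op, params = rec.get("Operation"), _params(rec)
        tag = detail = None
        if op in MAIL_RULE_OPS and FORWARDING_PARAMS & params.keys():
            tag = "mail forwarding/hiding"
            detail = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        elif op in PERSISTENCE_OPS:
            tag, detail = "persistence", params
        elif op in SHAREPOINT_OPS:
            tag, detail = "sharepoint access/sharing", rec.get("ObjectId")
        if tag:
            findings.append({"time": rec["CreationTime"], "op": op, "ip": _ip(rec),
                             "tag": tag, "detail": detail})
    return findings


def client_ips(csv_text, user):
    """Count the source IPs recorded for `user`, to cross-check sign-in logs."""
    return Counter(_ip(r) for r in parse_export(csv_text)
                   if r.get("UserId", "").lower() == user.lower())


if __name__ == "__main__":
    export = build_sample_export()
    for f in triage(export, "jdoe@contoso.com"):
        print(f["time"], f["ip"], f["tag"], f["op"], f["detail"])
    print(client_ips(export, "jdoe@contoso.com"))
```

The IP counts from the audit log are worth comparing against the sign-in findings: an Exchange cmdlet run from the same address as the IMAP logins ties the mailbox changes to the intrusion rather than to the legitimate user.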

Reviewing Detailed Exchange Message Activity

Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. Organizations can determine whether a message was received, rejected, deferred, or delivered by the service. Message trace functionality in Office 365 is necessary if attackers sent email messages using a victim’s account; it records sender, recipients, subject, timestamps and delivery status, but not message content.

The Email Message Trace menu is located at the following URL:

Email message trace menu URL

https://protection.office.com/messagetrace

This menu is presented in the following screen shot:

Email message trace menu

Microsoft provides the following overview for Email trace report types:

  • Summary: Available if the time range is less than 10 days and requires no additional filtering options. The results are available almost immediately after you click Search. The report returns up to 20000 results.
  • Enhanced summary or Extended: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range: By these people, To these people, or Message ID. You can use wildcards for the senders or the recipients (for example, *@contoso.com). The Enhanced summary report returns up to 50000 results. The Extended report returns up to 1000 results.

Additional detail about the reporting options is available at the following URL: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc?view=o365-worldwide
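
To characterize what an attacker sent from the victim’s mailbox, the downloaded trace can be profiled per sender. The following Python script is an added example, not code from the original post; it takes a constructed trace export and reports, for one sender, the distinct external recipients, the largest number of messages submitted in any ten-minute window, subjects sent to many different recipients, and the client IPs the messages were submitted from, which can be matched against the sign-in and audit log findings. The column names follow the enhanced summary CSV as an assumption, and the "address##status" recipient format is likewise assumed; map both to the header of your own report.

```python
"""Profiling a compromised sender in a message trace export.

Added example, not code from the original post. The rows are constructed;
the column names (origin_timestamp_utc, sender_address, recipient_status,
message_subject, original_client_ip) follow the enhanced summary CSV as an
assumption, and recipient_status is assumed to list each recipient as
"address##status" separated by semicolons. Map these to your own report.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"contoso.com"}  # assumed: the victim tenant's accepted domains

# Constructed sample: two normal internal messages, then a burst of
# "Invoice attached" mail to external recipients from the attacker's IP.
SAMPLE_TRACE = """\
origin_timestamp_utc,sender_address,recipient_status,message_subject,original_client_ip
2020-03-06T14:02:10Z,jdoe@contoso.com,"asmith@contoso.com##Receive, Deliver",Q1 budget,203.0.113.10
2020-03-06T16:10:44Z,jdoe@contoso.com,"cfo@contoso.com##Receive, Deliver",Re: travel,203.0.113.10
2020-03-09T03:40:01Z,jdoe@contoso.com,"bob@fabrikam.com##Receive, Deliver",Invoice attached,198.51.100.77
2020-03-09T03:40:35Z,jdoe@contoso.com,"carol@fabrikam.com##Receive, Deliver",Invoice attached,198.51.100.77
2020-03-09T03:41:10Z,jdoe@contoso.com,"dave@tailspintoys.com##Receive, Deliver",Invoice attached,198.51.100.77
2020-03-09T03:42:48Z,jdoe@contoso.com,"erin@tailspintoys.com##Receive, Deliver;frank@northwind.com##Receive, Deliver",Invoice attached,198.51.100.77
2020-03-09T03:44:20Z,jdoe@contoso.com,"grace@northwind.com##Receive, Deliver",Invoice attached,198.51.100.77
"""


def _recipients(field):
    """'a@x##Receive, Deliver;b@y##Send' -> ['a@x', 'b@y']"""
    return [part.split("##", 1)[0].strip() for part in field.split(";") if part.strip()]


def _is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def parse_trace(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["_ts"] = datetime.strptime(r["origin_timestamp_utc"], "%Y-%m-%dT%H:%M:%SZ")
        r["_rcpts"] = _recipients(r["recipient_status"])
    return sorted(rows, key=lambda r: r["_ts"])


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall within any span of `window`."""
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def profile_sender(csv_text, sender, window_minutes=10, fanout=5):
    """Summarise what `sender` sent: external fan-out, the busiest
    window, subjects mailed to many recipients, and submitting IPs."""
    rows = [r for r in parse_trace(csv_text)
            if r["sender_address"].lower() == sender.lower()]
    external, by_subject, ips = set(), defaultdict(set), Counter()
    for r in rows:
        ips[r["original_client_ip"]] += 1
        for rcpt in r["_rcpts"]:
            by_subject[r["message_subject"]].add(rcpt)
            if _is_external(rcpt):
                external.add(rcpt)
    return {
        "messages": len(rows),
        "external_recipients": sorted(external),
        "max_messages_in_window": _max_in_window([r["_ts"] for r in rows],
                                                 timedelta(minutes=window_minutes)),
        "mass_mailed_subjects": sorted(s for s, rc in by_subject.items() if len(rc) >= fanout),
        "client_ips": ips,
    }


if __name__ == "__main__":
    for k, v in profile_sender(SAMPLE_TRACE, "jdoe@contoso.com").items():
        print(k, ":", v)
```

The external recipient list is the notification list for the incident: those contacts received mail that appeared to come from the victim, and the subject and window data tell you whether it was a targeted reply into an existing thread or a bulk send.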

COMING SOON: PERFORMING INVESTIGATIONS IN AZURE SENTINEL

This post focused on capabilities native to all license levels of Office 365. In future posts, we will provide overviews of additional security detection and investigation capabilities available as add-ons to Microsoft Office subscriptions and in Azure Sentinel.