Phishing: What are the important Office 365 logs to examine?

Even the most hardened information systems are susceptible to a slick con artist. The art of deception employed in a well-crafted phishing email has the potential to dupe us all. In fact, few of us are invulnerable to this threat.

Obviously, there are ways to make yourself less of a target. Elements such as multifactor authentication, security awareness and email spam filters add additional layers of protection. But our interest here is to highlight some of the Office 365 logs which point towards an account compromise.

Microsoft Office 365 cloud service logs are rich in content and provide everything you need to build the following basic use cases. Since phishing remains one of the leading threats, failing to monitor these events leaves you blind to the risk.

Use Case #1: Mailbox login activity from unusual geo location

Do you expect your users to log in from Afghanistan or the Congo? Probably not. So, here is what to look for in 3 simple steps!

  1. Check for the event “MailboxLogin Succeeded” in the O365 logs.
  2. Baseline normal login geolocations.
  3. Flag, monitor and investigate any sign-in attempt from an unusual location.

Use Case #2: Inbox rule creation

Once an attacker gains access to a mailbox, it is easy for them to add and modify inbox rules, and they can use this to their advantage: by moving emails to a particular folder, by forwarding emails to another address, or even by starting an application. Auditing inbox rules is a must; make sure it is enabled for all mailboxes. Check for the events “New InboxRule Succeeded” and “Set InboxRule Succeeded” in the O365 audit logs.

Use Case #3: More than one source geolocation IP login in a day

Can you travel from Cardiff to Cape Town in 2 hours? Look for impossible travel logins.

If a user logs in from multiple locations in a day, an alert should be raised and an investigation conducted. With some fine-tuning of this alert, the use case has the potential to yield positive results in detecting user account compromise.
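The geolocation checks of use cases #1 and #3 in one piece of code, added here as an example rather than taken from the original post: it runs over constructed records shaped like Unified Audit Log entries, and the GeoIP table, baseline country set and speed threshold are assumptions you would replace with your own lookup and tuning.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed records in the shape of Office 365 Unified Audit Log AuditData (real field names, made-up values).
SAMPLE_RECORDS = [
    {"CreationTime": "2021-03-01T08:02:11", "UserId": "alice@example.com",
     "Operation": "MailboxLogin", "ResultStatus": "Succeeded", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2021-03-01T10:15:40", "UserId": "alice@example.com",
     "Operation": "MailboxLogin", "ResultStatus": "Succeeded", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2021-03-01T09:30:00", "UserId": "bob@example.com",
     "Operation": "MailboxLogin", "ResultStatus": "Succeeded", "ClientIP": "203.0.113.10"},
]
# Stand-in for a GeoIP lookup (ip -> country, latitude, longitude); constructed values.
GEOIP = {
    "203.0.113.10": ("GB", 51.48, -3.18),   # Cardiff
    "198.51.100.7": ("ZA", -33.93, 18.42),  # Cape Town
}
BASELINE_COUNTRIES = {"GB"}  # step 2 of use case #1: countries your users normally log in from
MAX_KMH = 900   # faster than a commercial flight: treat as impossible travel
MIN_KM = 100    # ignore short hops, which GeoIP jitter can produce

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # great-circle distance in kilometres

def find_suspicious_logins(records, geoip=GEOIP, baseline=BASELINE_COUNTRIES):
    """Return (user, reason, detail) tuples for unusual-geo and impossible-travel logins."""
    logins = [r for r in records
              if r["Operation"] == "MailboxLogin" and r["ResultStatus"] == "Succeeded"]
    logins.sort(key=lambda r: (r["UserId"], r["CreationTime"]))  # ISO timestamps sort as text
    alerts, last_seen = [], {}
    for r in logins:
        country, lat, lon = geoip[r["ClientIP"]]
        when = datetime.fromisoformat(r["CreationTime"])
        if country not in baseline:
            alerts.append((r["UserId"], "unusual_geo", country))
        prev = last_seen.get(r["UserId"])
        if prev:
            p_country, p_lat, p_lon, p_when = prev
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second logins far apart
            if km > MIN_KM and speed > MAX_KMH:
                alerts.append((r["UserId"], "impossible_travel", f"{p_country}->{country}"))
        last_seen[r["UserId"]] = (country, lat, lon, when)
    return alerts
if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_RECORDS):
        print(alert)
```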

Use Case #4: Auto forwarding set (conditional and unconditional forwarding)

Treat auto forwarding as a potential indicator of account compromise.

Similar to inbox rule creation, an attacker can also set auto forwarding to pass all emails on to an external address. Alert on the event “Set Mailbox Succeeded”; fields such as “DeliverToMailboxAndForward” and “ForwardingSmtpAddress” provide the necessary information.

Ideally, a normal user should not be allowed to set unconditional forwarding. Both conditional and unconditional forwarding need to be monitored and verified to ensure that no account compromise or data exfiltration is being attempted.
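Detection logic for use cases #2 and #4 together, added as an example and not code from the original post: it scans constructed Exchange admin audit records (cmdlet name in Operation, arguments in Parameters) for inbox rules and mailbox settings that forward mail outside the tenant; the internal domain list and sample values are assumptions.

```python
# Constructed records in the shape of Office 365 Unified Audit Log AuditData: Exchange admin
# audit entries carry the cmdlet name in Operation and its arguments in Parameters.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance@external-mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "admin@example.com", "ObjectId": "bob@example.com", "Operation": "Set-Mailbox",
     "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@external-mail.invalid"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule", "ResultStatus": "Succeeded",
     "Parameters": [{"Name": "Identity", "Value": "Team mail"},
                    {"Name": "MoveToFolder", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "dave@example.com"}]},
]
INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Cmdlet parameters that send mail elsewhere (inbox rules and mailbox-level forwarding).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

def parameters(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_external(address, internal=INTERNAL_DOMAINS):
    addr = address.strip().lower()
    if addr.startswith("smtp:"):       # ForwardingSmtpAddress values carry an smtp: prefix
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal

def find_forwarding_alerts(records, internal=INTERNAL_DOMAINS):
    """Return (mailbox, operation, parameter, value) for external forwarding and mail deletion."""
    alerts = []
    for r in records:
        op = r.get("Operation")
        if r.get("ResultStatus") != "Succeeded" or (op not in RULE_OPS and op != "Set-Mailbox"):
            continue
        params = parameters(r)
        # Set-Mailbox is run by an admin on someone else's mailbox: ObjectId names the target.
        mailbox = r.get("ObjectId", r["UserId"]) if op == "Set-Mailbox" else r["UserId"]
        for name in sorted(FORWARDING_PARAMS & set(params)):
            for addr in params[name].split(";"):     # multiple recipients are ';'-separated here
                if is_external(addr, internal):
                    alerts.append((mailbox, op, name, addr.strip()))
        if op in RULE_OPS and params.get("DeleteMessage") == "True":
            alerts.append((mailbox, op, "DeleteMessage", "True"))
    return alerts
```

Carol's rule is left alone because it only moves mail and forwards to an internal address; a rule that deletes messages is reported even without forwarding, since it hides the attacker's traffic from the user.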

Use Case #5: OneDrive/SharePoint - Monitor files with external sharing set to all

To evade AV detection, attackers may also use SharePoint Online to host malicious files and share the link in a phishing email. To monitor this, look for the file permission change event in the O365 logs and check the External Sharing field. Microsoft recommends using a separate site for content that requires external sharing; that way you can easily keep track of files that are being shared and accessed externally.

Use Case #6: OneDrive/SharePoint suspicious file detection

OneDrive, which uses SharePoint Online as its backend, also has an antivirus engine that scans files. It flags suspicious files under the event “File Malware Detected”, which you can alert on and investigate. It is also recommended that you back up only known file types to OneDrive to avoid contamination.

The race between compromise and detection is never-ending. It is, however, important to minimize the gap between the time an account is compromised and the time the compromise is detected. The use cases above add another layer of detection, rather than relying on traditional signature-based detection alone.

For further recommendations and for tips for staying safe online, contact a member of our team here.
