Notes from the Field

Hook, Line and Sinker. Phishing and Office 365 Account Compromise

by Eleanor Barlow • Feb 2020

Phishing: What are the important Office 365 logs to examine?

Even the most hardened information systems are susceptible to a slick con artist. The art of deception employed in a well-crafted phishing email has the potential to dupe us all. In fact, few of us are truly immune to this threat.

Obviously, there are ways to make yourself less of a target. Elements such as multifactor authentication, security awareness and email spam filters add additional layers of protection. But our interest here is to highlight some of the Office 365 logs which point towards an account compromise.

Microsoft Office 365 cloud service logs are rich in content and provide everything you need to build the following basic use cases. Since phishing remains one of the leading threats, failing to monitor these events leaves you blind to the risk.

Use Case #1: Mailbox login activity from unusual geo location

Do you expect your users to log in from Afghanistan or the Congo? Probably not. So, here is what to look for in 3 simple steps!

  1. Check for the event “MailboxLogin Succeeded” in the O365 logs.
  2. Baseline normal login geolocations.
  3. Flag, monitor and investigate any sign-in attempt from an unusual location.

Use Case #2: Inbox rule creation

Once an attacker gains access to a mailbox, adding and modifying inbox rules becomes easy, and an attacker can use this to their advantage: moving emails to a particular folder, forwarding them to another email address, or even starting an application. Auditing inbox rules is a must; remember to ensure that it is enabled for all mailboxes. You can check for the events “New InboxRule Succeeded” and “Set InboxRule Succeeded” in the O365 audit logs.

Use Case #3: More than one source geolocation IP login in a day

Can you travel from Cardiff to Cape Town in 2 hours? Look for impossible travel logins.

If a user logs in from multiple locations in a day, an alert should be raised and an investigation conducted. With some fine-tuning around this alert, the use case has real potential to detect user account compromise.

Use Case #4: Auto forwarding set (conditional and unconditional forwarding)

Treat auto forwarding as a potential indicator of account compromise.

Similar to inbox rule creation, an attacker can also set auto forwarding to pass all emails on to an external address. In response, the event “Set Mailbox Succeeded” should be alerted on, and fields such as “DeliverToMailboxAndForward” and “ForwardingSmtpAddress” provide the necessary information.

Ideally, a normal user should not be allowed to set unconditional forwarding. Both conditional and unconditional forwarding need to be monitored and verified to ensure that no account compromise or data exfiltration is being attempted.
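As an added example (not code from the original post), the following Python applies Use Cases #2 and #4 to exported audit records. It assumes the Unified Audit Log AuditData JSON layout (an Operation field plus a Parameters list of Name/Value pairs), treats contoso.com as the organisation's own domain, and uses constructed sample records rather than real tenant data.

```python
"""Flag risky inbox-rule and mailbox-forwarding changes in O365 Unified Audit Log records."""
import json
import re

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the organisation's own accepted domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that send mail elsewhere: inbox-rule actions plus the Set-Mailbox forwarding fields
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # address inside 'smtp:x' or '"Name" [SMTP:x]'

def params(record):
    """Flatten the AuditData 'Parameters' list of {Name, Value} pairs into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def check_record(record):
    """Return finding strings for one audit record; an empty list means nothing to alert on."""
    if str(record.get("ResultStatus")) not in ("True", "Succeeded"):  # only successful changes matter
        return []
    op, p, user, findings = record.get("Operation"), params(record), record.get("UserId", "?"), []
    if op not in RULE_OPS and op != "Set-Mailbox":
        return findings
    for name in sorted(FORWARD_PARAMS.intersection(p)):
        for addr in EMAIL_RE.findall(p[name]):
            if is_external(addr):
                findings.append(f"{user}: {op} sets {name} to external address {addr}")
    if op == "Set-Mailbox" and p.get("DeliverToMailboxAndForward") == "True":
        findings.append(f"{user}: Set-Mailbox keeps a copy (DeliverToMailboxAndForward=True), so the owner notices nothing")
    if op in RULE_OPS and p.get("DeleteMessage") == "True" and FORWARD_PARAMS.intersection(p):
        findings.append(f"{user}: {op} forwards and then deletes, hiding the forwarded mail from the owner")
    return findings

def scan(lines):
    """Scan newline-delimited AuditData JSON (e.g. exported from Search-UnifiedAuditLog) for findings."""
    return [f for line in lines if line.strip() for f in check_record(json.loads(line))]

# Constructed sample records in the AuditData layout; not real tenant data.
SAMPLE_LOG = [
    '{"CreationTime":"2020-02-10T08:14:22","Operation":"New-InboxRule","ResultStatus":"True","UserId":"alice@contoso.com","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"MoveToFolder","Value":"Invoices"}]}',
    '{"CreationTime":"2020-02-10T08:16:05","Operation":"New-InboxRule","ResultStatus":"True","UserId":"alice@contoso.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\\"Archive\\" [SMTP:archive@example.net]"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2020-02-10T08:20:41","Operation":"Set-Mailbox","ResultStatus":"True","UserId":"alice@contoso.com","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:payroll@example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2020-02-10T08:22:00","Operation":"Set-InboxRule","ResultStatus":"False","UserId":"bob@contoso.com","Parameters":[{"Name":"ForwardTo","Value":"bob.home@example.net"}]}',
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

The benign rule (move to a folder) and the failed change produce no findings; the external forward with delete and the mailbox-level forward each produce two.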

Use Case #5: OneDrive/SharePoint – Monitor files with external sharing set to all

To evade AV detection, attackers may also use SharePoint Online to store malicious files and share the link in a phishing email. To monitor this, look for the file permission change events in the O365 logs and check the External Sharing field. Microsoft recommends using a separate site for content that requires external sharing; that way you can easily keep track of files that are being shared and accessed externally.

Use Case #6: OneDrive/SharePoint suspicious file detection

OneDrive, which uses SharePoint Online as a backend, also has an antivirus engine that scans files. It flags suspicious files under the event “File Malware Detected”, which you can alert on and investigate. It is also recommended that you back up only known file types to OneDrive to avoid contamination.

The race between compromise and detection is never-ending. What matters is minimizing the time between the moment an account is compromised and the moment the compromise is detected. With the above use cases, we can implement another layer of detection rather than relying on traditional signature-based detection alone.

For further recommendations and for tips for staying safe online, contact a member of our team here.