The top 10 signs that Office 365 and Azure have been compromised
As more systems move to the cloud the threat landscape becomes more complex and detecting events that require urgent attention is more difficult.
Many businesses are turning to AI to help and threat detection specialist Vectra AI has released a new report focusing on the top 10 threat detections seen across Microsoft Azure AD and Office 365 environments.
Issues include risky O365 Exchange operations that may indicate an attacker is manipulating Exchange to gain access to specific data or further attack progression. Abnormal Azure AD operations that may indicate attackers are escalating privileges and performing admin-level operations after regular account takeover. And O365 accounts seen downloading an unusual number of objects which may indicate an attacker is using SharePoint or OneDrive download functions to exfiltrate data.
"Topping the list of threats detected were risky Exchange operations in Office 365," Tim Wade, technical director for the CTO team at Vectra says. "If security teams are unable to detect such operations, an attacker may be able to gain access to sensitive information contained within email. This could lead to intellectual property or sensitive data being stolen. If attackers can manipulate Exchange, they can access information contained in email, siphon off information by forwarding emails externally, or even trigger the execution of scripts which can help them move laterally or siphon off data."
Other issues include suspicious sharing activity, external Teams access and suspicious mail forwarding. All of which could point to attacker activity.
Wade adds, "As more organizations shift from traditional on-premises Active Directory to Azure AD, it becomes increasingly important that security pros have visibility into suspicious behavior. If security teams can spot the subtle behaviors that indicate an attack is in progress, they have an opportunity to halt the adversary in their tracks. If however the security team cannot detect suspicious operations in their Azure AD environment, an attacker may take advantage of the ability to escalate privileges or take over user accounts to get to valuable data or disrupt critical cloud services."
You can read more and get a full copy of the report with all 10 indicators on the Vectra blog.