Office 365 / Outlook
Detection Rules for Office 365 / Outlook
App: Office 365 | MITRE Tactic | MITRE Technique | Criticality
---|---|---|---
Suspicious login activity | Initial Access, Credential Access | T1078: Valid Accounts, T1110: Brute Force | High
Unusual Email Forwarding | Persistence, Collection, Exfiltration | T1114.003: Email Collection: Email Forwarding Rule, T1098: Account Manipulation | High
Suspicious Attachment or URL | Initial Access, Execution, Command and Control | T1566: Phishing, T1204: User Execution, T1105: Ingress Tool Transfer | Critical
Privileged Account Activity | Privilege Escalation, Persistence | T1098: Account Manipulation, T1078: Valid Accounts | Critical
Unusual IP Access | Defense Evasion, Initial Access | T1078: Valid Accounts, T1133: External Remote Services | High
Phishing Campaign Detection | Initial Access, Execution | T1566: Phishing, T1204: User Execution | Critical
Mass Email Deletion | Impact, Defense Evasion | T1070: Indicator Removal (T1070.008: Clear Mailbox Data), T1485: Data Destruction | Medium
Rule Change Monitoring | Persistence, Defense Evasion | T1564.008: Hide Artifacts: Email Hiding Rules, T1098: Account Manipulation, T1078: Valid Accounts | High
Admin Activities Outside Working Hours | Privilege Escalation, Defense Evasion | T1078: Valid Accounts, T1098: Account Manipulation | Medium
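The "Suspicious login activity" and "Unusual IP Access" rules above are usually built on the Entra ID sign-in log. The following is an added example (not code from the original page) that runs two of those detections, a password spray from one source IP and impossible travel for one user, over constructed records shaped like items from the Microsoft Graph `/auditLogs/signIns` endpoint. The tenant domain `contoso.example`, the sample records, the 900 km/h speed ceiling and the 3-accounts-in-10-minutes spray threshold are all assumptions chosen for the example.

```python
"""Sign-in analytics for the Suspicious login activity / Unusual IP Access rules,
run over constructed records shaped like Microsoft Graph signIn resources
(only the fields used here).  Added example; all sample data is constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ERR_BAD_CREDS = 50126   # Entra ID: invalid username or password; 0 = success


def _geo(country, lat, lon):
    return {"countryOrRegion": country, "geoCoordinates": {"latitude": lat, "longitude": lon}}


SIGN_INS = [  # constructed sample records (tenant domain is an assumption)
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0},
     "location": _geo("GB", 51.5074, -0.1278)},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-05-01T09:30:00Z", "status": {"errorCode": 0},
     "location": _geo("SG", 1.3521, 103.8198)},
    # one IP fails against three accounts, then succeeds for the third
    *[{"userPrincipalName": f"{u}@contoso.example", "ipAddress": "192.0.2.55",
       "createdDateTime": f"2024-05-01T10:0{i}:00Z", "status": {"errorCode": ERR_BAD_CREDS},
       "location": _geo("NL", 52.3676, 4.9041)}
      for i, u in enumerate(("bob", "carol", "dave"))],
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "192.0.2.55",
     "createdDateTime": "2024-05-01T10:05:00Z", "status": {"errorCode": 0},
     "location": _geo("NL", 52.3676, 4.9041)},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(records, max_speed_kmh: float = 900.0):
    """Flag consecutive successful sign-ins by one user whose implied ground
    speed exceeds max_speed_kmh (faster than a scheduled flight)."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == 0 and (r.get("location") or {}).get("geoCoordinates"):
            by_user[r["userPrincipalName"]].append(r)
    alerts = []
    for upn, evs in by_user.items():
        evs.sort(key=lambda r: r["createdDateTime"])
        for prev, cur in zip(evs, evs[1:]):
            p, c = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(p["latitude"], p["longitude"], c["latitude"], c["longitude"])
            hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": upn, "from": prev["location"]["countryOrRegion"],
                               "to": cur["location"]["countryOrRegion"],
                               "km": round(km), "kmh": round(speed), "severity": "high"})
    return alerts


def password_spray(records, window=timedelta(minutes=10), min_users: int = 3):
    """One source IP failing with bad credentials against >= min_users distinct
    accounts inside `window`; escalate if the same IP then succeeds for anyone."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_ip[r["ipAddress"]].append(r)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [r for r in evs if r["status"]["errorCode"] == ERR_BAD_CREDS]
        for i, first in enumerate(fails):
            t0 = parse_ts(first["createdDateTime"])
            in_win = [r for r in fails[i:] if parse_ts(r["createdDateTime"]) - t0 <= window]
            users = {r["userPrincipalName"] for r in in_win}
            if len(users) >= min_users:
                t_end = parse_ts(in_win[-1]["createdDateTime"])
                won = sorted({r["userPrincipalName"] for r in evs
                              if r["status"]["errorCode"] == 0 and parse_ts(r["createdDateTime"]) >= t_end})
                alerts.append({"ip": ip, "targets": sorted(users), "compromised": won,
                               "severity": "critical" if won else "high"})
                break   # one alert per IP is enough; the SOC gets the target list
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS) + password_spray(SIGN_INS):
        print(a)
```

The spray detector keys on the source IP rather than on the account, which is what separates a spray (few guesses per account, many accounts) from the per-account lockout counters most tenants already have; the success-after-failures check is what lifts the alert from High to Critical in the table above. In production, replace the constant speed ceiling with per-user baselines and treat geo-coordinates from a GeoIP service as approximate.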
APIs and Scopes
App: Office 365 | API | API Scope(s)
---|---|---
Suspicious login activity | Microsoft Graph API, GeoIP Lookup API, IP Reputation APIs | User.Read.All, AuditLog.Read.All, Directory.Read.All
Unusual Email Forwarding | Microsoft Graph API, VirusTotal API, Reverse DNS Lookup API | Mail.ReadWrite, MailboxSettings.ReadWrite
Suspicious Attachment or URL | VirusTotal API, Google Safe Browsing API, Microsoft Graph API | VirusTotal API key (public API), Google Safe Browsing API key, Mail.Read / Mail.ReadWrite (Graph)
Privileged Account Activity | Microsoft Graph API, IP Reputation APIs | User.ReadWrite.All, AuditLog.Read.All
Unusual IP Access | Microsoft Graph API, IP Reputation APIs, GeoIP Lookup API | AuditLog.Read.All, User.Read.All
Phishing Campaign Detection | Microsoft Graph API, VirusTotal API, Microsoft Graph Security API | Mail.Read, Mail.ReadWrite, SecurityEvents.Read.All, VirusTotal API key
Mass Email Deletion | Microsoft Graph API | Mail.ReadWrite, AuditLog.Read.All
Rule Change Monitoring | Microsoft Graph API | MailboxSettings.ReadWrite, Mail.ReadWrite
Admin Activities Outside Working Hours | Microsoft Graph API | AuditLog.Read.All, User.Read.All

Two caveats on the scopes listed. First, a detection pipeline only reads; grant it the read-only variants (Mail.Read, MailboxSettings.Read, User.Read.All) rather than Mail.ReadWrite, MailboxSettings.ReadWrite or User.ReadWrite.All, so that a compromised monitoring credential cannot itself create forwarding rules or alter accounts. MailboxSettings.Read is enough to enumerate inbox rules (the messageRules collection) and their forwardTo/redirectTo actions. Second, AuditLog.Read.All covers the Entra ID sign-in and directory audit logs exposed by Graph; mailbox-level events such as New-InboxRule, Set-InboxRule, Set-Mailbox, SoftDelete and HardDelete live in the Unified Audit Log, which is read through the Office 365 Management Activity API (ActivityFeed.Read) or Search-UnifiedAuditLog in Exchange Online PowerShell, and requires mailbox auditing to be enabled.
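The "Unusual Email Forwarding", "Rule Change Monitoring" and "Mass Email Deletion" rules are all evaluated over the Unified Audit Log records mentioned above. The following is an added example (not code from the original page) that applies those three rules to constructed records shaped like the AuditData JSON those records carry: it catches inbox rules and mailbox settings that forward outside the tenant, the "hidden rule" pattern attackers use to suppress replies (delete, mark read, or file matching mail into an unused folder), and bulk deletions summed over a sliding window. The tenant domain `contoso.example`, the folder list, the short-rule-name heuristic, the 100-items-in-30-minutes threshold and the sample records are assumptions made for the example.

```python
"""Exchange audit detections for the Unusual Email Forwarding, Rule Change
Monitoring and Mass Email Deletion rules, over constructed records shaped like
Unified Audit Log AuditData (Office 365 Management Activity API /
Search-UnifiedAuditLog).  Added example; all sample data is constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}            # assumption: tenant accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Archive",
                "Conversation History"}           # folders people rarely open
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

AUDIT = [  # constructed sample records
    {"CreationTime": "2024-05-01T10:12:00", "Operation": "New-InboxRule",
     "UserId": "dave@contoso.example", "ClientIP": "192.0.2.55", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "ForwardTo", "Value": "finance-backup@gmail.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "Set-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10", "Parameters": [
         {"Name": "Name", "Value": "Team updates"},
         {"Name": "RedirectTo", "Value": "team@contoso.example"},
         {"Name": "MoveToFolder", "Value": "Projects"}]},
    *[{"CreationTime": f"2024-05-01T12:{m:02d}:00", "Operation": "HardDelete",
       "UserId": "dave@contoso.example", "ClientIP": "192.0.2.55",
       "AffectedItems": [{"Subject": f"msg {m}-{k}"} for k in range(40)]}
      for m in range(5)],
]


def _params(rec) -> dict:
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def _addresses(value) -> list:
    """SMTP addresses in a parameter value; values may hold several recipients
    separated by ';' and may carry an 'smtp:' prefix."""
    return EMAIL_RE.findall(str(value).lower())


def inbox_rule_alerts(records):
    alerts = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        p = _params(r)
        external = sorted({a for name in FORWARD_PARAMS.intersection(p)
                           for a in _addresses(p[name])
                           if a.split("@")[1] not in INTERNAL_DOMAINS})
        hiding = [k for k in ("DeleteMessage", "MarkAsRead") if p.get(k) == "True"]
        if p.get("MoveToFolder") in HIDE_FOLDERS:
            hiding.append(f"MoveToFolder={p['MoveToFolder']}")
        reasons = []
        if external:                                              # T1114.003
            reasons.append(f"forwards to external recipients {external}")
        if hiding and ("SubjectContainsWords" in p or "FromAddressContainsWords" in p):
            reasons.append(f"hides matching mail via {hiding}")   # T1564.008
        if len(p.get("Name", "")) <= 2:                           # heuristic (assumption)
            reasons.append("rule name is one or two characters")
        if reasons:
            alerts.append({"user": r["UserId"], "op": r["Operation"], "ip": r.get("ClientIP"),
                           "external": external, "severity": "high" if external else "medium",
                           "reasons": reasons})
    return alerts


def mass_deletion_alerts(records, window=timedelta(minutes=30), threshold: int = 100):
    """Sum deleted items per user over a sliding window; alert on first crossing."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] in DELETE_OPS:
            by_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]),
                                         len(r.get("AffectedItems", [])), r["Operation"]))
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            total = sum(n for _, n, _ in evs[start:end + 1])
            if total >= threshold:
                alerts.append({"user": user, "items": total,
                               "ops": sorted({op for _, _, op in evs[start:end + 1]}),
                               "window_start": evs[start][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in inbox_rule_alerts(AUDIT) + mass_deletion_alerts(AUDIT):
        print(a)
```

Set-Mailbox with ForwardingSmtpAddress is included deliberately: mailbox-level forwarding never appears as an inbox rule, so a detector that only parses New-InboxRule misses it. Bulk deletes also happen legitimately (emptying Deleted Items, retention jobs), so in practice the threshold should be set per user against a baseline and correlated with the sign-in alerts above before it is escalated.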
Reports and Widgets for CISO
App: Office 365 | Widgets | Description
---|---|---
Suspicious Login Activity | Geo-location Map; Login Attempts Timeline; User Login Trends | Visualizes suspicious login activities by geographic location and tracks abnormal login attempts.
Email Forwarding Rule Changes | List of New Forwarding Rules; Rule Change Timeline; Rule Change Comparison | Provides visibility into email forwarding rule changes and helps identify potential exfiltration risks.
Suspicious Attachments and URLs | Malicious Attachments Detected; Phishing URL Trends; Attachment Type Breakdown | Shows trends of suspicious attachments and URLs, highlighting high-risk phishing or malware attempts.
Privileged Account Activity | Privileged Account Activity Summary; Recent Privilege Escalations; Top Users with Elevated Privileges | Highlights abnormal or unauthorized activities by privileged accounts to identify potential misuse.
Unusual IP Access Report | Geo-location of IPs; IP Reputation Scores; Access Attempt Timeline | Provides an overview of unusual IP access, with insights into access frequency and geographic trends.
Phishing Campaign Analysis | Detected Phishing Attempts; Top Phishing Targets; Phishing Domains Detected | Visualizes phishing detection and highlights users and domains frequently involved in phishing attacks.
Mass Email Deletion Monitoring | Users with High Email Deletion Rates; Deletion Timeline; Recovered Emails | Monitors large-scale email deletions that may indicate data destruction or account compromise.
Mailbox Rule Change Monitoring | Rule Change Trend; Top Users with Rule Changes; Rule Types Breakdown | Tracks mailbox rule changes to detect potential misuse of forwarding rules or auto-deletion settings.
Admin Activity Report | Admin Login Trends; Admin Changes to Mailboxes; Admin Activity Geo-location | Helps monitor and audit admin activities, especially those happening outside working hours.