Office 365 / Outlook

Detection Rules for Office 365 / Outlook

Each rule lists the MITRE ATT&CK tactic(s) and technique(s) it maps to, its criticality, the investigation actions (and the APIs they use), and the criteria for turning an alert into an incident.

Rule: Suspicious login activity
  MITRE Tactic: Initial Access, Credential Access
  MITRE Technique: T1078 Valid Accounts; T1110 Brute Force
  Criticality: High
  Investigation Actions (APIs): Use GeoIP lookup APIs to determine whether the login location is unusual for that user. Query IP reputation databases (AbuseIPDB, IPVoid).
  Incident Creation Criteria: Create an incident if the IP address is flagged as malicious, or if multiple unusual logins are detected for the same user.

Rule: Unusual Email Forwarding
  MITRE Tactic: Persistence, Collection
  MITRE Technique: T1098 Account Manipulation; T1114.003 Email Collection: Email Forwarding Rule
  Criticality: High
  Investigation Actions (APIs): Retrieve the new inbox rule via the Microsoft Graph API and extract every recipient of its forwardTo, forwardAsAttachmentTo and redirectTo actions. Use the VirusTotal API to check the destination domains.
  Incident Creation Criteria: Create an incident if the rule forwards or redirects mail to a suspicious or unrecognized external domain.

Rule: Suspicious Attachment or URL
  MITRE Tactic: Execution, Command and Control
  MITRE Technique: T1204 User Execution; T1105 Ingress Tool Transfer
  Criticality: Critical
  Investigation Actions (APIs): Look up the attachment's hash with the VirusTotal API (submit the file itself only if the hash is unknown and the content is not sensitive). Check suspicious URLs with the Google Safe Browsing API.
  Incident Creation Criteria: Create an incident if VirusTotal or the URL scan reports malware, phishing, or another high-risk verdict.

Rule: Privileged Account Activity
  MITRE Tactic: Privilege Escalation, Persistence
  MITRE Technique: T1098 Account Manipulation; T1078 Valid Accounts
  Criticality: Critical
  Investigation Actions (APIs): Review the account's recent activity and role or permission changes via the Microsoft Graph API. Check the IPs of its recent logins against IP reputation services.
  Incident Creation Criteria: Create an incident if the privilege escalation or admin activity is confirmed to be unauthorized.

Rule: Unusual IP Access
  MITRE Tactic: Defense Evasion, Initial Access
  MITRE Technique: T1078 Valid Accounts; T1133 External Remote Services
  Criticality: High
  Investigation Actions (APIs): Query IP reputation services such as AbuseIPDB and IPVoid for the suspicious IP addresses. Cross-check the geolocation via GeoIP APIs.
  Incident Creation Criteria: Create an incident if the IP is flagged as malicious, or if multiple suspicious logins originate from the same IP.

Rule: Phishing Campaign Detection
  MITRE Tactic: Initial Access, Execution
  MITRE Technique: T1566 Phishing; T1204 User Execution
  Criticality: Critical
  Investigation Actions (APIs): Extract sender domains, source IPs, URLs and attachment hashes from the message headers and body and query VirusTotal and other threat-intel APIs for them. Use the Microsoft Graph API to retrieve the messages, analyze the links they contain, and find other recipients of the same campaign.
  Incident Creation Criteria: Create an incident if the email content matches known phishing patterns or VirusTotal flags one of its indicators as phishing.

Rule: Mass Email Deletion
  MITRE Tactic: Impact, Defense Evasion
  MITRE Technique: T1070 Indicator Removal (formerly Indicator Removal on Host); T1485 Data Destruction
  Criticality: Medium
  Investigation Actions (APIs): Use the Microsoft Graph API and the mailbox audit records to check whether a large number of emails were deleted in a short time. Recover the deleted emails (Deleted Items or Recoverable Items) for analysis.
  Incident Creation Criteria: Create an incident if the deletion is confirmed to be malicious or linked to an account compromise.

Rule: Rule Change Monitoring
  MITRE Tactic: Persistence, Privilege Escalation
  MITRE Technique: T1098 Account Manipulation; T1078 Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Investigate mailbox configuration changes using the Microsoft Graph API. Review inbox rules for unusual patterns, such as forwarding to external addresses or deleting and moving messages that match specific keywords.
  Incident Creation Criteria: Create an incident if unauthorized rule changes (e.g., forwarding to external addresses) are detected.

Rule: Admin Activities Outside Working Hours
  MITRE Tactic: Privilege Escalation, Defense Evasion
  MITRE Technique: T1078 Valid Accounts; T1098 Account Manipulation
  Criticality: Medium
  Investigation Actions (APIs): Query the Microsoft Graph API (directory audit logs) for admin activities outside standard working hours, evaluating timestamps in the tenant's local time zone rather than in UTC. Verify whether the activity was pre-scheduled (an approved change window) or otherwise legitimate.
  Incident Creation Criteria: Create an incident if the admin activity is confirmed to be unauthorized or has no valid justification.
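The Unusual Email Forwarding and Rule Change Monitoring rules above describe the forwarding-rule check in prose. The Python below is an added example, not code from the original page or its product, that runs that triage over the JSON Microsoft Graph returns for GET /users/{id}/mailFolders/inbox/messageRules. The rule objects use the real Graph property names (actions.forwardTo, forwardAsAttachmentTo, redirectTo, deleteMessage, moveToFolder, isEnabled); the tenant domain list INTERNAL_DOMAINS, the four sample rules, the "empty or one-character rule name" tell and the critical/high/info severity levels are constructed assumptions.

```python
"""Triage Outlook inbox rules from Microsoft Graph for forwarding-based exfiltration.

Added example; not the product's code. Input shape follows
GET /users/{id}/mailFolders/inbox/messageRules. INTERNAL_DOMAINS and
SAMPLE_RULES are constructed assumptions."""
import json

INTERNAL_DOMAINS = {"contoso.com", "mail.contoso.com"}   # assumption: the tenant's accepted domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed Graph response: one benign rule, one forward-and-hide rule,
# one internal redirect, and one disabled external forward.
SAMPLE_RULES = json.loads(r'''{
  "value": [
    {"id": "r1", "displayName": "Move newsletters", "isEnabled": true,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMkADFolderId"}},
    {"id": "r2", "displayName": ".", "isEnabled": true,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "acct.recv@gmail.com"}}],
                 "deleteMessage": true, "stopProcessingRules": true}},
    {"id": "r3", "displayName": "Cover for Bob", "isEnabled": true,
     "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "bob@contoso.com"}}]}},
    {"id": "r4", "displayName": "Old", "isEnabled": false,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@attacker.example"}}]}}
  ]}''')


def external_recipients(rule, internal=INTERNAL_DOMAINS):
    """Addresses in any forwarding action whose domain is not one of the tenant's."""
    found = []
    actions = rule.get("actions") or {}
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = ((rcpt.get("emailAddress") or {}).get("address") or "").lower()
            domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
            if domain and domain not in internal:
                found.append(addr)
    return found


def triage_rule(rule, internal=INTERNAL_DOMAINS):
    """Apply the incident criteria to one rule; None when it needs no attention."""
    ext = external_recipients(rule, internal)
    if not ext:
        return None                                    # internal-only or no forwarding at all
    actions = rule.get("actions") or {}
    reasons = ["forwards/redirects to external recipient(s): " + ", ".join(ext)]
    hides = bool(actions.get("deleteMessage") or actions.get("moveToFolder"))
    if hides:
        reasons.append("copy is deleted or moved, so the mailbox owner never sees it (forward-and-hide)")
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1:
        reasons.append("rule name is empty or a single character")   # assumption: common attacker tell
    if not rule.get("isEnabled", True):
        severity = "info"        # dormant rule: record it for the analyst, no incident
    elif hides:
        severity = "critical"    # assumption: escalate above the table's High when evidence is hidden
    else:
        severity = "high"        # the table's criterion: external forwarding creates an incident
    return {"rule_id": rule.get("id"), "name": name, "severity": severity,
            "external_recipients": ext, "incident": severity != "info", "reasons": reasons}


def triage_rules(graph_response, internal=INTERNAL_DOMAINS):
    """Triage every rule in a Graph messageRules response; returns only findings."""
    return [f for f in (triage_rule(r, internal) for r in graph_response.get("value", [])) if f]


if __name__ == "__main__":
    for finding in triage_rules(SAMPLE_RULES):
        print(finding)
```

The external-domain test here is a plain allowlist; the table's VirusTotal lookup is the next step for domains that fail it. Note that mailbox-level forwarding (ForwardingSmtpAddress / ForwardingAddress set with Set-Mailbox) is not an inbox rule and does not appear in messageRules, so it has to be checked separately through Exchange Online.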

APIs and Scope

The Graph scopes below are application permissions. Grant the read-only variant unless the playbook actually modifies the mailbox or account, and note that Exchange mailbox audit events (deletions, inbox rule changes) come from the unified audit log (Office 365 Management Activity API or Search-UnifiedAuditLog), not from the Graph directory audit log that AuditLog.Read.All covers.

Rule: Suspicious login activity
  APIs: Microsoft Graph API, GeoIP Lookup API, IP Reputation APIs
  Scopes: User.Read.All, AuditLog.Read.All, Directory.Read.All (Graph)

Rule: Unusual Email Forwarding
  APIs: Microsoft Graph API, VirusTotal API, Reverse DNS Lookup API
  Scopes: Mail.ReadWrite, MailboxSettings.ReadWrite (Graph; MailboxSettings.Read is enough to read inbox rules, ReadWrite is needed only to remove them); VirusTotal API key

Rule: Suspicious Attachment or URL
  APIs: VirusTotal API, Google Safe Browsing API, Microsoft Graph API
  Scopes: VirusTotal API key; Google Safe Browsing API key; Mail.Read, Mail.ReadWrite (Graph)

Rule: Privileged Account Activity
  APIs: Microsoft Graph API, IP Reputation APIs
  Scopes: User.ReadWrite.All, AuditLog.Read.All (Graph; reviewing activity needs only User.Read.All, keep ReadWrite only if the playbook also disables or modifies the account)

Rule: Unusual IP Access
  APIs: Microsoft Graph API, IP Reputation APIs, GeoIP Lookup API
  Scopes: AuditLog.Read.All, User.Read.All (Graph)

Rule: Phishing Campaign Detection
  APIs: Microsoft Graph API, VirusTotal API, Microsoft Graph Security API
  Scopes: Mail.Read, Mail.ReadWrite (Graph; ReadWrite only if messages are moved or quarantined); SecurityEvents.Read.All (Graph Security API); VirusTotal API key

Rule: Mass Email Deletion
  APIs: Microsoft Graph API
  Scopes: Mail.ReadWrite, AuditLog.Read.All (Graph)

Rule: Rule Change Monitoring
  APIs: Microsoft Graph API
  Scopes: MailboxSettings.ReadWrite, Mail.ReadWrite (Graph)

Rule: Admin Activities Outside Working Hours
  APIs: Microsoft Graph API
  Scopes: AuditLog.Read.All, User.Read.All (Graph)
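The Mass Email Deletion and Admin Activities Outside Working Hours rules in the detection table are stated as thresholds in prose. The Python below is an added example, not code from the original page or its product, that runs both over audit records of the shape the Office 365 unified audit log (Management Activity API / Search-UnifiedAuditLog) returns: CreationTime in UTC, Operation, UserId, Workload, ClientIP and, for deletions, AffectedItems. The sample records, the 300-items-in-10-minutes threshold, the fixed EDT offset, the 08:00-18:00 Monday-to-Friday business hours and the change window CHG-0042 are all constructed assumptions.

```python
"""Mass-deletion and after-hours-admin detections over unified audit log records.

Added example; not the product's code. Record shape follows the Office 365
Management Activity API / Search-UnifiedAuditLog JSON. Every record, threshold,
time zone and change window below is a constructed assumption."""
from collections import deque
from datetime import datetime, timedelta, timezone

DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}
ADMIN_OPS = {"Set-Mailbox", "Add-MailboxPermission", "Add-RoleGroupMember",
             "New-TransportRule", "Set-TransportRule"}
TENANT_TZ = timezone(timedelta(hours=-4), "EDT")   # assumption: fixed offset; use zoneinfo in production for DST
BUSINESS_HOURS = (8, 18)                           # assumption: 08:00-18:00 local, Monday to Friday


def parse_time(s):
    """Audit CreationTime is UTC without a zone suffix."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _deletion(ts, user, n):
    """Constructed SoftDelete record with n affected items."""
    return {"CreationTime": ts, "UserId": user, "Operation": "SoftDelete",
            "Workload": "Exchange", "ClientIP": "203.0.113.7",
            "AffectedItems": [{"Id": f"{user}-{ts}-{k}"} for k in range(n)]}


SAMPLE_EVENTS = [                                   # constructed
    _deletion("2024-03-12T09:00:00", "alice@contoso.com", 150),
    _deletion("2024-03-12T09:04:00", "alice@contoso.com", 150),
    _deletion("2024-03-12T09:08:00", "alice@contoso.com", 150),
    _deletion("2024-03-12T09:30:00", "alice@contoso.com", 20),
    _deletion("2024-03-12T11:00:00", "bob@contoso.com", 50),
    {"CreationTime": "2024-03-12T02:10:00", "UserId": "admin@contoso.com",
     "Operation": "Add-MailboxPermission", "Workload": "Exchange", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-03-12T14:05:00", "UserId": "admin@contoso.com",
     "Operation": "Set-Mailbox", "Workload": "Exchange", "ClientIP": "198.51.100.4"},
    {"CreationTime": "2024-03-13T03:00:00", "UserId": "admin@contoso.com",
     "Operation": "Set-Mailbox", "Workload": "Exchange", "ClientIP": "198.51.100.4"},
]
# Constructed approved change windows: (UTC start, UTC end, ticket id).
CHANGE_WINDOWS = [(parse_time("2024-03-13T02:00:00"), parse_time("2024-03-13T04:00:00"), "CHG-0042")]


def mass_deletions(events, window=timedelta(minutes=10), threshold=300):
    """Sliding-window count of deleted items per user.
    Returns {user: peak items inside any one window} for users at or above threshold."""
    state = {}
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] not in DELETE_OPS:
            continue
        t = parse_time(ev["CreationTime"])
        n = len(ev.get("AffectedItems") or []) or 1      # a record without item list counts as one
        st = state.setdefault(ev["UserId"], {"q": deque(), "sum": 0, "peak": 0})
        st["q"].append((t, n))
        st["sum"] += n
        while t - st["q"][0][0] > window:                 # evict events older than the window
            _, old = st["q"].popleft()
            st["sum"] -= old
        st["peak"] = max(st["peak"], st["sum"])
    return {u: st["peak"] for u, st in state.items() if st["peak"] >= threshold}


def after_hours_admin(events, tz=TENANT_TZ, hours=BUSINESS_HOURS, windows=CHANGE_WINDOWS):
    """Flag admin operations outside business hours (evaluated in the tenant's local time).
    An event inside an approved change window is kept for the record but creates no incident."""
    findings = []
    for ev in events:
        if ev["Operation"] not in ADMIN_OPS:
            continue
        t = parse_time(ev["CreationTime"])
        local = t.astimezone(tz)
        if local.weekday() < 5 and hours[0] <= local.hour < hours[1]:
            continue                                      # inside working hours
        ticket = next((cid for start, end, cid in windows if start <= t <= end), None)
        findings.append({"user": ev["UserId"], "operation": ev["Operation"],
                         "client_ip": ev.get("ClientIP"), "local_time": local.isoformat(),
                         "change_ticket": ticket, "incident": ticket is None})
    return findings


if __name__ == "__main__":
    print(mass_deletions(SAMPLE_EVENTS))
    for f in after_hours_admin(SAMPLE_EVENTS):
        print(f)
```

The deletion check counts items, not records, because one bulk delete from a client produces a single SoftDelete record with many AffectedItems. The time-zone conversion matters for the after-hours rule: the 02:10 UTC Add-MailboxPermission is 22:10 local, so it is flagged, while the 14:05 UTC Set-Mailbox is mid-morning and is not.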

Reports and Widgets for CISO

Report: Suspicious Login Activity
  Widgets: Geo-location Map; Login Attempts Timeline; User Login Trends
  Description: Visualizes suspicious login activity by geographic location and tracks abnormal login attempts.

Report: Email Forwarding Rule Changes
  Widgets: List of New Forwarding Rules; Rule Change Timeline; Rule Change Comparison
  Description: Provides visibility into email forwarding rule changes and helps identify potential exfiltration risks.

Report: Suspicious Attachments and URLs
  Widgets: Malicious Attachments Detected; Phishing URL Trends; Attachment Type Breakdown
  Description: Shows trends of suspicious attachments and URLs, highlighting high-risk phishing or malware attempts.

Report: Privileged Account Activity
  Widgets: Privileged Account Activity Summary; Recent Privilege Escalations; Top Users with Elevated Privileges
  Description: Highlights abnormal or unauthorized activities by privileged accounts to identify potential misuse.

Report: Unusual IP Access Report
  Widgets: Geo-location of IPs; IP Reputation Scores; Access Attempt Timeline
  Description: Provides an overview of unusual IP access, with insights into access frequency and geographic trends.

Report: Phishing Campaign Analysis
  Widgets: Detected Phishing Attempts; Top Phishing Targets; Phishing Domains Detected
  Description: Visualizes phishing detection and highlights the users and domains most frequently involved in phishing attacks.

Report: Mass Email Deletion Monitoring
  Widgets: Users with High Email Deletion Rates; Deletion Timeline; Recovered Emails
  Description: Monitors large-scale email deletions that may indicate data destruction or account compromise.

Report: Mailbox Rule Change Monitoring
  Widgets: Rule Change Trend; Top Users with Rule Changes; Rule Types Breakdown
  Description: Tracks mailbox rule changes to detect potential misuse of forwarding rules or auto-deletion settings.

Report: Admin Activity Report
  Widgets: Admin Login Trends; Admin Changes to Mailboxes; Admin Activity Geo-location
  Description: Helps monitor and audit admin activities, especially those happening outside working hours.