Share on:

Over one million organizations use Microsoft 365, making it one of the most widely used cloud productivity suites. 

But its popularity — as well as the valuable data that is stored within those environments — makes it an appealing target for cybercrime. In fact, adversaries attack Microsoft 365 more than any other software environment, according to Statista.

For smaller or under-resourced IT teams, detecting and responding to Microsoft 365 threats may not take priority over juggling day-to-day IT tasks and keeping your environment up and running. Plus, detection and response platforms can be too costly. 

Fortunately, Blumira offers a free SIEM with detection and response for Microsoft 365 environments that includes a wide range of pre-tuned detections. Here are eight of our favorites: 

  • Impossible Travel Activity

Impossible travel detections track information such as GPS address, IP address, or user’s device to pinpoint users’ location and determine whether a behavior was physically possible. If not, it could indicate that an adversary is attempting to infiltrate an environment.

For example, if a user logs into Microsoft 365 to check email in New York and then downloads a OneDrive file in Poland an hour later, that would be considered impossible travel; it’s physically impossible to get from New York to Poland in that span of time.

  • Mass download

A user downloading or accessing a massive amount of files in a short span of time could be a legitimate action — or it could be a sign of data exfiltration. Data exfiltration, or data theft, is often one of the last stages of a ransomware attack, as threat actors threaten to publish sensitive information if a victim doesn’t pay the ransom.

Some sites mass download files to infect a computer with a virus or force harmful scripts to download without user knowledge or permission, which is another reason why it’s important to detect mass downloads. 

  • Malware campaign detected in SharePoint and OneDrive

SharePoint and OneDrive are common targets of malware within the Microsoft product suite; in October 2022, Bitdefender researchers discovered a cryptojacking campaign that takes advantage of a OneDrive sideloading vulnerability, as just one example. And an Office 365 flaw discovered by Proofpoint allows ransomware to encrypt SharePoint and OneDrive files — and potentially permanently. 

Unfortunately, Microsoft doesn’t have the best reputation when it comes to removing malware from its products. In fact, the vendor has the worst reaction time (29 days) of the top ten sites that host the most malware URLs, according to URLhaus. Detecting malware campaigns in SharePoint and OneDrive is particularly crucial.

  • Suspicious inbox rule creation

Suspicious inbox rules can be a sign of a business email compromise (BEC) attack, and Microsoft is one of the top brands impersonated in BEC attacks, according to Abnormal Security.

Once an attacker gains access to a victim’s email, they will often create inbox rules, like email forwarding, to copy in- and outgoing emails, with the goal of guaranteeing access even if the credentials are changed. The threat actor could also be attempting to monitor a user’s account and gather intelligence to use later in a broader attack.

  • Unusual external user file activity

This detection generates an alert when a user outside of your organization with access to SharePoint or OneDrive performs unusual activity. This activity could include accessing, downloading or deleting an unusual amount of files. 

Detecting unusual file activity helps protect your organization against data theft, ransomware, and other malicious behavior.

  • Suspicious email sending patterns detected

Suspicious email sending patterns, like sending out massive amounts of email, can be an early indicator of a compromised account. When this alert is triggered, the user is at risk of Microsoft restricting them from sending email.

Although legitimate behavior can sometimes trigger this detection, it’s important to detect this activity and check whether the user account is compromised.

A study from Hornetsecurity found that one out of every four IT professionals either aren’t aware or don’t believe that Microsoft 365 can be affected by a ransomware attack. However, Microsoft 365 is a common entry point for ransomware threat actors, as well as a way to help ransomware spread throughout the organization. 

Signs of ransomware can include turning off services, deleting logs and files, stopping processes, and modifying boot settings. With so many indicators of compromise and a variety of techniques from sophisticated attackers, this detection is particularly useful because it encompasses a wide range of tactics. 

  • Activity from infrequent country

This detection uses machine learning and behavioral analytics to generate a profile of your organization, and then alerts when activity occurs from a location that users within the organization didn’t recently visit, or never visited.

Similar to impossible travel, monitoring activity from an infrequent country can help prevent attacks from foreign threat actors.  

Detect Microsoft 365 Threats For Free With Blumira

These detections are just a sliver of what you’ll get when you sign up for Blumira’s Free Edition — the industry’s only free threat detection and response platform for Microsoft 365 environments.

Here’s the value of what you get for free:

  • Security monitoring for Microsoft 365, with unlimited users and data (no special licensing required)
  • Easy, guided setup with Cloud Connectors that takes only minutes
  • Detection rules automatically rolled out to your account, fine-tuned to filter out the noise
  • Summary dashboard of key findings and security reports
  • Playbooks with each finding to guide you through response steps
  • 14 days of log data retention – upgrade for up to one year

Sign up for your free account to take advantage of these Microsoft 365 detections and more.

Security news and stories right to your inbox!