Alert fatigue and the overwhelming amount of data spit out by most security tools can derail your best efforts to effectively detect and respond to security threats. Blumira takes a radically different approach to defensive security to focus on what’s critical and urgent, and less on sending you tons of noisy alerts – resulting in better security outcomes for your organization.
We keep our platform up to date by creating, testing and releasing new detection rules every two weeks based on threat-based research and observed attack patterns. Our approach in surfacing meaningful, actionable findings is intentionally different in an industry overloaded with notifications that often lack context, making it difficult for non-security experts to manage both IT and security for their organizations.
Automating Manual Security Tasks For Your IT Team
Blumira’s platform is designed to be easy to use and manage, streamlining security operations and improving your time to remediation through guided response. We do the heavy lifting for you to make security as easy as possible for your IT team.
Our incident detection engineering (IDE) team strives to:
- Create actionable intelligence while automating level 1 SOC (security operations center) duties into alert analyses and workflows
- Test every detection rule in lab environments, tuning it for noisy false positives before rolling it out to our platform to reduce alert fatigue
- Consolidate all correlated logs and evidence under open findings instead of opening multiple findings, to significantly reduce alert volume and give additional context for repeat alerts
- Prioritize every finding automatically by different threat levels to make sure Priority 1 Threat alerts get the attention they deserve
Here’s a summary of a few of the latest Microsoft 365 detections we’ve added, mapped to different MITRE ATT&CK tactics:
In the privilege escalation tactic, a threat actor is trying to gain higher-level permissions on your system or network. They may do so by trying to take advantage of system weaknesses, misconfigurations and vulnerabilities (MITRE).
Elevation of Exchange Admin Privilege
In this detection, we notify you when a user account has been assigned administrative permissions in your Exchange Online organization. One example is when a user is added to the Organization Management role group in Exchange Online.
While this could be a legitimate action, threat actors can also use this tactic to gain higher-level permissions on your system. Blumira surfaces this finding and walks you through next steps to take for response.
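As an added illustration (not Blumira's detection logic and not code from this page), the sketch below scans Exchange admin audit records for Add-RoleGroupMember events that target the Organization Management role group and consolidates repeats into one finding per member. The field names follow the Microsoft 365 unified audit log layout; the sample records, addresses and function names are constructed for the example.

```python
from collections import defaultdict

# Role groups to watch; "Organization Management" is the example named above.
WATCHED_ROLE_GROUPS = {"organization management"}

# Constructed sample records in the unified audit log's Exchange admin shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-10T09:15:02", "Workload": "Exchange",
     "Operation": "Add-RoleGroupMember", "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Organization Management"},
                    {"Name": "Member", "Value": "jdoe@example.com"}]},
    {"CreationTime": "2024-01-10T09:20:11", "Workload": "Exchange",
     "Operation": "Add-RoleGroupMember", "UserId": "helpdesk@example.com",
     "Parameters": [{"Name": "Identity", "Value": "organization management"},
                    {"Name": "Member", "Value": "JDoe@example.com"}]},
    {"CreationTime": "2024-01-10T09:30:45", "Workload": "Exchange",
     "Operation": "Add-RoleGroupMember", "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Help Desk"},
                    {"Name": "Member", "Value": "asmith@example.com"}]},
    {"CreationTime": "2024-01-10T09:31:00", "Workload": "SharePoint",
     "Operation": "FileAccessed", "UserId": "jdoe@example.com"},
]

def _params(record):
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("Parameters") or []}

def find_admin_grants(records, watched=WATCHED_ROLE_GROUPS):
    """Return one finding per (member, role group), with repeats consolidated."""
    grouped = defaultdict(list)
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue
        if rec.get("Operation") != "Add-RoleGroupMember":
            continue
        p = _params(rec)
        group = (p.get("Identity") or "").lower()
        member = (p.get("Member") or "").lower()
        if group in watched and member:
            grouped[(member, group)].append(rec)
    return [
        {"member": member, "role_group": group,
         "actors": sorted({e.get("UserId", "unknown") for e in events}),
         "first_seen": min(e["CreationTime"] for e in events),
         "event_count": len(events)}
        for (member, group), events in sorted(grouped.items())
    ]
```

Each finding lists every account that performed the grant, so a responder can confirm with those administrators whether the change was expected.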
Threat actors use different techniques to steal data from your network, including compressing and encrypting data to avoid detection while removing it through different command and control channels.
File Shared With Personal Email Address
Blumira detects when a user shares a document with an external email address, since this type of activity can expose internal documents and files to external entities and also allow for data exfiltration for malicious purposes.
As a best security practice, we recommend regularly auditing file and share permissions within Microsoft 365 and instructing all employees on the proper protocols and procedures for handling sensitive data.
Execution is when an attacker attempts to run malicious code on a local or remote system. Execution techniques are often paired with other tactics to explore a network, steal data or achieve other similar goals, according to MITRE.
Blumira detects when Microsoft has alerted on a malicious campaign targeting your Microsoft 365 environment. Blumira also detects when a user may have malicious emails in their inbox, due to junk email settings. For organizations with mailboxes in Exchange Online, there’s an email protection feature that can detect and neutralize malicious phishing, spam or malware messages.
Email Sending Limit Exceeded & User Restricted From Sending Email
To help protect against spam, mass-mailing worms and viruses, Microsoft 365 applies email receiving and sending limits. Blumira detects whenever a user exceeds their sending limit, and whenever a user is restricted from sending an email.
Activity From Infrequent Country
Blumira detects activity from an infrequent country in your Microsoft 365 environment. In these cases, we recommend contacting the user(s) to verify that they made both the attempted and the successful logins. It is possible they are authenticating over a VPN or cloud provider as opposed to their credentials being compromised.
It can be hard to tell if one of your users is logging in, or if a threat actor is using legitimate credentials to access your system. By stealing account names and passwords through keylogging and credential dumping, attackers can leverage different techniques to evade detection and create other accounts to help further their attack.
Unusual ISP for an OAuth App
This detection identifies an OAuth app connecting to your cloud application from an ISP that is uncommon for the app. This may indicate that an attacker tried to use a legitimate compromised app to perform malicious activities on your cloud applications. Blumira recommends checking your Microsoft 365 Security & Compliance console or Microsoft's documentation on anomaly detection alerts to learn more.
While many of our detection rules are security-focused, we also notify you of misconfigurations that can lead to security or IT disruptions. Other examples include when we detect a significant decrease in logs being sent from a device, high availability failover, system notifications, license expiration warnings and more.
Fix Incorrect Connector
If your organization has its own email server (also called an on-premises server), you must set up connectors to enable mail flow between Microsoft 365 or Office 365 and your email server. For mail flow to work correctly, you must validate and turn on your connectors as a part of the setup process. See the Microsoft documentation on how to troubleshoot mail flow to learn more.
Additional Microsoft 365 findings released to Blumira’s platform include:
- User requested to release a quarantined message
- Tenant Allow/Block List entry is about to expire
- Malware auto purge failed due to user configuration
- Creation of forwarding/redirect rule
Microsoft 365 Detection and Response Made Easy
With Blumira, we’ve made it fast and easy to achieve advanced visibility, detection, response and reporting capabilities across your Microsoft 365 environment.
Cloud Security in Minutes: With Blumira’s Cloud Connectors, you can set up a cloud SIEM in minutes with pre-tuned detection rules applied automatically to your integration; no additional infrastructure, agent or sensor required. Now available for Microsoft 365, Duo Security and AWS.
“The process of configuring the connector was straightforward – taking only 10 minutes or so.” — Naveed Khan, Ennovo Group (MSP)
Affordable and Accessible to SMBs: Traditional SIEMs have priced out small and medium-sized businesses, proving to be too complex to set up and get operational. Blumira’s cloud SIEM is affordably priced and built for IT teams of any size to easily use. Our teams take care of the parsing, detection rules, tuning, data correlation and more so you can get more security value out of our SIEM with minimal time and effort.
Broad Security Coverage: With many different integrations and detections across on-premises and cloud services, Blumira gives you deeper visibility into third-party applications and correlates data across your endpoint security, identity, cloud infrastructure, firewall and many other solution providers to quickly identify threats and help guide you through response.