Defending Against Rules and Forms Injection

Over the last year, Office 365 security has been tracking an emergent attacker persistence mechanism in the Exchange Online ecosystem. The release of a security research tool called Ruler enables an attacker to install a persistence mechanism once an account has been breached to maintain access even through a password roll. While we haven’t seen…

0

Defending Against Illicit Consent Grants

Problem Overview Office 365 Security has been tracking an emergent threat to customer data in the Office 365 cloud over the last year. This blog post is intended to help IT Administrators of Office 365 organizations detect, monitor, and remediate this threat. In its simplest form, the attack consists of an adversary creating an Azure…

0

Managing asset inventory in Office 365

In Office 365, servers are continuously provisioned and destroyed as the service is upgraded and scaled to meet customer demand. To assess the coverage of our security monitoring and patch management processes, we needed an asset inventory system that met the following criteria: The system must ascertain the current state of the fleet accurate to…


Using Frequency Analysis to Defend Office 365

As security threats evolve, so must defense. In Office 365, we have engineering teams dedicated to building intrusion detection systems that protect customer data against new and existing threats. In this blog, we are talking about a security monitoring challenge of cloud services and our recent attempt to solve it. Let us start with two…


Mitigating Client External Forwarding Rules with Secure Score

Client created rules, that Auto-Forward email from users mailboxes to an external email address, are becoming an increasingly common and fruitful data exfiltration method being used by bad actors today and something we see quite a lot of in the Office 365 Service. There are a lot of legitimate reasons for using rules that externally Auto-Forward email,…

2

Hidden Treasure: Intrusion Detection with ETW (Part 2)

In our last post, we discussed how Event Tracing for Windows (ETW) provides a wealth of knowledge in addition to what’s available from the Windows Security Event Log. While we can gain increased insight into Windows activity, ETW was originally meant as a high-volume debug trace. Without some mechanism for filtering or reducing event volume,…


DNS Intrusion Detection using Dnsflow

In the DNS Intrusion Detection in Office 365 post we introduced strategies implemented in Office 365 to detect anomalous DNS activity. Dnsflow is one of those strategies and involves aggregating DNS data processed by the DNS servers in Office 365. In this post, we discuss detailed benefits, challenges and implementation of Dnsflow. We also discuss how…

0

DNS Intrusion Detection in Office 365

In Office 365, we are committed to protecting our customer’s data. We implement and exercise industry leading security practices to ensure that customer’s data is safe. Intrusion detection is one such security practice which ensures that we are notified about any anomalous activity or behavior on our servers or in our network. We monitor and…

2

Hidden Treasure: Intrusion Detection with ETW (Part 1)

Today’s defenders face an increasing obstacle with information asymmetry. With the advent of in-memory attacks and targeted malware, defenders cannot simply rely on the default event logs provided by Windows. Attackers may make use of process hollowing to hide their code within a seemingly benign process as well as routing their Command & Control traffic…


Defending Office 365 with Graph Analytics

In Office 365, we are continually improving the detection and response systems that safeguard your data. We gather many terabytes of telemetry from our service infrastructure each day and apply real-time and batch analytics to rapidly detect unauthorized access. The same engineers who design and operate the Office 365 service also analyze and act on…