Using Frequency Analysis to Defend Office 365

As security threats evolve, so must defense. In Office 365, we have engineering teams dedicated to building intrusion detection systems that protect customer data against new and existing threats. In this blog, we are talking about a security monitoring challenge of cloud services and our recent attempt to solve it. Let us start with two…


Mitigating Client External Forwarding Rules with Secure Score

Client created rules, that Auto-Forward email from users mailboxes to an external email address, are becoming an increasingly common and fruitful data exfiltration method being used by bad actors today and something we see quite a lot of in the Office 365 Service. There are a lot of legitimate reasons for using rules that externally Auto-Forward email,…

2

Hidden Treasure: Intrusion Detection with ETW (Part 2)

In our last post, we discussed how Event Tracing for Windows (ETW) provides a wealth of knowledge in addition to what’s available from the Windows Security Event Log. While we can gain increased insight into Windows activity, ETW was originally meant as a high-volume debug trace. Without some mechanism for filtering or reducing event volume,…


DNS Intrusion Detection using Dnsflow

In the DNS Intrusion Detection in Office 365 post we introduced strategies implemented in Office 365 to detect anomalous DNS activity. Dnsflow is one of those strategies and involves aggregating DNS data processed by the DNS servers in Office 365. In this post, we discuss detailed benefits, challenges and implementation of Dnsflow. We also discuss how…

0

DNS Intrusion Detection in Office 365

In Office 365, we are committed to protecting our customer’s data. We implement and exercise industry leading security practices to ensure that customer’s data is safe. Intrusion detection is one such security practice which ensures that we are notified about any anomalous activity or behavior on our servers or in our network. We monitor and…

2

Hidden Treasure: Intrusion Detection with ETW (Part 1)

Today’s defenders face an increasing obstacle with information asymmetry. With the advent of in-memory attacks and targeted malware, defenders cannot simply rely on the default event logs provided by Windows. Attackers may make use of process hollowing to hide their code within a seemingly benign process as well as routing their Command & Control traffic…


Defending Office 365 with Graph Analytics

In Office 365, we are continually improving the detection and response systems that safeguard your data. We gather many terabytes of telemetry from our service infrastructure each day and apply real-time and batch analytics to rapidly detect unauthorized access. The same engineers who design and operate the Office 365 service also analyze and act on…


Using the Office 365 Secure Score API

The Office 365 Security Engineering team is pleased to announce the availability of the Office 365 Secure Score API. This API is fully integrated into the Microsoft Graph. If you are wondering what the Office 365 Secure Score is, get the low down here, or visit the experience here: https://securescore.office.com. Why Collect Secure Score Data?…

0

New Security Analytics Service: Finding and Fixing Risk in Office 365

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to…


Finding Illicit Activity The Old Fashioned Way

Finding bad guys doing bad things in your cloud services is a hard thing to do under even the best circumstances. There are a ton of idiosyncrasies at play, including the capabilities of the cloud applications you are using and the very unique nature of your users and the data you are storing in the…