Vectra AI identifies top 10 threat detections across Azure AD and Office 365
Security teams must look for signs of malicious activity inside Microsoft environments to detect attacks in their early stages and contain threats before they turn into data breaches.
That's according to Vectra AI, which has released its 2021 Q2 Spotlight Report, Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.
The report ranks, by relative frequency, the top 10 threat detections that customers receive when Vectra flags abnormal behaviour in their environment; customers then use these detections to help confirm attacks in cloud environments.
The research found 71% of companies suffered seven account takeovers of authorised O365 users on average last year.
“As more organisations shift from traditional on-premises Active Directory to Azure AD, it becomes increasingly important that security pros have visibility into suspicious behaviour,” says Tim Wade, technical director for the CTO team at Vectra.
“If security teams can spot the subtle behaviours that indicate an attack is in progress, they have an opportunity to halt the adversary in their tracks.
“If, however, the security team cannot detect suspicious operations in their Azure AD environment, an attacker may take advantage of the ability to escalate privileges or take over user accounts to get to valuable data or disrupt critical cloud services,” he says.
“This report highlights just how much opportunity attackers also have to move into, through, and out of Office 365 to get to their ultimate goal. Office 365 can be just the first foothold used to pivot into a traditional on-network asset, or house valuable data targeted for theft.
“Topping the list of threats detected were risky Exchange operations in Office 365,” Wade adds.
“If security teams are unable to detect such operations, an attacker may be able to gain access to sensitive information contained within email.
“This could lead to intellectual property or sensitive data being stolen,” he says.
“If attackers can manipulate Exchange, they can access information contained in email, siphon off information by forwarding emails externally, or even trigger the execution of scripts which can help them move laterally or siphon off data.”
Highlights of the research include:
- The Top 10 Threat Detections seen across Microsoft Azure AD and Office 365 allow security teams to detect infrequent behaviour that is abnormal or unsafe across their environments.
- Regardless of company size, Office 365 Risky Exchange Operation detection was at or near the top of the list of detections seen by Vectra customers.
- Common actions by actors in the Azure AD environment during a recent supply chain attack would map back to Vectra-defined detections and alert the security team about the threat.
“Deploying meaningful artificial intelligence (AI) as a core pillar when extracting informative data from your network, both on-premise and off, is critical in obtaining an advantage against malicious adversaries,” says Matt Pieklik, senior consulting analyst at Vectra.
“Security teams must be armed with full visibility to detect potentially dangerous activity across applications, in real-time, from the endpoint to the network and cloud.”
As a leader in the productivity space with over 250 million active users, Microsoft Office 365 has also attracted cybercriminals because of the platform’s large audience. In a recent global survey of 1,112 security professionals, Vectra found that criminals regularly bypass security controls, including multi-factor authentication (MFA), showing that determined attackers are still able to gain access.
Addressing the challenges organisations continue to face from cybercriminals requires understanding the behaviours adversaries are motivated to take. This means being able to collect and aggregate the data that reveals these behaviours in a form security staff can operationalise.
Vectra has created Cognito Detect for Office 365 and Azure AD, which automatically detects and responds to hidden cyberattacker behaviours, accelerates incident investigations, and enables proactive threat hunting. The application offers visibility into Power Automate, Teams, eDiscovery, Compliance Search, the Azure AD backend, Exchange, SharePoint, third-party Software-as-a-Service (SaaS) providers, and more.