How to tackle Microsoft 365 account compromise and credential theft

A lot has changed since Sumo Logic last gave our two cents on how to secure Office 365. In the meantime, Office 365 has become Microsoft 365 (M365), and Sumo has continued evolving and expanding its security offering.

Today’s threat actor is adept at compromising M365 accounts through various methods. Stealing credentials through phishing email campaigns and brute-force attacks has become commonplace. Moreover, by exploiting vulnerabilities caused by inadvertent misconfigurations and user mistakes, attackers can bypass even password management controls such as multi-factor authentication (MFA). Therefore, security teams must plan for compromised Microsoft 365 accounts and credential theft emergencies.

We believe cloud-native security technologies powered by machine learning are the best way to respond to these incidents. They minimize the alert triage and incident response time, noticeably lessening the workload of security professionals. We’ll describe how in the following sections.

The Microsoft 365 alert triage problem

If you’ve ever responded to an M365 account compromise, you know the primary problem security analysts must address:

Does an alert point to an actual M365 account compromise or a legitimate activity?

You may also need to quickly answer these questions:

1. Where did a suspicious login occur?

2. What is the common geolocation of the M365 account logins?

3. Where has the user logged in over the last several days?

4. On what device does this user account typically log in?

5. Have others tried to log in from the same IP address?

These questions call for effective alert triage and threat investigation. On the one hand, the triage and investigation processes must be thorough to guarantee reliable and actionable insights. On the other hand, they must be as fast as possible and based on accurate information to make a prompt threat response viable.

Answering the above questions also requires making data-driven security decisions. That typically implies considering numerous aspects of an incident before taking action.

How does this look in practice?

Answering the questions cybersecurity analysts ask

Where did the suspicious login occur?

One of the best practices in an investigation is to relate an IP address to a physical location and generate a signal when a user authenticates from a place they have never logged in to before. Automating the geolocation search so that investigators do not even have to open a new browser to look up the information they need can be a great advantage in saving effort and time.

In addition to the location of a suspicious M365 login, analysts usually need to investigate the following:

• The physical location from where an affected Microsoft 365 account has logged in over extended periods

• The usual geolocation of M365 account logins

• A possible land speed violation

Sumo Logic’s geolocation functionality can help you address these issues. Sumo queries the necessary data from third-party databases and uses the results to enrich your logs. You can search for an entity’s whereabouts, visualize the results, and add them to your dashboard. our data starts making sense and telling a story about what happened and how it may affect your organization.

Credential theft or not?

Suppose you observe multiple Microsoft 365 accounts attempting to log in from the same IP address. You can hypothesize that a hacker has executed a brute-force attack trying to guess users’ login credentials.

The problem, however, is that the same data might point to a group of employees being somewhere at a conference. Coworkers staying at the same place on a business trip is also plausible.

It is essential to obtain the threat intel necessary to test your hypothesis as soon as possible and determine whether you are facing an M365 credential theft attack. Sumo can help you achieve this by automatically enriching your logs with the latest threat information and showing if a particular IP address is already associated with malicious activities.

What does the access history reveal?

By distilling information, you can figure out the:

• User-agent

• Count of total logins from each IP

• Number of days an M365 account has logged in from different IPs

These and similar observables can prove crucial to triaging alerts about a compromised account and stolen M365 credentials.

Sumo Logic can identify event types, IP addresses, and users and whether they log in successfully. It allows you to obtain an account login history by IP, state, town, and Autonomous System Number (ASN).

What do the user-agent details show?

User-agents are trivial to spoof. Still, a clear-cut indication of the user-agent can be invaluable. That is especially true when determining whether an M365 login is legitimate or unauthorized.

Suppose an М365 account logs in exclusively on a Mac. That has been a repetitive pattern for the last 30 days, but things suddenly change. You notice a login on a Linux machine. This change can support the hypothesis that a malicious agent might have compromised the account.

To help you better understand what is happening, Sumo Logic enables you to:

• Check the user-agent

• Investigate related information

• Inform the right person about the incident

• Remediate the incident

• Generate a report

It is worth noting that you can automate this process to the extent you consider appropriate.

Zero-trust architecture and M365 security threats

If building an adaptable long-term security strategy is one of your organization’s overarching goals, Sumo can help you implement a zero-trust architecture.

Zero trust assumes that an organization can’t trust users and devices, regardless of their physical location and device ownership. More precisely, a zero-trust model continuously monitors and revalidates users’ and devices’ identities, whether or not:

• They request access to an organization’s resources from inside or outside a traditionally defined network perimeter

• Devices belong to the company or the users (privately owned)

Also, a zero-trust architecture entails RBAC — a strict role-based access control.

In general terms, zero trust allows organizations to strengthen their security posture — virtually anything from email security to data breach defense. Regarding M365 security threats, a zero-trust model can lead to much better visibility and access management. Good visibility and access management can prevent threat actors from wreaking havoc on your organization, even if they manage to steal credentials and compromise an M365 account.

Sumo Logic helps you:

• Monitor and analyze your logs and traffic

• Inspect security-relevant data regardless of the data source and environment (cloud, local, or hybrid)

• Set granular access control

• Check geolocation and user or device identity

• Detect anomalies and broken patterns

• Build a standard operating procedure specifically for M365 account compromise and credential theft attacks

• Orchestrate third-party tools to respond to them

• Automate time-consuming actions, making it possible for your analysts to focus on making data-driven decisions

With these features, you can implement or improve a zero-trust architecture, safeguarding your organization against M365 attacks.

The main takeaway

Security incidents like Microsoft 365 account compromise and credential theft can easily lead to data breaches and sensitive data exfiltration. Sumo Logic’s security suite can help you ward off these risks through:

1. Automated expeditious alert triage

2. Efficient incident investigation

3. Swift incident response

Help your security teams work smarter and faster.