Threat Hunting in Microsoft 365 Environment

SANS DFIR Summit 2022

Speakers: Thirumalai Natarajan Muthiah & Anurag Khanna

Threat Hunting

Over the last few years, Threat Actors have augmented their efforts in developing novel and sophisticated attack techniques to target Enterprise Cloud environments. Microsoft 365 is a cloud based software as a service provided by Microsoft and includes services like Exchange online, Flows, SharePoint online, Teams. Attackers consistently target M365 services in order to gain initial access, maintain persistence and perform data exfiltration. Several investigations have revealed that threat actors have not only been able to successfully compromise Cloud environments but also persist and move laterally. Organizations have found it increasingly difficult to protect Cloud services and detect threat actor activities. We will talk through ways of how blue teams can hunt for some of the techniques that threat actors use to target M365. Some of the areas that we will cover include,

1. Automated Email Forwarding
2. Delegation
3. Mailbox folder Permissions
4. OAuth Grants
5. Flows to automate Data Extraction
6. MFA Bypass Scenarios
7. Privileged roles
8. Suspicious Sign-in
9. Message Trace & eDiscovery
10. Hunting from Unified Audit Logs

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE