Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
obtain unauthorized access to user accounts.
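As an added illustration of the threshold logic above (this is example code, not the rule's own query), the following Python applies a 30-minute sliding window per source IP to constructed sign-in events and raises an alert once 25 failures accumulate. The event fields (`time`, `ip`, `user`, `success`) are a simplified stand-in for the Microsoft 365 audit schema, and all IPs and users are constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold and window taken from the rule description: 25 failures in 30 minutes.
THRESHOLD = 25
WINDOW = timedelta(minutes=30)

def build_sample_events():
    """Constructed sample: 30 failures from one IP against 15 users in 20 minutes
    (spray pattern), plus a second IP whose failures never reach the threshold."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    for i in range(30):
        events.append({"time": base + timedelta(seconds=40 * i),
                       "ip": "203.0.113.10",            # constructed (documentation range)
                       "user": f"user{i % 15}@example.com",
                       "success": False})
    for i in range(10):
        events.append({"time": base + timedelta(minutes=5 * i),
                       "ip": "198.51.100.7",            # constructed, benign noise
                       "user": "alice@example.com",
                       "success": i % 2 == 0})
    return events

def detect_password_spray(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source IP.
    Returns {ip: (time_of_alert, distinct_users_in_window)} for every IP that
    reaches `threshold` failures inside `window`; the distinct-user count is the
    context an analyst uses to separate spraying (many users) from brute force."""
    failures = defaultdict(deque)   # ip -> deque of (time, user) still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["success"]:
            continue
        q = failures[ev["ip"]]
        q.append((ev["time"], ev["user"]))
        # Evict failures older than the window, measured from the newest failure.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (ev["time"], len({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    for ip, (when, n_users) in detect_password_spray(build_sample_events()).items():
        print(f"ALERT {ip}: {THRESHOLD}+ failed logins by {when:%H:%M:%S}, "
              f"{n_users} distinct users targeted")
```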
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining
settings to better detect and prevent attacks.
Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining
settings to better detect and prevent attacks.
Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in
Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the
receiving email system to validate that the messages were generated by a server that the organization authorized and
were not spoofed.
Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert
administrators that an internal user sent a message that contained malware. This may indicate an account or machine
compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.
Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware
protections to include routing all messages and attachments without a known malware signature to a special hypervisor
environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.
Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend
phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.
Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
not be set to forward email to domains outside of your organization. An adversary may create transport rules to
Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
threat may modify a transport rule to exfiltrate data or evade defenses.
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
subscriptions and their settings and resources.
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
having the corresponding privileges.
Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than
those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may
abuse this behavior to establish persistence in an environment.
Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
communicate with other users that are outside their organization. An adversary may enable external access or add an
allowed domain to exfiltrate data or maintain persistence in an environment.
Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization
to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.
Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to
stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a
malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent
malware infections and Business Email Compromise attacks.
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified
mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some
authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a
large number of mailbox audit log entries and may not be of interest to your organization. Because of this,
administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged.
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
initial access to other endpoints in the environment.
Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
permissions to an application. An adversary may create an Azure-registered application that requests access to data such
as contact information, email, or documents.
Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their
access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities
to gain initial access to other endpoints in the environment.