Figure 1 shows a screenshot of MITRE’s ATT&CK Matrix for Office 365. The operating environment of Microsoft 365 is unique enough that a specific subset of adversarial TTPs are required to conduct threat hunts and investigations within these cloud environments.
As an obfuscation measure, we do not differentiate in this writeup which appearances of “” are connected to which customer’s incident.) Microsoft 365’s MITRE ATT&CK Matrix These are placeholders and should be replaced in your queries with your own admin and user email addresses. (Please note that the queries and examples below refer to and so forth. Cross-referencing data from both cases showed that the two compromises may be related to the same (unknown) threat actor. Sophos MDR concluded that email account compromise took place in both cases, using remarkably similar tactics, techniques, and procedures (TTPs).
In this article, we will provide a detailed walkthrough of each step in the attack flow, along with the purpose of each attack technique and the query by which each is identified in XDR.
Microsoft Graph handles dataflow and access in Microsoft’s cloud (ie., 365, Windows, and Enterprise Mobility + Security) its Security API can connect multiple security providers and lets them operate in a federated fashion as needed. This prompted an investigation into sets of Microsoft Graph security events forwarded to Sophos XDR, to identify whether suspicious or malicious activity occurred. During the week of February 20, 2023, Sophos X-Ops MDR team received two separate requests for threat hunts related to unusual activity in two customers’ Microsoft 365 (formerly Office 365) environments.
0 kommentar(er)
