Business email compromise is one of the most common type of cyber security incident a company can face today. Making use of cloud services such as Microsoft 365 makes procurement and deployment of email services very simple to any business. At the same time those services, by default, are available for anyone to access – unlike the traditional on-premises email system. What's often overlooked when using the cloud are the features available for protecting the identities and services from malicious access.
How does a compromise happen
A typical pattern Fraktal has witnessed in their investigations is that a user or an admin account without multifactor autentication in use has been compromised by an attacker. The password might have been gained by phishing, guessing, or it was leaked from another breached service where the same password had been used also.
What happens next
Once an account is compromised, the attacker typically starts to gather information by analysing the level of the user's access permissions and contents of their email correspondence. Later, they add email forwarding rules and other automations to intercept messaging and participating in conversations. Finally, there's an attempt to create or divert a payment transaction.
Analysis of Azure AD and Office 365 logs
In any digital forensics case, knowledge of logging capabilities and expertise in analysing events is essential. Our experts have worked in many cases involving Azure AD and Microsoft 365 services and know the features and limits.
Mitigating the issue
Fraktal's team has proven expertise in managing on-going incidents. Our experts can provide quick analysis and provide expert advice to stop an on-going attack, make sure the services are no longer compromised, and the attacker will not be able to immediately regain access.
Advising cloud security
Fraktal delivered actionable advise on how to improve security logging coverage and retention times, so that for any future incidents there would be better information available for investigations.
Technologies and methods
Azure AD provides indentity protection capabilities, risk insights, and identity event logs.
Security auditing capabilities of Microsoft 365 cloud services are essential in investigations.
Azure services such as Log Analytics, Sentinel and Storage accounts are often used when improving log coverage, analysis and retention for the future.