Threat Hunting in M365 Environment
Over the last few years, threat actors have stepped up their efforts to develop novel and sophisticated attack techniques against enterprise cloud environments. Microsoft 365 (M365) is a cloud-based software-as-a-service offering from Microsoft that includes services such as Exchange Online, Flows, SharePoint Online and Teams. Attackers consistently target M365 services to gain initial access, maintain persistence and exfiltrate data. Several investigations have shown that threat actors have not only compromised cloud environments successfully but have also persisted in them and moved laterally. Organizations have found it increasingly difficult to protect cloud services and to detect threat actor activity. This talk walks through ways in which blue teams can hunt for some of the techniques threat actors use against M365. The areas covered include:
1. Automated Email Forwarding
2. Delegation
3. Mailbox folder Permissions
4. OAuth Grants
5. Flows to automate Data Extraction
6. MFA Bypass Scenarios
7. Persistent Privileged roles
8. Abusing SharePoint Online
9. Log evasion techniques
10. Hunting from Unified Audit Logs
Thirumalai Natarajan
Thirumalai Natarajan is a Senior Manager with Mandiant Consulting, where he leads incident response remediation engagements for large-scale breaches and proactive security assessments for global organizations. Over his career, Thiru has built and managed security operations centers and detection engineering teams across APAC, helping organizations improve their detection and defense posture. He has advised CXOs and senior management across industries during active compromises. He has spoken at conferences including Black Hat Asia, Virus Bulletin, BSides SG, the SANS Threat Hunting Summit and the SANS DFIR Summit.