
SenseOn SOC Playbook: M365 Compromised Account

The following process describes how managed service providers using SenseOn should extend the investigation of incidents in end-customer estates, and contains best-practice guidance for additional manual threat hunting and containment.

This playbook documents the steps an analyst should take when investigating a suspected compromised account using the M365 Response Actions feature, part of the Entra ID integration at SenseOn. It covers the following alert types:

  • M365 Unfamiliar sign-in properties
  • M365 Atypical travel
  • M365 Anonymous IP address
  • M365 Password Spray

Process Flowchart

[Process flowchart image]

Identification

Other alerts

Use the following hunt lab query to identify any other unusual alerts associated with the suspect IP or compromised user:

SELECT
  _time_observed,
  title,
  description,
  severity,
  user_logon_ip,
  user_principal
FROM
  cloud_ms_graph_alert
WHERE
  has(user_logon_ip, '<ip_address>')
  OR arrayStringConcat(user_principal, ',') LIKE '%<compromised_user>%'

Logon Behaviour

Using the telemetry ingested through Microsoft Graph API integration, identify any other unusual logons for the user or suspect IP address:

SELECT
  _time_observed,
  ip_address,
  user_principal_name,
  location_country_code,
  location_city,
  sign_in_error_code
FROM
  cloud_ms_sign_in_log
WHERE
  user_principal_name LIKE '%<compromised user>%'
  OR ip_address = '<suspect IP>'
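The sign-in telemetry above can also be triaged locally once exported. The following is an added example (not SenseOn's own code) that reproduces, in simplified form, two of the alert patterns this playbook covers, password spray and atypical travel, over constructed sign-in rows shaped like the cloud_ms_sign_in_log columns; the error code 50126 is Entra ID's "invalid username or password", and the one-hour two-country window is an assumption standing in for the real atypical-travel logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows using the playbook's cloud_ms_sign_in_log column order:
# (_time_observed, ip_address, user_principal_name, location_country_code, sign_in_error_code)
# Error code 0 is a successful sign-in; 50126 is Entra ID's "invalid username or password".
SIGN_INS = [
    ("2024-05-01T08:00:00", "203.0.113.5",  "alice@example.com", "GB", 0),
    ("2024-05-01T08:20:00", "198.51.100.9", "alice@example.com", "NG", 0),      # atypical travel
    ("2024-05-01T09:00:00", "192.0.2.77",   "bob@example.com",   "US", 50126),
    ("2024-05-01T09:01:00", "192.0.2.77",   "carol@example.com", "US", 50126),
    ("2024-05-01T09:02:00", "192.0.2.77",   "dave@example.com",  "US", 50126),
    ("2024-05-01T09:03:00", "192.0.2.77",   "erin@example.com",  "US", 0),      # spray, then success
    ("2024-05-01T10:00:00", "203.0.113.5",  "bob@example.com",   "GB", 50126),  # single typo, benign
]


def password_spray_ips(rows, min_users=3):
    """IPs that failed credentials against at least min_users distinct accounts."""
    failed_users = defaultdict(set)
    for _, ip, upn, _, code in rows:
        if code == 50126:
            failed_users[ip].add(upn)
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


def atypical_travel_users(rows, window=timedelta(hours=1)):
    """Users with successful sign-ins from two different countries within `window` (assumed rule)."""
    by_user = defaultdict(list)
    for t, _, upn, country, code in rows:
        if code == 0:
            by_user[upn].append((datetime.fromisoformat(t), country))
    flagged = set()
    for upn, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged.add(upn)
    return sorted(flagged)


def accounts_accessed_from(rows, ip):
    """Accounts that signed in successfully from a suspect IP; these feed the containment step."""
    return sorted({upn for _, i, upn, _, code in rows if i == ip and code == 0})


if __name__ == "__main__":
    for ip in password_spray_ips(SIGN_INS):
        print("password spray from", ip, "-> successful logons:", accounts_accessed_from(SIGN_INS, ip))
    print("atypical travel:", atypical_travel_users(SIGN_INS))
```

The IPs and users it returns are the `<suspect IP>` and `<compromised user>` values to substitute into the hunt lab queries in this section.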

Suspicious Cloud Actions

Using telemetry ingested through the Microsoft Entra ID integration, identify any suspicious O365 actions performed by the compromised user or suspect IP address:

SELECT
  _time_observed,
  client_ip,
  user_id,
  workload,
  operation,
  raw
FROM
  cloud_ms_o365_activity_log
WHERE
  user_id LIKE '%<compromised user>%'
  OR client_ip = '<suspect IP>'

Suspicious Account Modification

Using telemetry ingested through the Microsoft Entra ID integration, identify any suspicious account modifications performed by the compromised user or suspect IP address:

SELECT
  _time_observed,
  initiator_user_ip,
  initiator_user_principal_name,
  initiator_app_name,
  activity_name,
  operation_type,
  category,
  target_resource_user_principal_names,
  target_resource_modified_properties
FROM
  cloud_ms_directory_audit_log
WHERE
  initiator_user_principal_name LIKE '%<compromised user>%'
  OR initiator_user_ip = '<suspect IP>'
  OR arrayStringConcat(target_resource_user_principal_names,',') LIKE '%<compromised user>%'

Review the User’s Device

Use the following hunt lab query to identify the user’s device:

SELECT
  DISTINCT user,
  _hostname
FROM
  endpoint_logged_in_user
WHERE
  lower(user) LIKE lower('%<user>%')

Use the query below to identify any malicious behaviour on that device and understand the cause of the compromise:

SELECT
    _time_observed, _hostname, username, command
FROM
    endpoint_process
WHERE
    lower(_hostname) LIKE lower('%<device>%')
ORDER BY
    _time_observed ASC

Should this compromise be the result of a malware infection, the malware playbook should be followed.

Containment

After confirming the account is compromised, an impact assessment should be performed before containment actions are taken.

Impact Assessment

  1. Assess the number of users impacted. If more than 2 users are impacted, escalate internally.
  2. Assess the account severity of these users.
  3. Is customer escalation required? If any user is listed as a priority account, follow the standard escalation procedure to a senior analyst prior to customer notification.

Contain Account

  1. Disable the user account, through the SenseOn platform, after gaining approval.
    1. Each customer should have pre-agreed decision criteria to enable timely containment with the minimum of business impact.
  2. Revoke active M365 sessions using the SenseOn platform.
  3. Quarantine endpoint: if endpoint compromise is suspected, isolate the device.

Action for customer

  1. Block offending IP Addresses: If malicious/unauthorised IPs are identified, block them at the firewall, proxy, or cloud gateway.

Review

  1. Review all IOCs across the environment to ensure no additional compromise has occurred during the incident.
  2. Review the user's lockout status to ensure the account has not been unlocked during the incident by the service desk or by other means.
  3. Review active user sessions across devices; new sessions seen after lockout may indicate a gap that needs escalation.

Eradication

Action for customer

  1. Enforce a new strong and unique password.
  2. Ensure MFA is enabled and properly configured.
  3. Require re-authentication on all devices.
  4. Disable any backdoor accounts or malicious OAuth applications.
  5. Remove any mailbox rules added by a threat actor.
  6. Remove unauthorised admin accounts or service tokens.

Recovery

Joint action for customer and provider of SenseOn MDR

  1. The SenseOn MDR provider monitors for ongoing activity using the threat hunting queries created during the incident; this ensures there are no gaps in the containment and eradication stages.
  2. Create 'health monitoring' tasks for endpoint and user behaviour; this is a check to be performed on a frequent basis.
  3. Verify user identity before re-enabling the account.
  4. Restore legitimate access for the user after securing the account.
  5. Conduct a thorough audit of permissions and ensure least privilege is applied.
  6. Agree with the customer that recovery is successful once no additional anomalous behaviour has been identified during the post-eradication period.