Research on the most frequently seen malicious behavior in Azure Active Directory and Office 365 found that malicious activity often looks very similar to legitimate user activity, said Vectra AI, a threat detection and response company. Regardless of the size of the company, O365 Risky Exchange Operation, or attempts to manipulate Exchange was the most frequently seen behavior, Vectra said in the 2021 Q2 Spotlight Report, Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.

Above: Vectra.ai identified the top 10 most common activities suggesting security threats in large companies.

Image Credit: Vectra.ai

Research focusing on the top 10 threat detections in Azure AD and Office 365 environments identified the most common activities that can indicate a security threat:

1. O365 Risky Exchange Operation: Attempts to manipulate Exchange to get access to data.
2. Azure AD Suspicious Operation: Operations indicating attackers are escalating privileges and performing tasks which require administrator access after regular account takeovers.
3. O365 Suspicious Download Activity: Account is downloading an unusual amount of objects, suggesting an attacker is using SharePoint or OneDrive to exfiltrate data.
4. O365 Suspicious Sharing Activity: Account is sharing files and folders at a higher volume than usual, suggesting an attacker is using SharePoint to exfiltrate data or maintain access into the network.
5. Azure AD Redundant Access Creation: Administrative privileges are being assigned to other entities, suggesting attackers are establishing multiple methods of maintaining access.
6. O365 External Teams Access: An external account added to a team in O365, suggesting an attacker has added another account which they control.
7. O365 Suspicious Power Automate Flow Creation: Automated workflows created with Microsoft Power Automate, suggesting the attacker is establishing persistence in the environment.
8. O365 Suspicious Mail Forwarding: Mail forwarded to another account, suggesting attackers are collecting or exfiltrating data without needing to maintain persistence.
9. O365 Unusual eDiscovery Search: User creating or updating an eDiscovery search, suggesting an attacker is performing reconnaissance to learn what else is accessible in the environment.
10. O365 Suspicious Sharepoint Operation: Administrative SharePoint operations suggesting malicious actions.

Vectra calculated the relative frequency of threat detections that were triggered on its platform during a three-month span based on customer size (small, medium and large).Larger companies triggered fewer detections when compared to smaller companies — that may be because larger companies’ users and administrators perform Office 365 and Azure AD activity more consistently compared to smaller organizations.

Above: Small and medium companies had similar top 10 lists of potential malicious activities.

Image Credit: Vectra.ai

Medium and small companies have the same top 10 threat detections, and differed slightly from the breakdown of detection types found in large companies. For example, Office 365 DLL Hijacking, Office 365 Unusual Scripting Engine and Office 365 Suspicious eDiscovery Exfil were in the top 10 for large companies, but not in the top 10 for medium and small companies. Medium and small companies included Office 365 Suspicious SharePoint Operation, Office 365 Suspicious eDiscovery Search and Azure AD Suspicious Operation in

With 250 million active users, Office 365 has a big target on its back, as cybercriminals devote time and resources crafting attacks targeting the platforms large user base. Adversaries increasingly find that overtly malicious actions are unnecessary when existing services and access used throughout an organization can simply be co-opted, misused and abused.

In a recent Vectra survey of 1,000 security professionals, 71% said they had suffered an average of 7 account takeovers of authorized users over the last 12 months.

Read the full 2021 Q2 Spotlight Report, Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.