
B2B Tech Blog

Malicious Activity Detector

Advanced Security Flows with Microsoft Office 365

Breaches That Happened


EQUIFAX

Data Theft

Attack took 75 days to detect.
Estimated cost: $600 million

May 14
Attackers breach accounts and start collecting information

Jul 29
Equifax is informed of the breached account by a breached user

Jul 30
Exploit is remediated

CITY OF ATLANTA

Malware Installation

Attack took 20 days before malware was launched
Estimated cost: over $17 million

Mar 2
Iranian SamSam group uses a brute-force technique to breach an account.
Ransomware (malware) is propagated to many servers silently encrypting HDDs.

Mar 22
Ransomware screen launched.

Aug 6
Exploit is “mostly” remediated

Flawless Collaboration

MAD365 is a defense-in-depth strategy designed by Microsoft that utilizes AADP, O365 ATP, CAS, Power BI, and Azure Automation. Get proactive by letting Microsoft tools automatically hunt for compromised accounts instead of relying on compromised users to alert you or attackers to make a mistake. Phish Hunter is a cutting-edge approach that correlates both user sign-in and user behavior to discover compromised accounts that otherwise might remain hidden. Use these cloud-powered real-time attack forensics to increase protection from sophisticated and targeted phishing attacks.

AADP

Azure Active Directory P1 conditional access policies and MFA block attackers from signing in to Office 365.

CAS

Microsoft Cloud App Security provides forensic behavioral data and multiple pivots for attack investigation, maintains known attack signature policies, and tracks indications of compromise for discovering unknown attacks.

ATP

Office 365 Advanced Threat Protection protects users from phishing URLs at time-of-click and allows revocation/blocking of the attack URLs.

Azure Automation

MAD365 dramatically reduces response times by enforcing account protection, account remediation, and modification of access policies automatically or via workflow/delegation based on the threat assessment.

Features

An effective defense-in-depth strategy involves multiple layers of protection based on email content, user identity, user behavior, and threat insights.

Email

Exchange Online Protection: Block Known Bad Mail
Office 365 Advanced Threat Protection: Protect Unknown Bad Mail

Identity

Conditional Access: Block Risky Sign In
Multi-factor Authentication: Challenge
Azure Identity Protection: Detect Risky Sign In

Behavior

Microsoft Cloud App Security: Remediate Known Attack
Microsoft Cloud App Security: Challenge Unknown Attack

Insight

Threat Intelligence: Investigate Attack
Power BI: Correlate Attack Vectors

Trusted User Phishing Attack

A Trusted User Phishing Attack (a.k.a. TU Phish) is an attack initiated by a compromised account from inside of the organization or from another trusted organization. This type of attack is different from spoofing and is particularly difficult to detect and defeat with traditional and even advanced threat protection when it emerges as a highly targeted attack. The best protection is provided by a defense-in-depth strategy that includes policies for known attack signatures and correlates multiple indications of compromise to discover new attack signatures. Risk-based automated remediation also helps to stop attacks that are in progress while minimizing false positives.


  1. Bad actor sends email
  2. Recipient clicks the link and compromises her credentials
  3. Office 365 CAS detects the Known Attack Signature based on the attacker’s behaviors
  4. Flow begins a Threat Assessment and Automatic Remediation based on Risk
  5. Power BI and Threat Intelligence can provide additional profile analysis to find the source of the attack
  6. Once the source has been determined the admin can block the common attack vector (URL or IP)
  7. Additional Phishing attempts are then blocked prior to the user being compromised
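The correlation idea described above (sign-in signals combined with user-behaviour signals to surface a compromised account, followed by a risk-based remediation tier, as in steps 3 and 4) is shown below as an added example. It is not code from MAD365, B2B Tech or Microsoft; all event rows, signal names, weights and thresholds are constructed for illustration, and the "known attack signature" (a forwarding rule plus a burst of outbound mail from one account) is one assumed pattern rather than any product's actual policy.

```python
"""Added example: correlate sign-in and behaviour signals per account and map
the combined risk to a remediation tier. All data and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# ---- constructed sign-in log rows: (user, ISO timestamp, country, success) ----
SIGNINS = [
    ("alice", "2018-03-02T08:00:00", "US", True),
    ("alice", "2018-03-02T08:40:00", "NG", True),   # second country 40 min later
    ("bob",   "2018-03-02T01:00:00", "US", False),
    ("bob",   "2018-03-02T01:00:05", "US", False),
    ("bob",   "2018-03-02T01:00:10", "US", False),
    ("bob",   "2018-03-02T01:00:15", "US", False),
    ("bob",   "2018-03-02T01:00:20", "US", False),
    ("bob",   "2018-03-02T01:00:25", "US", True),   # success right after a failure burst
    ("carol", "2018-03-02T09:00:00", "US", True),   # benign baseline
]
# ---- constructed behaviour rows (CAS-style activity feed): (user, ISO timestamp, activity) ----
BEHAVIOR = [
    ("alice", "2018-03-02T08:45:00", "inbox_forwarding_rule_created"),
    ("dave",  "2018-03-02T10:15:00", "phish_url_click"),
]
# alice then sends 60 messages within one minute (constructed mass-mail burst)
BEHAVIOR += [("alice", f"2018-03-02T08:50:{i:02d}", "mail_sent") for i in range(60)]

# ---- assumed detection thresholds ----
TRAVEL_WINDOW = timedelta(hours=2)      # two countries inside this window = impossible travel
FAIL_BURST = 5                          # this many failures before a success = brute-force success
MASS_MAIL_COUNT = 50                    # this many sends ...
MASS_MAIL_WINDOW = timedelta(minutes=10)  # ... inside this window = mass outbound mail

# ---- assumed signal weights and the one "known attack signature" ----
WEIGHTS = {
    "impossible_travel": 40, "brute_force_success": 40,
    "forwarding_rule": 30, "mass_outbound_mail": 30, "phish_url_click": 20,
}
KNOWN_SIGNATURE = {"forwarding_rule", "mass_outbound_mail"}  # account relaying phish


def parse(ts):
    return datetime.fromisoformat(ts)


def signin_signals(rows):
    """Derive per-user signals from the sign-in log alone."""
    signals = defaultdict(set)
    by_user = defaultdict(list)
    for user, ts, country, ok in rows:
        by_user[user].append((parse(ts), country, ok))
    for user, events in by_user.items():
        events.sort()
        failures, last_ok = 0, None
        for when, country, ok in events:
            if not ok:
                failures += 1
                continue
            if failures >= FAIL_BURST:
                signals[user].add("brute_force_success")
            if last_ok and country != last_ok[1] and when - last_ok[0] <= TRAVEL_WINDOW:
                signals[user].add("impossible_travel")
            last_ok, failures = (when, country), 0
    return signals


def behavior_signals(rows):
    """Derive per-user signals from the behaviour feed alone."""
    signals = defaultdict(set)
    sent = defaultdict(list)
    for user, ts, activity in rows:
        if activity == "inbox_forwarding_rule_created":
            signals[user].add("forwarding_rule")
        elif activity == "phish_url_click":
            signals[user].add("phish_url_click")
        elif activity == "mail_sent":
            sent[user].append(parse(ts))
    for user, times in sent.items():
        times.sort()
        # sliding window: any MASS_MAIL_COUNT sends inside MASS_MAIL_WINDOW
        for i in range(len(times) - MASS_MAIL_COUNT + 1):
            if times[i + MASS_MAIL_COUNT - 1] - times[i] <= MASS_MAIL_WINDOW:
                signals[user].add("mass_outbound_mail")
                break
    return signals


def remediation(score):
    """Risk tier -> remediation action (assumed tiers)."""
    if score >= 80:
        return "block_signin_revoke_sessions"
    if score >= 40:
        return "require_mfa_and_password_reset"
    if score >= 20:
        return "notify_analyst"
    return "none"


def assess(signins, behavior):
    """Correlate both feeds: a signal that is weak on its own becomes decisive when
    it co-occurs with one from the other feed, and a known signature is always critical."""
    s, b = signin_signals(signins), behavior_signals(behavior)
    result = {}
    for user in set(s) | set(b):
        sig = s[user] | b[user]
        score = min(100, sum(WEIGHTS[x] for x in sig))
        if KNOWN_SIGNATURE <= sig:
            score = 100
        result[user] = {"signals": sorted(sig), "score": score, "action": remediation(score)}
    return result


if __name__ == "__main__":
    for user, verdict in sorted(assess(SIGNINS, BEHAVIOR).items()):
        print(user, verdict)
```

In this run alice is flagged by both feeds (impossible travel plus a forwarding rule and a mail burst) and lands in the highest tier, bob is caught by the sign-in feed alone and is challenged with MFA and a password reset, dave's single URL click only raises an analyst notification, and carol produces no verdict at all, which is the false-positive control the paragraph above describes.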

Better together

Add local insights to cloud intelligence and enforcement

Automatically prevent and remediate

Receive actionable threat intelligence

Identify attack profile

Deploy policy signature and protection