Consent given to application associated with business email compromise attacks in Microsoft 365


Goal

Detect when a user consents to an OAuth application that has been associated with business email compromise (BEC) attacks.

Strategy

Monitor Microsoft 365 audit logs for the operation Consent to application (recorded by Azure AD / Entra ID and surfaced in the unified audit log). An attacker who has gained unauthorized access to a victim's account may grant consent to a third-party application so that it can read and export the mailbox, or send further phishing emails from the compromised account. Because the application holds its own OAuth tokens, this access survives a password reset unless the grant is revoked. This detection looks for consent to the following applications:

  • eM Client - a desktop email client with full Microsoft Office 365 synchronization.
  • PerfectData Software - exports mailboxes for backup purposes.
  • Newsletter Software Supermailer - email newsletter software to send out high volume emails.

Triage and response

  1. Identify any additional unusual behavior around the consent event for the same account:
    • Previous failed logins.
    • Anomalous geo-location.
    • VPN usage.
  2. Determine if there is a legitimate use case for the new application by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the application:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.
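The following is an added example for this page, not Datadog's rule logic or any Microsoft code. It implements the strategy above over a constructed sample of newline-delimited audit records (the field names Operation, UserId, ClientIP and Target follow the Office 365 Management Activity API schema in outline, but the exact record shape and the sample data are assumptions) and then gathers the first triage item, prior failed logins and source IPs for the same user, for each match. The watched application names are the three the page lists.

```python
"""Flag 'Consent to application' events for apps linked to BEC and enrich
each hit with the user's prior failed logins and source IPs.

Added example for this page; not Datadog's detection rule. Record layout
(Operation, UserId, ClientIP, Target) is assumed, and SAMPLE_LOG is
constructed data, not a real tenant's audit log."""
import json
from datetime import datetime, timedelta, timezone

# Application display names the page associates with BEC activity.
WATCHED_APPS = {"eM Client", "PerfectData Software", "Newsletter Software Supermailer"}
# The operation name is seen both with and without a trailing period.
CONSENT_OPERATIONS = {"Consent to application", "Consent to application."}

# Constructed sample records (NDJSON). Only alice and carol should alert.
SAMPLE_LOG = """
{"CreationTime":"2024-03-01T09:02:11","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T09:02:40","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T09:03:05","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T09:05:30","Operation":"Consent to application.","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory","Target":[{"Type":2,"ID":"ServicePrincipal_00000000-0000-0000-0000-000000000001"},{"Type":1,"ID":"PerfectData Software"}]}
{"CreationTime":"2024-03-01T10:15:00","Operation":"Consent to application.","UserId":"bob@example.com","ClientIP":"198.51.100.20","Workload":"AzureActiveDirectory","Target":[{"Type":1,"ID":"Contoso Expense Tracker"}]}
{"CreationTime":"2024-03-01T11:00:00","Operation":"Consent to application.","UserId":"carol@example.com","ClientIP":"192.0.2.9","Workload":"AzureActiveDirectory","Target":[{"Type":1,"ID":"eM Client"}]}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _strings(obj):
    """Yield every string value nested anywhere inside dicts/lists."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def consented_app(record):
    """Return the watched app a consent record names, or None if no match.

    The app display name is searched for anywhere in the Target list so the
    check does not depend on which Target entry carries it."""
    if record.get("Operation") not in CONSENT_OPERATIONS:
        return None
    for text in _strings(record.get("Target", [])):
        if text in WATCHED_APPS:
            return text
    return None


def _ts(record):
    """CreationTime in the audit log is UTC without an explicit offset."""
    return datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)


def enrich(consent, records, window=timedelta(hours=24)):
    """Triage context for one hit: failed logins and source IPs for the same
    user in the window before the consent event."""
    when, user = _ts(consent), consent["UserId"]
    prior = [r for r in records
             if r.get("UserId") == user and when - window <= _ts(r) < when]
    failed = [r for r in prior if r.get("Operation") == "UserLoginFailed"]
    ips = sorted({r["ClientIP"] for r in prior + [consent] if r.get("ClientIP")})
    return {"user": user, "app": consented_app(consent), "time": consent["CreationTime"],
            "failed_logins_before": len(failed), "source_ips": ips}


def detect(text):
    """Run the detection over an NDJSON audit export and return enriched hits."""
    records = parse_records(text)
    return [enrich(r, records) for r in records if consented_app(r)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed sample this yields two alerts: alice consenting to PerfectData Software with two failed logins in the preceding minutes from the same IP, and carol consenting to eM Client with no prior failures. bob's consent to an unlisted application is not flagged, which is the intended behavior of a name-list rule; a practitioner would pair it with a broader review of all new consents, since the attacker's application list changes over time.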