Official blog of the Office 365 Security team
Defending Against Rules and Forms Injection

Over the last year, Office 365 security has been tracking an emergent attacker persistence mechanism in the Exchange Online ecosystem. The release of a security research tool called Ruler enables an attacker to install a persistence mechanism once an account has been breached to maintain access even through a password roll. While we haven't seen...

Wed Feb 21, 2018 21:54
Defending Against Illicit Consent Grants

Problem Overview Office 365 Security has been tracking an emergent threat to customer data in the Office 365 cloud over the last year. This blog post is intended to help IT Administrators of Office 365 organizations detect, monitor, and remediate this threat. In its simplest form, the attack consists of an adversary creating an Azure...

Thu Jan 25, 2018 01:55
Managing asset inventory in Office 365

In Office 365, servers are continuously provisioned and destroyed as the service is upgraded and scaled to meet customer demand. To assess the coverage of our security monitoring and patch management processes, we needed an asset inventory system that met the following criteria: The system must ascertain the current state of the fleet accurate to...

Fri Dec 22, 2017 08:40
Using Frequency Analysis to Defend Office 365

As security threats evolve, so must defense. In Office 365, we have engineering teams dedicated to building intrusion detection systems that protect customer data against new and existing threats. In this blog, we are talking about a security monitoring challenge of cloud services and our recent attempt to solve it. Let us start with two...

Sun Sep 17, 2017 22:10
Mitigating Client External Forwarding Rules with Secure Score

Client-created rules that auto-forward email from users' mailboxes to an external email address are becoming an increasingly common and fruitful data exfiltration method used by bad actors today, and something we see quite a lot of in the Office 365 service. There are a lot of legitimate reasons for using rules that externally auto-forward email,...

Tue Jul 25, 2017 22:19
Hidden Treasure: Intrusion Detection with ETW (Part 2)

In our last post, we discussed how Event Tracing for Windows (ETW) provides a wealth of knowledge in addition to what’s available from the Windows Security Event Log. While we can gain increased insight into Windows activity, ETW was originally meant as a high-volume debug trace. Without some mechanism for filtering or reducing event volume,...

Wed May 10, 2017 06:34