Triggers
- An account has executed O365 operations with either tools, scripting engines or command line interfaces which could be\u00a0maliciously used by attackers.
Possible Root Causes
- An attacker is \”living off the land\” through the misuse of authorized tools (curl, AutoHotKey32, etc.) to extend their attack.
- An attacker has used a scripting engine (Powershell, Python, and others) to build and execute attack tools.
- When attacker is not careful, the default User Agent strings are submitted by these tools, indicating that the operation is not done interactively by a legitimate human user.
- Automation tools and scripts are sometimes used by power users and IT personnel to access O365.
Business Impact
- Automated tools increase attack speed and volume while reducing human error, and attackers that successfully leverage them have an opportunity to move faster and in some cases with a lower chance of detection.
- Use of automation tools is a \”force multiplier\” that increases chances of successful breaches and data exfiltration, significantly increasing risks to the enterprise.
Steps to Verify
- Investigate O365 operation in context of the user, verify if this user would reasonably conduct these types of operations.
- Investigate tooling or scripting engine to validate if this is an appropriate and approved tool for a user of this type.