Office 365: Breach Detection with Cloud App Security

I previously wrote about reviewing Office 365 accounts that you suspect have been compromised, using the Audit Log. That is useful when you are doing remediation work. But what if you could catch the attacker in the act and secure a compromised account before any malicious action is taken? Being proactive in IT is always less damaging, and less time consuming, than being reactive. With Office 365 Cloud App Security you can do just that: you are alerted to potentially problematic situations, including signs of a breach, so you can investigate and act as quickly as possible.

Office 365 Cloud App Security is available with Office 365 Enterprise E5 licensing. If you're using a different Office 365 Enterprise subscription, you can purchase it as an add-on. While Cloud App Security has several features, including app discovery, more extensive audit logs, and a discovery dashboard, this article focuses specifically on the use of policies and alerts.

There are two ways to access Office 365 Cloud App Security:

  1. Directly via its portal URL, where you log in with your Office 365 global admin account.
  2. From your Office 365 Admin Portal:
    1. Go to the Security center
    2. Select More Resources on the left sidebar
    3. Select Microsoft Cloud App Security

You should be taken directly to the Policies page, which is what we are focusing on. If not, it can be reached from the left sidebar menu, under Control. Here you will be presented with several pre-defined policies, as well as the option to create your own. I am going to highlight a few of the pre-defined ones that I think are the most beneficial for catching breaches in the act.

Impossible Travel

From the policy description:

“This policy profiles your environment and triggers alerts when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations.”

This policy takes the account's geolocation at sign-in and compares it to the last known location. If the user could not have traveled from the previous sign-in location to the new one in the time between the two logins, an alert is generated. This is very useful for catching breaches by foreign attackers.

Activity from Infrequent Country

From the policy description:

“This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization.”

Another useful policy for protecting against foreign attackers. This policy, like some of the others, detects anomalies using entity behavioral analytics and machine learning. In this case, if an account is accessed from a country it has never been accessed from before, an alert is generated. This can trigger false positives when a user travels to new locations. However, it also provides critical notice when an account is accessed by a bad actor in a foreign country.
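To make the two sign-in checks above concrete, here is an added example (not Microsoft's code, and not the logic behind the actual Cloud App Security policies) that runs both an impossible-travel check and an infrequent-country check over a constructed list of sign-in events. The `SignIn` record, the 1000 km/h speed ceiling, the 30-day history window, and every user, timestamp and coordinate in the sample data are assumptions chosen for illustration; the real policies learn a per-tenant baseline rather than using fixed thresholds.

```python
"""Toy versions of the 'Impossible Travel' and 'Activity from Infrequent
Country' checks described above. Added example: the event shape, thresholds
and sample data are assumptions, not Cloud App Security's internals."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    when: datetime
    country: str      # ISO country code from geolocation (assumed field)
    lat: float
    lon: float


# Constructed baseline: what the "learning period" saw before the day we check.
BASELINE = [
    SignIn("alice", datetime(2024, 4, 20, 9, 0), "US", 41.88, -87.63),  # Chicago
    SignIn("bob",   datetime(2024, 4, 22, 9, 0), "US", 40.71, -74.01),  # New York
    SignIn("carol", datetime(2024, 4, 25, 9, 0), "GB", 51.51, -0.13),   # London
]

# Constructed events to evaluate.
NEW = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0),  "US", 41.88, -87.63),  # Chicago
    SignIn("alice", datetime(2024, 5, 1, 9, 45), "NG", 6.52, 3.38),     # Lagos, 45 min later
    SignIn("bob",   datetime(2024, 5, 1, 10, 0), "US", 40.71, -74.01),  # New York
    SignIn("bob",   datetime(2024, 5, 2, 8, 0),  "GB", 51.51, -0.13),   # London, 22 h later
]

MAX_SPEED_KMH = 1000.0  # assumed ceiling for plausible commercial air travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each sign-in with the user's previous one; alert when the
    implied speed between the two locations exceeds max_speed_kmh."""
    alerts = []
    last = {}  # user -> most recent SignIn
    for e in sorted(events, key=lambda s: s.when):
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.when - prev.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_speed_kmh:
                alerts.append({"user": e.user, "from": prev.country,
                               "to": e.country, "km": round(km), "kmh": round(kmh)})
        last[e.user] = e
    return alerts


def infrequent_country(baseline, events, history_days=30):
    """Alert when a sign-in country was not seen for that user, or for anyone
    in the org, within history_days. The baseline seeds the history silently."""
    user_seen = {}  # (user, country) -> last sign-in time
    org_seen = {}   # country -> last sign-in time
    for e in baseline:
        user_seen[(e.user, e.country)] = max(user_seen.get((e.user, e.country), e.when), e.when)
        org_seen[e.country] = max(org_seen.get(e.country, e.when), e.when)
    alerts = []
    for e in sorted(events, key=lambda s: s.when):
        window_start = e.when - timedelta(days=history_days)
        u = user_seen.get((e.user, e.country))
        o = org_seen.get(e.country)
        if u is None or u < window_start:
            reason = "new to org" if (o is None or o < window_start) else "new to user"
            alerts.append({"user": e.user, "country": e.country, "reason": reason})
        user_seen[(e.user, e.country)] = e.when
        org_seen[e.country] = e.when
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(BASELINE + NEW):
        print("impossible travel:", a)
    for a in infrequent_country(BASELINE, NEW):
        print("infrequent country:", a)
```

Running it flags alice's Chicago-to-Lagos pair under both checks, while bob's London sign-in is only "new to user" because carol had recently signed in from the UK, which illustrates why the real policy weighs org-wide history and why travelling users produce the false positives the text mentions.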

Suspicious Inbox Manipulation Rule

From the policy description:

“A suspicious inbox rule was set on a user’s inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization.”

When an account is compromised and used to distribute spam to both internal and external recipients, we often find that the attacker sets up inbox rules to cover his tracks before spamming. These include rules that delete new messages, so that if recipients reply to warn the sender that their mailbox has been compromised, the reply is never seen. With the help of this policy, a compromised account can be secured before the spam is ever sent out.
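As an added example of what a detector for this track-covering behaviour looks at (this is not the policy's own logic), the following triage function scores inbox-rule events. The event shape is modeled on the Exchange `New-InboxRule` / `Set-InboxRule` audit records, which carry a `Parameters` list of `Name`/`Value` pairs, but the sample events, the tenant domain `contoso.example`, and the folder and keyword lists are constructed assumptions.

```python
"""Flag inbox-rule creations that look like an attacker hiding replies.
Added example: event layout is modeled on Exchange inbox-rule audit records;
sample events, domains, folders and keywords are constructed assumptions."""

# Folders a user rarely reads; a rule moving mail here hides it in practice.
SUSPECT_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                   "junk email", "archive", "conversation history"}
# Words a compromised-mailbox rule commonly filters on to bury warnings.
SUSPECT_KEYWORDS = {"hacked", "phish", "spam", "password", "suspicious"}
INTERNAL_DOMAINS = {"contoso.example"}  # assumed tenant domains

# Constructed sample audit events.
SAMPLE_EVENTS = [
    {"UserId": "alice@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phish;spam"}]},
    {"UserId": "bob@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "carol@contoso.example", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "Forward"},
                    {"Name": "ForwardTo", "Value": "drop@mail.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
]


def params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def score_inbox_rule(event, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a rule event looks like track-covering; [] means benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params(event)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes incoming mail")
    if p.get("MoveToFolder", "").lower() in SUSPECT_FOLDERS:
        reasons.append(f"hides mail in '{p['MoveToFolder']}'")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in p.get(key, "").split(";"):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in internal_domains:
                reasons.append(f"{key} to external address {addr}")
    raw = p.get("SubjectContainsWords", "") + ";" + p.get("SubjectOrBodyContainsWords", "")
    hits = {w.strip().lower() for w in raw.split(";") if w.strip()} & SUSPECT_KEYWORDS
    if hits:
        reasons.append("filters on keywords " + ", ".join(sorted(hits)))
    name = p.get("Name")
    if name is not None and name.strip() in ("", ".", ","):
        reasons.append("near-empty rule name")
    return reasons


def triage(events):
    """Map each user with a suspicious rule event to the reasons it was flagged."""
    flagged = {}
    for e in events:
        reasons = score_inbox_rule(e)
        if reasons:
            flagged[e["UserId"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

Bob's newsletter rule is left alone, while alice's delete-and-filter rule and carol's forward-plus-hide rule are both surfaced with the specific reasons, which is the information an administrator needs to decide whether to secure the account.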

All the policies let you set a scope of users being monitored. This is useful when certain users frequently cause false positives, such as alerts from the Activity from Infrequent Country policy due to a user's travel. You can also configure where alerts are sent, to specific email addresses or as text messages. This is useful for the 24/7 system administrator who wants to make sure he never misses alerts from critical policies.

I suggest you review the other pre-defined policies to see what else might fit your organization, as well as the custom policy option, which may let you alert on something you have wanted to but previously lacked the means to do. When it comes to security in today's age, the more awareness you have, the better defense you can put up.


This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
