Vectra: 10 most common threats for Azure AD and Office 365 customers


Research into the most frequently observed malicious behavior in Azure Active Directory and Office 365 found that malicious activity often looks a lot like legitimate user activity, said Vectra AI, a threat detection and response company. Regardless of the size of the company, the risky O365 exchange transaction or attempted manipulation of Exchange was the most frequently observed behavior, Vectra said in the Q2 2021 Spotlight report, Vision and Visibility: Top 10 threat detections for Microsoft Azure AD and Office 365.

Above: Vectra has identified the 10 most common activities suggesting security threats in large enterprises.

Research focused on the top 10 threat detections in Azure AD and Office 365 environments identified the most common activities that could indicate a security threat:

  1. O365 risky exchange transaction: Attempt to manipulate Exchange to access data.
  2. Suspicious Azure AD operation: Operations indicating that attackers increase privileges and perform tasks that require administrator access after regular account takeovers.
  3. Suspicious O365 download activity: The account downloads an unusual number of objects, which suggests that an attacker is using SharePoint or OneDrive to exfiltrate data.
  4. O365 Suspicious Sharing Activity: The account is sharing files and folders at a higher volume than usual, suggesting that an attacker is using SharePoint to exfiltrate data or maintain network access.
  5. Creating redundant Azure AD access: Administrative privileges are granted to other entities, suggesting that attackers are establishing several methods to maintain access.
  6. Access to O365 external teams: An external account is added to a team in O365, suggesting that an attacker added another account they control.
  7. Creating O365 Suspicious Feed Automation Workflows: Automated workflows created with Microsoft Power Automate, suggesting that the attacker is establishing persistence in the environment.
  8. O365 Suspicious Mail Forwarding: Mail forwarded to another account, suggesting that attackers are collecting or exfiltrating data without needing to maintain persistence.
  9. O365 unusual eDiscovery search: A user creating or updating an eDiscovery search, suggesting that an attacker is scouting to find out what is accessible in the environment.
  10. Suspicious SharePoint Operation O365: SharePoint administrative operations suggesting malicious actions.
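To make two of these signals concrete (items 3 and 8), here is an added example of defender-side detection logic, not Vectra's own code. It scans constructed audit records loosely modelled on Office 365 Unified Audit Log fields (the record shape, the tenant domain `example.com` and the download baseline are assumptions) and flags inbox rules or mailbox settings that forward mail outside the tenant, plus accounts whose download count exceeds a baseline.

```python
"""Detection sketch for suspicious mail forwarding and unusual download volume.
Sample records are constructed and only approximate the Office 365 Unified
Audit Log schema (assumption); the thresholds are illustrative, not Vectra's."""
from collections import Counter
import json

TENANT_DOMAIN = "example.com"      # assumed tenant domain
DOWNLOAD_BASELINE_PER_USER = 20    # assumed per-window baseline

# Constructed sample audit records (not real data).
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "attacker@mail-test.invalid"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "teamlead@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-test.invalid"}]},
] + [{"Operation": "FileDownloaded", "UserId": "dave@example.com"} for _ in range(45)] \
  + [{"Operation": "FileDownloaded", "UserId": "alice@example.com"} for _ in range(3)]

# Exchange parameters that redirect or copy mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _is_external(address: str) -> bool:
    """True when the target address does not belong to the tenant domain."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return not addr.endswith("@" + TENANT_DOMAIN)


def find_external_forwarding(records):
    """Return (user, parameter, target) for forwarding set to an external address."""
    hits = []
    for r in records:
        if r.get("Operation") not in FORWARD_OPS:
            continue
        for p in r.get("Parameters", []):
            if p["Name"] in FORWARD_PARAMS and _is_external(p["Value"]):
                hits.append((r["UserId"], p["Name"], p["Value"]))
    return hits


def find_unusual_downloads(records, baseline=DOWNLOAD_BASELINE_PER_USER):
    """Return {user: count} for accounts whose FileDownloaded count exceeds baseline."""
    counts = Counter(r["UserId"] for r in records if r.get("Operation") == "FileDownloaded")
    return {user: n for user, n in counts.items() if n > baseline}


if __name__ == "__main__":
    print(json.dumps({"forwarding": find_external_forwarding(SAMPLE_LOG),
                      "downloads": find_unusual_downloads(SAMPLE_LOG)}, indent=2))
```

In production the baseline would be learned per account from historical volume rather than fixed, which is the "higher than usual" comparison the detections above rely on.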

Vectra calculated the relative frequency of threat detections triggered on its platform over a three-month period, broken down by customer size (small, medium and large). Users and admins at large organizations perform Office 365 and Azure AD activities more consistently than those at small organizations.

Top 10 Threat Detections for Small and Medium Businesses

Above: Small and medium-sized businesses had similar lists of the top 10 potentially malicious activities.

Small and medium-sized businesses have the same top 10 threat detections and differ slightly from the breakdown of types of detection found in large enterprises. For example, Office 365 DLL Hijacking, Office 365 Unusual Scripting Engine, and Office 365 Suspicious eDiscovery Exfil were in the top 10 for large enterprises, but not in the top 10 for medium and small businesses. Medium and small businesses included Office 365 Suspicious SharePoint Operation, Office 365 Suspicious eDiscovery Search, and Azure AD Suspicious Operation in

With 250 million active users, Office 365 has a big target on its back as cybercriminals spend time and resources crafting attacks aimed at the platform's large user base. Adversaries increasingly find that overtly malicious actions are unnecessary when existing services and access already used across an organization can simply be co-opted, misused, and abused.

In a recent Vectra survey of 1,000 security professionals, 71% said they had experienced an average of 7 authorized user takeovers in the past 12 months.

Read the full Q2 2021 Spotlight, Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365 report.

