Rapid Response to Microsoft 365 Security Incidents

Rapidly detect, contain, and remediate M365 breaches with our Incident Response support to get you back to business faster.

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

500+ customers trust our cyber security expertise

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

Allianz
Amadeus
Audi
Munich Airport
LBBW
Lufthansa
Osram
RS
Saarlb
VKB

Experienced a breach?

Please reach out to our Incident Response hotline at +49 89 890 63 62 61 or submit a request for immediate assistance:
Get immediate assistance

The challange: Microsoft 365 identity theft

Cloud identity compromise poses a high risk to enterprise IT. Attackers can exploit various techniques to access user identities without malware or server compromise. Inadequate security configurations and monitoring can make user compromise as simple as extracting reused passwords from publicly available breach data.

Moreover, attackers are increasingly sophisticated, overcoming commonly used Multi-Factor Authentication (MFA) measures like Push notifications (Microsoft Authenticator) or Time-Based One-Time Passwords (TOTP).  These factors are phished by the attackers using Adversary-in-the-Middle schemes.

Our experts have mastered hundreds of incident response engagements over the last 10 years, from medium-sized businesses to large corporations (DAX40) and have built up a wealth of experience.​

Adobestock 88348922 1 (10)

The solution: Rapid response to cloud breaches

In the face of a cloud breach, swift and effective action is key. Our priority is to contain the incident and minimize its impact on your operations. We meticulously comb through various logs in Azure, Entra, M365, O365 and Exchange online to pinpoint any malicious activity and grasp the full scope of the attack. Here's how we do it:
Triage Assessment
Containment​
Our containment efforts focus on halting the attackers progress and preventing further damage, ensuring their impact is minimized. We review prior containment measures and enact additional steps if necessary. Whether it's resetting passwords in EntraID, terminating active sessions, eliminating persistence techniques like email forwarding or alternative MFA methods, our goal remains steadfast: Prevention of further damage.
Disk Ram Analysis
Evidence Acquisition and Analysis​
We acquire, correlate and analyze your cloud logs, like O365 activity logs. Suspicious activity on unmanaged devices, anomalous geolocations, or other unusual behavior in the cloud environment – no stone is left unturned. With these attack insights, we implement further containment measures and preempt future risks.
Compromise Assessments
Root Cause Analysis​
We conduct thorough assessments to unveil the root cause of the compromise. Phishing attacks often serve as the entry vector for such breaches, prompting us to analyze message traces and audit logs. Our approach extends beyond the obvious, leveraging OSINT techniques and client triage packages. Through this multi-faceted approach, we not only uncover the root cause but also pave the way for effective mitigation strategies.

The approach

It's evident that facing a cyberattack on your organization isn't a matter of "if" but "when." Attaining cybersecurity readiness demands a fresh approach to detection and response, emphasizing proactive hunting for signs of current or previous compromise.

Reporting the M365 incident

No matter if you are dealing with an M365 incident, an O365 compromise, an Entra incident or a compromised Exchange online Mailbox, your first step is always to alert the HvS IR team via our emergency hotline +49 89 890 63 62 61 or submit a request here.

Our experts will receive your request and take care of all the following steps to guide you through the complete incident response process as fast as possible.

Reporting the M365 incident


< >

First Response Call

In a first response call we will establish a report about the current situation and collect all the facts necessary to take follow-up actions with the goal of rapidly containing and remediating the incident.

The first response call, including the situation report and the decisions will be documented by HvS to enable you to focus at the topics and decision at hand.

First Response Call


< >

Containment

To minimize further impact, like data loss or reputational damage, a quick containment is key. Our experience incident responders will guide you through all the necessary containment measures.

With prepared checklist and thorughly tested containment measures, the containment will be implemented in a fast and reliable fashion. 

Containment


< >

Forensic Analysis

Next is the assessment of the attack by forensisc analysis. By acquiring evidences like various types of cloud logs, our forensic experts will assess the entry vector as well as the activities of the attackers.

The gathered intelligence will help us to remediate the incident in the next step and to prevent incidents like this in the future. 

Forensic Analysis


< >

Remediation and Lessons learned

Based on the forensic results we will decided on necessary remediation measures.

In order to learn from the incident, you will be provided with a thorough report, including a management summary, a detailed timeline, as well as recommendations to prevent incidents like this in the future.

Remediation and Lessons learned


< >

Get immediate assistance

Please reach out to our Incident Response hotline at +49 89 890 63 62 61 or submit a request here for immediate assistance.

How we handle your data, you will find in our privacy information.

Why HvS-Consulting?

Experience

> 20

years of experience in cyber security and we are still learning every day.
Hvs Employees

> 50

highly qualified employees. We see ourselves as a "boutique" and deliver class instead of mass.
Clients

> 500

satisfied customers, incl. 50% of DAX corporations and hundreds of medium-sized companies.
Client Employees

> 1 Mio.

sensitized employees, managers, administrators and developers, at home and abroad.

Your questions answered

After initial detection of the incident, speed is of utmost importance to prevent further damage and impact on your organization, like data loss or reputational damage. In past incidents we have seen exfiltration of emails and SharePoint data, further internal phishing or even frauds in the six figures with only one compromised cloud identity.

Without rapid and adequate containment measures, a small incident quickly develops to a high-impact incident. Hence contact our IR experts as soon as possible after the initial detection via our emergency hotline +49 89 890 63 62 61 or submit a request here.

Microsoft Cloud incident are usually detection with alerts from Microsoft Defender suite, foremost Microsoft's Identity protection. Typical alerts you might see are:

  • Atypical travel
  • Anomalous Token
  • Suspicious browser
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Suspicious inbox manipulation rules
  • Password spray
  • Impossible travel
  • New country
  • Activity from anonymous IP address
  • Suspicious inbox forwarding
  • Mass Access to Sensitive Files
  • Verified threat actor IP
  • Additional risk detected
  • Anonymous IP address
  • Admin confirmed user compromised
  • Microsoft Entra threat intelligence
  • Possible attempt to access Primary Refresh Token (PRT)
  • Anomalous user activity
  • User reported suspicious activity
  • Suspicious API Traffic
  • Suspicious sending patterns
  • Leaked credentials
  • Microsoft Entra threat intelligence
  • Token issuer anomaly
  • Unusual volume of external file sharing
  • Messages have been delayed

When seeing some of these alerts in your environment you should take them seriously and take immediate response actions.

Over the last years many organizations have identified multifactor authentication (MFA) as a very important security measure to protect user accounts.

In the past any MFA method was sufficient to protect an enterprise from most phishing threats. With MFA becoming more and more widespread adversaries have adapted their phishing attacks accordingly.

Today it is common for attackers to use Adversary-in-the-Mittle (AitM), also known as Man-in-the-Middle (MitM) phishing websites that can circumvent the protection by non-phishing-resistant MFA methods like SMS tokens, TOTPs or mobile app push notifications.

During both phishing attacks the user is first lead to a phishing website and deceived to enter their credentials. During common  phishing, the attackers simply save the users credentials for later use. AitM- the more sophisticated variant – uses a malicious proxy server that hosts the phishing page.

This proxy is used to dynamically forward the login information of the user towards Microsoft in real-time to trigger an authentication process and the corresponding MFA mechanisms.

Depending on the MFA method of the user the phishing page then displays whatever prompt, form or information the real Microsoft page would display to the user. This way the user can complete the MFA process on the phishing page which is then again forwarded to Microsoft by the attacker.

The resulting multifactor authenticated session token is kept by the attacker and not forwarded to the user.

Since most cloud incident still start with an initial phishing mail, the best way to prevent such incidents if the implementation of multi-factor authentication, included phishing-resistant factors, in combination with a comprehensive awareness campaign.

For emergencies, please reach to our Incident Response hotline:

+49 89 890 63 62 61

Or submit a request for immediate assistance.

For other inquiries, please reach out here.

Related resources