Detecting compromised Microsoft 365 accounts is about to become much easier
The Cybersecurity and Infrastructure Security Agency (CISA) has released a new PowerShell-based tool that will make it easier for administrators to detect compromised applications and accounts in both Azure and Microsoft 365 environments.
The release of the tool comes after Microsoft described, in two blog posts published this month, how attackers are using stolen credentials and forged or stolen access tokens to target Azure customers. Reviewing both posts gives Azure admins the background they need to recognise this kind of anomalous behavior in their own tenants.
CISA provided further insight on its new PowerShell-based tool, which is available to download on GitHub, in a notification on its site, saying:
“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”
Azure security tools
CISA's new PowerShell-based tool was created by the agency's Cloud Forensics team and has been given the name Sparrow. The tool itself can be used to narrow down large sets of investigation modules and telemetry “to those specific to recent attacks on federated identity sources and applications”.
Sparrow checks the unified Azure and Microsoft 365 audit log for indicators of compromise (IoCs), lists Azure AD domains, and enumerates Azure service principals and their Microsoft Graph API permissions in order to surface potentially malicious activity such as changes to domain federation settings, new credentials added to applications, and service principals granted mail-reading permissions.
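To make the description above concrete, here is an added example (written for this article, not code from Sparrow or CISA) of the kind of checks such a tool performs, using cmdlets from the Exchange Online PowerShell module (Search-UnifiedAuditLog) and the AzureAD module. It assumes you have already run Connect-ExchangeOnline and Connect-AzureAD with an account that can read the unified audit log and the directory. The audit operation strings and the Graph permission names are assumptions based on how Azure AD events appear in the unified audit log; verify them against your own tenant's data before relying on them.

```powershell
# Added example, not Sparrow's own code. Assumes Connect-ExchangeOnline and
# Connect-AzureAD have already been run. Operation names below are assumed
# Azure AD audit operation strings; confirm them against your tenant's log.

$Start = (Get-Date).AddDays(-90)
$End   = Get-Date

# 1. Federated-identity changes in the audit log. Adding or altering domain
#    federation settings is the precursor to forging SAML tokens.
$DomainOps = @(
    'Set domain authentication.',
    'Set federation settings on domain.',
    'Update domain.',
    'Add unverified domain.'
)
$DomainEvents = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations $DomainOps -ResultSize 5000

# 2. Application / service principal credential changes. A new secret or
#    certificate on an existing app lets an attacker mint tokens as that app.
$AppCredOps = @(
    'Add service principal credentials.',
    'Remove service principal credentials.',
    'Add service principal.',
    'Add app role assignment to service principal.',
    'Consent to application.'
)
$AppCredEvents = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations $AppCredOps -ResultSize 5000

# Flatten the JSON AuditData payload so the actor, target and source IP are
# visible on one row per event.
$Findings = ($DomainEvents + $AppCredEvents) | ForEach-Object {
    $Data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $_.UserIds
        Target    = $Data.ObjectId
        ClientIP  = $Data.ClientIP
    }
} | Sort-Object When
$Findings | Format-Table -AutoSize

# 3. Present state: which domains are federated, i.e. where a rogue
#    token-signing certificate could have been planted.
Get-AzureADDomain |
    Where-Object { $_.AuthenticationType -eq 'Federated' } |
    Select-Object Name, AuthenticationType, IsVerified

# 4. Service principals holding mail-reading application permissions on
#    Microsoft Graph. 00000003-0000-0000-c000-000000000000 is the well-known
#    AppId of the Microsoft Graph service principal in every tenant.
$GraphSp = Get-AzureADServicePrincipal `
    -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map app role GUIDs to their human-readable permission values.
$RoleNames = @{}
foreach ($Role in $GraphSp.AppRoles) { $RoleNames[$Role.Id] = $Role.Value }

$MailRoles = 'Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic.All', 'Mail.Send'

Get-AzureADServiceAppRoleAssignment -ObjectId $GraphSp.ObjectId -All $true |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Permission  = $RoleNames[$_.Id]
        }
    } |
    Where-Object { $_.Permission -in $MailRoles } |
    Sort-Object Principal |
    Format-Table -AutoSize
```

Two things matter in practice when running checks like these: Search-UnifiedAuditLog is paged and capped at 5,000 results per call, so for a busy tenant or a wider window you need to loop with -SessionId and -SessionCommand ReturnLargeSet, and the unified audit log retains only 90 days by default on most licences, so an intrusion that began earlier may have left no trace in step 1 or 2, which is why the present-state checks in steps 3 and 4 are still worth running.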
CISA isn't the only organization to release a new Azure security tool; the cybersecurity firm CrowdStrike has done so as well. While CrowdStrike was investigating whether its own systems were affected by the SolarWinds hack, Microsoft notified the firm that an Azure reseller's account had been used, with compromised credentials, in an attempt to read CrowdStrike's corporate email.
In order to help admins more easily analyze their Azure environments and better understand the privileges assigned to third-party resellers and partners, CrowdStrike has released its free CrowdStrike Reporting Tool for Azure (CRT).
Via BleepingComputer