Account Compromise Detection for Office 365


Credential harvesting is not the hacker’s end goal. It’s just a step in a much grander scheme.

Using these compromised credentials, hackers take over Office 365 accounts belonging to corporate users. This is called Business Email Compromise (BEC), a specific kind of email-based account compromise designed to spread phishing inside the organization. The hacker’s goal is to cause financial loss, exfiltrate data, and damage the organization’s reputation.

The issue of account compromise is highly critical because Microsoft Office 365 offers many integrations with third-party applications. Once the hacker has gained control over a trusted account, they typically sift through the email to learn more about the victim’s role in the company, and their relationship with other employees and partners. They’ll investigate the victim’s calendar, SharePoint folders, and OneDrive files.

With this knowledge, hackers will launch a phishing campaign targeting other employees at the organization and its partners. To prevent this, enable MFA, perform semi-frequent password resets, and configure conditional access.

Signs of a Compromised Account

  • A mailbox rule that deletes all your emails
  • An internal user sending phishing emails
  • Missing or deleted emails, and other suspicious configuration changes
  • New inbox rules, such as automatically forwarding emails to unknown addresses or moving them to other folders
  • Changes to the user’s display name
  • Unusual credential changes, such as multiple password changes
  • Mail forwarding rules that aren’t part of company best practices
  • Suspicious login events
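As an added illustration (not Avanan's code), the following Python checks Exchange inbox-rule changes for the signs listed above: forwarding to an address outside the organization, deleting matching mail, or hiding it in a folder the user rarely opens. The audit records are constructed samples shaped like Office 365 Unified Audit Log entries; the internal-domain list and the folder names are assumptions.

```python
"""Flag suspicious inbox-rule changes in constructed Exchange audit records."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumed; forwards to any other domain are suspicious
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders a hijacked rule typically parks mail in so the victim never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}

# Constructed audit records (not real data), shaped like Office 365 Unified
# Audit Log entries for Exchange inbox-rule cmdlets: one JSON object per line.
SAMPLE_AUDIT_LOG = [
    json.dumps({"UserId": "alice@example.com", "Operation": "New-InboxRule",
                "ClientIP": "203.0.113.10", "Parameters": [
                    {"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "bob@example.com", "Operation": "New-InboxRule",
                "ClientIP": "203.0.113.11", "Parameters": [
                    {"Name": "Name", "Value": "Newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"UserId": "carol@example.com", "Operation": "Set-InboxRule",
                "ClientIP": "198.51.100.9", "Parameters": [
                    {"Name": "Identity", "Value": "Cleanup"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
]


def rule_findings(record):
    """Return the reasons one rule-change record looks like a takeover sign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS:
        if name in p and p[name].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"{name} to external address {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule silently deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to hiding folder '{p['MoveToFolder']}'")
    return reasons


def scan_audit_log(lines):
    """Return (user, client_ip, reasons) for every suspicious rule change."""
    records = [json.loads(line) for line in lines]
    return [(r["UserId"], r.get("ClientIP"), rule_findings(r))
            for r in records if rule_findings(r)]
```

Running `scan_audit_log(SAMPLE_AUDIT_LOG)` flags alice (external forward plus delete) and carol (mail hidden in "RSS Feeds") while bob's ordinary newsletter rule passes.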

“Avanan also has a cool report that notes any suspicious login attempts and has allowed me to quickly reset any user accounts’ passwords that get hit too many times from Hacker nations.”

CTO, Retail Industry

How Avanan Detects Compromised Accounts

Avanan has developed an algorithm to detect compromised accounts, using a number of threat signals appearing in the Office 365 instance. The adaptive technology looks at email activity, and correlates that with account activity and user behavior.

Because Avanan is so tightly integrated with the full Office 365 Suite, it can correlate login information, policy edits, file activity, data shares or other anomalous behavior across the entire suite. This identifies the insider threat and blocks malicious behavior before it happens.

“Superman” Login Alerts
Flags logins that would be impossible for a human, such as logging in from two different continents in a short period of time.
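As an added example (not Avanan's algorithm), here is a minimal impossible-travel check in Python: it sorts each user's sign-ins by time, computes the great-circle distance between consecutive source locations, and flags any pair whose implied speed no human traveller could reach. The sign-in events, their coordinates and the 1000 km/h threshold are constructed assumptions.

```python
"""Impossible-travel ("superman") login check over constructed sign-in events."""
import math
from datetime import datetime

# Constructed sign-in events (not real log data) with the fields an Office 365
# sign-in log exposes once the source IP has been geolocated.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z",
     "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},   # New York
    {"user": "alice@example.com", "time": "2024-05-01T09:30:00Z",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.41},    # Berlin, 90 min later
    {"user": "bob@example.com", "time": "2024-05-01T08:00:00Z",
     "ip": "203.0.113.20", "lat": 51.51, "lon": -0.13},    # London
    {"user": "bob@example.com", "time": "2024-05-01T18:00:00Z",
     "ip": "203.0.113.21", "lat": 48.86, "lon": 2.35},     # Paris, 10 h later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than an airliner is implausible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ip, to_ip, implied_kmh) for each consecutive login
    pair of the same user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 UTC strings sort by time
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["time"].replace("Z", "+00:00"))
            hours = (t1 - t0).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same place within the same second is fine; a real distance with
            # no elapsed time is treated as infinite speed.
            speed = dist / hours if hours > 0 else (math.inf if dist > 1 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], speed))
    return alerts
```

For the sample data only alice's New York to Berlin pair (about 6,400 km in 90 minutes) is flagged; bob's London to Paris trip over ten hours is ordinary travel.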

Anomaly Detection
Identifies insecure behaviors, such as users mass-downloading files, CCing hundreds of recipients on a single email, etc.

Retrospective Analysis
Continuous analysis that introduces the concept of time into the security paradigm: it shortens adversary dwell time by using what was discovered in the past as historical context to inform predictive discovery of new security threats.

“Their dashboard alerted us to "superman" geo-impossible simultaneous logins, which enabled us to shut down a compromised account. They even created a custom report of foreign logins which I review each morning; this is way easier than Microsoft's interface for alerts.”

Sr. IT Project Manager, Construction

How Avanan Remediates Compromised Accounts

| Anomaly | Description | Remediation Action (besides alerting/education) |
|---|---|---|
| Compromised/lost devices | Detecting cases of authenticated devices (phones?) that were lost or taken over | Reset password; one-time sign-out; wipe device |
| Brute-force attack | Identifying brute-force attacks (trying multiple passwords, multiple users) associated with a single campaign (IP? device, network, VPN provider) | Enforce MFA; reset passwords; conditional access: block IP, subnet |
| Logins behind VPN | Successful logins behind VPNs/proxies | Reset password; suspend user; enforce MFA; conditional access: block IP |
| Unsecured successful authentications | Logins from old browsers and internet kiosks, which are subject to password grabbers and vulnerabilities | Reset password; enforce MFA |
| Unusual authentication protocols | Logins/emails using ‘old’ authentication protocols (IMAP, POP3, etc.) | Reset password; enforce MFA |
| Too many devices | Identifying logins (success/fail) with different device fingerprints | Reset password; enforce MFA |
| GEO-wall | Extending our GEO capabilities to allow GEO-walling: detecting and preventing logins from hostile locations | Conditional access: block IP/locations |
| Outbound phishing campaign | Detecting outbound phishing emails, indicating an account takeover | Suspend user; contain outbound emails |
| Too many ‘bounced’ emails | A high volume of ‘bounced’ emails, indicating a massive outbound email campaign | Suspend user; contain outbound emails |
| Unlikely device (down version) | Connection from unlikely devices | Reset password; enforce MFA |


Cloud Account Takeover

Ready to see the threats hiding in your inbox?

Approve the Avanan app in one click. From within your email environment, the patented AI will build a social graph connecting users across your organization and immediately identify phishing, malware, and other advanced threats that have been hiding in your collaboration suite.