Detecting compromised Microsoft 365 accounts is about to become much easier
The Cybersecurity and Infrastructure Security Agency (CISA) has released a new PowerShell-based tool that will make it easier for administrators to detect compromised applications and accounts in both Azure and Microsoft 365 environments.
The release of the tool comes after Microsoft disclosed, in a recent blog post and in a previous one published earlier this month, how cybercriminals are using stolen credentials and access tokens to target Azure customers. Carefully reviewing both posts will provide Azure admins with the knowledge they need to spot anomalous behavior in their tenants.
CISA provided further insight on its new PowerShell-based tool, which is available to download on GitHub, in a notification on its site, saying:
“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”
CISA’s new PowerShell-based tool was created by the agency’s Cloud Forensics team and has been given the name Sparrow. The tool itself can be used to narrow down large sets of investigation modules and telemetry “to those specific to recent attacks on federated identity sources and applications”.
Sparrow is able to check the unified Azure and Microsoft 365 audit log for indicators of compromise (IoCs), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions in order to discover potential malicious activity.
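The audit-log part of that check can be sketched offline as follows. This is an added example, not code from Sparrow or from the article: the watch list, the function name `Find-IdentityAuditHit` and the sample records are assumptions constructed for illustration, and the records only mimic the `CreationDate`, `UserIds`, `Operations` and `AuditData` properties of `Search-UnifiedAuditLog` output.

```powershell
# Added example: offline triage of records shaped like Search-UnifiedAuditLog output.
# Assumption: this watch list is illustrative; it is not Sparrow's own list.
$WatchedOperations = @{
    'Set federation settings on domain'            = 'Domain federation change'
    'Set domain authentication'                    = 'Domain federation change'
    'Add service principal credentials'            = 'Application credential change'
    'Add app role assignment to service principal' = 'Application permission change'
    'Consent to application'                       = 'Application permission change'
}

function Find-IdentityAuditHit {
    param([Parameter(Mandatory)][object[]]$Record)
    foreach ($r in $Record) {
        # Normalise the operation name: logged values may carry a trailing period.
        $op = "$($r.Operations)".Trim().TrimEnd('.')
        if (-not $WatchedOperations.ContainsKey($op)) { continue }
        # AuditData is a JSON string; keep the hit even when it cannot be parsed.
        try   { $data = $r.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { $data = $null }
        [pscustomobject]@{
            Time      = $r.CreationDate
            Actor     = $r.UserIds
            Category  = $WatchedOperations[$op]
            Operation = $op
            Target    = if ($data) { $data.ObjectId } else { '<unparsed AuditData>' }
            Status    = if ($data) { $data.ResultStatus } else { 'unknown' }
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ CreationDate = '2021-01-05T09:12:00Z'; UserIds = 'admin@contoso.example'
        Operations = 'Set federation settings on domain.'
        AuditData  = '{"ObjectId":"contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ CreationDate = '2021-01-05T09:20:00Z'; UserIds = 'user1@contoso.example'
        Operations = 'UserLoggedIn'
        AuditData  = '{"ObjectId":"portal","ResultStatus":"Success"}' }
    [pscustomobject]@{ CreationDate = '2021-01-05T09:31:00Z'; UserIds = 'admin@contoso.example'
        Operations = 'Add service principal credentials.'
        AuditData  = '{"ObjectId":"sample-app","ResultStatus":' }   # truncated on purpose
)

Find-IdentityAuditHit -Record $sample | Sort-Object Time | Format-Table -AutoSize
```

The ordinary sign-in record is skipped, and the record with truncated `AuditData` is still reported with a placeholder target so that a damaged export does not hide a credential change.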
However, CISA isn’t the only one to have released a new Azure security tool, as the cybersecurity firm CrowdStrike has done so as well. While CrowdStrike was investigating whether its systems were affected by the SolarWinds hack, Microsoft told the firm that an Azure reseller’s account was trying to read its corporate emails using compromised Azure credentials.
In order to help admins more easily analyze their Azure environments and better understand the privileges assigned to third-party resellers and partners, CrowdStrike has released its free CrowdStrike Reporting Tool for Azure (CRT).
Via BleepingComputer