
CISA and CrowdStrike Tools Make Detecting Compromised Microsoft 365 Accounts Easier

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a PowerShell-based tool to help organizations detect compromised accounts and applications in Microsoft Azure and 365.

Following the SolarWinds attack disclosed in late 2020, in which trojanized SolarWinds files could have given a nation-state actor access to victim networks, Microsoft outlined the techniques used in the later stages of the attack.

Post-Compromise Threat Activity in Microsoft Azure and 365

The attack involved compromising a network through malicious code in the SolarWinds Orion product. It allowed the attacker to elevate privileges and get access to an organization’s trusted SAML token-signing certificate. Security Assertion Markup Language (SAML) is an open standard that facilitates user logon to on-premises and cloud services. The attacker could then forge SAML tokens to impersonate the organization’s existing users, including privileged accounts.

With that certificate, an attacker could access any resource that trusts the organization’s SAML token-signing certificate. Because the signing certificate is the basis of the federated trust relationship, a service provider such as Microsoft Azure has no way to distinguish a forged token from a legitimate one and might not detect the forgery.


Microsoft says that the built-in security and monitoring features of its cloud were able to detect anomalies in SAML authentication, and that Microsoft Defender malware definitions have been updated to detect the malicious SolarWinds files.

CISA Sparrow

The CISA PowerShell tool is designed to detect unusual activity that might impact a Microsoft 365 or Azure environment.

“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”

The tool (sparrow.ps1) is available for free on GitHub. It can be used by incident responders to narrow the scope of user and application activity that might indicate authentication-based attacks. The tool checks the unified audit log in Azure for indicators of compromise, lists Azure AD domains, and checks Azure service principals and related Microsoft Graph API permissions to alert incident responders of potentially malicious activity.
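The audit-log portion of that check can be reproduced with a few lines of PowerShell. The following is an added example, not code from CISA’s sparrow.ps1; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange role that permits audit-log searches, and it queries the Azure AD operations that a token-forging attack typically leaves behind (federation changes and credentials added to service principals).

```powershell
# Added example (not CISA's sparrow.ps1): look in the unified audit log for
# the operations an attacker performs when preparing to forge SAML tokens or
# to persist through an application identity.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-90)   # unified audit log retention is limited; adjust as needed

# Operations of interest: changes to domain federation / authentication
# settings and credentials added to service principals.
$operations = @(
    'Set federation settings on domain.',
    'Set domain authentication.',
    'Add service principal.',
    'Add service principal credentials.'
)

$results = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $operations -ResultSize 5000

# Each record carries a JSON blob in AuditData; pull out who did what to which object.
$findings = $results | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $data.UserId
        ActorIP   = $data.ActorIpAddress
        Target    = ($data.Target | ForEach-Object { $_.ID }) -join ';'
    }
} | Sort-Object Time

if ($findings.Count -eq 0) {
    'No federation or service-principal credential changes found in the window.'
} else {
    # Every hit deserves a look: these operations are rare in a healthy tenant,
    # so anything not tied to a known change ticket is a lead for responders.
    $findings | Format-Table -AutoSize
}
```

Compare every actor and source IP against the organization’s change records; a federation change or a new service-principal credential that nobody recognizes is the kind of indicator the CISA tool is built to surface.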

CrowdStrike Reporting Tool for Azure

Not to be left out, CrowdStrike has also created a PowerShell reporting tool for Azure. The tool is designed a bit differently from the CISA effort. CrowdStrike’s script is free and can be downloaded on GitHub.

The script is designed to expose information about permissions and configuration settings that are hard to find in Azure, like Mail Forwarding Rules for Remote Domains, Exchange Online PowerShell Enabled Users, and Service Principal Objects with KeyCredentials.
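The three settings named above can be pulled directly from the tenant. The following is an added example, not code from CrowdStrike’s reporting tool; it assumes the ExchangeOnlineManagement and AzureAD PowerShell modules are installed and that the signed-in account can read Exchange Online configuration and Azure AD service principals.

```powershell
# Added example (not CrowdStrike's CRT): expose three hard-to-find tenant
# settings that matter after an identity compromise.
Connect-ExchangeOnline
Connect-AzureAD

# 1. Remote domains that permit automatic forwarding. Combined with an inbox
#    rule, this is a quiet channel for mail exfiltration.
$forwardingDomains = Get-RemoteDomain |
    Where-Object { $_.AutoForwardEnabled } |
    Select-Object DomainName, AutoForwardEnabled

# 2. Users allowed to use Exchange Online PowerShell. Each one is a scripted
#    access path if that account's credentials are stolen.
$psUsers = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object UserPrincipalName, RecipientTypeDetails

# 3. Service principals carrying certificate credentials (KeyCredentials).
#    A certificate added by an attacker lets them authenticate as the
#    application without any user account or MFA.
$spWithKeys = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.KeyCredentials.Count -gt 0 } |
    ForEach-Object {
        $sp = $_
        foreach ($key in $sp.KeyCredentials) {
            [pscustomobject]@{
                DisplayName = $sp.DisplayName
                AppId       = $sp.AppId
                KeyId       = $key.KeyId
                StartDate   = $key.StartDate
                EndDate     = $key.EndDate
                Usage       = $key.Usage
            }
        }
    }

"`nRemote domains with auto-forward enabled:"
$forwardingDomains | Format-Table -AutoSize
"`nUsers with Exchange Online PowerShell enabled:"
$psUsers | Format-Table -AutoSize
"`nService principals with certificate credentials:"
$spWithKeys | Sort-Object StartDate -Descending | Format-Table -AutoSize
```

Review the newest KeyCredentials first; a certificate whose start date lines up with the suspected intrusion window and that no administrator can account for should be revoked and the application's sign-in logs examined.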

The tool came about as CrowdStrike was investigating whether its own systems had been compromised as part of the SolarWinds attack. Microsoft had informed the company that a compromised account belonging to an Azure reseller was being used to try to read CrowdStrike emails. The attempted breach turned out to be unsuccessful.

SAML authentication-based attacks aren’t unique to Microsoft platforms

While these two tools have been designed to work specifically with Azure and Microsoft 365, the SAML issue that was exploited during the SolarWinds attack isn’t unique to Microsoft. SAML is widely used for federated sign-in, so the same token-forging technique could affect other organizations and service providers.
