Skip to the main content.

2 min read

How Microsoft 365 Identified Suspicious Behavior Other Security Programs Missed

How Microsoft 365 Identified Suspicious Behavior Other Security Programs Missed

Recently, CloudServus received a high-severity alert from the Microsoft 365 Security & Compliance Center of one of our clients: a user account had been potentially compromised and, as a result, had been restricted from sending messages outside of the organization.

As we dug further into the issue, we noticed an interesting parallel between the activity of the users involved in the situation and some of the most dangerous cyber attacks occurring today.

Here’s what happened, and why it matters for you:

Shared Credentials Trigger a Shutdown

In our client’s case, Microsoft’s alert was triggered by a relatively benign activity. The user – one of our client’s employees – had shared her credentials with another employee. The second employee then used her credentials to log in to another workstation at the company. When the second employee began sending messages from the additional workstation using the borrowed credentials, Defender for Office 365 flagged the activity as suspicious and blocked the user from sending outbound email.

In the end, the situation was easily resolved. Creating a shared mailbox and updating email sending procedures internally allowed the team to resume sending messages without triggering alerts (though the compromised account will have to be on its best behavior going forward!).

However, what was notable about the situation wasn’t how quickly we were able to get our client’s email accounts back up and running. It was that our client’s employees had inadvertently performed a pen test, demonstrating how effective Microsoft has become at identifying and preventing potential phishing attacks.

How Our Client’s Activity Mimicked a Phishing Attack

Viewed through another lens, our client’s behavior closely resembled the activity that would have occurred in an actual, successful phishing attack.

  • In our client’s case, one employee deliberately shared her credentials with another. In a phishing attack, the attacker would gain access to the same credentials by having duped the user into inadvertently revealing them.
  • The second employee in our client’s case moved to a different workstation within the company and logged in with the borrowed credentials. After successfully phishing for credentials, an attacker would effectively do the same thing – moving laterally through the internal network to identify weak points that could be accessed and exploited.
  • When our client’s second employee began sending emails from her workstation, she unintentionally mirrored the behavior of a phishing attacker, who would use any access gained to send messages from what would appear to recipients to be a trusted location.

Though Defender for Office 365 successfully – and correctly – identified the threat and restricted the compromised account, other tools used by the client missed the issue entirely. Despite sending a high volume of emails with borrowed credentials, a well-known email hygiene product, as well as a ‘cutting-edge’ email encryption and security tool did not raise any red flags or alerts.

What Microsoft’s Alerts Mean for You

Our client’s experience demonstrates how effective Microsoft’s next generation of email security has become at stopping potential attacks.

You may be confident that your employees would never share logins or behave in this way, but ultimately, that’s beside the point. As phishing attacks grow more and more sophisticated and frequent every day, every business needs to be concerned about the potential repercussions associated with employee credentials being accidentally compromised.

Phishing attacks nearly doubled in frequency from 2019 to 2020, according to FBI data. What this phenomenal win proves is that Microsoft 365 and Defender for Office 365 are two of the best tools you can have on your side when it comes to protecting your business’s most sensitive data.

Want to learn more? You may already own the rights to some of the security tools mentioned here. A Cloud Security Assessment with the CloudServus team will review your current security posture, provide a detailed Executive Report deliverable, and provide actionable next steps for remediation. Contact us today for more information.

Navigating the Future with Windows 365: Your Complete Cloud-Based Workspace

Navigating the Future with Windows 365: Your Complete Cloud-Based Workspace

Cloud computing has transformed the business landscape, offering unparalleled flexibility and efficiency. A leader in this evolution is Microsoft...

Microsoft Fabric vs. Power BI: What's the Difference?

Microsoft Fabric vs. Power BI: What's the Difference?

It’s more important than ever today for businesses to make data-driven decisions. But while 90% of organizations indicate that data is increasingly...

Countdown to Windows Server 2012 R2 EOL: Upgrade & Migration Choices Explained

Countdown to Windows Server 2012 R2 EOL: Upgrade & Migration Choices Explained

The deadline for Windows Server 2012 support is fast approaching; the end of support date is October 10th, 2023. As this technology is set to become...