Thanks to our API integrations into a multitude of SaaS collaboration platforms, Abnormal is able to uniquely detect signals of compromised accounts.
In this case, all the signals came solely from Microsoft 365, but they still showed signs of Renee's account being compromised, so an alert was created. If I click into this alert, I can see a timeline and a breakdown of exactly how the system reached this verdict.
At 12:33, Renee logged into her account from San Francisco. An hour and a half later, a login was observed from Hong Kong. This kicked off an impossible travel alert, and then 11 minutes later, we saw this mail rule created to move messages from two users to the junk folder.
This is a very common tactic threat actors use to hide their tracks. Together, these events created an ATO alert—an account takeover alert. From this point, the alerted analyst can come directly into the portal and, with a couple of clicks, fully remediate the compromised account: sign out active sessions, block account access, and/or trigger a password reset.
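The detection chain just described (an impossible-travel login pair followed shortly by a mailbox rule that hides messages) can be replayed over constructed events; the script below is an added example, not Abnormal's code, and its thresholds, event field names and 60-minute correlation window are assumptions.

```python
# Added example (not Abnormal's code): scores a user's login and inbox-rule events
# for impossible travel and for a mail-hiding rule created shortly afterwards.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed: faster than this between two logins = impossible travel
RULE_WINDOW_MIN = 60        # assumed: a hiding rule within this window after the trip escalates to ATO


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events):
    """Return (kind, detail) findings for one user's events, processed chronologically."""
    findings, last_login, travel_ts = [], None, None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "login":
            if last_login:
                km = haversine_km(last_login["lat"], last_login["lon"], ev["lat"], ev["lon"])
                hours = (ev["ts"] - last_login["ts"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append(("impossible_travel", f"{last_login['city']}->{ev['city']} in {hours:.1f}h"))
                    travel_ts = ev["ts"]
            last_login = ev
        elif ev["type"] == "inbox_rule" and ev["action"] in ("move_to_junk", "delete"):
            # A rule that hides mail is suspicious on its own; right after impossible travel it is ATO.
            mins = (ev["ts"] - travel_ts).total_seconds() / 60 if travel_ts else None
            if mins is not None and 0 <= mins <= RULE_WINDOW_MIN:
                findings.append(("account_takeover", f"{ev['action']} rule {mins:.0f} min after impossible travel"))
            else:
                findings.append(("suspicious_rule", ev["action"]))
    return findings


# Constructed events mirroring the demo timeline: SF login, Hong Kong login 90 min later, rule 11 min after that.
SAMPLE = [
    {"type": "login", "user": "renee", "ts": datetime(2024, 1, 1, 12, 33), "city": "San Francisco", "lat": 37.77, "lon": -122.42},
    {"type": "login", "user": "renee", "ts": datetime(2024, 1, 1, 14, 3), "city": "Hong Kong", "lat": 22.32, "lon": 114.17},
    {"type": "inbox_rule", "user": "renee", "ts": datetime(2024, 1, 1, 14, 14), "action": "move_to_junk"},
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(kind, detail)
```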
Of course, we also have a multitude of integrations with SIEM, SOAR, and identity management platforms, should you want to correlate this data or even automate the remediation workflows.