
Detecting compromised Microsoft 365 accounts is about to become much easier

Image: open lock (Image credit: Pixabay)

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new PowerShell-based tool that will make it easier for administrators to detect compromised applications and accounts in both Azure and Microsoft 365 environments.

The release of the tool comes after Microsoft disclosed how cybercriminals are using stolen credentials and access tokens to target Azure customers in a recent blog post, as well as in a previous blog post published earlier this month. Carefully reviewing both posts will provide Azure admins with the knowledge they need to spot anomalous behavior in their tenants.

CISA provided further insight on its new PowerShell-based tool, which is available to download on GitHub, in a notification on its site, saying:

“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”

Azure security tools

CISA's new PowerShell-based tool was created by the agency's Cloud Forensics team and has been given the name Sparrow. The tool itself can be used to narrow down large sets of investigation modules and telemetry “to those specific to recent attacks on federated identity sources and applications”.

Sparrow is able to check the unified Azure and Microsoft 365 audit log for indicators of compromise (IoCs), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions in order to discover potentially malicious activity.

However, CISA isn't the only organization to release a new Azure security tool: the cybersecurity firm CrowdStrike has done so as well. While investigating whether or not its systems were affected by the SolarWinds hack, Microsoft told the firm that an Azure reseller's account was trying to read its corporate emails using compromised Azure credentials.

In order to help admins more easily analyze their Azure environments and better understand the privileges assigned to third-party resellers and partners, CrowdStrike has released its free CrowdStrike Reporting Tool for Azure (CRT).

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.