top of page
  • kevinkeathley3

An Additional 12 Behavioral Models to Fluency Microsoft 365 Detection

Microsoft 365 is a single point of failure for security to organizations that relies on its mechanisms to alert them to suspicious activities. Fluency ties into Microsoft 365 to provide behavioral detection of possible compromised accounts and insider threats.

Fluency continues to add to its advanced set of behavioral rules. Our models require zero-search, as they are based on our design of interrogating the raw data stream as it comes in with our rules and before it’s written to storage. The result is an immediate notification of trouble.

New behavioral models included are:

Azure Active Directory Add User Pattern Verification

Organizations that use specific patterns for their account names need an automated method of detecting anomalies when new accounts are created during a compromise. For example, an organization may standardize usernames as Alternatively, another organization may use This rule processes the username of a new account and applies a pattern, specific to a customer, to that username to verify if it matches. If it does not match the pattern, then it will alert as suspicious activity.

Exchange New, Disable, and Remove Transport

When an attacker gains access to an organizations M365 account using compromised and elevated credentials (such as a global administrator – typically a c-level executive that has unnecessary permissions), sometimes it is beneficial to create an exchange-wide transport rule to hide alerts from Microsoft security or from the organizations financial institution(s). These rules, unlike inbox rules, are not commonly created on a frequent basis. This rule will alert when a new transport rule is created, disabled, or removed so that an analyst can investigate.

Exchange Mailbox Permission

One tactic of an attacker is granting a compromised account Full Access to other account mailboxes. This is typically done via adding or modifying mailbox permissions. This rule triggers on any change where Full Access permissions are given, especially from previously unknown administrators.

Exchange Recipient Permission SendAs and Set Mailbox GrantSendOnBehalf

Setting the GrantSendOnBehalf permission to a mailbox and SendAs permission for a recipient are common tactics for attackers to use authorized accounts for nefarious purposes. Once an account is compromised, an attacker can grant the permissions for the account to be able to send e-mails on behalf of the financial officer, c-level executive, or other recognized authority figure. This is typically used in conjunction with attempting to access an organization’s financial assets (theft) or proprietary data (espionage). These rules will trigger, and while it is not uncommon for administrative assistants to use these features, it is not a permission change that tends to occur frequently. Thus, even in situations where it is authorized, an analyst will be alerted and can easily determine whether it is malicious or not.

New and Disable Inbox Rule

While it is common in many organizations for user to create inbox rules to filter incoming e-mail, there are indicators that can alert analysts to suspicious activity. For example, when an attacker wishes to hide certain e-mails from prying eyes, several e-mail rules across several accounts are typically among the first items created. These rules can be anything from moving/deleting e-mails from Microsoft Security to alerts from financial institutions or other organization members. These Fluency rules look for activity outside of learned behavior, such as multiple rules being created within a short timeframe, or rules created for other accounts, and alert analysts. Analysts can determine if the rules are legitimate or not.

Login Office365 and Shared Network Address

Microsoft 365 login activity should always be monitored for anomalous activity. Indicators such as a login by a user from a new location or even ISP (both checked by Fluency) should alert analysts to possible compromise activity. When multiple users log in from the same IP, and that IP is not part of the organization’s IP range, then it may indicate that multiple accounts have been compromised by an attacker. In these cases, and others, Fluency has rules available to provide alerts when these activities occur.

Teams Modification

A commonly used service of Microsoft 365 is Microsoft Teams. Teams is used for collaboration within an organization (as well with invited guests) in order to chat and share files. Because of the sensitive nature of some of these Teams channels, caution must be taken to ensure that they are not compromised. This rule alerts on various modifications to Microsoft Teams channel permissions and roles that may indicate a compromise.


By integrating Fluency with Microsoft 365, organizations will substantially elevate their overall security posture while reducing their business risk.This applies to other providers such as Gmail.Fluency allows for external alerting and analysis tools that may be the only ones available when an attacker disrupts those the cloud provider normally offers (such as e-mail alerts).Fluency brings our clients a full library of Global behavioral rules covering everything from cloud providers to your networks and more.Once we deploy our rules for a new client and the machine learning kicks in, we work diligently with our clients to “tune” the rules, based on their unique individual environment, to reduce the extraneous alerts that otherwise are called “false positives”.Fluency is also continually striving to create new behavior rules as conditions change and new tactics, techniques and indicators are identified.We are committed to our clients. We believe having our repository of rules available from day one helps them realize time-to-value much faster than they otherwise can.

61 views0 comments


bottom of page