An employee gave credentials to a criminal group (the assumption is that the employee sold the credentials, or was blackmailed into providing them). The criminal group used these credentials to log into Office 365 from the same geo-location the employee was in, and used the employee's permissions to read classified information (the assumption is that they took snapshots of certain screens which displayed sensitive information). CASB and ATO mechanisms were not effective, since the criminals used the employee's own credentials from an expected location, and DLP was also ineffective, since no files were downloaded or shared.
The sequence of activities performed by employees during a working session in the Office 365 suite of applications.
TrackerIQ learned session working profiles for the entire organization and for each user, and used these working profiles to detect abnormal/suspicious sessions (i.e. journeys). The underlying assumption is that the sequences of activities performed by the impostor do not match a normal working profile (neither that of the entire organization, nor that of the individual).
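The detection logic described above, as an added illustration that is not TrackerIQ's code and does not describe its internals: a per-user and an organisation-wide profile of activity transitions are learned from Office 365 audit records, and a session is flagged when its sequence is unusual under both profiles at once. The records, user names, and session ids are constructed; the assumption that a "journey" can be grouped by a SessionId field is mine, as is the choice of a smoothed bigram model and of a threshold calibrated from the most surprising baseline session.

```python
from collections import Counter, defaultdict
from math import log

START, END = "<start>", "<end>"


def rec(t, user, sid, workload, op):
    """One constructed audit record, shaped like an Office 365 unified audit log entry."""
    return {"CreationTime": t, "UserId": user, "SessionId": sid,
            "Workload": workload, "Operation": op}


def journey(user, sid, ops):
    """Records for one session, given (Workload, Operation) pairs in time order."""
    return [rec(i, user, sid, w, o) for i, (w, o) in enumerate(ops)]


def to_steps(ops):
    return [f"{w}:{o}" for w, o in ops]


LOGIN = ("AzureActiveDirectory", "UserLoggedIn")
MAIL = ("Exchange", "MailItemsAccessed")
TEAMS = ("MicrosoftTeams", "MessageSent")
FILE = ("SharePoint", "FileAccessed")
SEND = ("Exchange", "Send")
DRIVE = ("OneDrive", "FileModified")
PAGE = ("SharePoint", "PageViewed")
REPORT = ("PowerBI", "ViewReport")

# Constructed baseline: six ordinary working sessions for two fictitious users.
BASELINE_LOG = (
    journey("alice@example.com", "a1", [LOGIN, MAIL, TEAMS, FILE, SEND])
    + journey("alice@example.com", "a2", [LOGIN, MAIL, TEAMS, FILE, SEND])
    + journey("alice@example.com", "a3", [LOGIN, MAIL, FILE, TEAMS, SEND])
    + journey("bob@example.com", "b1", [LOGIN, MAIL, DRIVE, TEAMS, SEND])
    + journey("bob@example.com", "b2", [LOGIN, MAIL, DRIVE, TEAMS, SEND])
    + journey("bob@example.com", "b3", [LOGIN, TEAMS, MAIL, DRIVE, SEND])
)
NORMAL_JOURNEY = to_steps([LOGIN, MAIL, TEAMS, FILE, SEND])
# A session that only browses SharePoint pages and reports: nothing is downloaded,
# so DLP sees nothing, and the login looks legitimate, but the journey is unusual.
SUSPECT_JOURNEY = to_steps([LOGIN, PAGE, PAGE, FILE, PAGE, REPORT, REPORT, FILE])


def sessions_from_log(records):
    """Group records into (user, [Workload:Operation, ...]) journeys by SessionId (assumed field)."""
    grouped = defaultdict(list)
    for r in records:
        grouped[(r["UserId"], r["SessionId"])].append(r)
    sessions = []
    for (user, _sid), recs in grouped.items():
        recs.sort(key=lambda r: r["CreationTime"])
        sessions.append((user, [f'{r["Workload"]}:{r["Operation"]}' for r in recs]))
    return sessions


class JourneyProfile:
    """Bigram model of activity transitions with add-one smoothing."""

    def __init__(self):
        self.transitions, self.outgoing, self.vocab = Counter(), Counter(), set()

    def train(self, steps):
        seq = [START] + steps + [END]
        for a, b in zip(seq, seq[1:]):
            self.transitions[(a, b)] += 1
            self.outgoing[a] += 1
            self.vocab.update((a, b))

    def surprise(self, steps):
        """Mean negative log-probability per transition (higher = less normal) and unseen pairs."""
        seq = [START] + steps + [END]
        total, unseen, v = 0.0, [], len(self.vocab) + 1
        for a, b in zip(seq, seq[1:]):
            if self.transitions[(a, b)] == 0:
                unseen.append((a, b))
            total -= log((self.transitions[(a, b)] + 1) / (self.outgoing[a] + v))
        return total / (len(seq) - 1), unseen


def build_profiles(sessions):
    org, users = JourneyProfile(), defaultdict(JourneyProfile)
    for user, steps in sessions:
        org.train(steps)
        users[user].train(steps)
    return org, users


def calibrate(sessions, org, users, margin=1.25):
    """Threshold = margin times the most surprising baseline session under either profile."""
    return margin * max(max(users[u].surprise(s)[0], org.surprise(s)[0]) for u, s in sessions)


def score_session(user, steps, org, users, threshold):
    """Flag only when the journey is abnormal for both the individual and the organisation."""
    org_score, _ = org.surprise(steps)
    profile = users.get(user)
    if profile is None:  # no history for this user: fall back to the organisation profile
        return {"user": user, "user_surprise": None, "org_surprise": org_score,
                "unseen_for_user": [], "flagged": org_score > threshold}
    user_score, unseen = profile.surprise(steps)
    return {"user": user, "user_surprise": user_score, "org_surprise": org_score,
            "unseen_for_user": unseen,
            "flagged": user_score > threshold and org_score > threshold}


def demo():
    sessions = sessions_from_log(BASELINE_LOG)
    org, users = build_profiles(sessions)
    threshold = calibrate(sessions, org, users)
    normal = score_session("alice@example.com", NORMAL_JOURNEY, org, users, threshold)
    suspect = score_session("alice@example.com", SUSPECT_JOURNEY, org, users, threshold)
    return normal, suspect


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the constructed baseline, the ordinary session scores well under the calibrated threshold and is not flagged, while the page-browsing session is flagged because eight of its nine transitions never occurred in the user's history and it is also unusual for the organisation as a whole. In practice the baseline would be rebuilt regularly from the audit logs, and the margin tuned so that the daily alert volume stays at the handful the analysts can review.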
Even the detection of anomalies that were not malicious was important to the customer: employees are required to explain any deviation from their normal working profile.
Monitoring employee activities and generating alerts about abnormal journeys, even when these journeys are not malicious, is valuable as a preventive control, provided the number of alerts generated stays small (e.g. 1-2 a day).
Banking, publicly traded
SaaS (Microsoft Office 365)
Office 365 is the main collaboration tool for company employees. The main workloads used by the company are AAD (Azure Active Directory), Exchange, SharePoint, OneDrive, Teams, PowerBI, …
Audit logs generated by Office 365 and available under its E3/E5 licence. These logs record user (i.e. employee) activities across the Office 365 suite of applications.