Case Study

Detecting Office 365 Data Leakage by an Attacker

Detected malicious activities

An employee handed their credentials to a criminal group (the working assumption is that the employee either sold the credentials or was blackmailed into providing them). The group used these credentials to log into Office 365 from the same geo-location the employee was in, and used the employee's permissions to read classified information (the assumption is that they took screenshots of screens displaying sensitive information rather than exporting anything). CASB and account-takeover (ATO) controls were not effective because the logins used valid credentials from an expected location, and DLP was also ineffective because no files were downloaded or shared.

User journey analyzed

The sequence of activities performed by employees during a working session in the Office 365 suite of applications.

Process and assumptions

TrackerIQ learned session working profiles for the organization as a whole and for each individual user, and used those profiles to flag abnormal or suspicious sessions (i.e. journeys). The underlying assumption is that the sequence of activities performed by an imposter matches neither the organization-wide profile nor the individual's profile, even when the credentials and location look legitimate.
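As an added illustration of the process above (example code written for this page, not RevealSecurity's or TrackerIQ's own algorithm): a minimal per-user and organization-wide sequence profile learned from constructed historical sessions and then applied to constructed audit records for one day, where the afternoon session uses the same account and location but walks through SharePoint content in a way neither profile has seen. The bigram model, the Operation names, the 30-minute session gap and the 2.5-bit alert threshold are all assumptions chosen for the illustration.

```python
"""Sequence-profile anomaly detection over Office 365 audit records.
Added example, not RevealSecurity/TrackerIQ code. The model is an assumption:
a first-order Markov (bigram) profile over the Operation field with add-one
smoothing. Records and Operation names are constructed for the illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math

START, END, UNK = "<START>", "<END>", "<UNK>"


class SequenceProfile:
    """Bigram model over operation names learned from historical sessions."""

    def __init__(self, vocab):
        self.vocab = set(vocab) | {END, UNK}  # every token that may follow another
        self.pair, self.total = Counter(), Counter()

    def _tok(self, op):
        return op if op in self.vocab else UNK  # operation never seen in history

    def fit(self, sessions):
        for ops in sessions:
            seq = [START] + [self._tok(o) for o in ops] + [END]
            for a, b in zip(seq, seq[1:]):
                self.pair[(a, b)] += 1
                self.total[a] += 1
        return self

    def surprisal(self, ops):
        """Mean bits per transition; higher means less like this profile."""
        seq = [START] + [self._tok(o) for o in ops] + [END]
        v, bits = len(self.vocab), 0.0
        for a, b in zip(seq, seq[1:]):
            p = (self.pair[(a, b)] + 1) / (self.total[a] + v)  # Laplace smoothing
            bits -= math.log2(p)
        return bits / (len(seq) - 1)


def sessionize(records, gap=timedelta(minutes=30)):
    """Split (iso_time, user, operation) records into per-user sessions on
    inactivity gaps. Returns [(user, [operations]), ...] in time order."""
    by_user = defaultdict(list)
    for ts, user, op in sorted(records):
        by_user[user].append((datetime.fromisoformat(ts), op))
    sessions = []
    for user, events in by_user.items():
        current, last = [], None
        for ts, op in events:
            if last is not None and ts - last > gap:
                sessions.append((user, current))
                current = []
            current.append(op)
            last = ts
        sessions.append((user, current))
    return sessions


def build_profiles(history):
    """One organization-wide profile plus one per user, sharing a vocabulary."""
    vocab = {op for _, ops in history for op in ops}
    org = SequenceProfile(vocab).fit(ops for _, ops in history)
    per_user = defaultdict(list)
    for user, ops in history:
        per_user[user].append(ops)
    return org, {u: SequenceProfile(vocab).fit(s) for u, s in per_user.items()}


def score(user, ops, org, per_user):
    """A session is suspicious only if it fits neither the user's own profile
    nor the org-wide one, so keep the better (lower) of the two fits."""
    own = per_user[user].surprisal(ops) if user in per_user else math.inf
    return min(own, org.surprisal(ops))


def detect(records, history, threshold_bits=2.5):
    """Return (user, score, operations) for sessions above the threshold.
    The threshold is an assumed constant; in practice it would be tuned on the
    distribution of scores over the historical sessions."""
    org, per_user = build_profiles(history)
    alerts = []
    for user, ops in sessionize(records):
        s = score(user, ops, org, per_user)
        if s > threshold_bits:
            alerts.append((user, round(s, 2), ops))
    return alerts


# Constructed history, already sessionized: three identical sessions per user.
ALICE = ["UserLoggedIn", "MailItemsAccessed", "Send", "TeamsSessionStarted", "MessageSent"]
BOB = ["UserLoggedIn", "FileAccessed", "FileModified", "FileUploaded", "MessageSent"]
HISTORY = [("alice@corp.example", ALICE)] * 3 + [("bob@corp.example", BOB)] * 3

# Constructed records for one day: alice's usual morning routine, then the same
# account (same credentials and geo-location, so ATO rules stay quiet) paging
# through SharePoint content in the afternoon without downloading anything.
_ALICE_DAY = [("08:02:00", "UserLoggedIn"), ("08:03:10", "MailItemsAccessed"),
              ("08:07:45", "Send"), ("08:10:00", "TeamsSessionStarted"),
              ("08:12:30", "MessageSent"),
              ("14:30:00", "UserLoggedIn"), ("14:30:40", "SearchQueryPerformed"),
              ("14:31:05", "FileAccessed"), ("14:31:20", "FileAccessed"),
              ("14:31:38", "FileAccessed"), ("14:31:52", "FileAccessed"),
              ("14:32:10", "FileAccessed"), ("14:33:00", "SearchQueryPerformed"),
              ("14:33:25", "FileAccessed")]
TODAY = [("2024-03-04T" + t, "alice@corp.example", op) for t, op in _ALICE_DAY]

if __name__ == "__main__":
    for user, bits, ops in detect(TODAY, HISTORY):
        print(f"ALERT {user} ({bits} bits/transition): {' > '.join(ops)}")
```

Only the afternoon session alerts: the morning journey scores about 1.6 bits per transition against the organization-wide profile, while the afternoon journey scores about 3.2 against both profiles, driven by the unseen SearchQueryPerformed operation and the repeated FileAccessed-to-FileAccessed transitions that no user in the history ever produced. Because the score takes the better of the two fits, a user doing something common across the organization but new for them does not alert, which is what keeps the daily volume low.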

TrackerIQ analysis results (over 6 months monitoring of Office 365 log data)

  • TrackerIQ generates 1-2 alerts a day across the organization's entire Office 365 usage
  • The imposter session was identified within hours of the event
  • Additional malicious activities were identified, including a handful each month that were detected only by TrackerIQ (i.e. they would otherwise have remained unknown to the organization)

Even anomalies that turned out not to be malicious were valuable to the customer: employees are required to explain any deviation from their normal working profile.

Customer feedback

Monitoring employee activities and generating alerts about abnormal journeys, even if these journeys are not malicious, is important as a preventive control, given that the number of alerts generated is small (e.g. 1-2 a day).

TrackerIQ benefits

  • Quick initial tuning of the detection model on historical data, which also surfaces past suspicious activities
  • Continuous monitoring of employee journeys to detect ongoing suspicious activities and to act as a preventive control
  • An out-of-the-box solution: no need to learn the Office 365 logs in depth or to develop Office 365-specific rules
  • A low alert volume (around 1-2 a day) lets analysts focus on genuinely suspicious activities
  • An easy-to-use investigation tool for the business analyst

Industry

Banking, publicly traded


Application type

SaaS (Microsoft Office 365)


Application usage

The main collaboration tool for company employees. The main workloads used by the company are Azure Active Directory (AAD), Exchange, SharePoint, OneDrive, Teams, Power BI, …


Data analyzed

Audit logs generated by Office 365 (the unified audit log), available under the E3/E5 license. These records capture user (i.e. employee) activities across the Office 365 suite of applications.