Address compromised user accounts with automated investigation and response

Microsoft Defender for Office 365 Plan 2 includes automated investigation and response (AIR) capabilities that can save your security operations team significant time and effort when dealing with threats. AIR capabilities were recently extended with a compromised user security playbook (currently in preview). This article describes that playbook. For additional details, see the blog post Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365.

Automated investigation for a compromised user

The compromised user security playbook enables your organization's security team to:

  • Speed up detection of compromised user accounts;

  • Limit the scope of a breach when an account is compromised; and

  • Respond to compromised users more effectively and efficiently.

Compromised user alerts

When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.

For example, here's an alert that was triggered because of suspicious email sending:

[Screenshot: Alert triggered because of suspicious email sending]

And here's an example of an alert that was triggered when a sending limit was reached for a user:

[Screenshot: Alert triggered by sending limit reached]

Investigate and respond to a compromised user

When a user account is compromised, alerts are triggered. In some cases, the account is also blocked (restricted) from sending any further email messages until your security operations team resolves the issue. In other cases, an automated investigation begins, which can result in recommended actions for your security team to review and approve.

Important

You must have appropriate permissions to perform the following tasks. See Required permissions to use AIR capabilities.

View and investigate restricted users

You have a few options for navigating to a list of restricted users. For example, in the Security & Compliance Center, you can go to Threat management > Review > Restricted Users. The following procedure describes navigation using the Alerts dashboard, which is a good way to see various kinds of alerts that might have been triggered.

  1. Go to https://protection.office.com and sign in.

  2. In the navigation pane, choose Alerts > Dashboard.

  3. In the Other alerts widget, choose Restricted Users.

    [Screenshot: Other alerts widget]

    This opens the list of restricted users.

    [Screenshot: Restricted users in Office 365]

  4. Select a user account in the list to view details and take action, such as releasing the restricted user.
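The same triage can be done from Exchange Online PowerShell, which is useful when several accounts are restricted at once or when you want a record of what was checked before an account was released. The following is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module is installed, that the signed-in account has the permissions noted above, and that laura@contoso.com is a hypothetical restricted user.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has the permissions required for AIR
# and Exchange Online administration.
Connect-ExchangeOnline

# Equivalent of Threat management > Review > Restricted Users: every sender
# currently blocked from sending because of outbound spam or sending limits.
$restricted = Get-BlockedSenderAddress
$restricted | Select-Object SenderAddress, Reason, CreatedDatetime | Format-Table -AutoSize

foreach ($entry in $restricted) {
    $upn = $entry.SenderAddress
    Write-Host "== $upn (blocked: $($entry.Reason))"

    # Inbox rules that forward, redirect, or delete mail are a common persistence
    # step after a mailbox takeover; review these before releasing the account.
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
        Format-Table -AutoSize

    # Mailbox-level forwarding configured outside of inbox rules.
    Get-Mailbox -Identity $upn |
        Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
        Format-List
}

# Release a user only after remediation (credential reset, sessions revoked,
# malicious rules and forwarding removed). The address below is hypothetical.
$remediatedUser = 'laura@contoso.com'
Remove-BlockedSenderAddress -SenderAddress $remediatedUser
```

Remove-BlockedSenderAddress does the same thing as releasing the user in the portal; it does not undo anything the attacker changed in the mailbox, which is why the rule and forwarding checks come first.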

View details about automated investigations

When an automated investigation has begun, you can see its details and results in the Security & Compliance Center. Go to Threat management > Investigations, and then select an investigation to view its details.

To learn more, see View details of an investigation.

Keep the following points in mind

  • Stay on top of your alerts. The longer a compromise goes undetected, the larger the potential for widespread impact and cost to your organization, customers, and partners. Early detection and timely response are critical to mitigating threats, especially when a user's account is compromised.

  • Automation assists, but does not replace, your security operations team. Automated investigation and response capabilities can detect a compromised user early on, but your security operations team will likely need to engage and do some investigation and remediation. Need some help with this? See Review and approve actions.

  • Don't rely on a suspicious login alert as your only indicator. When a user account is compromised, it might or might not trigger a suspicious login alert. Sometimes it's the series of activities that occur after an account is compromised that triggers an alert. Want to know more about alerts? See Alert policies.
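Because the alert may be raised by the chain of actions after the compromise rather than by the sign-in itself, it helps to reconstruct that chain for the account. The following added example (not from the original article) pulls the relevant operations for one account from the unified audit log over the last seven days using Search-UnifiedAuditLog in Exchange Online PowerShell. The account name is hypothetical and the operation list is a starting point, not an exhaustive one.

```powershell
# Added example (not from the original article). Requires an Exchange Online
# PowerShell session and audit logging enabled for the tenant. The user name is
# hypothetical; adjust the operation list to the activity you want to see.
Connect-ExchangeOnline

$user = 'laura@contoso.com'
$ops  = @(
    'UserLoggedIn',                                          # Azure AD sign-in
    'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',    # rule creation/changes
    'Set-Mailbox',                                           # forwarding changes
    'Add-MailboxPermission',                                 # delegation added
    'Send', 'SendAs', 'SendOnBehalf'                         # outbound mail (mailbox auditing)
)

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $user -Operations $ops -ResultSize 5000

# Flatten the JSON AuditData into a timeline that can be read top to bottom.
$timeline = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        Workload  = $d.Workload
    }
}

$timeline | Sort-Object Time | Format-Table -AutoSize
```

Read the timeline for the sequence the bullet describes: a sign-in from an unfamiliar client IP, followed shortly by an inbox rule or forwarding change, followed by a burst of Send operations, is the pattern that typically precedes the restricted-user alert even when the sign-in alone was not flagged.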

Next steps