Address compromised user accounts with automated investigation and response
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Microsoft Defender for Office 365 Plan 2 includes powerful automated investigation and response (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. And see the blog post Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365 for additional details.
The compromised user security playbook enables your organization's security team to:
- Speed up detection of compromised user accounts
- Limit the scope of a breach when an account is compromised
- Respond to compromised users more effectively and efficiently
Compromised user alerts
When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.
Examples of such alerts (shown as screenshots in the original article) include an alert triggered because of suspicious email sending, and an alert triggered when a sending limit was reached for a user.
Investigate and respond to a compromised user
When a user account is compromised, alerts are triggered. In some cases, the user account is also blocked and prevented from sending any further email messages until your organization's security operations team resolves the issue. In other cases, an automated investigation begins, which can result in recommended actions for your security team to review and take.
You must have appropriate permissions to perform the following tasks. See Required permissions to use AIR capabilities.
View and investigate restricted users
You have a few options for navigating to a list of restricted users. For example, in the Security & Compliance Center, you can go to Threat management > Review > Restricted Users. The following procedure describes navigation using the Alerts dashboard, which is a good way to see various kinds of alerts that might have been triggered.
1. Go to https://protection.office.com and sign in.
2. In the navigation pane, choose Alerts > Dashboard.
3. In the Other alerts widget, choose Restricted Users. This opens the list of restricted users.
4. Select a user account in the list to view details and take action, such as releasing the restricted user.
View details about automated investigations
When an automated investigation has begun, you can see its details and results in the Security & Compliance Center. Go to Threat management > Investigations, and then select an investigation to view its details.
To learn more, see View details of an investigation.
Keep the following points in mind
Stay on top of your alerts. As you know, the longer a compromise goes undetected, the larger the potential for widespread impact and cost to your organization, customers, and partners. Early detection and timely response are critical to mitigate threats, and especially when a user's account is compromised.
Automation assists, but does not replace, your security operations team. Automated investigation and response capabilities can detect a compromised user early on, but your security operations team will likely need to engage and do some investigation and remediation. Need some help with this? See Review and approve actions.
Don't rely on a suspicious login alert as your only indicator. When a user account is compromised, it might or might not trigger a suspicious login alert. Sometimes it's the series of activities that occur after an account is compromised that triggers an alert. Want to know more about alerts? See Alert policies.
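The portal procedure under "View and investigate restricted users" and the closing point about the series of activities that follow a compromise can both be worked through from Exchange Online PowerShell. The script below is an added example written for this page, not code from the Microsoft article or from the AIR playbook itself. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the permissions referenced under "Required permissions to use AIR capabilities", and that audit logging is enabled for the tenant; the user address, the 7-day lookback window, the list of audit operations and the -Release switch are illustrative choices, not values the article specifies.

```powershell
# Added example (not from the Microsoft article): triage a user that AIR has
# restricted from sending, then release the restriction only after remediation.
# Assumes the ExchangeOnlineManagement module and the roles listed under
# "Required permissions to use AIR capabilities". The address, the lookback
# window and the operation list are illustrative values.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LookbackDays = 7,
    [switch] $Release   # hypothetical switch: only release after remediation is done
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Is the user on the restricted users list? This is the same list the
#    Security & Compliance Center shows under Threat management > Review > Restricted Users.
$restricted = Get-BlockedSenderAddress -SenderAddress $UserPrincipalName
if (-not $restricted) {
    Write-Host "$UserPrincipalName is not currently restricted from sending."
} else {
    Write-Host "$UserPrincipalName is restricted from sending:"
    $restricted | Format-List
}

# 2. Persistence an attacker commonly leaves behind: inbox rules that forward,
#    redirect or delete mail, and mailbox-level forwarding settings.
$suspiciousRules = Get-InboxRule -Mailbox $UserPrincipalName |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
Write-Host "Inbox rules that forward, redirect or delete mail:"
$suspiciousRules | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage -AutoSize

Write-Host "Mailbox-level forwarding:"
Get-Mailbox -Identity $UserPrincipalName |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. The series of activities after the compromise, not just the sign-in:
#    pull the user's audit records for the lookback window and order them in time.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$ops   = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'MailItemsAccessed', 'Send'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $UserPrincipalName -Operations $ops -ResultSize 5000

Write-Host "Audit timeline for the last $LookbackDays days:"
$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    # Entra ID sign-in records use ClientIP; Exchange mailbox records use ClientIPAddress.
    $ip = if ($data.ClientIP) { $data.ClientIP } else { $data.ClientIPAddress }
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $ip
    }
} | Sort-Object Time | Format-Table -AutoSize

# 4. Release the user only once the account is remediated. Releasing first
#    simply lets the attacker resume sending from the trusted account.
if ($Release) {
    foreach ($rule in $suspiciousRules) {
        Remove-InboxRule -Mailbox $UserPrincipalName -Identity $rule.Identity -Confirm:$false
    }
    Remove-BlockedSenderAddress -SenderAddress $UserPrincipalName
    Write-Host "Released $UserPrincipalName from the restricted users list."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it first without -Release to review the restriction, the forwarding rules and the audit timeline; the credential reset and sign-in session revocation that belong in the remediation step are Entra ID (Azure AD) operations outside Exchange Online PowerShell and are intentionally left out of this script. Only after those are done should the same script be rerun with -Release, which removes the forwarding rules it found and takes the user off the restricted list, the same action the portal offers when you select a restricted user.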