Configuring Microsoft 365 - ATO detection

Modified on Sat, 7 Sep at 4:28 PM


About Microsoft 365 - ATO detection 

If you have integrated Perception Point with Microsoft 365 [inline or API], you can enhance your protection by enabling the Perception Point-Microsoft 365 ATO [account takeover] detection functionality. This functionality monitors user activity in your Microsoft 365 accounts to detect possible ATO attempts.

To enable the Microsoft 365 ATO detection functionality, mailbox auditing must be enabled in your Microsoft 365 account. Perception Point analyzes the Microsoft 365 audit log, and uses various algorithms to detect suspicious user activity. Suspicious user activity includes behavior such as:

  • creating suspicious mailbox rules [for example, forwarding, redirecting, moving, or deleting emails]
  • performing suspicious login attempts, such as too-fast-to-travel logins. In addition, Perception Point X-Ray tries to identify unusual login patterns and login attempts from unfamiliar locations or devices.

Suspicious ATO activity appears as events in the Cases page and in the Events page.


If the Perception Point IR Team detects a possible account takeover in your organization, they will send an email with a subject similar to "URGENT - Possible Account Take Over". The email will include details of the suspected account takeover. The email will be sent to the recipients that are specified in the "Alert via email on malicious cases" setting. Work together with the Perception Point IR Team to investigate and resolve the issue.

  • After you enable ATO detection, we recommend that you also enable alerts for suspected ATO attempts. 
  • You can enable Microsoft 365 ATO only if the Perception Point-Microsoft 365 integration [inline or API] is already enabled in your organization. 

Licensing:

There are no additional licensing requirements for enabling the ATO functionality.

Note:

ATO can't be enabled in bulk for multiple organizations - to enable ATO, it is necessary to perform the procedure below individually for each organization.

Disclaimer:

After you perform the procedures below to enable the ATO detection functionality, Perception Point X-Ray will attempt to detect ATO attempts in all the email accounts in your organization. It is not possible to limit the ATO detection functionality to protect only specified domains, groups of users, or users. Please consider the associated privacy issues before implementing the ATO functionality.



Configuring Microsoft 365 - ATO detection 

Perform the following steps to configure the Microsoft 365 - ATO detection functionality.

Step 1. Enabling auditing in Microsoft 365 

This step enables mailbox auditing in Microsoft 365. If you have a Microsoft 365 E5 subscription, mailbox auditing may already be enabled for your organization. For more information about auditing, see the official Microsoft documentation.

  1. Open the Microsoft 365 Compliance Center at https://compliance.microsoft.com/auditlogsearch [Solutions > Audit].

  2. Click "Start recording user and admin activity" near the top of the page.

Note: 

  • Clicking the "Start recording user and admin activity" button enables mailbox auditing in Microsoft 365. 
  • If this button doesn't appear, then mailbox auditing is probably already enabled for your organization - and you can continue with Step 2 below.


Step 2. Enabling ATO detection in Perception Point X-Ray 

This step enables the ATO detection functionality in Perception Point X-Ray. It must be performed by an admin user with the Admin role.

Note: Make sure to perform Step 2 in the [child] organization in which scans are performed - not in the parent organization.

  1. In Perception Point X-Ray, in the left navigation menu, select Account > Channels.
  2. Under Enabled Channels, click inside Email Service > Microsoft 365 to display the Account Takeover (ATO) detection option.

Note: If you don't see the Account Takeover (ATO) detection option, contact Perception Point Support.

  3. Click Edit [on the right of the Account Takeover (ATO) detection option].
  4. Select the Enable check box.
  5. Click Save.

You'll be redirected to sign in to your Microsoft account.

  6. Sign in to your Microsoft account as a global admin.
     You'll see a list of the permissions that are required.

  7. Click Accept.

Microsoft 365 > Account Takeover (ATO) detection should now appear as Enabled in Perception Point X-Ray.

From now on, Perception Point X-Ray will try to detect ATO attempts in the Microsoft 365 email accounts in your organization.


Important: After you have completed this step, it may take up to 24 hours before audit data begins to be received by Perception Point X-Ray. To ensure that the ATO detection functionality is correctly configured, after 24 hours, check that there are some ATO-detection related events in the Events page.

You should be able to see ATO-detection related events in the Events page in Perception Point X-Ray. Look for events such as UserLoggedIn, New-InboxRule, and Set-InboxRule.


Monitoring ATO detections


You can use both the Cases page and the Events page to monitor suspected ATO attempts - the Cases page is the recommended location. 

Monitoring in the Cases page

In the Cases page, you can monitor suspected ATO attempts in your organization. 

Monitoring in the Events page

In the Events page, you can monitor suspected ATO attempts in your organization. Each suspected ATO attempt is assigned a High severity in the Events page. The type of the event is:

  • For mailbox rule issues: New-InboxRule or Set-InboxRule
  • For login issues: UserLoggedIn
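The two detection behaviours this article describes (risky mailbox rules, and too-fast-to-travel logins) applied to the event types listed above, as an added illustration that is not Perception Point's code. It runs over constructed audit records whose field layout (Operation, UserId, CreationTime, ClientIP, Parameters) is an assumption modelled on Microsoft 365 unified audit log entries; the GeoIP table and the 900 km/h threshold are also assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records shaped like unified audit log entries
# (assumed schema: Operation/UserId/CreationTime/ClientIP/Parameters).
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "CreationTime": "2024-09-01T08:00:00", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "CreationTime": "2024-09-01T09:00:00", "ClientIP": "198.51.100.7"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "CreationTime": "2024-09-01T09:05:00", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "CreationTime": "2024-09-01T10:00:00", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]
# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup.
GEO = {"203.0.113.10": (51.5, -0.1), "198.51.100.7": (40.7, -74.0)}
# Rule parameters that forward, redirect, move or delete mail.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "MoveToFolder"}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(records, max_kmh=900):
    """Return (user, operation, reason) findings; max_kmh is an assumed threshold."""
    findings, last_login = [], {}  # last_login: user -> (timestamp, ip)
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        user, op = r["UserId"], r["Operation"]
        ts = datetime.fromisoformat(r["CreationTime"])
        if op in ("New-InboxRule", "Set-InboxRule"):
            hit = {p["Name"] for p in r.get("Parameters", [])} & RISKY_RULE_PARAMS
            if hit:
                findings.append((user, op, "risky rule: " + ", ".join(sorted(hit))))
        elif op == "UserLoggedIn":
            prev = last_login.get(user)
            if prev and prev[1] in GEO and r["ClientIP"] in GEO:
                hours = (ts - prev[0]).total_seconds() / 3600
                km = haversine_km(GEO[prev[1]], GEO[r["ClientIP"]])
                if hours > 0 and km / hours > max_kmh:
                    findings.append((user, op, f"too fast to travel: {km:.0f} km in {hours:.1f} h"))
            last_login[user] = (ts, r["ClientIP"])
    return findings
```

On the sample data, alice's second login and her forwarding/deleting rule are flagged, while bob's mark-as-read rule is not.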



A bit more about enabling ATO detection

  • ATO detection is performed in "near real-time" [not real-time]. This slight delay in detection occurs because Perception Point X-Ray must wait for Microsoft to record the user actions in the audit log. It typically then takes a few minutes for Perception Point X-Ray to receive audit log events, and only thereafter can the Perception Point X-Ray ATO algorithms run on the audit log.
  • When ATO detection is first enabled, Perception Point X-Ray will analyze the events that are available in the Microsoft audit log. This may include events from the previous few days. Therefore, ATO attempts may be detected even if the attempts were performed a few days prior to the enabling of ATO detection.
  • After you enable ATO detection, it may take about a week for the system to "learn" the users' behavior, and to then be able to produce more accurate alerts.



References:

https://docs.perception-point.io/WP/Content/PP/MS-365-ATO.htm

Acronis: https://docs.perception-point.io/acronis/Content/PP/MS-365-ATO.htm
