Automating Azure Account Compromise Investigations
Anyone involved in investigating account compromises in Azure will likely tell you that it can be incredibly time-consuming. Purview can produce an audit log for a specific time frame on a user account, but the information it returns can be vague: for example, it gives the internet message ID of any emails that were accessed, but not the subject of the mail, whether it had attachments, who sent it, and so on.
A recent case in our environment saw just four minutes of unauthorized activity on a compromised account, yet it required several hours of manual investigation to determine:
What emails were accessed or sent
What files in OneDrive or SharePoint were accessed, downloaded or shared
Whether any mailbox rules were added to the account
If additional MFA methods were registered during the window
These manual processes not only delay response times but also consume valuable SOC resources. To address this, I have developed an automated investigation process using PowerShell and an Azure App registration to collect all relevant forensic data from our Sentinel environment within minutes and write it into a readable Excel spreadsheet that can be shared with our colleagues in the information governance team.
The only input required to kick off the investigation is the user's Office 365 email address and the dates and times during which the account was accessed by a third party.
This script streamlines key forensic checks by:
Identifying emails and files accessed or modified
Detecting unauthorized mailbox rule changes
Validating MFA modifications
Cross-referencing access attempts with Azure and public IP addresses
By eliminating the need for manual log searches across multiple platforms, and by enriching each accessed email with useful details such as the sender, subject and date sent, this automation reduces investigation time from hours to minutes, allowing the Cyber team to focus on remediation and response. This presentation will walk through how the automation works, the challenges faced, and the impact on incident response efficiency.
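The following is an added illustration of the "emails accessed" check described above; it is not the author's script. It queries the Sentinel OfficeActivity table for MailItemsAccessed records in the compromise window, resolves each internet message ID through Microsoft Graph to the subject, sender, date and attachment flag, and writes the result to a worksheet. The module names, the Graph permission and the OfficeActivity column layout (Folders[].FolderItems[].InternetMessageId) are assumptions about the environment.

```powershell
# Added example (not the author's script). Assumes the Az.OperationalInsights,
# Microsoft.Graph.Authentication and ImportExcel modules, and that Connect-AzAccount
# and Connect-MgGraph (app registration holding Mail.Read) have already been run.
param(
    [Parameter(Mandatory)] [string]   $Upn,          # compromised user's O365 address
    [Parameter(Mandatory)] [datetime] $WindowStart,  # unauthorised access start (UTC)
    [Parameter(Mandatory)] [datetime] $WindowEnd,    # unauthorised access end (UTC)
    [Parameter(Mandatory)] [string]   $WorkspaceId,  # Sentinel Log Analytics workspace GUID
    [string] $ReportPath = "Investigation-$($Upn -replace '[@.]','_').xlsx"
)
$s = $WindowStart.ToUniversalTime().ToString('o'); $e = $WindowEnd.ToUniversalTime().ToString('o')

# KQL: MailItemsAccessed keeps message IDs nested under Folders[].FolderItems[];
# mv-expand flattens them so every accessed message becomes one row.
$kql = @"
OfficeActivity
| where TimeGenerated between (datetime($s) .. datetime($e))
| where UserId =~ '$Upn' and Operation == 'MailItemsAccessed'
| mv-expand Folders | mv-expand FolderItems = Folders.FolderItems
| project TimeGenerated, ClientIP, FolderPath = tostring(Folders.Path),
          InternetMessageId = tostring(FolderItems.InternetMessageId)
| where isnotempty(InternetMessageId)
"@
$accessed = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
# The audit record only carries the internet message ID; resolve each one (once)
# through Graph to the subject, sender, date and attachment flag.
$cache = @{}
$report = foreach ($row in $accessed) {
    $id = $row.InternetMessageId
    if (-not $cache.ContainsKey($id)) {
        $filter = [uri]::EscapeDataString("internetMessageId eq '$id'")
        $uri = "https://graph.microsoft.com/v1.0/users/$Upn/messages?`$filter=$filter&`$select=subject,from,receivedDateTime,hasAttachments"
        $cache[$id] = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    }
    $m = $cache[$id]   # $null if the message has since been purged; fields stay blank
    [pscustomobject]@{
        AccessedAt        = $row.TimeGenerated
        ClientIP          = $row.ClientIP
        Folder            = $row.FolderPath
        Subject           = $m.subject
        Sender            = $m.from.emailAddress.address
        Received          = $m.receivedDateTime
        HasAttachments    = $m.hasAttachments
        InternetMessageId = $id
    }
}
# One worksheet per check; FileAccessed, inbox-rule and MFA-registration queries
# can append their own sheets to the same workbook.
$report | Export-Excel -Path $ReportPath -WorksheetName 'MailAccessed' -AutoSize -FreezeTopRow
```

The ClientIP column is what the later step compares against Azure and public IP ranges, so it is kept on every row rather than only on the first hit per message.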
Mr Alan Pike
TU Dublin, Dublin, Ireland
THURSDAY