Overview
After you have completed the Integrating with Microsoft 365 procedure, you can use the tests below to trigger Blumira's detections for certain Microsoft 365 activity.
Microsoft 365: Creation of External forwarding/redirect rule in Exchange
Threat actors often create inbox rules in compromised accounts to delay detection of the compromise. These rules may forward mail to an external address, remove email from the Sent folder, or delete all incoming messages to the victim's mailbox.
To test the "Microsoft 365: Creation of External forwarding/redirect rule in Exchange" detection, do the following:
- Log in to outlook.office.com.
- Navigate to Settings > Mail > Rules.
- Configure a forwarding rule that sends mail to an external domain.
Note: Rule behaviors that keep mail internal to your organization will not generate a finding.
- In Blumira, navigate to Reporting > Findings and locate the newly created finding, then answer the workflow questions to resolve the finding.
- Delete the test rule in Outlook.
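The following is an added example, not Blumira's own detection code (Blumira's logic is not shown on this page). It shows how the finding described above can be reproduced from Microsoft 365 Unified Audit Log records: Exchange `New-InboxRule` and `Set-InboxRule` operations carry the rule's `ForwardTo`, `ForwardAsAttachmentTo` and `RedirectTo` parameters, and a rule only counts as external forwarding when a target address lies outside the tenant's own domains. The audit records and the `example.com` accepted domain are constructed sample data.

```python
import json
import re

# Assumption: the tenant's accepted (internal) domains. Mail kept inside these
# domains should not produce a finding, matching the note in the test steps.
INTERNAL_DOMAINS = {"example.com"}

# Exchange audit operations that create or modify an inbox rule, and the rule
# parameters that send a copy of (or redirect) mail to another address.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Parameter values may be a bare address or a display-name form such as
# "Name"[SMTP:user@domain]; pull out every SMTP address either way.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records in the shape of Office 365 Management Activity
# API Exchange audit events (not real tenant logs).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T10:00:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "test rule"},
                    {"Name": "ForwardTo", "Value": "outside@external.test"}]},
    {"CreationTime": "2024-05-01T10:05:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "to carol"},
                    {"Name": "ForwardTo", "Value": "carol@example.com"}]},
    {"CreationTime": "2024-05-01T10:10:00", "Workload": "Exchange",
     "Operation": "Set-InboxRule", "UserId": "dave@example.com",
     "Parameters": [{"Name": "Identity", "Value": "old rule"},
                    {"Name": "RedirectTo",
                     "Value": '"Outside Party"[SMTP:partner@partner.test]'}]},
    {"CreationTime": "2024-05-01T10:15:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "eve@example.com",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]


def external_forward_targets(record, internal_domains=INTERNAL_DOMAINS):
    """Return the external addresses an inbox-rule event forwards/redirects to.

    Returns an empty list for non-rule events and for rules whose targets are
    all inside internal_domains (those keep mail internal and are not flagged).
    """
    if record.get("Workload") != "Exchange":
        return []
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMETERS:
            continue
        for addr in EMAIL_RE.findall(str(param.get("Value", ""))):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in internal_domains:
                targets.append(addr.lower())
    return targets


def find_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Produce one finding per rule event that forwards mail outside the tenant."""
    findings = []
    for rec in records:
        targets = external_forward_targets(rec, internal_domains)
        if targets:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "operation": rec.get("Operation"),
                "targets": targets,
            })
    return findings


if __name__ == "__main__":
    # Two of the four sample records forward to an external domain.
    print(json.dumps(find_external_forwarding(SAMPLE_RECORDS), indent=2))
```

The check covers `Set-InboxRule` as well as `New-InboxRule`, since an existing rule can be edited to add forwarding after the fact, and it compares only the domain part of each target so that display-name formatting in the parameter value does not hide an external address.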
Azure: Entra ID Global Admin Role Assignment
A Global Administrator has full permissions over the entire Azure tenant, comparable to a domain administrator in on-premises Active Directory. This role should be protected and access limited to as few individuals as possible to prevent abuse of these permissions.
To test the "Azure: Entra ID Global Admin Role Assignment" detection, complete the steps in this article.