Using the Office 365 Activities API to Investigate Business Email Compromises
Common Information
Type Value
UUID c558e192-9277-4038-8c38-73ddb7e1526e
Fingerprint 3839469e6a5f84c1
Analysis status DONE
Considered CTI value 0
Text language
Published June 18, 2018, 8:34 p.m.
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 18, 2024, 4:35 a.m.
Headline Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises
Title Using the Office 365 Activities API to Investigate Business Email Compromises
Detected Hints/Tags/Attributes 67/3/15
Attributes
Type #Events CTI Value
Domain 12 outlook.office.com
Domain 27 outlook.office365.com
Domain 17 mail.read
Domain 21 contoso.com
Domain 1 retriever.py
Domain 57 crowdstrike.com
Email 1 victim@contoso.com
Email 5 services@crowdstrike.com
File 1 retriever.py
Url 1 https://outlook.office.com/api/v2.0
Url 1 https://outlook.office365.com/api/v1.0
Url 1 https://outlook.office.com/mail.read
Url 1 https://outlook.office.com/api/v2.0/me/activities
Url 1 https://outlook.office365.com/api/v1.0/me/activities
Url 1 https://outlook.office.com/api/v2.0/users(‘victim@contoso.com