< Back to Tag
Apr 27, 2023

Gradient Cyber M365 Detections (Targeting: Users and Organization)

Microsoft 365 is a cloud-based service designed to increase productivity and provide enterprise level services without having to invest into physical infrastructure such as servers. Since this is entirely online, this makes attacks on your tenant possible from anyone with internet access. Typically, attackers target accounts and use multiple techniques to attempt gaining access such as brute forcing credentials. These alerts are available in 365 if you have the E5 license with the additional security add-on and above.

Gradient Cyber believes that you should have these alerts no matter what your organization’s license is. Therefore, we have built custom alerting for the above malicious activity.

This new detection can alert you before an attacker has a chance to compromise your credentials. It’s important to stay on top of your security and know that attackers are lurking. This will serve as a great way to review your security settings and help Identify when attackers are showing an interest in your organization. In a nutshell, when you’re being targeted.

A bit more clarity on the wording ‘targeted’

What we mean by ‘targeted’ is that offenders are actively looking for a way to breach your organization’s defenses. Let’s introduce a quick example: data shows multiple failed logins from the same IP, for the same user. A pattern emerges, a clear indication that this particular user is of interest to the offender. This is an example of a user being targeted.

If data shows several failed login attempts from the same IP, but this time, multiple users are involved, then this is an example of an organization being targeted.

Knowing that attackers start lurking, you’d double down on the efforts to improve security, make sure that your defenses are up-to-date and implemented tenant wide. A few recommendations are listed below:

  • Ensure MFA is enabled for all users.
  • If applicable, use conditional access policies to restrict access.
  • Block Legacy Authentication protocols.

A closer look at how we do this. 

We use thresholds: the number of failed logins, the number of IPs where the failed logins originate from, and the number of users involved to determine if the targeting is for a user or it involves the entire organization.

The interval used to determine targeting is 24 hours. Failed logins have to meet the criteria below to trigger an alert:

  • For user targeted, an alert is triggered if the number of attempts exceeds 10 from a single IP or if failure attempts are detected from more than 2 IP addresses.
  • For organization targeted, an alert is triggered if the number of users targeted exceeds 5 and the number of failed attempts surpasses 5.
  • For both scenarios we filter out IPs that you have deemed as safe based on responses from previous reports sent and any other feedback received.

The output for the customer is enhanced with the Application ID and threat intel feeds to provide additional context such as the application targeted and whether the IP is malicious or part of a VPN or proxy service. The alerts can be further tailored to meet your individual needs: for instance, we can filter IPs, users, and even implement different thresholds.


Our new detections will keep you informed and help you stay vigilant when offenders are focused on your organization and attempting to gain access to your environment. 

Gradient Cyber ingests 365 logs; we are continually working on improving our custom detections by adding to the existing or just making security available for the masses. Stay tuned!