What We Saw in 90 days from 4 Million Microsoft Office 365 Accounts


Chris Morales
October 13, 2020

Vectra is excited to announce the release of our 2020 Spotlight Report on Microsoft Office 365. With the growing distributed workforce and rapid adoption of cloud-based applications to accommodate remote workers, Microsoft Office 365 is one of the most widely used suites of productivity applications in the world, with over 258 million Office 365 and 75 million Teams users.

The new report draws on data observed in over 4 million participating accounts from June-August 2020. During this time, Vectra discovered extensive amounts of lateral movement within Office 365 environments, and we have quantified exponential growth in the threat surface that the cloud presents. Check out the executive summary to learn about high-level takeaways and read the full report for an in-depth analysis.

Email and user accounts are frequently used by cyberattackers to gain entry into a network. Vectra research highlights that attackers who gain access use tools that are built into an organization’s cloud environments, such as Microsoft Power Automate and eDiscovery, for lateral movement.

With remote work projected to remain high, we expect this trend to continue in the months to come, as attackers continue to exploit human behavior and use the legitimate tools provided by the cloud to establish a foothold and remain undetected within a target organization.    

Key findings

This report contains analysis findings from Cognito Detect for Office 365 deployments and highlights how attackers use native Office 365 services to enable attacks.

Highlights from the report include:

  • 96% of customers sampled exhibited lateral movement behaviors  
  • 71% of customers sampled exhibited suspicious Office 365 Power Automate behaviors  
  • 56% of customers sampled exhibited suspicious Office 365 eDiscovery behaviors
  • How Power Automate and eDiscovery are used to create and automate malicious command-and-control communication and facilitate data exfiltration
  • How attackers leverage Microsoft federation services authentication to bypass multifactor authentication (MFA) and embedded security controls
  • How the Cognito network detection and response (NDR) platform from Vectra identified and blocked real-life instances of business email compromise and phishing campaigns, as shown in case studies from a mid-sized manufacturer and a research university

In addition, the report assesses the top ten most common suspicious behaviors in Office 365 over the designated three-month period. An analysis of these findings emphasizes the need to swiftly identify user data misuse and recognize the value of understanding how entities utilize privileges within SaaS applications like Office 365 and beyond.

The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of NDR when it comes to discovering attacks and enabling security teams to halt any damaging principals that have been installed because of lateral movement.

Deployed in minutes without agents, Cognito Detect for Office 365 automatically identifies and prioritizes attacker behaviors, streamlines investigations, and enables proactive threat hunting. In its first 90 days of availability, Cognito Detect for Office 365 was adopted, deployed and proceeded to protect over 4 million accounts.

Get the entire report. To learn more, please contact us or schedule a demo.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
