Cloud App Security provides several threat detection policies that use machine learning and user behavior analytics to detect suspicious activities across your different applications. These policies are enabled by default and, after an initial learning period, Cloud App Security will start alerting you when suspicious actions are detected, such as activity from anonymous IP addresses, activity from an infrequent country, activity from suspicious IP addresses, impossible travel, ransomware activity, a suspicious inbox forwarding configuration or an unusual file download. In this lab, we will perform some malicious actions that Cloud App Security will detect. As some detections first require learning your users' behavior, we will focus on the ones you can simulate during this lab.
To simulate user access from anonymous IPs, we will use the Tor Browser. Go to the Tor Project website, download the Windows version and install it. You should then find the shortcut on your desktop:
⚠️ This tool is for research purposes only. Microsoft does not own this tool nor can it guarantee its behavior. It should only be run in a test lab environment.
Portal | Username | Password |
---|---|---|
https://portal.cloudappsecurity.com | viewer@emslab.tech | EventP@ssword |
- Office 365: https://portal.office.com
- Cloud App Security: https://portal.cloudappsecurity.com
- Windows Defender ATP: https://securitycenter.windows.com
User | Username | Password |
---|---|---|
Admin | admin@xyztenant.onmicrosoft.com | * |
Amy Albers | amy@xyztenant.onmicrosoft.com | * |
Eric Gruber | eric@xyztenant.onmicrosoft.com | * |
- Anonymous access: 🕙 5 min
- Impossible travel: 🕙 5 min
- Activity from infrequent country: 🕙 5 min
- Malware detection: 🕙 5 min
- Email exfiltration using suspicious inbox forwarding: 🕙 5 min
- Ransomware activity: 🕙 5 min
- Suspicious application consent: 🕙 5 min
This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address, and may be used for malicious intent. This detection uses a machine learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
- On your Windows 10 lab VM, open the Tor Browser:
- Open Office 365 web mail by going to https://outlook.office.com and enter Eric Gruber's credentials.
- Go to the Contoso Team Site and download some documents.
As your authentication during the previous steps came from an anonymous IP address, it will be detected as suspicious by Cloud App Security.
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
- Click on the alert to open it. This page shows more information on the alert and the related activities:
- Click on an activity to get more information on that specific activity, the user and the IP address:
- You can go further in your investigation by looking at the related actions performed during that session: click on the "Investigate in activity log" button:
- You will then be redirected to the activity log, where you can investigate the actions performed during that session, such as configuration changes or data exfiltration.
This detection identifies two user activities (in a single session or across multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, which indicates that a different person may be using the same credentials. This detection uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern.
- In your Windows 10 lab VM, open Office 365 web mail by going to https://outlook.office.com and enter Amy Albers' credentials. This authentication will come from an Azure IP address, in the region where your lab VM is hosted.
- On your host PC, go to https://outlook.office.com and authenticate again as Amy Albers.
As the first and the second authentication came from distinct locations, Cloud App Security will determine that the time between the two sign-ins was too short to travel between those locations and will alert you. Note that if your host PC is in the same region as the Azure datacenter hosting the VM, the two locations may be too close for the detection to fire.
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
The investigation steps are similar to the anonymous access case, but by looking at the IP address details and the ISP you will be able to determine the possible risk:
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about the locations previously used by users in the organization. An alert is triggered when an activity occurs from a location that has not been visited recently, or ever, by any user in the organization.
In this lab, the Tor Browser sign-in from the anonymous access exercise exits from a location that neither your user nor anyone else in the organization has used before, so after the initial learning period Cloud App Security will alert you on it.
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
The investigation steps are similar to the anonymous access case, but by looking at the IP address details and the ISP you will be able to determine the possible risk. In this specific example, we see that the sign-in comes from a Tor exit IP, so this authentication is suspicious:
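As an added illustration of the three sign-in detections covered so far (anonymous IP, impossible travel and infrequent country), here is a small Python detector run over constructed sign-in records. It is example code written for this page, not Cloud App Security's algorithm: the record format, the anonymous-proxy list (standing in for a Tor exit list), the corporate VPN list, the learned country baseline and the 900 km/h speed threshold are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records: user, UTC time, source IP, country and an
# approximate geolocation. IPs come from the documentation ranges.
SIGNINS = [
    {"user": "eric", "time": "2020-03-01T09:00:00", "ip": "198.51.100.7",
     "country": "NL", "lat": 52.37, "lon": 4.90},    # Tor exit, Amsterdam
    {"user": "eric", "time": "2020-03-01T09:05:00", "ip": "192.0.2.200",
     "country": "GB", "lat": 51.51, "lon": -0.13},   # corporate VPN egress, London
    {"user": "amy", "time": "2020-03-01T10:00:00", "ip": "203.0.113.10",
     "country": "IE", "lat": 53.35, "lon": -6.26},   # Dublin
    {"user": "amy", "time": "2020-03-01T10:20:00", "ip": "192.0.2.44",
     "country": "US", "lat": 40.71, "lon": -74.01},  # New York, 20 minutes later
    {"user": "amy", "time": "2020-03-01T18:00:00", "ip": "203.0.113.10",
     "country": "IE", "lat": 53.35, "lon": -6.26},   # back in Dublin
]

# Assumed reference data: an anonymiser list (think Tor exit nodes), the
# learned "known VPN egress" exclusions, and the countries the organisation's
# users normally sign in from.
ANONYMOUS_PROXY_IPS = {"198.51.100.7"}
KNOWN_VPN_IPS = {"192.0.2.200"}
ORG_BASELINE_COUNTRIES = {"IE", "GB"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # a little above airliner cruise speed
MIN_DISTANCE_KM = 100.0           # ignore geolocation jitter within a city


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_anonymous(events, proxy_ips=ANONYMOUS_PROXY_IPS):
    """Activity from an IP tagged as an anonymiser: (user, ip) pairs."""
    return [(e["user"], e["ip"]) for e in events if e["ip"] in proxy_ips]


def flag_impossible_travel(events, vpn_ips=KNOWN_VPN_IPS,
                           max_speed=MAX_PLAUSIBLE_SPEED_KMH):
    """Consecutive sign-ins per user whose implied speed is not plausible.
    Sign-ins through a known VPN egress are skipped, mirroring the
    'ignores VPNs' behaviour described in the text."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev["ip"] in vpn_ips or cur["ip"] in vpn_ips:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)   # gaps under 1 s count as 1 s
            if km >= MIN_DISTANCE_KM and speed > max_speed:
                hits.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                             "distance_km": round(km), "speed_kmh": round(speed)})
    return hits


def flag_infrequent_country(events, baseline=ORG_BASELINE_COUNTRIES):
    """Sign-ins from a country nobody in the org used during learning,
    reported once per (user, country)."""
    seen, hits = set(), []
    for e in events:
        key = (e["user"], e["country"])
        if e["country"] not in baseline and key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("anonymous:", flag_anonymous(SIGNINS))
    print("impossible travel:", flag_impossible_travel(SIGNINS))
    print("infrequent country:", flag_infrequent_country(SIGNINS))
```

Eric's Amsterdam-to-London pair would trip the speed check on its own (about 360 km in five minutes) but is suppressed because the second sign-in comes through a known VPN egress; Amy's Dublin-to-New York pair is the real hit, and her return eight hours later is within plausible speed.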
This detection identifies malicious files in your cloud storage, whether they're from your Microsoft apps or third-party apps. Microsoft Cloud App Security uses Microsoft's threat intelligence to recognize whether certain files are associated with known malware attacks and are potentially malicious. This built-in policy is disabled by default. Not every file is scanned, but heuristics are used to look for files that are potentially risky. After files are detected, you can then see a list of Infected files. Click on the malware file name in the file drawer to open a malware report that provides you with information about that type of malware the file is infected with.
- In your Windows 10 lab VM, create a new text file test-malware.txt with the following content (the file must start with exactly this 68-character string; only trailing whitespace is tolerated):
```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
INFO: The file we just created is an EICAR test file, which is commonly used to test anti-virus products. It is a harmless string that anti-malware engines agree to detect, not real malware.
- This file will normally trigger an antivirus alert and be quarantined. If this is the case, go to the Windows Security Center and restore it:
- Go to https://portal.office.com and enter Amy Albers' credentials. Go to OneDrive for Business:
- Upload the test-malware.txt file you created to OneDrive:
- After a few minutes, the file will be detected as malware and an alert will be triggered in Cloud App Security:
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
- Click on the alert to open it. This page shows more information on the alert and the related activities:
- In the alert, you have more information on the file and its location, but also on the malware that was identified:
- Click on the malware type link to access the Microsoft Threat Intelligence report regarding this file:
- Back in the alert, you can scroll down to the related activities. There, you will have more information on how the file was uploaded to OneDrive and possibly on who downloaded it:
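To show what "recognizing a file associated with known malware" amounts to in its simplest form, here is an added Python example that builds the EICAR test file from the step above, hashes it and matches the hash against a small indicator set. This is example code for this page, not Cloud App Security's scanner; the indicator set is constructed (the EICAR SHA-256 is the published one), and the validity rules are EICAR's own.

```python
import hashlib
import tempfile
from pathlib import Path

# The standard 68-byte EICAR string. It is split in two here so that this
# source file is less likely to be quarantined by an on-access scanner;
# joined, it is exactly the string used in the lab step.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed indicator set (SHA-256 -> detection name). The EICAR hash is
# the published one; a real feed holds many more entries.
KNOWN_BAD_SHA256 = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f": "EICAR-Test-File",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_valid_eicar(data: bytes) -> bool:
    """EICAR's rules: the 68-byte string first, optionally followed by
    whitespace only, and no more than 128 bytes in total. A leading byte or
    a different trailing character makes scanners ignore the file."""
    return (data.startswith(EICAR) and len(data) <= 128
            and data[len(EICAR):].strip(b" \t\r\n") == b"")


def classify(data: bytes, indicators=KNOWN_BAD_SHA256):
    """Hash lookup, the simplest threat-intelligence match. Returns the
    detection name, or None when the hash is unknown."""
    return indicators.get(sha256_hex(data))


def write_test_file(directory, name="test-malware.txt") -> Path:
    """Write the test file as the lab step asks, with no trailing newline
    so the hash stays the published one."""
    path = Path(directory) / name
    path.write_bytes(EICAR)
    return path


def scan_file(path, indicators=KNOWN_BAD_SHA256):
    data = Path(path).read_bytes()
    return {"file": Path(path).name, "sha256": sha256_hex(data),
            "valid_eicar": is_valid_eicar(data),
            "detection": classify(data, indicators)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_file(write_test_file(tmp)))
```

If the local antivirus quarantines the temporary file before `scan_file` reads it, that is the same behaviour the lab step warns about; the hash and classification functions work on the in-memory bytes regardless.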
This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
- On your Windows 10 lab VM, open the Tor Browser.
- Open Office 365 web mail by going to https://outlook.office.com and enter Eric Gruber's credentials.
- Click on the "People" icon:
- Create a new contact with the following details and save it:

Field | Value |
---|---|
First name | (optional) |
Last name | (optional) |
Email | badguy@xyz.com |
Display as | (optional) |

- Now go to the Mail settings:
- Go to "Inbox and sweep rules" and create a new forwarding rule:
- Configure the rule as follows, selecting the contact you created before as the recipient:
  - When the message arrives: apply to all messages
  - Forward the message to: select the contact you created
  - Click OK to save
As the rule forwards your user's emails to a suspicious external address, Cloud App Security will detect the rule creation and alert you.
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
- Click on the alert to open it. This page shows more information on the alert, such as the destination address and the related activities:
With this information, you can now go back to the user to remove the rule, but also run an Exchange message trace to find out which emails were already sent to that destination address.
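The same check can be run over the raw audit trail rather than waiting for the alert. Below is an added Python example, written for this page rather than taken from Cloud App Security or Exchange, that flags forwarding targets outside the organization in constructed audit records shaped like Exchange entries from the Office 365 Management Activity API (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs). The internal domain list, the sample records and the directory-name format of the contact recipient are assumptions.

```python
import re

# Domains that count as "inside the organisation"; anything else is external.
INTERNAL_DOMAINS = {"xyztenant.onmicrosoft.com"}

# Cmdlet parameters that send mail elsewhere, for inbox rules
# (New-/Set-InboxRule) and mailbox-level forwarding (Set-Mailbox).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records. Real records carry many more fields.
AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "eric@xyztenant.onmicrosoft.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": '"badguy@xyz.com" [SMTP:badguy@xyz.com]'},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "amy@xyztenant.onmicrosoft.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Copy to manager"},
                    {"Name": "ForwardTo", "Value": "admin@xyztenant.onmicrosoft.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "eric@xyztenant.onmicrosoft.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:badguy@xyz.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "amy@xyztenant.onmicrosoft.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    # A rule whose recipient is a mail contact (as in the lab): the log may
    # show only the contact's directory name, with no SMTP address to classify.
    {"Operation": "New-InboxRule", "UserId": "eric@xyztenant.onmicrosoft.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Backup"},
                    {"Name": "RedirectTo",
                     "Value": '"Bad Guy" [EX:/o=Lab/ou=Exchange Administrative Group/cn=Recipients/cn=badguy]'}]},
]


def recipients(value: str):
    """Distinct SMTP addresses in a parameter value; handles 'smtp:addr',
    'Display Name [SMTP:addr]' and semicolon-separated lists."""
    return list(dict.fromkeys(a.lower() for a in ADDRESS_RE.findall(value)))


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def find_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """One hit per forwarding target outside the organisation. A target with
    no resolvable address is reported as 'unresolved' so that an analyst
    looks it up instead of the rule being silently skipped."""
    hits = []
    for rec in records:
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARDING_PARAMS:
                continue
            base = {"user": rec["UserId"], "operation": rec["Operation"],
                    "parameter": param["Name"], "client_ip": rec.get("ClientIP")}
            addrs = recipients(param["Value"])
            if not addrs:
                hits.append({**base, "recipient": param["Value"], "status": "unresolved"})
                continue
            for addr in addrs:
                if is_external(addr, internal_domains):
                    hits.append({**base, "recipient": addr, "status": "external"})
    return hits


if __name__ == "__main__":
    for hit in find_external_forwarding(AUDIT_RECORDS):
        print(hit)
```

Amy's rule to an internal address and her move-to-folder rule produce nothing; Eric's inbox rule, his mailbox-level forwarding and the redirect to the unresolved contact are all reported, together with the client IP, which here is the same Tor exit the rule was created from.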
Cloud App Security extended its ransomware detection capabilities with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. Using our security research expertise to identify behavioral patterns that reflect ransomware activity, Cloud App Security ensures holistic and robust protection. If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions. For more information about how Cloud App Security detects ransomware, see Protecting your organization against ransomware.
📝 NOTE: For security reasons, we will not detail in this lab how to simulate ransomware attacks.
- Go back to the Cloud App Security portal and review the alerts. You will see an alert similar to this one:
- Click on the alert to open it. This page shows more information on the impacted user, the number of encrypted files, the location of the files and the related activities:
- Now that we've seen the alert, let's go back to the policies:
- Search for the "Ransomware activity" policy and open it:
- At the bottom of the policy, review the possible alerts and governance actions:
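The two signals the description above names, a burst of file writes or deletions and known ransomware extensions, are easy to see in code. Here is an added Python example, written for this page and not Cloud App Security's own engine, that runs a per-user sliding window over constructed file-activity records. The extension list is a small sample of widely reported ones, and the window size and thresholds are assumptions to tune against your own activity volume.

```python
from datetime import datetime, timedelta

# Assumption: a small sample of extensions widely reported as appended by
# ransomware families; a real list is much longer and changes over time.
RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".cerber", ".wncry", ".crypt"}
ENCRYPT_LIKE_OPS = {"FileUploaded", "FileModified", "FileRenamed"}
DELETE_OPS = {"FileDeleted"}

WINDOW = timedelta(minutes=5)
MIN_ENCRYPTED = 10   # encrypted-looking writes in the window before alerting
MIN_DELETED = 20     # deletions in the window before alerting on rate alone


def _constructed_events():
    """Constructed file-activity records: (user, time, operation, path)."""
    start = datetime(2020, 3, 1, 10, 0, 0)
    events = []
    # Amy: 12 documents replaced by .locky copies and the originals deleted,
    # all within three minutes, the pattern of an encrypting process.
    for i in range(12):
        t = start + timedelta(seconds=15 * i)
        events.append(("amy", t, "FileUploaded", f"Reports/q{i}.docx.locky"))
        events.append(("amy", t, "FileDeleted", f"Reports/q{i}.docx"))
    # Eric: a few normal edits spread over the morning.
    for i in range(3):
        events.append(("eric", start + timedelta(minutes=40 * i),
                       "FileModified", f"Notes/day{i}.md"))
    return events


FILE_EVENTS = _constructed_events()


def suspicious_extension(path: str) -> bool:
    """True when the file's last extension is in the ransomware list."""
    base = path.rsplit("/", 1)[-1].lower()
    return "." in base and "." + base.rsplit(".", 1)[-1] in RANSOMWARE_EXTENSIONS


def detect_ransomware_activity(events, window=WINDOW,
                               min_encrypted=MIN_ENCRYPTED, min_deleted=MIN_DELETED):
    """Sliding window per user over time-sorted events. An alert fires when
    the window holds enough encrypted-looking writes, or enough deletions on
    their own. One alert per user, at the first window that trips."""
    by_user = {}
    for user, t, op, path in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((t, op, path))
    alerts = []
    for user, seq in by_user.items():
        lo = 0
        for hi in range(len(seq)):
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            current = seq[lo:hi + 1]
            encrypted = [p for _, op, p in current
                         if op in ENCRYPT_LIKE_OPS and suspicious_extension(p)]
            deleted = sum(1 for _, op, _ in current if op in DELETE_OPS)
            if len(encrypted) >= min_encrypted or deleted >= min_deleted:
                alerts.append({"user": user, "window_start": seq[lo][0],
                               "encrypted_files": len(encrypted),
                               "deleted_files": deleted,
                               "extensions": sorted({"." + p.rsplit(".", 1)[-1]
                                                     for p in encrypted})})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(FILE_EVENTS):
        print(alert)
```

The alert is raised as soon as the tenth `.locky` write lands, while the matching deletions are still below their own threshold; Eric's three edits never fill a window. A governance action such as suspending the user, as reviewed in the policy above, would attach to exactly this point.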
Many third-party productivity apps that might be installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Office 365, G Suite and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app. This problem is compounded by the fact that IT may not have enough insight to weigh the security risk of an application against the productivity benefit that it provides. Because accepting third-party app permissions is a potential security risk to your organization, monitoring the app permissions your users grant gives you the necessary visibility and control to protect your users and your applications. The Microsoft Cloud App Security app permissions enable you to see which user-installed applications have access to Office 365 data, G Suite data and Salesforce data, what permissions the apps have, and which users granted these apps access to their Office 365, G Suite and Salesforce accounts.
Here is an example of such a user consent prompt:
- Without even creating policies, Cloud App Security shows you the applications that received permissions from your users:
- From this page, you can easily see who granted permissions to those apps, whether they are commonly used and what their permission level is:
- If you determine that an application should not have access to your environment, you can revoke the app's access. IMPORTANT: This operation applies to the entire organization:
- When investigating, you can search for apps rarely used in Office 365 that were granted high privileges, and create a policy to be automatically alerted when such a grant happens:
- After clicking on the "New policy from search" button, you can see that your filter will be used to create the new policy:
- Go down on that page and review the possible alerts and automatic governance actions that you can configure:
- To go further in your investigation, let's now pivot to the "Activity log":
- In the activity log, search for "Consent to application" activities:
- You will then be able to investigate who granted access to applications, when, and from where:
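The "rarely used, high privileges" search and the activity-log pivot above can be reproduced over raw consent events. Here is an added Python example, written for this page rather than taken from Cloud App Security or Microsoft Graph, that runs over constructed "Consent to application" events. The permission names are real Graph delegated scopes, but the high/medium tiering, the "rare" threshold and the sample grants are an analyst's assumptions, not a Microsoft classification.

```python
# Assumed scope tiers. The names are real Microsoft Graph delegated scopes;
# which tier they land in is a judgement call for this example.
HIGH_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
               "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}
MEDIUM_SCOPES = {"Mail.Read", "Files.Read.All", "Contacts.Read", "Directory.Read.All"}

# Constructed "Consent to application" events, one per user grant: who
# consented, to which app, when, from where and which scopes were granted.
CONSENT_EVENTS = [
    {"app": "Contoso Expense Helper", "user": "amy@xyztenant.onmicrosoft.com",
     "time": "2020-03-02T08:12:00", "ip": "203.0.113.10",
     "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"app": "Doc Converter", "user": "eric@xyztenant.onmicrosoft.com",
     "time": "2020-03-02T09:40:00", "ip": "198.51.100.7",
     "scopes": ["User.Read", "Files.Read.All"]},
] + [
    {"app": "Meeting Notes", "user": f"user{i}@xyztenant.onmicrosoft.com",
     "time": f"2020-02-{10 + i:02d}T11:00:00", "ip": "203.0.113.10",
     "scopes": ["User.Read"]}
    for i in range(5)
]


def permission_level(scopes) -> str:
    """Highest tier reached by any granted scope. offline_access alone is
    'low' here: it only keeps an existing grant alive via refresh tokens."""
    granted = set(scopes)
    if granted & HIGH_SCOPES:
        return "high"
    if granted & MEDIUM_SCOPES:
        return "medium"
    return "low"


def summarize_apps(events):
    """Per app: distinct consenting users, union of granted scopes, the
    resulting permission level and the first/last consent time."""
    apps = {}
    for e in events:
        a = apps.setdefault(e["app"], {"users": set(), "scopes": set(),
                                       "first_seen": e["time"], "last_seen": e["time"]})
        a["users"].add(e["user"])
        a["scopes"].update(e["scopes"])
        a["first_seen"] = min(a["first_seen"], e["time"])
        a["last_seen"] = max(a["last_seen"], e["time"])
    for a in apps.values():
        a["level"] = permission_level(a["scopes"])
    return apps


def rare_high_privilege_apps(events, max_users=2):
    """The filter the lab builds in the portal: apps that few users consented
    to but that hold high-privilege scopes."""
    return sorted(name for name, a in summarize_apps(events).items()
                  if a["level"] == "high" and len(a["users"]) <= max_users)


def consent_trail(events, app):
    """The activity-log pivot: who consented to the app, when and from where."""
    return [(e["user"], e["time"], e["ip"]) for e in events if e["app"] == app]


if __name__ == "__main__":
    for name in rare_high_privilege_apps(CONSENT_EVENTS):
        print(name, consent_trail(CONSENT_EVENTS, name))
```

Meeting Notes is widely used but only reads the signed-in user's profile, so it never appears; Contoso Expense Helper was consented to by a single user yet can read and write her mail and every file she can reach, which is the combination the search is meant to surface.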
Now that we have reviewed some of the default detection capabilities of Cloud App Security, you should start creating your own policies. Cloud App Security provides many policy templates by default to help you create custom policies.
- To create your policies, go to "Policies":
- Click on "Create policy" and select the type of policy you want to create:
- In the policy screen, choose the policy template you want to use:
- Apply the template:
- Cloud App Security will then populate the different properties of the policy:
- Review those properties and customize them if needed.
- Explore other types of policies and review the proposed templates.
To go further in your Cloud App Security journey, join our tech community!