IR-013 | identity | v1.0.0

SaaS Account Compromise (M365, Google Workspace, Slack)

⚠️ Severity: high / critical
Est. Time: 50m
📋 Steps: 10
🔧 Tools: 6 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 80m

🔧 Tools Required

microsoft 365 defender
google workspace admin
identity provider
siem
casb
threat intelligence platform

⚡ Triggers

impossible_travel_alert
new_mfa_device_registered
suspicious_mail_forwarding_rule
oauth_app_admin_consent
mass_download_sharepoint
saas_risky_signin_alert
identity_protection_alert
user_reported_account_takeover

🔌 Integrations

microsoft 365 defender (required)
Primary detection for M365 — Unified audit log, Identity Protection, Defender for Cloud Apps

google workspace admin (optional)
Admin SDK audit logs and security center for Workspace investigations

okta (optional)
Identity threat protection, session management, and risk-based authentication

microsoft entra id (optional)
Azure AD Conditional Access, sign-in logs, and Identity Protection risk signals

microsoft defender for cloud apps (optional)
CASB for OAuth app governance, anomalous activity detection, and session controls

Review the triggering alert and confirm account compromise indicators: impossible travel (login from two distant IPs within an unrealistic timeframe), login from an atypical country or high-risk IP, new MFA device registration not initiated by the user, or user-reported unauthorized access. Identify all affected accounts, the compromise timeline, and the attacker's source IPs. Determine if the incident is isolated to one user or is part of a broader campaign targeting multiple accounts.

⚡ Automation Hint

M365 unified audit log (Exchange Online PowerShell; -StartDate and -EndDate are both mandatory for this cmdlet):
Search-UnifiedAuditLog -UserIds <user> -Operations UserLoggedIn,UserLoginFailed -StartDate <date> -EndDate <date>

Azure AD sign-in logs (Microsoft Graph):
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '<user>'

Google Workspace (Reports API login activity):
GET https://admin.googleapis.com/admin/reports/v1/activity/users/<user>/applications/login

PowerShell (Microsoft Graph SDK):
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '<user>'" | Select-Object CreatedDateTime, IpAddress, Location, RiskLevelDuringSignIn

📤 Outputs

confirmed_compromised_accounts
attacker_source_ips
compromise_start_time
attack_campaign_scope
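As an added example (not code from the IR-013 playbook or any of the listed tools), the Python below runs this step's triage logic over sign-in records shaped like the Microsoft Graph `auditLogs/signIns` objects that the automation hint's Graph query returns: it derives impossible travel from the geocoordinates and timestamps of consecutive sign-ins per user, flags sign-ins from a country outside that user's baseline, and answers the isolated-versus-campaign question by checking whether one source IP touched more than one account. The sample sign-ins, the per-user country baselines and the 900 km/h plausibility cap are constructed assumptions for the example; the result dictionary uses the step's output names, and every account it lists still needs analyst confirmation.

```python
"""Step-1 triage over SaaS sign-in telemetry (added example, not IR-013 playbook code).
Records follow the shape of Microsoft Graph auditLogs/signIns objects: userPrincipalName,
createdDateTime, ipAddress, location.countryOrRegion, location.geoCoordinates.
All sample data, baselines and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: about airliner speed; faster implies impossible travel


def _signin(user, when, ip, country, lat, lon):
    """Build one constructed record in the Graph signIns shape."""
    return {
        "userPrincipalName": user,
        "createdDateTime": when,
        "ipAddress": ip,
        "location": {"countryOrRegion": country, "geoCoordinates": {"latitude": lat, "longitude": lon}},
    }


# Constructed sample: alice signs in from London, then 40 minutes later "from" Lagos;
# bob's only odd sign-in comes from the same Lagos IP; carol is clean.
SAMPLE_SIGNINS = [
    _signin("alice@example.com", "2024-03-01T08:00:00Z", "203.0.113.10", "GB", 51.5074, -0.1278),
    _signin("alice@example.com", "2024-03-01T08:40:00Z", "198.51.100.7", "NG", 6.5244, 3.3792),
    _signin("bob@example.com", "2024-02-29T20:00:00Z", "192.0.2.55", "US", 40.7128, -74.0060),
    _signin("bob@example.com", "2024-03-01T09:15:00Z", "198.51.100.7", "NG", 6.5244, 3.3792),
    _signin("carol@example.com", "2024-03-01T07:30:00Z", "192.0.2.56", "US", 40.7128, -74.0060),
]
# Constructed 30-day baseline of countries each user normally signs in from.
SAMPLE_BASELINE = {
    "alice@example.com": {"GB"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(value):
    """Graph emits ISO-8601 with a trailing Z, which fromisoformat needs as an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def impossible_travel(signins):
    """Consecutive sign-ins per user whose implied travel speed exceeds the plausibility cap."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["userPrincipalName"]].append(s)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda s: parse_time(s["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            # Same-second sign-ins from two different places are implausible whatever the distance.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({"user": user, "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"],
                                 "speed_kmh": round(speed), "event": cur})
    return findings


def atypical_country_events(signins, baseline):
    """Sign-ins from a country that is absent from the user's baseline."""
    return [s for s in signins
            if s["location"]["countryOrRegion"] not in baseline.get(s["userPrincipalName"], set())]


def campaign_scope(signins, suspicious_ips):
    """Accounts touched by each suspicious IP; more than one account points to a campaign."""
    scope = defaultdict(set)
    for s in signins:
        if s["ipAddress"] in suspicious_ips:
            scope[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(users) for ip, users in scope.items()}


def triage(signins, baseline):
    """Assemble the step's outputs; every account listed still needs analyst confirmation."""
    flagged = atypical_country_events(signins, baseline) + [f["event"] for f in impossible_travel(signins)]
    ips = sorted({e["ipAddress"] for e in flagged})
    scope = campaign_scope(signins, ips)
    return {
        "confirmed_compromised_accounts": sorted({e["userPrincipalName"] for e in flagged}),
        "attacker_source_ips": ips,
        "compromise_start_time": min((e["createdDateTime"] for e in flagged), default=None),
        "attack_campaign_scope": "campaign" if any(len(u) > 1 for u in scope.values()) else "isolated",
    }
```

On the constructed sample, `triage(SAMPLE_SIGNINS, SAMPLE_BASELINE)` lists alice and bob, a single attacker IP, alice's Lagos sign-in as the earliest compromise time, and a campaign scope, because the same IP reached two accounts; bob's New York to Lagos gap of 13 hours stays under the speed cap, so only the country baseline catches his event. Feed real Graph output in place of `SAMPLE_SIGNINS` and a baseline built from the previous 30 days of sign-ins in place of `SAMPLE_BASELINE`.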