Does it monitor OAuth application grants?

Yes, it identifies when users or admins grant consent to suspicious third-party applications, which is a common method for maintaining persistent access.

What permissions are required for this skill?

You need an Azure AD app registration with AuditLog.Read.All, MailboxSettings.Read, and Mail.Read application permissions, along with a Global Reader or Security Reader role.

Can this skill detect Business Email Compromise (BEC)?

Yes, it is specifically designed to identify common BEC indicators like hidden forwarding rules, suspicious inbox delegation, and unauthorized mail flow changes.

Does it support automated reporting?

Yes, the skill generates a structured JSON report including risk scores, affected mailboxes, and a chronological timeline of suspicious audit events.

How does it interact with Microsoft 365?

It uses the Microsoft Authentication Library (MSAL) for Python to authenticate via client credentials and queries the Unified Audit Log through the Microsoft Graph API.

Office 365 Compromise Analysis

Name: Office 365 Compromise Analysis
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Detects indicators of Business Email Compromise (BEC) by parsing Microsoft Office 365 Unified Audit Logs via the Graph API.

This skill empowers security teams and SOC analysts to automate the investigation of potential Microsoft Office 365 account takeovers. By leveraging the Microsoft Graph API, it systematically scans Unified Audit Logs for high-risk activities such as suspicious inbox forwarding rules, unauthorized mailbox delegation changes, and malicious OAuth application grants. It provides a structured, automated approach to identifying lateral movement and data exfiltration attempts, producing a comprehensive JSON-based compromise indicator report with a clear incident timeline for rapid response.

主な機能

010 GitHub stars

02Generates structured risk reports with chronological activity timelines

03Identifies suspicious OAuth application consent grants

04Detects unauthorized email forwarding and hidden inbox rules

05Monitors mailbox delegation and permission changes (Add-MailboxPermission)

06Analyzes sign-in patterns and audit events for compromise indicators

ユースケース

01Investigating Business Email Compromise (BEC) and account takeover incidents

02Proactive threat hunting for persistent access in cloud environments

03Automating security compliance audits for Microsoft 365 tenants

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills analyzing-office365-audit-logs-for-compromise

For use in Claude.ai and ChatGPT

主な機能

010 GitHub stars

02Generates structured risk reports with chronological activity timelines

03Identifies suspicious OAuth application consent grants

04Detects unauthorized email forwarding and hidden inbox rules

05Monitors mailbox delegation and permission changes (Add-MailboxPermission)

06Analyzes sign-in patterns and audit events for compromise indicators

ユースケース

01Investigating Business Email Compromise (BEC) and account takeover incidents

02Proactive threat hunting for persistent access in cloud environments

03Automating security compliance audits for Microsoft 365 tenants

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills analyzing-office365-audit-logs-for-compromise

For use in Claude.ai and ChatGPT