Defence Mapping & Hardening
Translate every offensive finding from the M365 attack chain into actionable defensive controls, detection rules, and hardening recommendations. This page maps techniques from all eight phases to the controls that stop them.
🗺 Attack-to-Defence Matrix
Full Attack Chain Defence Coverage
Every major technique from Phases 1–8 mapped to its defensive control, detection method, and the Microsoft product required to implement it.
| Phase | Attack Technique | Severity | Defensive Control | Detection Method | Microsoft Product |
|---|---|---|---|---|---|
| 1 – Recon | User enumeration via GetCredentialType | High | Disable GetCredentialType user enumeration in tenant settings (or accept risk with monitoring) | Monitor for high-volume requests to login.microsoftonline.com/common/GetCredentialType from single IPs | Entra ID |
| 1 – Recon | Domain and subdomain enumeration | Medium | Minimize public DNS records exposing internal service names; remove stale DNS entries | External attack surface monitoring tools; DNS query logging | Defender External Attack Surface Management |
| 1 – Recon | OpenID/OAuth metadata discovery | Low | Accept risk — these are public by design; ensure no sensitive info in metadata endpoints | Monitor for automated scraping of well-known endpoints | Entra ID |
| 1 – Recon | LinkedIn / OSINT employee harvesting | Medium | Train staff on social engineering awareness; avoid publishing email naming conventions publicly | No direct detection; correlate with subsequent spray attacks | Security Awareness Training |
| 1 – Recon | Tenant service enumeration (Teams, SPO, Exchange) | Medium | Disable unnecessary public-facing endpoints; restrict Teams federation to known domains | Monitor external federation connection attempts | Exchange Online + Teams Admin |
| 2 – Initial Access | Device code phishing | Critical | Block device code flow via Conditional Access policy; restrict to compliant devices only | Monitor for deviceCodeCredential sign-ins in sign-in logs; alert on device code flow usage | Entra ID + Conditional Access |
| 2 – Initial Access | Evilginx / AiTM phishing | Critical | Enforce phishing-resistant MFA (FIDO2/Windows Hello for Business); enable token binding; enable Continuous Access Evaluation (CAE) | Monitor for impossible travel detections, anomalous token usage, new device/location sign-ins | Entra ID + Defender for Cloud Apps |
| 2 – Initial Access | Illicit consent grant (OAuth phishing) | Critical | Require admin consent workflow; block user consent for all apps; review existing consented apps | AuditLog: “Consent to application” activity; alert on new high-privilege consent grants | Entra ID |
| 2 – Initial Access | HTML smuggling / macro payload delivery | High | Enable Safe Attachments and Safe Links policies; block macro execution via ASR rules | Defender for Office 365 alert on malicious attachments; endpoint detection on macro execution | Defender for Office 365 + Defender for Endpoint |
| 3 – Credentials | Password spraying | High | Enable smart lockout; configure banned password lists (custom + Microsoft); enforce MFA for all users | Entra ID Protection risky sign-in detection; sign-in log analysis for distributed failed auth | Entra ID Protection |
| 3 – Credentials | MFA fatigue / push bombing | High | Enable number matching in Authenticator (now default); enforce FIDO2 or passwordless for admins | Alert on repeated MFA prompts for the same user within short time window | Entra ID + Microsoft Authenticator |
| 3 – Credentials | Token theft / session hijacking | Critical | Enable token protection (token binding) via Conditional Access; enable CAE; reduce token lifetimes | Detect anomalous token replay — sign-ins from new IPs using existing refresh tokens | Entra ID + Conditional Access |
| 3 – Credentials | Legacy authentication brute force | High | Block legacy authentication protocols (IMAP, POP3, SMTP Auth, EWS Basic) via Conditional Access | Monitor sign-in logs for clientAppUsed == “Exchange ActiveSync”, “Other clients”, “IMAP” | Entra ID + Conditional Access |
| 3 – Credentials | Leaked credential exploitation | High | Enable Entra ID Protection user risk policies; enforce password change on high risk | Entra ID Protection leaked credentials detection (Microsoft processes dark web feeds) | Entra ID Protection (P2) |
| 4 – Enumeration | Over-permissive app consent scopes | High | Regular application consent reviews; enforce admin consent workflow; revoke excessive permissions | Monitor new consent grants via AuditLog; review apps with Mail.Read, Files.ReadWrite.All, etc. | Entra ID |
| 4 – Enumeration | Graph API tenant enumeration | Medium | Restrict user default permissions; disable “Users can read other users” if feasible; restrict group membership visibility | Monitor for high-volume Microsoft Graph API calls from single user/app context | Entra ID + Defender for Cloud Apps |
| 4 – Enumeration | Conditional Access policy enumeration | Medium | Restrict access to CA policy read (limit Directory Readers where possible); use named locations and exclusions carefully | Audit log: “Read conditional access policy” events from unexpected users | Entra ID |
| 4 – Enumeration | AzureHound / BloodHound data collection | High | Restrict user default permissions on directory reads; monitor for bulk Graph API enumeration patterns | Detect high-volume sequential Graph API calls for users, groups, roles, service principals from single session | Defender for Cloud Apps + Sentinel |
| 5 – PrivEsc | Application credential injection (adding secrets to existing apps) | Critical | Monitor app credential changes; restrict Application Administrator and Cloud Application Administrator roles; use PIM with approval | AuditLog: “Update application – Certificates and secrets management”; “Add service principal credentials” | Entra ID + Sentinel |
| 5 – PrivEsc | Abuse of Application Admin / Cloud App Admin role | Critical | Gate these roles behind PIM with multi-party approval; restrict eligible users; conduct quarterly role reviews | Alert on role activation; monitor for credential changes to applications immediately after role activation | Entra ID PIM + Sentinel |
| 5 – PrivEsc | Consent grant escalation (admin consent to malicious app) | Critical | Limit who can grant admin consent; enforce admin consent workflow with approval chain; block broad Graph permissions for new apps | AuditLog: “Grant admin consent” with high-privilege scopes (RoleManagement.ReadWrite.All, etc.) | Entra ID |
| 5 – PrivEsc | Exploiting Exchange Online admin roles for mailbox access | High | Limit Exchange admin role assignment; use PIM; monitor Add-MailboxPermission and Set-Mailbox commands | Exchange admin audit log: Add-MailboxPermission, Add-RecipientPermission, Set-Mailbox -GrantSendOnBehalfTo | Exchange Online + Sentinel |
| 5 – PrivEsc | PIM role activation without approval | High | Require approval for all privileged roles in PIM; enforce MFA on activation; set maximum activation duration | AuditLog: “Add member to role completed (PIM activation)” — alert on unapproved activations | Entra ID PIM (P2) |
| 6 – Lateral | Token scope switching (FOCI family abuse) | High | Enable Continuous Access Evaluation; implement token binding; limit FOCI app usage via CA app filters | Monitor unusual resource access patterns — user accessing new services with existing refresh tokens | Defender for Cloud Apps |
| 6 – Lateral | SharePoint / OneDrive lateral access | High | Restrict external sharing to specific domains; disable “Anyone” links; enforce sensitivity labels on sensitive sites | Monitor SharePoint audit logs for bulk file access, downloads, or permission changes | SharePoint Online + Defender for Cloud Apps |
| 6 – Lateral | Teams message / file access for credential harvesting | Medium | Restrict Teams guest access; monitor for sensitive data in Teams channels; enforce DLP policies | Audit Teams message searches; alert on Graph API access to /teams/messages at scale | Teams Admin + Defender for Cloud Apps |
| 6 – Lateral | Cross-tenant access via B2B collaboration | High | Configure cross-tenant access settings; restrict guest invitations to specific admin roles; enforce MFA for guests | Monitor guest user sign-ins; alert on new guest invitations from non-admin users | Entra ID + Conditional Access |
| 6 – Lateral | Power Automate / Logic App abuse for lateral pivoting | High | Restrict connector usage in Power Platform DLP policies; disable Power Automate for non-required users; block HTTP connector | Monitor Power Automate flow creation events; alert on flows with external connectors (HTTP, SMTP) | Power Platform Admin + Sentinel |
| 7 – Exfiltration | eDiscovery abuse for bulk data access | Critical | Restrict eDiscovery role membership to essential staff only; gate via PIM with approval; enable audit for compliance searches | Audit log: SearchStarted, SearchExported, CaseCreated — alert on unexpected eDiscovery activity | Microsoft Purview Compliance Center |
| 7 – Exfiltration | Inbox rule / mail forwarding to external addresses | High | Block auto-forwarding to external domains at transport rule level; alert on inbox rule creation with forwarding | Transport rule alerting; Exchange audit log: New-InboxRule, Set-InboxRule, Set-Mailbox -ForwardingSmtpAddress | Exchange Online + Defender for Office 365 |
| 7 – Exfiltration | Graph API bulk mail / file download | High | Apply Conditional Access app-enforced restrictions; limit app permissions to least-privilege scopes; enable DLP | Monitor for unusual volume of Graph API /messages or /driveItem calls from a single user or app | Defender for Cloud Apps + Sentinel |
| 7 – Exfiltration | SharePoint bulk download / sync abuse | High | Restrict SharePoint sync to managed devices; block download from unmanaged devices via CA; enable sensitivity labels | SharePoint audit: FileDownloaded events exceeding threshold; alert on mass file downloads | SharePoint Online + Defender for Cloud Apps |
| 7 – Exfiltration | Power Automate flow exfiltration to external service | High | Enforce DLP policies in Power Platform; block external connectors; restrict HTTP and email connectors | Monitor flow creation with external destination connectors; audit Power Automate admin logs | Power Platform Admin + Sentinel |
| 8 – Persistence | Federation backdoor (trusted domain manipulation) | Critical | Monitor federation configuration changes; restrict domain federation permissions to Global Admin only; require approval for federation changes | AuditLog: “Set domain authentication”, “Set federation settings on domain” — immediate alert | Entra ID + Sentinel |
| 8 – Persistence | Rogue application registration with high privileges | Critical | Require admin consent for all app registrations; block user ability to register apps; regularly audit existing app permissions | Monitor new app registrations with high-privilege API permissions (Directory.ReadWrite.All, RoleManagement.ReadWrite.All) | Entra ID |
| 8 – Persistence | Service principal credential persistence | Critical | Set credential expiry policies; monitor for new credentials added to existing service principals; restrict who can manage app credentials | AuditLog: “Add service principal credentials”, “Update application – Certificates and secrets” | Entra ID + Sentinel |
| 8 – Persistence | Mailbox delegate / hidden inbox rules | High | Regularly audit inbox rules across organization; alert on rules with external forwarding or delete actions; block client-side rules via OWA policy | Exchange audit: New-InboxRule with MoveToFolder, ForwardTo, RedirectTo, or DeleteMessage actions | Exchange Online + Defender for Office 365 |
| 8 – Persistence | Conditional Access policy tampering | Critical | Restrict CA policy management to dedicated admins via PIM; enable audit on all CA changes; use named location exclusions sparingly | AuditLog: “Update conditional access policy”, “Delete conditional access policy” — immediate alerting | Entra ID + Sentinel |
| 8 – Persistence | Guest user persistence | Medium | Regular access reviews for guest accounts; enforce guest expiration policies; restrict guest permissions | AuditLog: “Invite external user”; monitor guest sign-in patterns for dormant-then-active accounts | Entra ID + Access Reviews (P2) |
✅ Priority Hardening Checklist
0 / 0 completed
Critical — Implement Immediately
These controls address the most impactful attack techniques. Without them, an attacker can likely compromise admin accounts and maintain persistent access.
High Priority — Implement Within 30 Days
These controls significantly reduce the attack surface and should be prioritised after critical items are addressed.
Medium Priority — Implement Within 90 Days
These controls provide defence-in-depth and mature your security posture against more advanced or niche attack techniques.
🔍 Detection Rules — KQL for Microsoft Sentinel
Detect Password Spraying
Identifies potential password spray attacks by detecting a single IP address generating failed sign-in attempts across multiple distinct user accounts within a short time window.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50126" // Invalid username or password
or ResultType == "50053" // Account locked
or ResultType == "50057" // Account disabled
| summarize
TargetCount = dcount(UserPrincipalName),
AttemptCount = count(),
TargetAccounts = make_set(UserPrincipalName, 25),
AppList = make_set(AppDisplayName, 10)
by IPAddress, Location = tostring(LocationDetails.city)
| where TargetCount >= 10 and AttemptCount >= 20
| sort by TargetCount desc
| project
IPAddress,
Location,
DistinctTargets = TargetCount,
TotalAttempts = AttemptCount,
SampleAccounts = TargetAccounts,
AppsTargeted = AppList
TargetCount >= 10 and AttemptCount >= 20 thresholds based on your environment. Large organisations may need higher thresholds to avoid false positives from legitimate failed sign-ins.Detect Suspicious Application Consent
Monitors for new OAuth consent grants, especially those granting high-privilege permissions. This detects both illicit consent grant attacks and overly broad admin consent.
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend AppName = tostring(TargetResources[0].displayName)
| extend AppId = tostring(TargetResources[0].id)
| extend ConsentType = tostring(
parse_json(tostring(
parse_json(tostring(TargetResources[0].modifiedProperties))[0]
)).newValue)
| project
TimeGenerated,
InitiatingUser,
InitiatingIP,
AppName,
AppId,
ConsentType,
OperationName,
Result
| sort by TimeGenerated desc
Detect Federation Configuration Changes
Alerts on any modification to domain federation settings. This is a critical detection because federation backdoors allow an attacker to generate tokens for any user without needing their password.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
"Set domain authentication",
"Set federation settings on domain",
"Set DomainFederationSettings",
"Add unverified domain",
"Verify domain"
)
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetDomain = tostring(TargetResources[0].displayName)
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
| project
TimeGenerated,
OperationName,
InitiatingUser,
InitiatingApp,
InitiatingIP,
TargetDomain,
ModifiedProps,
Result
| sort by TimeGenerated desc
Detect Mailbox Forwarding Rules
Detects creation of inbox rules that forward, redirect, or delete mail — common persistence and exfiltration mechanisms used after mailbox compromise.
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
or (Operation == "Set-Mailbox" and Parameters has_any (
"ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"
))
| extend RuleParams = parse_json(Parameters)
| extend ForwardTo = tostring(RuleParams.[0].Value)
| extend RuleName = tostring(RuleParams.[1].Value)
| project
TimeGenerated,
Operation,
UserId,
ClientIP,
RuleName,
ForwardTo,
Parameters
| sort by TimeGenerated desc
// Also check for transport-level forwarding
union (
ExchangeAdmin
| where TimeGenerated > ago(24h)
| where Operation has_any ("New-TransportRule", "Set-TransportRule")
| where Parameters has_any ("RedirectMessageTo", "BlindCopyTo", "CopyTo")
| project TimeGenerated, Operation, UserId, Parameters
)
Detect Bulk Data Access via Graph API
Identifies applications or users making an unusually high volume of Microsoft Graph API requests to mail, files, or user data endpoints — indicative of data exfiltration or automated harvesting.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| where RequestUri has_any ("/messages", "/driveItem", "/drive/root",
"/sites", "/mailFolders", "/attachments")
| summarize
RequestCount = count(),
UniqueEndpoints = dcount(RequestUri),
SampleRequests = make_set(RequestUri, 10)
by UserId = tostring(UserId), AppId, IPAddress
| where RequestCount > 500
| sort by RequestCount desc
| project
UserId,
AppId,
IPAddress,
TotalRequests = RequestCount,
UniqueEndpoints,
SampleRequests
// Alternative if MicrosoftGraphActivityLogs not available:
// Use CloudAppEvents from Defender for Cloud Apps
// CloudAppEvents
// | where ActionType has_any ("FileDownloaded", "FileAccessed")
// | summarize count() by AccountId, Application
// | where count_ > 100
MicrosoftGraphActivityLogs table requires the Microsoft Graph activity logs diagnostic setting to be enabled in Entra ID. If not available, use CloudAppEvents from Defender for Cloud Apps as an alternative data source.Detect Service Principal Credential Addition
Monitors for new credentials (passwords or certificates) being added to existing service principals or application registrations. This is a key privilege escalation and persistence technique.
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (
"Add service principal credentials",
"Update application \u2013 Certificates and secrets management",
"Add application key credential",
"Add application password credential"
)
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| extend TargetAppType = tostring(TargetResources[0].type)
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
| project
TimeGenerated,
OperationName,
InitiatingUser,
InitiatingApp,
InitiatingIP,
TargetApp,
TargetAppId,
TargetAppType,
ModifiedProps,
Result
| sort by TimeGenerated desc
💳 Recommended Microsoft Licensing
Microsoft 365 E3
The baseline licence for most enterprise organisations. Provides foundational security controls but lacks advanced threat detection and response capabilities.
| Capability | What It Enables | Limitations |
|---|---|---|
| Entra ID P1 (included) | Conditional Access policies, MFA, self-service password reset, dynamic groups | No risk-based policies, no PIM, no access reviews |
| Multi-Factor Authentication | Per-user MFA, security defaults, Authenticator app, phone/SMS | No phishing-resistant enforcement via CA (need to configure manually); no number matching control beyond Authenticator defaults |
| Basic Audit Logs | Standard audit log with 180-day retention (recently extended from 90 days) | No advanced audit events (MailItemsAccessed, SearchQueryInitiated); no long-term retention beyond 180 days |
| Exchange Online Protection | Anti-spam, basic anti-malware, connection filtering | No Safe Links, Safe Attachments, or advanced anti-phishing |
| Conditional Access | Location-based, device-based, client app-based policies; block legacy auth | No sign-in risk or user risk conditions (requires P2) |
Microsoft 365 E5
The full security stack. Includes everything in E3 plus advanced threat protection, identity protection, information governance, and compliance tools.
| Capability | What It Enables | Relevant Attack Phase |
|---|---|---|
| Entra ID P2 (included) | Identity Protection (risk-based CA), PIM, Access Reviews, Entitlement Management | Phase 3 (credential attacks), Phase 5 (privilege escalation) |
| Defender for Office 365 Plan 2 | Safe Links, Safe Attachments, advanced anti-phishing, automated investigation, attack simulation | Phase 2 (initial access), Phase 7 (exfiltration via email) |
| Defender for Cloud Apps | CASB: app discovery, session control, anomaly detection, OAuth app governance | Phase 4 (enumeration), Phase 6 (lateral movement), Phase 7 (exfiltration) |
| Microsoft Purview Advanced Audit | MailItemsAccessed, SearchQueryInitiated, Send events; 1-year retention; bandwidth throttling | Phase 7 (exfiltration), Phase 8 (persistence detection) |
| Microsoft Purview eDiscovery (Premium) | Advanced search, review sets, hold notifications, predictive coding | Phase 7 (eDiscovery abuse detection requires audit of these events) |
| Defender for Identity | On-premises Active Directory threat detection, lateral movement path analysis | Phase 6 (lateral movement from hybrid environments) |
| Information Protection & DLP | Sensitivity labels with auto-labelling, endpoint DLP, Teams/Exchange/SPO DLP | Phase 7 (data exfiltration prevention) |
Entra ID P1 vs P2 Comparison
Understanding the differences between Entra ID P1 (included in E3) and P2 (included in E5) is critical for security control planning.
| Feature | Entra ID P1 (E3) | Entra ID P2 (E5) |
|---|---|---|
| Conditional Access | Location, device, client app, user/group targeting | Everything in P1 + sign-in risk and user risk conditions |
| MFA | Per-user MFA, Conditional Access MFA, security defaults | Same + risk-based MFA triggering |
| Identity Protection | Not available | Risky sign-in/user detection, automated remediation, leaked credentials detection |
| Privileged Identity Management | Not available | Just-in-time role activation, approval workflows, activation alerts, role assignment reviews |
| Access Reviews | Not available | Automated periodic reviews of role assignments, group memberships, and app access |
| Entitlement Management | Not available | Access packages, approval workflows, automatic assignment |
| Workload Identities | Not available | Risk detection for service principals and managed identities (with Workload Identities Premium) |
Microsoft Sentinel (SIEM/SOAR)
Microsoft Sentinel is a cloud-native SIEM and SOAR solution that enables centralised detection, investigation, and automated response. All KQL detection rules in Section 3 are designed for Sentinel.
| Capability | What It Enables |
|---|---|
| Data Connectors | Ingest SigninLogs, AuditLogs, OfficeActivity, CloudAppEvents, MicrosoftGraphActivityLogs, and hundreds more |
| Analytics Rules | Scheduled and NRT detection rules using KQL; built-in templates for M365 threats |
| Playbooks (Logic Apps) | Automated response: disable compromised accounts, revoke sessions, send notifications, create tickets |
| Workbooks | Interactive dashboards for sign-in monitoring, CA policy coverage, and app consent activity |
| UEBA | User and Entity Behavior Analytics for anomaly detection across identity and data access patterns |
| Threat Intelligence | Integrate threat feeds to correlate known malicious IPs, domains, and indicators with sign-in data |
// Verify your Sentinel data connector status
// Run this in your Log Analytics workspace
SigninLogs | take 1 | project TimeGenerated
AuditLogs | take 1 | project TimeGenerated
OfficeActivity | take 1 | project TimeGenerated
Defender for Office 365
Provides the anti-phishing, safe links, and safe attachments capabilities essential for defending against Phase 2 initial access techniques.
| Feature | Plan 1 | Plan 2 (included in E5) |
|---|---|---|
| Safe Attachments | Real-time detonation of attachments in sandboxed environment | Same + Safe Attachments for SharePoint, OneDrive, Teams |
| Safe Links | URL rewriting and time-of-click verification | Same + URL detonation |
| Anti-Phishing | Impersonation protection, mailbox intelligence, spoof intelligence | Same + advanced tuning options |
| Automated Investigation & Response | Not available | Automated investigation of alerts, recommended or automatic remediation actions |
| Attack Simulation Training | Not available | Phishing simulation campaigns, training assignments, reporting |
| Threat Explorer | Real-time detections only | Full Threat Explorer with 30-day historical threat hunting |
Licensing Recommendation Summary
Based on the attack chain coverage in this guide, here is the minimum recommended licensing for effective defence:
MINIMUM VIABLE SECURITY LICENSING FOR M365 DEFENCE
====================================================
ALL USERS:
- Microsoft 365 E3 (baseline) or E5 (recommended)
- Entra ID P2 (included in E5, or add-on for E3)
Required for: PIM, Identity Protection, Access Reviews
ADMIN / PRIVILEGED USERS (at minimum):
- Microsoft 365 E5 Security add-on (if org is on E3)
Required for: Defender for Cloud Apps, advanced audit
SECURITY OPERATIONS:
- Microsoft Sentinel (consumption-based)
Required for: KQL detection rules, SOAR playbooks
- Defender for Office 365 Plan 2 (included in E5)
Required for: anti-phishing, Safe Links, investigation
OPTIONAL BUT RECOMMENDED:
- Defender External Attack Surface Management
Required for: Phase 1 recon surface reduction
- Entra Workload Identities Premium
Required for: service principal risk detection