Clankerusecase
Microsoft 365 detection coverage
 ← Back to main site
Home/ Targets/ Microsoft 365

📧Microsoft 365 detections

Clankerusecase tracks 42 detection use cases covering the Microsoft 365 attack surface across 45 MITRE ATT&CK techniques.

Detections targeting Microsoft 365 — Exchange / SharePoint / Teams / OfficeActivity.

Open Detection Library → View on the matrix
42Use cases
45Techniques
60Articles
5Kill-chain phases

Top techniques on Microsoft 365 (25)

T1566.002Spearphishing Link15T1566.001Spearphishing Attachment6T1204.001Malicious Link6T1567Exfiltration Over Web Service6T1656T16566T1204.002Malicious File5T1583.001Domains4T1195.002Compromise Software Supply Chain4T1114.003Email Forwarding Rule3T1530Data from Cloud Storage3T1566.003Spearphishing via Service3T1566Phishing2T1550.001Application Access Token2T1078.004Cloud Accounts2T1102.002Bidirectional Communication2T1098Account Manipulation1T1098.002Additional Email Delegate Permissions1T1556Modify Authentication Process1T1059.001PowerShell1T1566.004Spearphishing Voice1T1528Steal Application Access Token1T1098.001Additional Cloud Credentials1T1098.005Device Registration1T1539Steal Web Session Cookie1T1199Trusted Relationship1

Delivery (23)

Email attachment opened from external sender Internal delivery · hunting DSP Phishing-link click correlated to endpoint execution Internal delivery · alerting DSP User clicked through a Safe Links warning page Internal delivery · alerting DS Click on URL whose host doesn't match the sender domain Internal delivery · hunting DS Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal delivery · hunting DSP [LLM] Phishing email click landing on Sniper Dz infrastructure (URL/click correlation) Bespoke delivery · alerting DSPDD [LLM] Inbound or outbound email involving AudiA6 mule-recruitment domains Bespoke delivery · alerting DSP [LLM] External MS Teams chat invite from IT-impersonating unmanaged or federated tenant Bespoke delivery · hunting DSPDD [LLM] Activity involving ommicrosoft.com Cloaked-Ursa Teams typosquat Bespoke delivery · alerting DSΣPDDCS [LLM] ChatGPT Plus payment-update phishing emails (display-name + subject lure) Bespoke delivery · alerting DSΣP [LLM] Claude 'Appeal Request' phishing email with PDF attachment lure Bespoke delivery · alerting DSΣP [LLM] BTMOB Android RAT APK SHA256 sighting in file or email telemetry Bespoke delivery · hunting DSΣPDDCS [LLM] Screening Serpens recruitment lure — Hiring Portal.zip + job requisition PDFs Bespoke delivery · alerting DSΣPDDCS [LLM] Mail-borne click to fake FIFA World Cup 2026 phishing domain Bespoke delivery · alerting DSΣPDDCS [LLM] Mailcow quarantine XSS via EICAR + HTML in attachment filename (GHSA-2xjc-rg88-jvpp) Bespoke delivery · alerting DSΣPDD [LLM] Silver Fox Japan tax-season lure: inbound email with Japanese HR/ESOP subject + gofile.io URL or RAR/ZIP Bespoke delivery · alerting DS [LLM] PlugX phishing lure — 'Meeting Invitation' email linking to gesecole.net ZIP Bespoke delivery · hunting DSΣPDD [LLM] User-targeted SvelteSpill exploit URL delivered or clicked (CVE-2026-27118) Bespoke delivery · alerting DSΣPDD [LLM] Phishing email impersonating npm support from typosquatted npmjs.help domain Bespoke delivery · alerting DSΣP [LLM] Aikido npm phishing: inbound email containing jsDelivr link to flockiali/opresc/prndn/oprnm/operni Bespoke delivery · alerting DSΣPDD [LLM] Inbound email with HTML attachment linking to unpkg.com Beamglea package Bespoke delivery · alerting DSP [LLM] Inbound phishing email from npmjs.help maintainer-takeover domain Bespoke delivery · alerting DSΣPDD [LLM] npm registry typosquat npnjs.com — DNS / URL click (eslint-config-prettier maintainer phishing kit) Bespoke delivery · alerting DSΣPDDCS

Exploitation (1)

[LLM] MFA approval within minutes of inbound external Microsoft Teams chat Bespoke exploit · alerting DSPDDCS

Installation (4)

M365 admin role assigned to user Internal install · alerting DD M365 mailbox delegation granted Internal install · alerting DD M365 MFA disabled for a user Internal install · alerting DD [LLM] Execution / write of ESET APT Q2-Q3 2025 known-bad SHA256 payload Bespoke install · hunting DSΣPDDCS

Command & Control (3)

[WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay Internal c2 · alerting DSPDD [LLM] Outbound mail to or domain lookup of business-data-leaks[.]com (UNC3753 extortion infrastructure) Bespoke c2 · alerting DSΣPDDCS [LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) Bespoke c2 · hunting DSPDDCS

Actions on Objectives (11)

M365 mail-forwarding rule created Internal actions · alerting DD [WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read Internal actions · alerting DSPDD O365 Exfiltration via File Access ESCU actions · hunting P O365 SharePoint Allowed Domains Policy Changed ESCU actions · alerting P O365 SharePoint Suspicious Search Behavior ESCU actions · hunting P Windows InstallUtil Uninstall Option ESCU actions · alerting P [LLM] AI-agent-driven mailbox auto-forwards messages to first-time-seen external recipient Bespoke actions · alerting DSPDD [LLM] Public GitHub repo creation matching Miasma 'adjective-creature-N' exfil pattern Bespoke actions · hunting DSPDD [LLM] Worm-injected .github/setup.js commit with 'chore: update dependencies [skip ci]' message Bespoke actions · alerting DSΣPDD [LLM] postmark-mcp BCC exfil to giftshop.club Bespoke actions · alerting DSΣPDDCS [LLM] Outbound email BCC'd to giftshop.club exfil domain (postmark-mcp backdoor) Bespoke actions · alerting DSΣPDD

Recent articles citing Microsoft 365-targeted detections

high FBI disrupts massive AI-powered phishing service using a million URLs
med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server
crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
crit China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection
high Over 400 Arch Linux packages compromised to push rootkit, infostealer
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
crit Rethinking MDR as Attackers and Defenders Embrace AI
crit LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
crit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
high npm v12 delivers one of the biggest security improvements in years
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories
high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS.
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
crit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE
crit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter
crit Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Ag
high Meta to Use Off-Site Business Data for Feed and AI Personalization
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
high When “Hi, This Is IT” Comes Through Microsoft Teams
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order
crit AI brands as bait: How threat actors are using the AI hype in social engineering
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI
high Securing CI/CD in an agentic world: Claude Code Github action case
high Reporting from Vegas: Networking, AI, and good boys
crit Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)
high Multiple redhat-cloud-services npm Packages compromised
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
crit Malicious npm packages abuse dependency confusion to profile developer environments
crit [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subpro
high Typosquatted npm packages used to steal cloud and CI/CD secrets
high What MDM can't protect on developer machines (and what to do about it)
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface
crit ESET APT Activity Report Q4 2025–Q1 2026