Thursday, May 8, 2025
HomeCyber Security NewsCISA Releases Free Azure, Microsoft 365 Malicious Activity Detection Tool

CISA Releases Free Azure, Microsoft 365 Malicious Activity Detection Tool

Published on

SIEM as a Service

Follow Us on Google News

The Cybersecurity and Infrastructure Security Agency (CISA) has created a free tool to identify unusual activity that could have potentially malicious repercussions that could threaten users and applications in an Azure/Microsoft O365 environment. 

This tool, Sparrow.ps1 has been developed with the intention for use by incident responders and is highly focused on activities that are specifically related to the recent authentication-based attacks that have been running riot in several sectors.

AWS certifications are the perfect way for you to validate your cloud expertise and highlight your in-demand skills. Organizations today need effective and innovative professionals who can take on cloud initiatives. Thankfully, AWS offers a wide range of certifications based on specialty and roles that have been designed to empower you to meet your goals. The role-based certifications are for those in Cloud Practitioner, Developer, Operations, and Architect roles and specialty certifications are for specific technical areas. These certifications can help you build credibility and confidence by validating your expertise. It is a globally recognized credential that helps organizations identify skilled professionals.

- Advertisement - Google News

How does the tool work?

CISA’s Cloud Forensics team’s brainchild, Sparrow.ps1, helps to identify suspected compromised accounts and applications in the Azure/Microsoft O365 environment.

The main intention is to narrow a large set of data and focus on the available investigation modules and telemetry to those accounts that have targeted in the recent attacks.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/Microsoft O365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.

System Requirement

A few AzureAD/m365 permissions are required to run Sparrow.ps1, and provide it read-only access to the Tenant.

  • Azure Active Directory:
    • Security Reader
  • Security and Compliance Center:
    • Compliance Adminstrator
  • Exchange Online Admin Center: Utilize a custom group for these specific permissions:
    • Mail Recipients
    • Security Group Creation and Membership
    • User options
    • View-Only Audit log
    • View-Only Configuration
    • View-Only Recipients

To check for the MailItemsAccessed Operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.

Installation

The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.

Conclusion

It is highly recommended that all Azure and Microsoft O365 admins are aware of the recent attacks at Microsoft and learn how to spot any suspicious and potentially malicious behavior in their tenants.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...