Saturday, June 22, 2024

CISA Releases Free Azure, Microsoft 365 Malicious Activity Detection Tool

The Cybersecurity and Infrastructure Security Agency (CISA) has created a free tool to identify unusual activity that could have potentially malicious repercussions that could threaten users and applications in an Azure/Microsoft O365 environment. 

This tool, Sparrow.ps1 has been developed with the intention for use by incident responders and is highly focused on activities that are specifically related to the recent authentication-based attacks that have been running riot in several sectors.

AWS certifications are the perfect way for you to validate your cloud expertise and highlight your in-demand skills. Organizations today need effective and innovative professionals who can take on cloud initiatives. Thankfully, AWS offers a wide range of certifications based on specialty and roles that have been designed to empower you to meet your goals. The role-based certifications are for those in Cloud Practitioner, Developer, Operations, and Architect roles and specialty certifications are for specific technical areas. These certifications can help you build credibility and confidence by validating your expertise. It is a globally recognized credential that helps organizations identify skilled professionals.

How does the tool work?

CISA’s Cloud Forensics team’s brainchild, Sparrow.ps1, helps to identify suspected compromised accounts and applications in the Azure/Microsoft O365 environment.

The main intention is to narrow a large set of data and focus on the available investigation modules and telemetry to those accounts that have targeted in the recent attacks.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/Microsoft O365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.

System Requirement

A few AzureAD/m365 permissions are required to run Sparrow.ps1, and provide it read-only access to the Tenant.

  • Azure Active Directory:
    • Security Reader
  • Security and Compliance Center:
    • Compliance Adminstrator
  • Exchange Online Admin Center: Utilize a custom group for these specific permissions:
    • Mail Recipients
    • Security Group Creation and Membership
    • User options
    • View-Only Audit log
    • View-Only Configuration
    • View-Only Recipients

To check for the MailItemsAccessed Operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.


The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.


It is highly recommended that all Azure and Microsoft O365 admins are aware of the recent attacks at Microsoft and learn how to spot any suspicious and potentially malicious behavior in their tenants.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles