Forum Discussion

cllee's avatar
cllee
Brass Contributor
Jun 19, 2020

"O365 Suite EX" and "Office365 Shell WCSS-Client" Compromised

Hi,   I noticed the following Sign-in events originating from Nigeria, which is not the user location. Seems like something is compromised.   Can I know what is the "O365 Suite UX" and "Of...
Azure Active Directory (AAD)
VasilMichev's avatar
VasilMichev
MVP
Jun 19, 2020

Unless the user connected via some sort of VPN solution, I'd wager his account has been compromised. Those events correspond to browser logins to the O365 portal/landing page.

cllee's avatar
cllee
Brass Contributor
Jun 21, 2020

VasilMichev 

Is there anyway to trace or run audit for whatever action or activities that has been run by that IP address? Thanks.

  • engoelhamy's avatar
    engoelhamy
    Copper Contributor
    Aug 18, 2020

    cllee using Microsoft cloud app security 

  • VasilMichev's avatar
    VasilMichev
    MVP
    Jun 21, 2020

    Not directly, but you can export the Unified audit log events and filter them against this IP. If you are using Cloud App Security, you can do it directly in the UI there.

     

    Not all events generate IP address information though.

Resources