Email is a critical communication channel in any organisation, which makes it a prime target for attackers. Once a mailbox is compromised, attackers can read emails, exfiltrate sensitive data, and even weaponise the account to launch different campaigns. This room will explore how attackers abuse Microsoft Exchange Online post-compromise and how analysts can detect these attacks using .
Learning Objectives
- Understand how Exchange Online generates logs and where to find them
- Identify suspicious mailbox rules creation and email forwarding
- Detect campaigns launched from compromised mailboxes
- Use message trace and audit logs to scope an incident
- Investigate a real-world Exchange Online compromise
Prerequisites
Lab Access
Start the lab by clicking the Start Machine button below. You will then have access to the Web Interface. Please wait 4-5 minutes for the instance to launch. To access , please wait for the to start and follow this link:
The tasks that require working in have their own index and log datasets, so ensure you filter for the correct index and task number to answer the questions properly. The indices are given at the end of each practical task.