M365 Collaboration Security

Tools like SharePoint, Teams, and OneDrive are the heart of modern collaboration. Without clear governance, however, they inevitably lead to uncontrolled "oversharing" of sensitive company data.

Your Strategy

Shift the focus from pure network security to protecting the individual document (data-centric security). Use Microsoft Purview sensitivity labels to automatically classify data and control access based on confidentiality.

Best Practices

  • Labels: Enforce classification of documents upon creation or upload.
  • External Sharing: Limit content sharing to "Specific People" and disable "Anyone with the link".
  • Teams Hygiene: Use lifecycle policies for Teams to automatically archive orphaned workspaces.
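As an added example (not code from this page or from AYSOLI), the following PowerShell audits the tenant-wide SharePoint Online and OneDrive sharing settings against the External Sharing practice above and can optionally enforce them. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the caller holds the SharePoint Administrator role, and "contoso" is a placeholder tenant name.

```powershell
# Added example, not from the original page: audit (and optionally enforce) the
# SharePoint Online / OneDrive tenant sharing baseline described above.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell module is installed, the
# caller holds the SharePoint Administrator role, and "contoso" is a placeholder tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Target values: authenticated guests only (no "Anyone with the link"), links default
# to "Specific people" with view-only permission, and guests cannot re-share.
$Baseline = [ordered]@{
    SharingCapability                          = 'ExternalUserSharingOnly'
    DefaultSharingLinkType                     = 'Direct'
    DefaultLinkPermission                      = 'View'
    PreventExternalUsersFromResharing          = $true
    RequireAcceptingAccountMatchInvitedAccount = $true
}

function Test-SharingBaseline {
    param([switch]$Apply)
    $tenant = Get-SPOTenant
    $drift  = @()
    foreach ($setting in $Baseline.Keys) {
        $current = $tenant.$setting
        # Compare as strings so enum values and booleans line up with the baseline.
        if ("$current" -ne "$($Baseline[$setting])") {
            $drift += [pscustomobject]@{
                Setting  = $setting
                Current  = $current
                Expected = $Baseline[$setting]
            }
        }
    }
    if ($drift.Count -eq 0) {
        Write-Host 'Tenant sharing settings match the baseline.'
        return
    }
    $drift | Format-Table -AutoSize
    if ($Apply) {
        # Splat only the drifted settings so unrelated tenant options are untouched.
        $changes = @{}
        foreach ($d in $drift) { $changes[$d.Setting] = $d.Expected }
        Set-SPOTenant @changes
        Write-Host "Applied $($changes.Count) setting(s)."
    }
}

# Report only; re-run with -Apply to enforce the baseline.
Test-SharingBaseline
```

Because a site's own sharing capability can never be more permissive than the tenant setting, tightening the tenant value also caps any existing sites that still allow anonymous links.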

STRIDE-LM Design Risks

  • Spoofing (S-01): Identity Spoofing. Attacker impersonates a legitimate user or partner.
  • Tampering (T-01): Data Tampering. Unauthorized modification of shared data or configurations.
  • Repudiation (R-01): Audit Log Manipulation. Deleting or altering traces of an action.
  • Information Disclosure (I-WKP-01): Oversharing in Collaboration Tools. Overly broad sharing of documents with externals.
  • Denial of Service (D-01): Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • Elevation of Privilege (E-01): Privilege Escalation. Gaining privileges beyond what is intended.
  • Lateral Movement (L-01): Lateral Movement. Accessing further internal systems after initial login.
  • Monitoring Gaps (M-01): Insufficient Logging. Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Each mitigation is listed as: name [protection tier, rating] (control mappings).

Initial Access

  • T1566 Phishing: Delivering malicious content via electronic communication.
    Mitigated by:
      - Adaptive MFA (Risk-based) [Extended Protection, Low] (CIS 6.5; NIST PR.AC-7)
      - Output Content Filtering [Baseline Protection, Low] (NIST AI-1.2; OWASP LLM02)

  • T1078 Valid Accounts: Exploiting existing credentials for access.
    Mitigated by:
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS 8.2; NIST PR.PT-1)
      - Guest Invitation Governance [Baseline Protection, Low] (CIS 6.2; NIST PR.AC-1)
      - Regular Access Reviews [Baseline Protection, Low] (CIS 6.6; NIST PR.AC-1; OWASP A01:2021)
      - Adaptive MFA (Risk-based) [Extended Protection, Low] (CIS 6.5; NIST PR.AC-7)

Execution

  • T1137 Office Application Startup: Exploitation of Office startup processes for code execution.
    Mitigated by:
      - Restricted App Consent [Baseline Protection, Low] (CIS 16.1; NIST PR.AC-1)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS 8.2; NIST PR.PT-1)

Persistence

  • T1098 Account Manipulation: Changing permissions or creating new accounts.
    Mitigated by:
      - Collaboration Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.DS-1)
      - External Sharing Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.AC-3)
      - Restricted App Consent [Baseline Protection, Low] (CIS 16.1; NIST PR.AC-1)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS 8.2; NIST PR.PT-1)
      - Guest Invitation Governance [Baseline Protection, Low] (CIS 6.2; NIST PR.AC-1)
      - Regular Access Reviews [Baseline Protection, Low] (CIS 6.6; NIST PR.AC-1; OWASP A01:2021)

Credential Access

  • T1552 Credentials from Password Stores: Extracting passwords from web browsers or password managers.
    Mitigated by:
      - Output Content Filtering [Baseline Protection, Low] (NIST AI-1.2; OWASP LLM02)

Collection

  • T1213 Data from Information Repositories: Accessing data from knowledge bases (SharePoint, Confluence).
    Mitigated by:
      - Sensitivity Labels (Purview) [Extended Protection, High] (CIS 13.2; NIST PR.DS-1)
      - Collaboration Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.DS-1)
      - Data Loss Prevention (DLP) [Baseline Protection, Medium] (CIS 13.3; NIST PR.DS-1)
      - Tenant Restrictions [Extended Protection, Medium] (CIS 6.1; NIST PR.AC-3)
      - External Sharing Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.AC-3)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS 8.2; NIST PR.PT-1)

  • T1114.003 Email Forwarding Rule: Automated exfiltration through inbox rules.
    Mitigated by:
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS 8.2; NIST PR.PT-1)

  • T1530 Data from Cloud Storage Object: Accessing data from cloud storage (S3, Blobs).
    Mitigated by:
      - Sensitivity Labels (Purview) [Extended Protection, High] (CIS 13.2; NIST PR.DS-1)
      - Collaboration Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.DS-1)
      - Data Loss Prevention (DLP) [Baseline Protection, Medium] (CIS 13.3; NIST PR.DS-1)
      - Tenant Restrictions [Extended Protection, Medium] (CIS 6.1; NIST PR.AC-3)
      - External Sharing Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.AC-3)

Exfiltration

  • T1567 Exfiltration Over Web Service: Data leakage via legitimate web interfaces.
    Mitigated by:
      - Sensitivity Labels (Purview) [Extended Protection, High] (CIS 13.2; NIST PR.DS-1)
      - Collaboration Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.DS-1)
      - Data Loss Prevention (DLP) [Baseline Protection, Medium] (CIS 13.3; NIST PR.DS-1)
      - Tenant Restrictions [Extended Protection, Medium] (CIS 6.1; NIST PR.AC-3)
      - SIEM Integration [Extended Protection, High] (CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021)
      - External Sharing Governance [Baseline Protection, Low] (CIS 13.3; NIST PR.AC-3)

  • T1020 Automated Exfiltration: Automated exfiltration of data via interfaces.
    Mitigated by:
      - Sensitivity Labels (Purview) [Extended Protection, High] (CIS 13.2; NIST PR.DS-1)
      - Output Content Filtering [Baseline Protection, Low] (NIST AI-1.2; OWASP LLM02)

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.
