Releases: LETHAL-FORENSICS/Microsoft-Analyzer-Suite
Microsoft-Analyzer-Suite v1.6.1
Microsoft-Analyzer-Suite v1.6.0
[1.6.0] - 2025-07-24
Added
- EntraSignInLogs-Analyzer: UniqueTokenIdentifier
- EntraSignInLogs-Analyzer: IncomingTokenType
- EntraSignInLogs-Analyzer: SignInTokenProtectionStatus
- EntraSignInLogs-Analyzer: SignInTokenProtectionStatus (Stats)
- EntraSignInLogs-Analyzer: Suspicious Sign-Ins via Visual Studio Code
- EntraSignInLogs-Analyzer: Suspicious ADRS Token Request(s) by Microsoft Authentication Broker
- EntraAuditLogs-Analyzer: Suspicious Cloud Device Registration
- UAL-Analyzer: ActorInfoString
- UAL-Analyzer: ActorInfoString (Stats)
- Config.ps1 → Config.json
Fig 1: OAuth Phishing via Visual Studio Code Client (Emulation)
Fig 2: Visual Studio Code Phishing (Abusing Legitimate Microsoft Workflow)
Fig 3: Suspicious Sign-Ins via Visual Studio Code Client found
Fig 4: EntraSignInLogs-Analyzer (1)
Fig 5: EntraSignInLogs-Analyzer (2)
Fig 6: Suspicious Cloud Device Registration detected [T1098.005]
Fixed
- Minor fixes and improvements
References
https://www.elastic.co/security-labs/entra-id-oauth-phishing-detection
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
Microsoft-Analyzer-Suite v1.5.1
[1.5.1] - 2025-06-03
Added
- RiskyDetections-Analyzer: ASN-Blacklist.csv
- RiskyDetections-Analyzer: Country-Blacklist.csv
- RiskyDetections-Analyzer: UserAgent-Blacklist.csv
- RiskyDetections-Analyzer: Check for Microsoft Entra ID Premium P2 license
- RiskyDetections-Analyzer: IP Enrichment w/ IPinfo
Fig 1: IP Enrichment w/ IPinfo
Fig 2: ASN-Blacklist, Country-Blacklist, and UserAgent-Blacklist help you to find evil
Fixed
- EntraSignInLogs-Analyzer: CreatedDateTime
- EntraAuditLogs-Analyzer: ActivityDateTime
Microsoft-Analyzer-Suite v1.5.0
[1.5.0] - 2025-05-15
Added
- EntraSignInLogs-Analyzer: OriginalTransferMethod
- EntraSignInLogs-Analyzer: OriginalTransferMethod (Stats)
- EntraSignInLogs-Analyzer: UserAgent-Blacklist.csv
- EntraSignInLogs-Analyzer: CrossTenantAccessType
- EntraSignInLogs-Analyzer: Hunting for Suspicious Sign-In Activity (20 Rules)
- MTL-Analyzer: Detection of Inbound and Outbound Messages sent by eM Client
- UAL-Analyzer: Detection of Inbound and Outbound Messages sent by eM Client
- UAL-Analyzer: UpdateInboxRules + Create
- UAL-Analyzer: UpdateInboxRules + Update
- UAL-Analyzer: UpdateInboxRules + Delete
- UAL-Analyzer: 'Update' Mailbox-Auditing Actions View
Fixed
- Minor fixes and improvements
Fig 1: Improved detections of Device Code Flow Abuse → OriginalTransferMethod and TrustedNamedLocation added
Fig 2: OriginalTransferMethod (Stats)
Fig 3: Detections for UpdateInboxRules operation (Create, Update and Delete) added
Fig 4: Detection of suspicious inbox rules created by eM Client
Fig 5: MTL-Analyzer: Detection of Inbound and Outbound Messages sent by eM Client → Prefix: <em
Fig 6: UAL-Analyzer: Detection of Inbound and Outbound Messages sent by eM Client → MailItemsAccessed (Hunt View)
Microsoft-Analyzer-Suite v1.4.0
[1.4.0] - 2025-02-24
Added
- UAL-Analyzer: Detection of suspicious Inbox Rules via RegEx (incl. Conditional Formatting)
- UAL-Analyzer: MoveToFolder-Blacklist.csv
- UAL-Analyzer: UniqueTokenId and IssuedAtTime added to Hunt View → correlate with SignInLogs
- UAL-Analyzer: RecordType / Id (Stats)
- UAL-Analyzer: Line Charts - SharePoint (Workload), OneDrive (Workload), and FileDownloaded (SharePoint and OneDrive)
- OAuthPermissions-Analyzer: Microsoft Graph Edition
- OAuthPermissions-Analyzer: Detection of suspicious OAuth Apps (Anomalous ReplyUrls, Common Naming Patterns)
Fixed
- Minor fixes and improvements
Fig 1: OAuthPermissions-Analyzer → Find suspicious M365 OAuth applications
Fig 2: OAuthPermissions-Analyzer → Detect blacklisted M365 OAuth applications (Traitorware)
Fig 3: OAuthPermissions-Analyzer → 'AppOwnerOrganizationId' helps to identify the 'ApplicationType'
Fig 4: OAuthPermissions-Analyzer → OAuthPermissions (Hunt View)
Fig 5: OAuthPermissions-Analyzer → Anomalous ReplyUrls (Hunt View)
Microsoft-Analyzer-Suite v1.3.0
[1.3.0] - 2025-01-27
Added
- UAL-Analyzer: UserAgent-Blacklist.csv
- UAL-Analyzer: MailItemsAccessed → AppId-AppDisplayName (Stats)
- UAL-Analyzer: ClientInfoString and Mailbox Synchronization detection of eM Client (Traitorware)
- EntraAuditLogs-Analyzer: UserAgent-Blacklist.csv
- EntraAuditLogs-Analyzer: Activity (Line Chart)
- EntraSignInLogs-Analyzer: UserAgent-Blacklist.csv
- EntraSignInLogs-Analyzer: SignInEventTypes (Stats)
Fixed
- ReadTheDocs links of the Microsoft-Extractor-Suite documentation updated
- Multiple minor fixes and improvements
Fig 1: ClientInfoString (Stats) → 'Client=OWA;Action=ViaProxy' and 'Client=WebServices;eM Client'
Fig 2: Investigating Mailbox Synchronization (MailItemsAccessed by ApplicationId → Count by InternetMessageId)
Microsoft-Analyzer-Suite v1.2.0
[1.2.0] - 2025-01-20
Added
- ADAuditLogsGraph-Analyzer → EntraAuditLogs-Analyzer
- ADSignInLogsGraph-Analyzer → EntraSignInLogs-Analyzer
- EntraSignInLogs-Analyzer: Intune Bypass / Device Compliance Bypass
- MailboxAuditStatus-Analyzer*
- MailboxPermissions-Analyzer*
- Devices-Analyzer*
- Helper-Script: Updater v0.3
- SECURITY.md
Note
The three new scripts require Microsoft-Extractor-Suite v3.0.0, which will be released very soon. Stay tuned! 🚀
Tip
Check out the testing branch of the Microsoft-Extractor-Suite for early testing! 😉
Microsoft-Analyzer-Suite v1.1.0
[1.1.0] - 2024-12-17
Added
- Performance Improvement: Inefficient addition operator for arrays → Generic lists
- ASN-Blacklist updated
- Helper-Script: Get-AssignedRoles.ps1
Microsoft-Analyzer-Suite v1.0.1
[1.0.1] - 2024-11-21
Fixed
- MFA-Analyzer: Input Filename Change (User Registration Details). Reported by @DoubtfulTurnip
Microsoft-Analyzer-Suite v1.0.0
[1.0.0] - 2024-11-20
Added
- UAL-Analyzer: UserLoginFailed.xlsx
- UAL-Analyzer: Device Code Authentication failed (CmsiInterrupt)
- IPinfo.io Subscription Check added to all PowerShell scripts
- All PowerShell scripts are now digitally signed with a valid code signing certificate
Changed
- CHANGELOG.md