Query Details

Detect Copilot Exfiltration Arising From AiTM Token Theft

Query

// Detect Copilot Exfiltration arising from AiTM Token Theft
// https://www.linkedin.com/posts/activity-7217887769744793601-JUeb/

// Identify token theft through AiTM phishing attacks, where stolen tokens are exploited for Copilot activities involving data summarization and extraction from a "non-malicious" IP. Leverage Sentinel Behavior Analytics to detect initial logins from a new ISP with an investigation score set (potential threat actors) and correlate that IP data with Copilot activities from CloudAppEvents. This KQL primarily targets threat actors using a clean IP to perform Copilot exfiltration.

let FirstTimeUserConnectedISPIP =
BehaviorAnalytics
| where TimeGenerated > ago(7d)
// Behavior Analytics flags the user's first log-on via a new ISP
| where tostring(ActivityInsights.FirstTimeUserConnectedViaISP) == "True"
| where ActivityType == "LogOn"
| where SourceDevice == ""     // Non-corporate endpoint (no managed device recorded)
| where InvestigationPriority > 0  // Suspicious session (investigation score set)
| project SourceIPAddress;
CloudAppEvents
| where ActionType == "CopilotInteraction"
// Correlate Copilot activities with the new-ISP IP addresses collected above
| where IPAddress has_any(FirstTimeUserConnectedISPIP)


Explanation

This KQL query is designed to detect potential data exfiltration activities involving Microsoft's Copilot feature, which may arise from token theft through AiTM (Adversary-in-the-Middle) phishing attacks. Here's a simplified breakdown:

  1. Identify Suspicious Logins:

    • The query first looks at user behavior analytics data from the past 7 days.
    • It filters for users who have connected to a new Internet Service Provider (ISP) for the first time.
    • It further narrows down to logins that are marked as suspicious (with a non-zero investigation priority) and originate from non-corporate devices.
  2. Extract IP Addresses:

    • The IP addresses associated with these suspicious logins are extracted.
  3. Correlate with Copilot Activities:

    • The query then checks for any Copilot interactions (such as data summarization and extraction) that originate from these suspicious IP addresses.

In essence, this query aims to detect if threat actors are using stolen tokens to perform unauthorized Copilot activities from seemingly clean IP addresses.
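The following is an added example, not the author's query and not part of the original page: a small Python re-implementation of the same two-stage logic (the BehaviorAnalytics filter, then the CloudAppEvents correlation) run over constructed sample rows, so the filter conditions and the correlation can be exercised offline. The column names mirror the Sentinel tables used above; the sample rows, the reference time and the `AccountDisplayName` column are assumptions. One deliberate difference is noted in the code: the KQL correlates with `has_any`, while this example uses exact IP equality.

```python
"""Offline re-implementation of the AiTM-token-theft / Copilot correlation.

Added example; column names mirror BehaviorAnalytics and CloudAppEvents,
all row values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference time standing in for now() in the KQL.
NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)

# Constructed BehaviorAnalytics rows (only the columns the query reads).
BEHAVIOR_ANALYTICS = [
    # Matches every condition: recent, first time on ISP, log-on,
    # no corporate device, investigation priority set.
    {"TimeGenerated": NOW - timedelta(days=1), "ActivityType": "LogOn",
     "SourceDevice": "", "InvestigationPriority": 7,
     "SourceIPAddress": "203.0.113.10",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": True}},
    # Same flag stored as a string: tostring() in the KQL treats it alike.
    {"TimeGenerated": NOW - timedelta(hours=6), "ActivityType": "LogOn",
     "SourceDevice": "", "InvestigationPriority": 3,
     "SourceIPAddress": "203.0.113.11",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": "True"}},
    # Corporate device present: excluded by SourceDevice == "".
    {"TimeGenerated": NOW - timedelta(days=2), "ActivityType": "LogOn",
     "SourceDevice": "LAPTOP-01", "InvestigationPriority": 5,
     "SourceIPAddress": "198.51.100.20",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": True}},
    # Investigation priority 0: excluded.
    {"TimeGenerated": NOW - timedelta(days=3), "ActivityType": "LogOn",
     "SourceDevice": "", "InvestigationPriority": 0,
     "SourceIPAddress": "198.51.100.30",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": True}},
    # Older than the 7-day look-back: excluded.
    {"TimeGenerated": NOW - timedelta(days=10), "ActivityType": "LogOn",
     "SourceDevice": "", "InvestigationPriority": 9,
     "SourceIPAddress": "198.51.100.40",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": True}},
    # Known ISP for this user: excluded.
    {"TimeGenerated": NOW - timedelta(days=1), "ActivityType": "LogOn",
     "SourceDevice": "", "InvestigationPriority": 4,
     "SourceIPAddress": "198.51.100.50",
     "ActivityInsights": {"FirstTimeUserConnectedViaISP": False}},
]

# Constructed CloudAppEvents rows.
CLOUD_APP_EVENTS = [
    {"ActionType": "CopilotInteraction", "IPAddress": "203.0.113.10",
     "AccountDisplayName": "alice"},
    {"ActionType": "CopilotInteraction", "IPAddress": "198.51.100.20",
     "AccountDisplayName": "bob"},            # IP never flagged
    {"ActionType": "FileDownloaded", "IPAddress": "203.0.113.10",
     "AccountDisplayName": "alice"},          # not a Copilot action
    {"ActionType": "CopilotInteraction", "IPAddress": "203.0.113.11",
     "AccountDisplayName": "carol"},
]


def first_time_isp_ips(rows, now=NOW, lookback=timedelta(days=7)):
    """Stage 1: the `let FirstTimeUserConnectedISPIP = ...` block.

    Returns the set of source IPs from suspicious first-time-ISP log-ons.
    """
    ips = set()
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:          # TimeGenerated > ago(7d)
            continue
        flag = r["ActivityInsights"].get("FirstTimeUserConnectedViaISP")
        if str(flag) != "True":                           # tostring(...) == "True"
            continue
        if r["ActivityType"] != "LogOn":
            continue
        if r["SourceDevice"] != "":                       # non-corporate endpoint
            continue
        if r["InvestigationPriority"] <= 0:               # suspicious session only
            continue
        ips.add(r["SourceIPAddress"])                     # project SourceIPAddress
    return ips


def copilot_from_suspicious_ips(events, ips):
    """Stage 2: CloudAppEvents filtered to Copilot interactions from those IPs.

    The KQL uses `has_any`; exact equality is used here because the
    suspicious IPs are complete addresses, not partial terms.
    """
    return [e for e in events
            if e["ActionType"] == "CopilotInteraction" and e["IPAddress"] in ips]


def detect(behavior_rows=BEHAVIOR_ANALYTICS, events=CLOUD_APP_EVENTS, now=NOW):
    """Run both stages and return (IP, account) pairs for analyst triage."""
    hits = copilot_from_suspicious_ips(events, first_time_isp_ips(behavior_rows, now))
    return sorted((e["IPAddress"], e["AccountDisplayName"]) for e in hits)


if __name__ == "__main__":
    for ip, account in detect():
        print(f"Copilot interaction from newly seen ISP IP {ip} by {account}")
```

Running the block prints the two correlated interactions (from 203.0.113.10 and 203.0.113.11) and nothing for the rows that fail a single condition, which is a quick way to confirm how each `where` clause in the query narrows the result before deploying a tuned version in Sentinel.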

Details

Steven Lim

Released: August 2, 2024

Tables

BehaviorAnalytics, CloudAppEvents

Keywords

Threat Actors, Copilot, Exfiltration, Token Theft, AiTM, Phishing Attacks, Data Summarization, Data Extraction, IP, Sentinel, Behavior Analytics, Logins, ISP, Investigation Score, CloudAppEvents

Operators

let, |, >, ago(), tostring(), ==, >, project, has_any()