404-892-1500 info@b2btech.com


Malicious Activity Detector for Microsoft Office 365

Do you have Microsoft 365 secured the way you should?

You probably have antivirus software installed and keep your software patches up to date. Unfortunately, that is not enough.



The average time to catch a breached account was 101 days; losses due to breaches totaled 3.1 billion dollars, according to 2018 industry statistics.

MAD365 or Malicious Activity Detector for Microsoft 365 is a smarter and easier way to protect your environment against breaches. With MAD365, you can thwart common attacks like Business Email Compromise, Spear Phishing, and Social Engineering — techniques used by cyber criminals to bypass static security solutions. People make mistakes.

How MAD365 Works

MAD365 collects the activity log data from Microsoft 365. Events that could indicate attacker activity are filtered out of the log stream and grouped by account.

Examples are:

  - Multiple failed login attempts, or
  - Mass file downloads.

MAD365 looks for these patterns and applies a MADScore to determine whether an account is breached.

Using algorithms, MAD365 identifies hacker behaviors and provides you the ammunition to suspend breached accounts. Or even better, you can let MAD365 auto-suspend accounts. You can prevent disaster, even if you are asleep or on vacation.
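The grouping-and-scoring flow above, shown as an added example written for this page (it is not MAD365's own code, and the real MADScore rules are not published here). The records are constructed, shaped like Microsoft 365 unified audit log entries (the operation names UserLoginFailed, UserLoggedIn and FileDownloaded are ones the audit log uses; the values are invented). Thresholds, weights and the auto-suspend cutoff are assumptions. Beyond the two patterns the page names, it also credits a successful sign-in that comes from the same address that was just failing, since that is the point at which a guessing attack has succeeded.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds and weights (assumptions for this example).
FAILED_LOGIN_THRESHOLD = 5                    # failed sign-ins within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
DOWNLOAD_THRESHOLD = 20                       # downloads within the window
DOWNLOAD_WINDOW = timedelta(hours=1)
WEIGHT_FAILED_BURST = 50
WEIGHT_SUCCESS_AFTER_BURST = 100
WEIGHT_MASS_DOWNLOAD = 100
SUSPEND_THRESHOLD = 150

FAILED_LOGIN_OPS = {"UserLoginFailed"}
SUCCESS_LOGIN_OPS = {"UserLoggedIn"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def make_events():
    """Constructed sample records shaped like unified audit log entries."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    events = []

    def add(user, op, ip, offset_s):
        events.append({"CreationTime": (base + timedelta(seconds=offset_s)).isoformat(),
                       "UserId": user, "Operation": op, "ClientIP": ip})

    # alice: password-guessing burst, a success from the same IP, then bulk downloads
    for i in range(6):
        add("alice@example.com", "UserLoginFailed", "203.0.113.7", i * 30)
    add("alice@example.com", "UserLoggedIn", "203.0.113.7", 200)
    for i in range(25):
        add("alice@example.com", "FileDownloaded", "203.0.113.7", 300 + i * 60)
    # bob: two typos, then a normal sign-in from his usual address
    add("bob@example.com", "UserLoginFailed", "198.51.100.20", 0)
    add("bob@example.com", "UserLoginFailed", "198.51.100.20", 15)
    add("bob@example.com", "UserLoggedIn", "198.51.100.20", 40)
    # carol: a handful of downloads spread over the morning
    for i in range(3):
        add("carol@example.com", "FileDownloaded", "198.51.100.33", i * 600)
    return events


def has_burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some sliding `window`."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def score_accounts(events):
    """Group events per account and return {account: (score, [reasons])}."""
    per_user = defaultdict(lambda: {"failed": [], "success": [], "downloads": []})
    for e in events:
        rec = (datetime.fromisoformat(e["CreationTime"]), e["ClientIP"])
        op = e["Operation"]
        if op in FAILED_LOGIN_OPS:
            per_user[e["UserId"]]["failed"].append(rec)
        elif op in SUCCESS_LOGIN_OPS:
            per_user[e["UserId"]]["success"].append(rec)
        elif op in DOWNLOAD_OPS:
            per_user[e["UserId"]]["downloads"].append(rec)

    scores = {}
    for user, b in per_user.items():
        score, reasons = 0, []
        failed_times = [t for t, _ in b["failed"]]
        if has_burst(failed_times, FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW):
            score += WEIGHT_FAILED_BURST
            reasons.append("failed-login burst")
            # A success from an address that was just guessing is the strongest signal.
            guessing_ips = {ip for _, ip in b["failed"]}
            last_fail = max(failed_times)
            if any(ip in guessing_ips and last_fail <= t <= last_fail + FAILED_LOGIN_WINDOW
                   for t, ip in b["success"]):
                score += WEIGHT_SUCCESS_AFTER_BURST
                reasons.append("successful sign-in from guessing IP")
        if has_burst([t for t, _ in b["downloads"]], DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW):
            score += WEIGHT_MASS_DOWNLOAD
            reasons.append("mass file download")
        scores[user] = (score, reasons)
    return scores


def accounts_to_suspend(scores, threshold=SUSPEND_THRESHOLD):
    """Accounts whose score reaches the auto-suspend cutoff."""
    return sorted(u for u, (s, _) in scores.items() if s >= threshold)


if __name__ == "__main__":
    result = score_accounts(make_events())
    for user, (score, reasons) in sorted(result.items()):
        print(f"{user}: {score} {reasons}")
    print("suspend:", accounts_to_suspend(result))
```

On the constructed data only alice crosses the cutoff (250 points); bob's two mistyped passwords and carol's three downloads score nothing, which is the false-positive behaviour a scoring approach is meant to give over a single fixed rule. A sliding window rather than a fixed hourly bucket is used so that a burst straddling a bucket boundary is not missed.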

Each month, you receive multiple reports.

[Sample report image: Malicious Activity Detection Report, MADScore: 2500]


An effective defense-in-depth strategy involves multiple layers of protection based on email content, user identity, user behavior, and threat insights.


Email content:
  Exchange Online Protection: block known bad mail
  Office 365 Advanced Threat Protection: protect against unknown bad mail

User identity:
  Conditional Access: block risky sign-in
  Multi-factor Authentication
  Azure Identity Protection: detect risky sign-in

User behavior:
  Microsoft Cloud App Security: remediate known attack
  Microsoft Cloud App Security: challenge unknown attack

Threat insights:
  Threat Intelligence: investigate attack
  Multi-factor Authentication
  Power BI: correlate attack vectors

Trusted User Phishing Attack

A Trusted User Phishing Attack (a.k.a. TU Phish) is an attack initiated by a compromised account from inside of the organization or from another trusted organization. This type of attack is different from spoofing and is particularly difficult to detect and defeat with traditional and even advanced threat protection when it emerges as a highly targeted attack. The best protection is provided by a defense-in-depth strategy that includes policies for known attack signatures and correlates multiple indications of compromise to discover new attack signatures. Risk-based automated remediation also helps to stop attacks that are in progress while minimizing false positives.


  1. Bad actor sends email.
  2. Recipient clicks the link and compromises her credentials.
  3. Office 365 CAS detects the known attack signature based on the attacker's behaviors.
  4. Flow begins a threat assessment and automatic remediation based on risk.
  5. Power BI and Threat Intelligence can provide additional profile analysis to find the source of the attack.
  6. Once the source has been determined, the admin can block the common attack vector (URL or IP).
  7. Additional phishing attempts are then blocked before the user is compromised.
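Steps 5 and 6 above, finding the attack vector shared by the compromised accounts so that the URL or IP (rather than the trusted sender) can be blocked, as an added example written for this page rather than MAD365's or Power BI's own logic. The inbound-message records and field names are constructed for the example (they are not the Microsoft 365 message-trace schema), and dave@partner.example plays the compromised trusted partner account from the TU Phish scenario. The ranking rule is an assumption: a vector must reach every compromised mailbox, and the fewer uncompromised mailboxes it also reached, the more specific an indicator it is.

```python
from collections import defaultdict

# Constructed inbound-message records (invented fields and values).
PHISH_URL = "https://login-example.invalid/auth"
NEWS_URL = "https://news.example/weekly"
MESSAGES = [
    {"recipient": "alice@example.com", "sender": "dave@partner.example", "sender_ip": "203.0.113.7", "url": PHISH_URL},
    {"recipient": "erin@example.com",  "sender": "dave@partner.example", "sender_ip": "203.0.113.7", "url": PHISH_URL},
    {"recipient": "frank@example.com", "sender": "dave@partner.example", "sender_ip": "203.0.113.7", "url": PHISH_URL},
    {"recipient": "alice@example.com", "sender": "news@news.example", "sender_ip": "198.51.100.9", "url": NEWS_URL},
    {"recipient": "erin@example.com",  "sender": "news@news.example", "sender_ip": "198.51.100.9", "url": NEWS_URL},
    {"recipient": "frank@example.com", "sender": "news@news.example", "sender_ip": "198.51.100.9", "url": NEWS_URL},
    {"recipient": "grace@example.com", "sender": "news@news.example", "sender_ip": "198.51.100.9", "url": NEWS_URL},
    # dave's legitimate mail, sent earlier from the partner's usual address
    {"recipient": "grace@example.com", "sender": "dave@partner.example", "sender_ip": "198.51.100.40", "url": "https://partner.example/invoice"},
]

# Accounts already flagged as compromised by the detection step (constructed).
COMPROMISED = {"alice@example.com", "erin@example.com"}


def correlate_vectors(messages, compromised):
    """Rank candidate vectors (URL, sending IP, sender) by how well they explain
    the compromised set. Returns [(kind, value, clean_recipient_count)], most
    specific first."""
    seen = defaultdict(lambda: {"hit": set(), "clean": set()})
    for m in messages:
        bucket = "hit" if m["recipient"] in compromised else "clean"
        for kind in ("url", "sender_ip", "sender"):
            seen[(kind, m[kind])][bucket].add(m["recipient"])

    ranked = [
        (kind, value, len(s["clean"]))
        for (kind, value), s in seen.items()
        if s["hit"] == set(compromised)      # must reach every compromised mailbox
    ]
    # Fewest clean recipients first; kind/value keep the order deterministic.
    ranked.sort(key=lambda r: (r[2], r[0], r[1]))
    return ranked


def block_entries(ranked, max_clean=1):
    """Vectors specific enough to block: at most `max_clean` clean recipients."""
    return [(kind, value) for kind, value, clean in ranked if clean <= max_clean]


if __name__ == "__main__":
    ranking = correlate_vectors(MESSAGES, COMPROMISED)
    for kind, value, clean in ranking:
        print(f"{kind:10} {value:40} clean recipients: {clean}")
    print("block:", block_entries(ranking))
```

On the constructed data the phishing URL and the sending IP 203.0.113.7 come out on top (each reached the two compromised users plus frank, who did not click), while the newsletter URL and the partner sender also reached every compromised user but with more clean recipients, so they rank lower and are not blocked. That is the point of correlating across accounts: the trusted partner account stays usable, and only the URL and IP the attacker relied on are cut off.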