This page includes:
About Microsoft 365 - ATO detection
If you have integrated FortiMail Workspace Security with Microsoft 365 [Inline or API], you can enhance your protection by enabling the FortiMail Workspace Security-Microsoft 365 ATO [account takeover] detection functionality. This functionality monitors user activity in your Microsoft 365 accounts to detect possible ATO attempts. The detection is based significantly on monitoring anomalies in user behavior. It is recommended that you activate the Microsoft 365 ATO detection functionality in your organization.
|
Note: The ATO detection functionality is not available for Google Workspace, Microsoft Exchange, and "Other" integrations. |
To activate the Microsoft 365 ATO detection functionality, mailbox auditing must be enabled in your Microsoft 365 account. FortiMail Workspace Security analyzes the Microsoft 365 audit log, and uses various algorithms to detect suspicious user activity. Suspicious user activity includes behavior such as:
-
creating suspicious mailbox rules [for example, forwarding, redirecting, moving, or deleting emails]
-
performing suspicious login attempts, such as too-fast-to-travel logins. In addition, FortiMail Workspace Security tries to identify unusual login patterns and login attempts from unfamiliar locations or devices.
Suspicious ATO activity appears as entries in the Account Takeover page. For details about these cases, see Account Takeover.
|
IMPORTANT: After you activate ATO detection, we recommend that you also enable alerts for suspected ATO attempts. For details, see Alerts. |
-
You can activate Microsoft 365 ATO only if the FortiMail Workspace Security-Microsoft 365 integration [Inline or API] is already enabled in your organization. For details, see Integration with Microsoft 365.
|
Auto alerts |
If FortiMail Workspace Security detects a possible account takeover in your organization, FortiMail Workspace Security will send an email alert with a subject similar to "URGENT - Possible Account Take Over". The email will include details of the suspected account takeover. The email will be sent to the recipients that are specified in the "Alert via email on malicious cases" setting. If this setting is not enabled, email alerts will not be sent. [See Configuring alerts] Work together with the FortiMail Workspace Security IR Team to investigate and resolve the issue. |
|
Manual alerts |
The FortiMail Workspace Security IR Team monitors and reviews the cases that are added by FortiMail Workspace Security. The FortiMail Workspace Security IR Team may investigate any of the cases in more detail [typically High severity cases] and send an additional email alert with more details about the case.
|
More about ATO alerts
|
Licensing: |
There are no additional licensing requirements for enabling the ATO functionality. |
|
Note: |
ATO can't be enabled in bulk for multiple organizations; to activate ATO, it is necessary to perform the procedure below individually for each organization. |
|
Disclaimer: |
After you perform the procedures below to activate the ATO detection functionality, FortiMail Workspace Security will attempt to detect ATO attempts in all the email accounts in your organization. It is not possible to limit the ATO detection functionality to protect only specified domains, groups of users, or users. Please consider the associated privacy issues before implementing the ATO functionality. |
Configuring Microsoft 365 - ATO detection
|
|
See the available Perform the following steps to configure the Microsoft 365 - ATO detection functionality.
Step 1. Enabling auditing in Microsoft 365 
This step enables mailbox auditing in Microsoft 365. If you have a Microsoft 365 E5 subscription, mailbox auditing may already be enabled for your organization. For more information about auditing, see the official Microsoft documentation 
.
-
Open the Microsoft 365 Compliance Center at https://security.microsoft.com/auditlogsearch [Solutions > Audit].
-
Click "Start recording user and admin activity" near the top of the page.
Note:
-
Clicking the "Start recording user and admin activity" button enables mailbox auditing in Microsoft 365.
-
If this button doesn't appear, then mailbox auditing is probably already enabled for your organization - and you can continue with Step 2 below.
-
Step 2. Activating ATO detection in FortiMail Workspace Security
This step activates the ATO detection functionality in FortiMail Workspace Security. It must be performed by an admin user with the Admin role.
|
Note: Make sure to perform Step 2 in the [child] organization in which scans are performed - not in the parent organization. |
-
In FortiMail Workspace Security, in the left navigation menu, select Settings > Bundles and Channels.
-
Under Enabled Channels, locate Email Service > Microsoft 365.
-
Under Email Service > Microsoft 365, locate Account Takeover (ATO) detection.
Note: If you don't see Account Takeover (ATO) detection, contact FortiMail Workspace Security Support.
-
Click Activate - on the right of Account Takeover (ATO) detection.
You'll be redirected to sign-in to your Microsoft account.
-
Sign-in to your Microsoft account as a global admin.
You'll see a list of the permissions that are required.
-
Click Accept.
Microsoft 365 > Account Takeover (ATO) detection should now appear as Active in FortiMail Workspace Security.
IMPORTANT: After you activate ATO detection, we recommend that you also enable alerts for suspected ATO attempts - using the "Alert via email on malicious cases" setting. For details, see Configuring alerts.
From now on, FortiMail Workspace Security will try to detect ATO attempts in the Microsoft 365 email accounts in your organization. It is not necessary to inform FortiMail Workspace Security Support that ATO is activated.
Important: After you have completed this step, it may take up to 24 hours before audit data begins to be received by FortiMail Workspace Security. To ensure that the ATO detection functionality is correctly configured, after 24 hours, check that there are some ATO-detection related events in the Events page. Look for events such as UserLoggedIn, New-InboxRule, and Set-InboxRule. For further details, see Events.
If you don't see any ATO-related events after 24 hours, contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.
Monitoring ATO detections
You can use both the Account Takeover page and the Events page to monitor suspected ATO attempts - the Account Takeover page is the recommended location.
Monitoring in the Account Takeover page
In the Account Takeover page, you can monitor suspected ATO attempts in your organization.
For details about the Account Takeover page, see Account Takeover.
Monitoring in the Events page
In the Events page, you can monitor suspected ATO attempts in your organization. Each suspected ATO attempt is assigned a High severity in the Events page. The type of the event is:
-
For mailbox rule issues:
-
New-InboxRule
-
Remove-InboxRule
-
Set-InboxRule
-
Set-Mailbox
-
-
For login issues:
-
UserLoggedIn
-
UserLoginFailed
-
|
Note: There may be ATO-related entries in the Events page, and no corresponding entries in the Account Takeover page. This is because a case will be added only if the required set of factors are detected, not necessarily just a single entry in the Events page. |
For details about the Events page, see Events.
A bit more about enabling ATO detection
|
|
See also:
