Because of the growing popularity and adoption of cloud computing, including software-as-a-service (SaaS) applications, amongst consumers and organizations, there has been an increasing number of attacks involving Microsoft Office 365 and the Azure Active Directory environment, stemming from phishing attacks, business email compromise, supply-chain attacks and more.
In January 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning the public that the advanced persistent threat (APT) actors behind the SolarWinds attack are leveraging attack vectors such as credential stuffing, brute-force attacks and more to gain access to organizations’ cloud resources.
To that end, CISA has developed a free tool, Sparrow, which can be used to detect malicious activities in an Azure/Microsoft Office 365 environment.
What is Sparrow.ps1?
Sparrow is a PowerShell tool developed by CISA’s Cloud Forensics team to detect malicious activities, such as possibly compromised accounts and applications, in the Azure or Microsoft Office 365 environment. The tool was developed because of the increased number of identity- and authentication-based attacks on Azure and Microsoft Office 365 detected recently in multiple sectors.