Catching Collection in M365: Outlook and SharePoint Canary Tokens
After a stolen token grants access to M365, the next move is predictable: search for value before exfiltration. This talk shows how to detect that collection phase using canary tokens built on native telemetry across Outlook and SharePoint/OneDrive. We cover end-to-end implementation and results from live production deployments, including what produced high-fidelity signal and what created noise.
Ryan O’Donnell:
Ryan O’Donnell is a Senior Security Engineer at Microsoft. Over the last 13+ years, he’s been performing Penetration Tests, Red Team assessments, and Incident Response investigations. Ryan has presented at the following conferences: Wild West Hackin’ Fest, Saintcon, Hack Space Con, Hack Red Con, BSides Las Vegas, BSides NoVa, and BSides Roanoke. Ryan has a Master’s in Cybersecurity from GMU and the following certifications: OSCP, OSEP, GCFA, and GREM.