Part 5 - Advanced Phishing Detection and Response with Microsoft Sentinel and the Unified SOC

This is Part 5 of our six-part series on phishing attacks and defences. Part 1 provided an overview of the series, Part 2 explored various phishing attack types, Part 3 examined advanced phishing frameworks, our bonus content delved into post-exploitation techniques, and Part 4 covered comprehensive protection strategies.

Despite our best preventative efforts, sophisticated phishing attacks will occasionally succeed. When prevention fails, rapid detection becomes critical to limiting the impact of a compromise. Microsoft Sentinel and the new Unified Security Operations Platform provide powerful capabilities for identifying potentially phished users and orchestrating swift responses to contain and remediate threats.

In this fifth instalment, we'll explore how to leverage Microsoft Sentinel within the Unified SOC to detect and respond to phishing attacks, with a special focus on detecting modern attack techniques like OAuth abuse, token theft, and Adversary-in-the-Middle (AiTM) attacks.

The Unified Security Operations Platform

Screenshot of the Unified SOC portal

As of March 2025, Microsoft has introduced the Unified Security Operations Platform (Unified SOC), which brings together Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Security Copilot to create a cohesive security operations experience. The Unified SOC provides:

  • A streamlined incident management experience with a single, unified incident queue spanning SIEM and XDR alerts
  • Enhanced visibility across the security landscape
  • Integrated response capabilities
  • AI-assisted investigation through Security Copilot integration
  • Simplified navigation between SIEM and XDR capabilities

This integration enhances the detection and response capabilities we'll discuss throughout this article.

Unified SOC Incident

Microsoft Sentinel Overview

Microsoft Sentinel remains the foundation of advanced detection and serves as the cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution within the Unified SOC. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

SIEM Capabilities

As a SIEM, Microsoft Sentinel excels at collecting and normalising security data from diverse sources, which is essential for building a comprehensive picture of potential phishing threats. It correlates events across different systems and services, allowing security teams to see connections that might otherwise remain hidden. Through its powerful analytics engine, Sentinel applies detection rules to identify suspicious patterns that could indicate phishing attacks in progress. The platform provides rich visualisation tools for security monitoring that help analysts quickly understand complex security situations. Moreover, it enables proactive threat hunting across collected data, allowing security teams to search for indicators of compromise before alerts are triggered.

SOAR Capabilities for Phishing Response

Sentinel's SOAR functionality delivers orchestrated incident response workflows that guide security teams through consistent remediation processes. When threats are detected, automated actions can be triggered based on predefined criteria, speeding up initial response and containment. The platform includes robust case management for security incidents, ensuring all relevant information is gathered in one place. Integration with ticketing and notification systems keeps relevant stakeholders informed throughout the incident lifecycle. Perhaps most importantly, Sentinel supports playbooks for consistent and efficient response, ensuring that even complex phishing scenarios are handled according to best practices.

Critical Data Sources for Effective Phishing Detection

Effective phishing detection requires visibility across multiple data sources in your digital environment. Modern security teams need integrated monitoring capabilities to identify and respond to these sophisticated threats before they cause significant damage.

Identity Monitoring

Microsoft Entra ID serves as the cornerstone of identity security, providing essential visibility into authentication activities. Sign-in logs reveal unusual patterns from unfamiliar locations or devices that often indicate credential theft following successful phishing. Audit logs complement this by tracking security-relevant changes to user accounts and permissions, potentially revealing lateral movement tactics. As attackers increasingly leverage OAuth techniques, Graph activity logs have become indispensable for detecting token abuse through abnormal API access patterns.
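As an added example of the "abnormal API access patterns" mentioned above (this query is mine, not code from the original post), the hunt below runs over MicrosoftGraphActivityLogs and surfaces accounts whose mailbox is being paged through in bulk via the Graph API, which is how a replayed token or a consented rogue OAuth app typically harvests mail. It assumes the Microsoft Graph activity log export is enabled in the workspace and that SigninLogs is available for resolving object IDs; the 1h window and 200-request threshold are illustrative tuning values, not Microsoft defaults.

```kql
// Added example, not from the original post. Bulk mailbox reads through
// Microsoft Graph, grouped by user, client app and source IP.
// Assumes MicrosoftGraphActivityLogs and SigninLogs are connected.
// window/threshold are illustrative values; tune to your tenant.
let window = 1h;
let threshold = 200;
// UserId in the Graph activity log is the Entra object ID; resolve it to
// a UPN from the most recent sign-in we have for that object ID.
let upnLookup = SigninLogs
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, UserPrincipalName) by UserId
    | project UserId, UserPrincipalName;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(window)
| where isnotempty(UserId)                 // delegated (user) tokens only
| where RequestMethod == "GET"
| where ResponseStatusCode == 200
// Strip the query string so "?$top=1000" paging variants group together
| extend Endpoint = tostring(split(RequestUri, "?")[0])
// Mail item and mailbox enumeration endpoints
| where Endpoint has_any ("/messages", "/mailFolders")
| summarize
    Requests = count(),
    DistinctEndpoints = dcount(Endpoint),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    UserAgents = make_set(UserAgent, 10),
    ScopeSets = make_set(Scopes, 20)
    by UserId, AppId, IPAddress
| where Requests >= threshold
// Secondary signal: Outlook clients page a mailbox with a stable browser
// or Office user agent; scripted harvesting often shows a tooling UA.
| extend ScriptedClient = tostring(UserAgents) has_any ("python", "PowerShell", "curl", "Go-http-client")
| join kind=leftouter upnLookup on UserId
| project-away UserId1
| project UserPrincipalName, UserId, AppId, IPAddress, Requests, DistinctEndpoints,
          FirstSeen, LastSeen, ScriptedClient, UserAgents, ScopeSets
| order by Requests desc
```

AppId is the OAuth client that presented the token, so a first-party mail client reading a few hundred messages is expected, while an unfamiliar AppId, a scripting user agent, or a Mail.Read scope granted to an app the user consented to last week is what you are looking for. Pair the result with the user's consent events in AuditLogs ("Consent to application") to confirm the OAuth angle before you revoke tokens.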

Email Security

Email remains the primary vector for phishing attacks, making comprehensive monitoring essential for early detection. Microsoft Defender for Office 365 captures detailed information about attempted phishing (delivered to Sentinel as EmailEvents, EmailUrlInfo and EmailAttachmentInfo), enabling security teams to understand attack patterns. Safe Links click telemetry (UrlClickEvents) documents user interactions with suspicious links, often revealing the initial compromise point, while attachment analysis provides critical insights into potential malware behaviour attempting to enter your environment.

Endpoint Telemetry

Visibility extends beyond initial access points to endpoint activities, where Microsoft Defender for Endpoint monitors for post-compromise behaviours. Process execution telemetry (DeviceProcessEvents) reveals malware activation following successful phishing, while network connection data (DeviceNetworkEvents) exposes command and control communications established by threat actors. File system and browser activity tracking (DeviceFileEvents, DeviceEvents) completes the picture, connecting email-based lures to subsequent endpoint compromises.

Unified Security Monitoring

The true power emerges when these data sources converge in the Microsoft Defender portal (the Unified SOC), enabling cross-source correlation that reveals complete attack sequences. This integration supports advanced analytics that detect patterns invisible in isolated data and facilitates comprehensive threat hunting across the digital estate. Security teams gain visibility from the initial phishing attempt through compromise and subsequent attacker activities, dramatically improving detection and response capabilities.

By implementing this holistic monitoring approach focused on identity systems, email communications, and endpoint behaviours, organisations position themselves to effectively counter the persistent threat of phishing attacks in today's complex security landscape.
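The cross-source correlation described above, as an added example that is not part of the original post: a Safe Links click recorded by Defender for Office 365 is joined to a successful Entra ID sign-in by the same user shortly afterwards from an IP address that user had never signed in from during a baseline period. It assumes UrlClickEvents (Defender XDR connector) and SigninLogs are both in the workspace; the 30d baseline and 2h window are illustrative, and the ActionType filter is the "ClickAllowed" value plus click-throughs of a warning page.

```kql
// Added example, not from the original post. Phishing click followed by a
// sign-in from a never-before-seen IP for that user.
// Assumes UrlClickEvents and SigninLogs are connected; windows are illustrative.
let baseline = 30d;
let window = 2h;
// IPs each user successfully signed in from before the hunting window
let knownIPs = SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | where ResultType == "0"
    | summarize KnownIPs = make_set(IPAddress, 2000) by UserPrincipalName = tolower(UserPrincipalName);
// URL clicks that actually reached the destination
let clicks = UrlClickEvents
    | where Timestamp > ago(window)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | project ClickTime = Timestamp, UserPrincipalName = tolower(AccountUpn),
              Url, NetworkMessageId, ThreatTypes;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| project SignInTime = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName),
          IPAddress, Location, AppDisplayName, UserAgent, SessionId
| join kind=inner clicks on UserPrincipalName
// Only sign-ins that happened after the click and inside the window
| where SignInTime between (ClickTime .. (ClickTime + window))
| join kind=leftouter knownIPs on UserPrincipalName
// No baseline at all, or an IP that is not in the user's baseline set
| where isnull(KnownIPs) or not(set_has_element(KnownIPs, IPAddress))
| project ClickTime, SignInTime, UserPrincipalName, Url, ThreatTypes,
          IPAddress, Location, AppDisplayName, UserAgent, SessionId, NetworkMessageId
| order by SignInTime desc
```

NetworkMessageId is carried through so the analyst can pivot straight back to the originating message in EmailEvents, and SessionId is the handle you will want for the token-replay checks later in this article. Expect noise from users on mobile carriers or VPNs whose egress IP changes; filtering the sign-in side to a different country than the user's baseline, or requiring the click's ThreatTypes to be non-empty, tightens it considerably.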

Optimising Authentication Data Analysis with UnifiedSignInLogs

When crafting effective detection rules, security professionals often face the challenge of handling disparate authentication log formats. To overcome this obstacle, I've implemented a custom function called UnifiedSignInLogs that seamlessly integrates both interactive and non-interactive authentication events into a cohesive data stream. This approach, originally conceptualised in Fabian Bader's blog post a couple of years ago, has proven invaluable in my workflow. Over time, I've expanded upon Fabian's foundation, enhancing the function with additional capabilities to meet evolving security needs.

// isfuzzy=true lets the query compile even if one of the two tables is absent from the workspace
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
// Where the same column is dynamic in SigninLogs but string in AADNonInteractiveUserSignInLogs,
// union emits a *_dynamic and a *_string pair. Coalesce each pair into a single dynamic column
// so that downstream rules can use one expression (e.g. Status.errorCode) for both sources.
| extend ConditionalAccessPolicies = iff(isempty( ConditionalAccessPolicies_dynamic ), todynamic(ConditionalAccessPolicies_string), ConditionalAccessPolicies_dynamic)
| extend Status = iff(isempty( Status_dynamic ), todynamic(Status_string), Status_dynamic)
| extend MfaDetail = iff(isempty( MfaDetail_dynamic ), todynamic(MfaDetail_string), MfaDetail_dynamic)
| extend DeviceDetail = iff(isempty( DeviceDetail_dynamic ), todynamic(DeviceDetail_string), DeviceDetail_dynamic)
| extend LocationDetails = iff(isempty( LocationDetails_dynamic ), todynamic(LocationDetails_string), LocationDetails_dynamic)
| extend TokenProtection = iff(isempty(TokenProtectionStatusDetails_dynamic),todynamic(TokenProtectionStatusDetails_string),TokenProtectionStatusDetails_dynamic)
// Drop the now-redundant suffixed columns
| project-away *_dynamic, *_string

UnifiedSignInLogs function

This function unifies both interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs) authentication events into a single dataset while normalising field formats. The advantages for phishing detection are concrete: a rule written once against UnifiedSignInLogs covers both tables, which matters because a stolen refresh token replayed after an AiTM compromise typically shows up only in the non-interactive log, and coalescing Status, DeviceDetail, LocationDetails and the token protection details into dynamic columns means the same expression (Status.errorCode, DeviceDetail.trustType, LocationDetails.countryOrRegion) works across both sources without per-table casting.

Alternatively, organisations could implement the Advanced Security Information Model (ASIM) framework instead of this custom function. ASIM provides comprehensive standardisation across multiple security data sources, including authentication events. For organisations already leveraging ASIM, its normalised schema can achieve similar outcomes through existing ASIM parsers without requiring this specific function. ASIM offers the same benefits of normalised field formats and unified visibility, whilst also providing consistency with other security data types beyond authentication events.
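One detection that depends on seeing interactive and non-interactive events together is session token replay: when an AiTM proxy captures a session, the attacker's subsequent token refreshes carry the victim's SessionId but come from attacker infrastructure. The query below is an added example, not code from the original post or from Fabian Bader's, and assumes the function above has been saved in the workspace under the name UnifiedSignInLogs; the 1d window is illustrative.

```kql
// Added example, not from the original post. Flags sessions whose tokens
// were used from more than one IP address (and, worse, more than one country)
// within the window. Assumes UnifiedSignInLogs is a saved workspace function.
let window = 1d;
UnifiedSignInLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"                  // successful authentications only
| where isnotempty(SessionId)
// LocationDetails is dynamic for both sources thanks to the function
| extend Country = tostring(LocationDetails.countryOrRegion)
| extend TrustType = tostring(DeviceDetail.trustType)
| summarize
    IPs = make_set(IPAddress, 20),
    Countries = make_set(Country, 20),
    TrustTypes = make_set(TrustType, 5),
    Apps = make_set(AppDisplayName, 20),
    UserAgents = make_set(UserAgent, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Events = count()
    by UserPrincipalName, SessionId
| where array_length(IPs) > 1
| extend MultiCountry = array_length(Countries) > 1
// A session that is sometimes on a registered device and sometimes not is a
// strong hint the token left the device it was issued to
| extend MixedDeviceTrust = array_length(TrustTypes) > 1
| order by MultiCountry desc, MixedDeviceTrust desc, array_length(IPs) desc
```

Multiple IPs inside one session is common for laptops moving between office, home and mobile networks, so treat IP count alone as a hunting lead; MultiCountry and MixedDeviceTrust are the rows to open first. When a hit is confirmed, the SessionId is also the value you pass to token revocation and the sign-in investigation in the Unified SOC, which is where the response section of this article picks up.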

Advanced Detection Rules for Modern Phishing Techniques