Providing Access to a Unauthorized Third Party

The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.

The subject intentionally weakens or bypasses physical security controls for a third party, such as allowing them to piggyback into a secure area, leaving a door unlocked for them, or providing them with a security pass.

The subject grants unauthorized access to organizational collaboration platforms, such as Slack, Microsoft Teams, Confluence, or equivalent tools, thereby exposing them to internal information, workflows, or discussions outside their clearance or role-based access. This behavior may occur by inviting a guest account, elevating access permissions for an existing contact, or bypassing formal onboarding channels to enable out-of-policy access.

Such unauthorized collaboration introduces a high-risk vector for information leakage, intellectual property exposure, and unmonitored data sharing. In many cases, these platforms contain embedded files, chat histories, integration logs, and operational metadata that extend beyond what the subject may intend to share. Even when performed under the guise of productivity or convenience, this behavior constitutes a clear infringement of acceptable use policies and undermines formal access governance structures.

The action is often difficult to detect retrospectively if audit logging for guest access is not enabled or if collaboration platforms lack integration with centralized identity providers. Investigators should consider whether the access was temporary or persistent, and whether the subject demonstrated awareness of the policy violation (e.g., through attempts to obscure or justify the behavior).

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.

Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.

The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/Audit/resourceId//resourceType/tenant/provider/aadroles

Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior.