An account that does not typically download DLLs has been observed downloading a DLL file under conditions that highlight the risk of DLL hijacking, such as a non-DLL file and a DLL file being downloaded from the same directory within a short time frame.
Possible Root Causes
An attacker has abused the way applications search for DLLs by placing a malicious DLL file into a shared directory with the intention of compromising any endpoint that loads the malicious DLL file rather than the intended application DLL file.
In some cases, developers collaborating from a cloud-hosted repository could intentionally download and access DLLs this way.
Business Impact
DLL Hijacking may result in the complete compromise of a targeted system, and associated accounts and data.
Endpoints compromised through DLL Hijacking give an attacker an additional foothold in the environment and an opportunity for additional lateral movement, increasing the risk of impact to enterprise systems, users, and data.
Steps to Verify
Investigate the user associated with this action, and verify if this user would be downloading DLL files as part of their expected workflows.
Investigate the presence of additional files accessed as part of this detection, and assess whether this is indicative of an authorized remote application used for legitimate business purposes.
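The condition described at the top of this page, and the check for additional files in the verification steps, can be reproduced over exported audit records. The following is an added example, not the vendor's detection logic: it assumes Microsoft 365 unified audit log records with the SharePoint file-operation fields shown, a five-minute window, and a caller-supplied set of accounts that normally download DLLs. All sample records are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed; the page says only "a short time frame"

def _rec(ts, user, folder, name, op="FileDownloaded"):
    # Builds one constructed record shaped like a SharePoint file-operation audit entry.
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "SiteUrl": "https://contoso.example/sites/ops",
            "SourceRelativeUrl": folder, "SourceFileName": name}

SAMPLE = [  # constructed data, not taken from a real tenant
    _rec("2024-05-02T09:14:07", "alice@example.com", "Shared Documents/Tools", "viewer.exe"),
    _rec("2024-05-02T09:14:31", "alice@example.com", "Shared Documents/Tools", "helperlib.dll"),
    _rec("2024-05-02T10:02:00", "bob@example.com", "Dev/Build", "build.exe"),
    _rec("2024-05-02T10:02:40", "bob@example.com", "Dev/Build", "libfoo.dll"),
    _rec("2024-05-02T11:00:00", "carol@example.com", "Shared Documents/Tools", "helperlib.dll"),
    _rec("2024-05-02T11:01:00", "carol@example.com", "Shared Documents/Reports", "q1.docx"),
    _rec("2024-05-02T13:00:00", "dave@example.com", "Shared Documents/Tools", "setup.exe"),
    _rec("2024-05-02T13:30:00", "dave@example.com", "Shared Documents/Tools", "plugin.dll"),
    _rec("2024-05-02T14:00:00", "erin@example.com", "Shared Documents/Tools", "viewer.exe", op="FileAccessed"),
    _rec("2024-05-02T14:00:20", "erin@example.com", "Shared Documents/Tools", "helperlib.dll"),
]

def _dir(rec):
    return (rec["SiteUrl"].rstrip("/") + "/" + rec["SourceRelativeUrl"].strip("/")).lower()

def _is_dll(rec):
    return rec["SourceFileName"].lower().endswith(".dll")

def find_dll_pairs(records, usual_dll_users=frozenset(), window=WINDOW):
    """One finding per DLL download that has a non-DLL download by the same
    user from the same directory within `window`."""
    downloads = [r for r in records if r["Operation"] == "FileDownloaded"]
    findings = []
    for dll in filter(_is_dll, downloads):
        user = dll["UserId"].lower()
        if user in usual_dll_users:
            continue  # downloading DLLs is normal for this account
        t0 = datetime.fromisoformat(dll["CreationTime"])
        companions = sorted(
            r["SourceFileName"] for r in downloads
            if not _is_dll(r) and r["UserId"].lower() == user
            and _dir(r) == _dir(dll)
            and abs(datetime.fromisoformat(r["CreationTime"]) - t0) <= window)
        if companions:
            findings.append({"user": user, "directory": _dir(dll),
                             "dll": dll["SourceFileName"], "companions": companions})
    return findings
```

The `companions` list in each finding is the set of co-located files to review when deciding whether the download belongs to an authorized application.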
M365 DLL Hijacking Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks: