Sparrow, the hacking tool developed by the US Govt. to scan Office 365 & Azure environments

In a recently released report, the Cybersecurity and Infrastructure Security Agency (CISA) revealed a PowerShell-based tool that might help detect potentially compromised applications and accounts in Microsoft 365 and Azure implementations. This was possible after Microsoft detailed how stolen credentials and access tokens are being used by hacking groups to compromise Azure users worldwide.

The Agency’s report mentions that this is a free tool capable to detect malicious activity threatening users in the vulnerable environments: “We intended to adapt to complex incident response scenarios by focusing on activity that is endemic to the recent identity-based attacks”.

CISA’s Cloud Forensics team dubbed this tool as “Sparrow” and it can be used to narrow down larger sets of investigation modules and telemetry to those specific to recent attacks on federated identity The tool also checks the unified Azure/M365 audit log for indicators of compromise, lists Azure AD domains and checks Azure service principals and their Microsoft Graph API permissions to detect potentially malicious behavior on the target systems.

  • Search for changes to domain and federation settings in a tenant’s domain
  • Search for credential modifications in an application
  • Searching for PowerShell logins in mailboxes
  • Lookup the known AppID for Exchange Online PowerShell
  • Known AppID Lookups for PowerShell
  • AppID lookup to check if email items have been accessed

CISA is not the only organization to have developed such tools. Recently, cybersecurity firm CrowdStrike released a similar tool, developed after investigating an unsuccessful cyberattack targeting multiple Azure implementations. This tool was even used during the investigation of the massive hack at SolarWinds, but CrowdStrike confirmed that there was no evidence of impact in the supply chain. The full report and the tool are available on CISA’s official platforms and in its GitHub repository.