Suspicious Microsoft Entra activity indicating external user invitation

ID: entra_external_user_invited_suspicious
Data type: Microsoft Entra ID
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1136.003

Description

AlphaSOC detected an invitation sent to an external user to join the Microsoft Entra ID tenant via the Invite external user audit action. Guest invitations allow external identities to access organizational resources including SharePoint, Teams, and Microsoft 365 applications. Attackers who compromise an account with sufficient privileges may invite attacker-controlled external accounts to establish persistent access to the organization's environment.

Impact

An unauthorized guest invitation may allow an external attacker-controlled identity to access shared resources within the tenant. Depending on the organization's guest access policies, the invited account could browse SharePoint sites, participate in Teams channels, access shared files, or interact with other collaborative resources.

Severity

| Severity | Condition |
| --- | --- |
| Informational | External user invited with one unexpected property |
| Low | External user invited with two unexpected properties |
| Medium | External user invited with three unexpected properties |

Investigation and Remediation

Review Entra audit logs for the Invite external user event. Identify the inviting user, the external email domain, and the resources the guest was granted access to. Verify whether the invitation was authorized and aligned with business needs. If unauthorized, revoke the guest invitation or disable the guest account and review the inviting account for signs of compromise.
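The review step above can be scripted over exported audit records. The following is an added example, not AlphaSOC or Microsoft code: it pulls the inviter and invited domain from each Invite external user event and marks invitations to domains outside an approved-partner list. It assumes records in the Microsoft Graph directoryAudit JSON shape with the invited address under an additionalDetails key named invitedUserEmailAddress (falling back to the guest UPN); the sample records, APPROVED_DOMAINS and the function names are constructed for illustration.

```python
import json

ACTION = "Invite external user"           # audit action named on this page
APPROVED_DOMAINS = {"partner.example"}    # hypothetical list of sanctioned partner domains

# Constructed sample records (directoryAudit-style shape), not real log data.
SAMPLE = json.loads("""[
 {"activityDisplayName": "Invite external user", "activityDateTime": "2024-05-02T09:14:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "it.admin@contoso.example"}},
  "targetResources": [{"userPrincipalName": "pat_partner.example#EXT#@contoso.onmicrosoft.com"}],
  "additionalDetails": [{"key": "invitedUserEmailAddress", "value": "pat@partner.example"}]},
 {"activityDisplayName": "Invite external user", "activityDateTime": "2024-05-03T02:41:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
  "targetResources": [{"userPrincipalName": "x1_mailbox.test#EXT#@contoso.onmicrosoft.com"}],
  "additionalDetails": []},
 {"activityDisplayName": "Update user", "activityDateTime": "2024-05-03T02:45:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}}, "targetResources": []}
]""")

def invited_email(record):
    """Return the invited address, or None if the record does not carry one."""
    for item in record.get("additionalDetails") or []:
        if item.get("key") == "invitedUserEmailAddress" and item.get("value"):  # assumed key name
            return item["value"].strip().lower()
    # Fallback: guest UPNs have the form local_domain#EXT#@tenant
    for target in record.get("targetResources") or []:
        upn = target.get("userPrincipalName") or ""
        if "#EXT#" in upn:
            local, _, domain = upn.split("#EXT#")[0].rpartition("_")
            if local and domain:
                return f"{local}@{domain}".lower()
    return None

def triage(records, approved=APPROVED_DOMAINS):
    """List invitation events with inviter, invited domain and a needs-review flag."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != ACTION:
            continue
        email = invited_email(rec)
        domain = email.rpartition("@")[2] if email else None
        inviter = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        findings.append({"time": rec.get("activityDateTime"), "inviter": inviter,
                         "invited": email, "domain": domain, "review": domain not in approved})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Events whose invited address cannot be recovered are flagged for review rather than dropped, so an unparseable record still reaches an analyst.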

Known False Positives

  • Authorized collaboration with external partners, contractors, or vendors