Racing Ahead of the AI‑Driven Cyber Arms Race

Introduction

The cyber-threat landscape is shifting under our feet. Attacker tools powered by artificial intelligence (AI) and generative AI (Gen AI) are accelerating vulnerability discovery and exploitation, outpacing many traditional defence approaches. Organisations that delay adaptation risk being overtaken by adversaries. According to recent reporting, nearly half of organisations identify adversarial Gen AI advances as a top concern. In this post, I walk through the current threat landscape, spotlight key attack vectors, explore defensive options, examine critical gaps, and propose a roadmap that security leaders should adopt now.


The Landscape: Vulnerabilities, AI Tools, and the Adversary Advantage

Attackers now exploit a converging set of forces: an increasing rate of disclosed vulnerabilities, the wide availability of AI/ML-based tools for crafting attacks, and automation that scales old-school tactics into far greater volume. One report notes 16% of reported incidents involved attackers leveraging AI tools like language or image generation models. Meanwhile, researchers warn that AI-generated threats could make up to 50% of all malware by 2025. Gen AI is now a game-changer for both attackers and defenders.

The sheer pace of vulnerability disclosure also matters. The more pathways available, the more damage automation and AI can do. Gen AI will be the top driver of cybersecurity in 2024 and beyond—both for malicious actors and defenders.

The baseline for attackers is being elevated. The attacker toolkit is becoming smarter, faster and more scalable. Defenders must keep up — or fall behind.


Specific Threat Vectors to Watch

Deepfakes & Social Engineering

Realistic voice- and video-based deepfakes are no longer novel. They are entering the mainstream of social engineering campaigns. Gen AI enables image and language generation that significantly boosts attacker credibility.

Automated Spear‑Phishing & AI‑Assisted Content Generation

Attackers use Gen AI tools to generate personalised, plausible phishing lures and malicious payloads. LLMs make phishing scalable and more effective, turning what used to take hours into seconds.

Supply Chain & Model/API Exploitation

Third-party AI or ML services introduce new risks—prompt-injection, insecure model APIs, and adversarial data manipulation are all growing threats.

Polymorphic Malware & AI Evasion

AI now drives polymorphic malware capable of real-time mutation, evading traditional static defences. Reports cite that over 75% of phishing campaigns now include this evasion technique.


Defensive Approaches: What’s Working?

AI/ML for Detection and Response

Defenders are deploying AI for behaviour analytics, anomaly detection, and real-time incident response. Some AI systems now exceed 98% detection rates in high-risk environments.

Continuous Monitoring & Automation

Networks, endpoints, cloud workloads, and AI interactions must be continuously monitored. Automation enables rapid response at machine speed.

Threat Intelligence Platforms

These platforms enhance proactive defence by integrating real-time adversary TTPs into detection engines and response workflows.

Bug Bounty & Vulnerability Disclosure Programs

Crowdsourcing vulnerability detection helps organisations close exposure gaps before adversaries exploit them.


Challenges & Gaps in Current Defences

  • Many organisations still cannot respond at Gen AI speed.

  • Defensive postures are often reactive.

  • Legacy tools are untested against polymorphic or AI-powered threats.

  • Severe skills shortages in AI/cybersecurity crossover roles.

  • Data for training defensive models is often biased or incomplete.

  • Lack of governance around AI model usage and security.


Roadmap: How to Get Ahead

  1. Pilot AI/Automation – Start with small, measurable use cases.

  2. Integrate Threat Intelligence – Especially AI-specific adversary techniques.

  3. Model AI/Gen AI Threats – Include prompt injection, model misuse, identity spoofing.

  4. Continuous Improvement – Track detection, response, and incident metrics.

  5. Governance & Skills – Establish AI policy frameworks and upskill the team.

  6. Resilience Planning – Simulate AI-enabled threats to stress-test defences.


Metrics That Matter

  • Time to detect (TTD)

  • Number of AI/Gen AI-involved incidents

  • Mean time to respond (MTTR)

  • Alert automation ratio

  • Dwell time reduction


Conclusion

The cyber-arms race has entered a new era. AI and Gen AI are force multipliers for attackers. But they can also become our most powerful tools—if we invest now. Legacy security models won’t hold the line. Success demands intelligence-driven, AI-enabled, automation-powered defence built on governance and metrics.

The time to adapt isn’t next year. It’s now.


More Information & Help

At MicroSolved, Inc., we help organisations get ahead of emerging threats—especially those involving Gen AI and attacker automation. Our capabilities include:

  • AI/ML security architecture review and optimisation

  • Threat intelligence integration

  • Automated incident response solutions

  • AI supply chain threat modelling

  • Gen AI table-top simulations (e.g., deepfake, polymorphic malware)

  • Security performance metrics and strategy advisory

Contact Us:
🌐 microsolved.com
📧 info@microsolved.com
📞 +1 (614) 423‑8523



* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

Aligning Cybersecurity with Business Objectives & ROI

Why the C-Suite must hear more than “We blocked X threats.”

Problem statement

Security teams around the world face a persistent challenge: articulating the value of cybersecurity in business terms—and thereby justifying budget and ROI. Too often the story falls into the “we reduced vulnerabilities” or “we blocked attacks” bucket, which resonates with the technical team—but not with the board, the CFO, or the business units. The result: under‑investment or misalignment of security with business goals.

In an era of tighter budgets and competing priorities, this gap has become urgent. Framing cybersecurity as a cost centre invites cuts; framing it as a business enabler invites investment.


Why business alignment matters

When security operates in a silo—focused purely on threats, alerts, tools—the conversation stays technical. But business leaders speak a different language: revenue, growth, brand, customer trust. A recent analysis found that fewer than half of security organisations can tie controls to business impacts.

Misalignment leads to several risks:

  • Security investments that don’t map to the assets or processes that drive business value.

  • Metrics that matter to the security team but not to executives (e.g., number of vulnerabilities patched).

  • A perception of security as an overhead rather than a strategic lever.

  • Vulnerability to budget cuts or being deprioritised when executive attention shifts.

By aligning security with business objectives—whether that’s enabling cloud transformation, protecting key revenue streams, or ensuring operational continuity—security becomes part of the value chain, not just the defence chain.


Translating threat/risk into business impacts

One of the central tasks for today’s security leader is translation. It’s not enough to know that a breach could occur—it’s about articulating “if this happens, here’s what it costs the business.”

  • Determine the business value at risk: downtime, lost revenue, brand damage, regulatory fines.

  • Use financial terms whenever possible. For example: “A two‑week outage in our payments system could cost us $X in lost transactions, plus $Y in remediation, plus $Z in churn.”

  • Link initiatives to business outcomes: for example, “By reducing mean time to recover (MTTR) we reduce revenue downtime by N hours” rather than “we improved MTTR by X %.”

  • Employ frameworks such as the Gordon–Loeb model that help model optimal investment levels (though they require assumptions).

  • Recognise that not all value is in avoided loss; some lies in enabling business growth, winning deals because you have credible security, or supporting new business models.


Metrics and dashboards: shifting from tech to business

A recurring complaint: security dashboards measure what’s easy, not what’s meaningful. For example, counting “number of alerts” or “vulnerabilities remediated” is fine—but it doesn’t always tie to business risk.

More business‑centric metrics include:

  • Cost of breach avoided (or estimated)

  • Time to revenue recovery after an incident

  • Customer churn attributable to a security incident

  • Brand impact or contract losses following a breach or non‑compliance

  • Percentage of revenue protected by controls

  • Time to market or new product enabled because security risk was managed

Dashboards should present these in a language executives expect: dollars, days, revenue impact, strategic enablement. Security leaders who are business‑aligned reportedly are eight times more likely to be confident in reporting their organisation’s state of risk.


Frameworks that support alignment

To bridge the gap between security activity and business outcome, various frameworks and approaches help:

  • Use‑case based strategy: Define concrete security use‑cases (e.g., “we protect the digital sales channel from disruption”) and link them directly to business functions.

  • Enterprise architecture alignment: Map security controls into business processes, so protection of critical business services is visible.

  • Risk‑based approach: Rather than “patch everything,” focus on the assets and threats that, if realised, would damage business.

  • Governance and stakeholder structure: Organisations with a security‑business interface (e.g., a BISO) tend to align better.

  • Metric derivation methodologies: Academic work (e.g., the GQM‑based methodology) shows how to trace business goals to security metrics in context.


Communicating to executives/board

Communication is where many security programmes stumble. Here are key pointers:

  • Speak business language: Avoid security jargon; translate into risk reduction, revenue protection, competitive advantage.

  • Use stories + numbers: A well‑chosen anecdote (“What would happen if our customer billing system went down?”) combined with financial impact earns attention.

  • Show progress and lead‑lag metrics: Not just “we did X,” but “here’s what that means for business today and tomorrow.”

  • Link to business drivers: Highlight how security supports strategic initiatives (digital transformation, customer trust, brand, M&A).

  • Frame security as an enabler: “Our investment in security enables us to go to market faster with product Y” rather than “we need money to buy product Z.”

  • Prepare for the uncomfortable: Be ready to answer “How secure are we?” with confidence, backed by data.


Implementation steps

Here is a practical sequence for moving from alignment theory to execution:

  1. Audit your current metrics
    • Catalogue all current security metrics (technical, operational) and gauge how many map to business outcomes.
    • Identify which metrics executives care about (revenue, brand, competitive risk).

  2. Engage business stakeholders
    • Identify key business functions and owners (CIO, CFO, business units) and ask: what keeps you up at night? What business processes are critical?
    • Jointly map which assets/processes support those business functions, and the security risks associated.

  3. Link security programmes to business outcomes
    • For each major initiative, define the business outcome it supports, the risk it mitigates, and the metric you’ll use to show progress.
    • Prioritise initiatives that support high‑value business functions or high‑risk scenarios.

  4. Build business‑centric dashboards
    • Create a dashboard for executives/board that shows metrics like “% of revenue protected”, “estimated downtime cost if outage X occurs”, “time to recovery”.
    • Supplement with strategic commentary (what’s changing, what decisions are required).

  5. Embed continuous feedback and iteration
    • Periodically (quarterly or more) revisit alignment: Are business priorities shifting? Are new threats emerging?
    • Adjust metrics and initiatives accordingly to maintain alignment.

  6. Communicate outcomes, not just activity
    • Present progress in business terms: “Because of our work we reduced our estimated exposure by $X over Y months,” or “We enabled the rollout of product Z with acceptable risk and no delay.”
    • Use these facts to support budget discussions, not just ask for funds.


Conclusion

In today’s constrained environment, simply having a solid firewall or endpoint solution isn’t enough. For security to earn its seat at the table, it must speak the language of business: risk, cost, revenue, growth.
When security teams shift from being defenders of the perimeter to enablers of the enterprise, they unlock greater trust, stronger budgets, and a role that transcends compliance.

If you’re leading a security function today, ask yourself: “When the CFO asks what we achieved last quarter, can I answer in dollars and days, or just number of patches and alerts?” The answer will determine whether you’re seen as a cost centre—or a strategic partner.


More Information & Help

If your organization is struggling to align cybersecurity initiatives with business objectives—or if you need to translate risk into financial impact—MicroSolved, Inc. can help.

For over 30 years, we’ve worked with CISOs, risk teams, boards, and executive leadership to:

  • Design and implement risk-centric, business-aligned cybersecurity strategies

  • Develop security KPIs and dashboards that communicate effectively at the executive level

  • Assess existing security programs for gaps in business alignment and ROI

  • Provide CISO-as-a-Service engagements that focus on strategic enablement, not just compliance

  • Facilitate security-business stakeholder engagement sessions to unify priorities

Whether you need a workshop, a second opinion, or a comprehensive security-business alignment initiative, we’re ready to partner with you.

To start a conversation, contact us at:
📧 info@microsolved.com
🌐 https://www.microsolved.com
📞 +1-614-351-1237

Let’s move security from overhead to overachiever—together.


References

  1. Global Cyber Alliance. “Facing the Challenge: Aligning Cybersecurity and Business.” https://gca.isa.org

  2. Transformative CIO. “Cybersecurity ROI: How to Align Protection and Performance.” https://transformative.cio.com

  3. CDG. “How to Build and Justify Your Cybersecurity Budget.” https://www.cdg.io

  4. Wikipedia. “Gordon–Loeb Model.” https://en.wikipedia.org/wiki/Gordon–Loeb_model

  5. Impact. “Maximizing ROI Through Cybersecurity Strategy.” https://www.impactmybiz.com

  6. SecurityScorecard. “How to Justify Your Cybersecurity Budget.” https://securityscorecard.com

  7. PwC. “Elevating Business Alignment in Cybersecurity Strategies.” https://www.pwc.com

  8. Rivial Security. “Maximizing ROI With a Risk-Based Cybersecurity Program.” https://www.rivialsecurity.com

  9. Arxiv. “Deriving Cybersecurity Metrics From Business Goals.” https://arxiv.org/abs/1910.05263

  10. TechTarget. “Cybersecurity Budget Justification: A Guide for CISOs.” https://www.techtarget.com


Methodology: MailItemsAccessed-Based Investigation for BEC in Microsoft 365

When your organization faces a business-email compromise (BEC) incident, one of the hardest questions is: “What did the attacker actually read or export?” Conventional logs often show only sign-ins or outbound sends, but not the depth of mailbox item access. The MailItemsAccessed audit event in Microsoft 365 Unified Audit Log (UAL) brings far more visibility — if configured correctly. This article outlines a repeatable, defensible process for investigation using that event, from readiness verification to scoping and reporting.


Objective

Provide a repeatable, defensible process to identify, scope, and validate email exposure in BEC investigations using the MailItemsAccessed audit event.


Phase 1 — Readiness Verification (Pre-Incident)

Before an incident hits, you must validate your logging and audit posture. These steps ensure you’ll have usable data.

1. Confirm Licensing

  • Verify your tenant’s audit plan under Microsoft Purview Audit (Standard or Premium).

    • Audit (Standard): default retention 180 days (previously 90).

    • Audit (Premium): longer retention (e.g., 365 days or more), enriched logs.

  • Confirm that your license level supports the MailItemsAccessed event. Many sources state this requires Audit Premium or an E5-level compliance add-on.

2. Validate Coverage

  • Confirm mailbox auditing is on by default for user mailboxes. Microsoft states this for Exchange Online.

  • Confirm that MailItemsAccessed is part of the default audit set (or if custom audit sets exist, that it’s included). According to Microsoft documentation: the MailItemsAccessed action “covers all mail protocols … and is enabled by default for users assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 licence.”

  • For tenants with customised audit sets, ensure the Microsoft defaults are re-applied so that MailItemsAccessed isn’t inadvertently removed.

3. Retention & Baseline

  • Record what your current audit-log retention policy is (e.g., 180 days vs 365 days) so you know how far back you can search.

  • Establish a baseline volume of MailItemsAccessed events—how many are generated from normal activity. That helps define thresholds for abnormal behaviour during investigation.


Phase 2 — Investigation Workflow (During Incident)

Once an incident is underway and you have suspected mailboxes, follow structured investigation steps.

1. Identify Affected Accounts

From your alarm sources (e.g., anomalous sign-in alerts, inbound or outbound rule creation, unusual inbox rules, compromised credentials) compile a list of mailboxes that might have been accessed.

2. Extract Evidence

In the Purview portal, go to Audit and filter for Activity = MailItemsAccessed, specifying a time range that covers the suspected attacker dwell time.
Export the results to CSV via the Unified Audit Log.

3. Correlate Access Sessions

Group the MailItemsAccessed results by key session indicators:

  • ClientIP

  • SessionId

  • UserAgent / ClientInfoString

Flag sessions that show:

  • Unknown or non-corporate IP addresses (e.g., external ASN)

  • Legacy protocols (IMAP, POP, ActiveSync) or bulk-sync behaviour

  • User agents indicating automated tooling or scripting

4. Quantify Exposure

  • Count distinct ItemIds and FolderPaths to determine how many items and which folders were accessed.

  • Look for throttling indicators: for example, more than ~1,000 MailItemsAccessed events in 24 h for a single user may indicate scripted or bulk access.

  • Use the example KQL queries below (see Section “KQL Example Snippets”).

5. Cross-Correlate with Other Events

  • Overlay these results with Send audit events and InboxRule/New-InboxRule events to detect lateral-phish, rule-based fraud or data-staging behaviour.

  • For example, access events followed by mass sends indicate the attacker may have read and then exfiltrated or used the account for fraud.

6. Validate Exfil Path

  • Check the client protocol used by the session. If the client is a REST API, bulk sync or legacy protocol, that may indicate the attacker is exfiltrating rather than simply reading.

  • If MailItemsAccessed shows items accessed using a legacy IMAP/POP or ActiveSync session, that is a red flag for mass download.
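
The session correlation, exposure count and protocol check from Phase 2 (steps 3, 4 and 6), as an added Python example that is not part of the original article. The CSV column names, the AuditData field names (ClientIPAddress, SessionId, ClientInfoString, OperationProperties, Folders/FolderItems, Item.ParentFolder), the corporate IP allow-list and the client-string markers are assumptions to check against your own export; the sample rows are constructed.

```python
import csv
import io
import json
from collections import defaultdict

CORPORATE_IPS = {"198.51.100.10"}                 # hypothetical allow-list of known egress IPs
LEGACY_MARKERS = ("imap4", "pop3", "activesync")  # assumed ClientInfoString substrings
USER = "cfo@example.com"                          # constructed mailbox

def _row(ts, ip, sid, client, access, throttled, body):
    """Build one constructed export row; AuditData carries the JSON audit record."""
    data = {"CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": USER,
            "ClientIPAddress": ip, "SessionId": sid, "ClientInfoString": client,
            "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                    {"Name": "IsThrottled", "Value": throttled}], **body}
    return [ts, USER, "MailItemsAccessed", json.dumps(data)]

def _bind(*folders):
    """Per-item (Bind) payload: folder path plus the message IDs read in it."""
    return {"Folders": [{"Path": p, "FolderItems": [{"InternetMessageId": m} for m in ids]}
                        for p, ids in folders]}

def sample_csv():
    """Constructed sample export, not data from a real tenant."""
    imap = "Client=POP3/IMAP4;Protocol=IMAP4"
    rows = [
        _row("2025-01-06T09:00:00", "198.51.100.10", "s-owa", "Client=OWA", "Bind", "False",
             _bind(("\\Inbox", ["<m1@example.com>"]))),
        _row("2025-01-07T02:10:00", "203.0.113.77", "s-x", imap, "Bind", "False",
             _bind(("\\Inbox", ["<m1@example.com>", "<m2@example.com>"]),
                   ("\\Finance", ["<m3@example.com>"]))),
        _row("2025-01-07T02:12:00", "203.0.113.77", "s-x", imap, "Sync", "True",
             {"Item": {"ParentFolder": {"Path": "\\Finance"}}}),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    writer.writerows(rows)
    return buf.getvalue()

def correlate(csv_text):
    """Group MailItemsAccessed records by (user, client IP, session ID, client string)."""
    sessions = defaultdict(lambda: {"events": 0, "items": set(), "folders": set(),
                                    "sync": False, "throttled": False,
                                    "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operations"] != "MailItemsAccessed":
            continue
        rec = json.loads(row["AuditData"])
        props = {p["Name"]: str(p["Value"]) for p in rec.get("OperationProperties", [])}
        s = sessions[(rec.get("UserId"), rec.get("ClientIPAddress"),
                      rec.get("SessionId"), rec.get("ClientInfoString"))]
        ts = rec["CreationTime"]                  # ISO 8601 strings sort chronologically
        s["events"] += 1
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
        s["sync"] = s["sync"] or props.get("MailAccessType") == "Sync"
        s["throttled"] = s["throttled"] or props.get("IsThrottled", "").lower() == "true"
        for folder in rec.get("Folders", []):
            s["folders"].add(folder.get("Path"))
            for item in folder.get("FolderItems", []):
                s["items"].add(item.get("InternetMessageId") or item.get("Id"))
        parent = rec.get("Item", {}).get("ParentFolder", {}).get("Path")
        if parent:                                # sync records name a folder, not items
            s["folders"].add(parent)
    return dict(sessions)

def report(csv_text):
    """One summary row per session, most heavily flagged first."""
    out = []
    for (user, ip, sid, client), s in correlate(csv_text).items():
        flags = ["non-corporate IP"] if ip not in CORPORATE_IPS else []
        if any(m in (client or "").lower() for m in LEGACY_MARKERS):
            flags.append("legacy protocol")
        if s["sync"]:
            flags.append("bulk sync access")
        if s["throttled"]:
            flags.append("throttled")
        out.append({"user": user, "ip": ip, "session": sid, "events": s["events"],
                    "distinct_items": len(s["items"]), "folders": sorted(s["folders"]),
                    "first": s["first"], "last": s["last"], "flags": flags})
    return sorted(out, key=lambda r: len(r["flags"]), reverse=True)

if __name__ == "__main__":
    for line in report(sample_csv()):
        print(line)
```

The distinct item count covers only items the log names individually; a session flagged for sync or throttling needs its folders scoped separately.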


Phase 3 — Analysis & Scoping

Once raw data is collected, move into analysis to scope the incident.

1. Establish Attack Session Timeline

  • Combine sign-in logs (from Microsoft Entra ID Sign‑in Logs) with MailItemsAccessed events to reconstruct dwell time and sequence.

  • Determine when the attacker first gained access, how long they stayed, and when they left.

2. Define Affected Items

  • Deliver an itemised summary (folder path, count of items, timestamps) of mailbox items accessed.

  • Limit exposure claims to the items you have logged evidence for — do not assume access of the entire mailbox unless logs show it (or you have other forensic evidence).

3. Corroborate with Throttling and Send Events

  • If you see unusually high-volume access plus a spike in Send events or inbox rule changes, you can conclude automated or bulk access occurred.

  • Document IOCs (client IPs, session IDs, user-agent strings) tied to the malicious session.


Phase 4 — Reporting & Validation

After the investigation, report your findings and validate control gaps.

1. Evidence Summary

Your report should document:

  • Tenant license type and retention (Audit Standard vs Premium)

  • Audit coverage verification (mailbox auditing enabled, MailItemsAccessed present)

  • Affected item count, folder paths, session data (IPs, protocol, timeframe)

  • Indicators of compromise (IOCs) and signs of mass or scripted access

2. Limitations

Be transparent about limitations:

  • Upgrading to Audit Premium mid-incident will not backfill missing MailItemsAccessed data for the earlier period. Sources note this gap.

  • If mailbox auditing or default audit-sets were customised (and MailItemsAccessed omitted), you may lack full visibility. Example commentary notes this risk.

3. Recommendations

  • Maintain Audit Premium licensing for at-risk tenants (e.g., high-value executive mailboxes or those handling sensitive data).

  • Pre-stage KQL dashboards to detect anomalies (e.g., bursts of MailItemsAccessed, high counts per hour or per day) so you don’t rely solely on ad-hoc searches.

  • Include audit-configuration verification (licensing, mailbox audit set, retention) in your regular vCISO or governance audit cadence.


KQL Example Snippets

 
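// AuditLogs stands for the table your UAL records are ingested into; adjust the
// table and column names to your workspace schema (for example, Microsoft
// Sentinel's Office 365 connector writes Exchange audit records to OfficeActivity).

// Detect burst read activity per IP/user (more than 100 reads in one hour)
AuditLogs
| where Operation == "MailItemsAccessed"
| summarize Count = count() by UserId, ClientIP, bin(TimeGenerated, 1h)
| where Count > 100

// Detect throttling patterns (scripted or bulk reads: more than 1,000 reads in 24 h)
AuditLogs
| where Operation == "MailItemsAccessed"
| summarize TotalReads = count() by UserId, bin(TimeGenerated, 24h)
| where TotalReads > 1000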


MITRE ATT&CK Mapping

Tactic          | Technique                      | ID
----------------|--------------------------------|----------
Collection      | Email Collection               | T1114.002
Exfiltration    | Exfiltration Over Web Services | T1567.002
Discovery       | Cloud Service Discovery        | T1087.004
Defense Evasion | Valid Accounts (Cloud)         | T1078.004

These mappings illustrate how MailItemsAccessed visibility ties directly into attacker-behaviour frameworks in cloud email contexts.


Minimal Control Checklist

  • Verify Purview Audit plan and retention

  • Validate MailItemsAccessed events present/searchable for a sample of users

  • Ensure mailbox auditing defaults (default audit-set) restored and active

  • Pre-stage anomaly detection queries / dashboards for mailbox-access bursts


Conclusion

When investigating a BEC incident, possession of high-fidelity audit data like MailItemsAccessed transforms your investigation from guesswork into evidence-driven clarity. The key is readiness: licence appropriately, validate your coverage, establish baselines, and when a breach occurs follow a structured workflow from extraction to scoping to reporting. Without that groundwork your post-incident forensics may hit blind spots. But with it you increase your odds of confidently quantifying exposure, attributing access and closing the loop.

Prepare, detect, dissect—repeatably.


References

  1. Microsoft Learn: Manage mailbox auditing – “Mailbox audit logging is turned on by default in all organizations.”

  2. Microsoft Learn: Use MailItemsAccessed to investigate compromised accounts – “The MailItemsAccessed action … is enabled by default for users that are assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 license.”

  3. Microsoft Learn: Auditing solutions in Microsoft Purview – licensing and search prerequisites.

  4. Office365ITPros: Enable MailItemsAccessed event for Exchange Online – “Purview Audit Premium is included in Office 365 E5 and … Audit (Standard) is available to E3 customers.”

  5. TrustedSec blog: MailItemsAccessed woes – “According to Microsoft, this event is only accessible if you have the Microsoft Purview Audit (Premium) functionality.”

  6. Practical365: Microsoft’s slow delivery of MailItemsAccessed audit event – retention commentary.

  7. O365Info: Manage audit log retention policies – up to 10 years for Premium.

  8. Office365ITPros: Mailbox audit event ingestion issues for E3 users.

  9. RedCanary blog: Entra ID service principals and BEC – “MailItemsAccessed is a very high volume record …”
