This alert indicates the detection of rare and potentially high-risk Office 365 operations within your environment. Such operations are uncommon and may suggest malicious activity, such as privilege escalation, account compromise, or malicious automation. The previous alert about rare subscription-level operations further underscores unusual activity at the tenant or subscription level, increasing suspicion.
Assessment:
1. **Investigate the specific Office operations:**
   - Use the `OfficeActivity` table to identify the exact operations flagged as rare/high-risk.
   - Check for unusual patterns, such as mass file access, sharing, or administrative actions.
2. **Examine sign-in activity:**
   - Use the `SigninLogs` table to identify suspicious sign-ins associated with the user accounts involved, especially from unfamiliar locations or devices.
3. **Verify account integrity:**
   - Confirm whether the accounts involved have MFA enabled and check for recent password resets or suspicious changes.
4. **Assess related Azure activity:**
   - Review recent subscription-level operations and resource modifications to identify further anomalies.
5. **Isolate and remediate:**
   - If malicious activity is confirmed, disable or reset affected accounts, revoke suspicious permissions, and apply necessary patches or mitigations related to CVE-2025-47733.
- **Detect (D1):** Implement monitoring for Office macro execution and document access.
- **Disrupt (D4):** Disable macros or scripting in Office applications where not needed.
- **Prevent (P1):** Enforce application whitelisting and restrict Office operations to trusted sources.
- **Deceive (D2):** Use decoy documents to detect malicious macro activity.
- **Recover (R1):** Ensure backups of critical documents are available for restoration if needed.
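Steps 1 to 3 above can be run as a single Sentinel hunting query that baselines Office operations, flags the rare ones, and correlates them with the actors' sign-ins and MFA status. This is an added example, not part of the original alert; it assumes the standard `OfficeActivity` and `SigninLogs` schemas, and the rarity threshold and time windows are constructed values to tune per tenant.

```kql
// Baseline: how often each Office 365 operation occurred, and by how many users,
// over the prior 30 days (excluding the most recent day under investigation).
let lookback = 30d;
let recent = 1d;
let rare_threshold = 5;          // assumed value: tune to tenant size
let baseline = OfficeActivity
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | summarize BaselineCount = count(), BaselineUsers = dcount(UserId) by Operation;
// Recent operations that were rare or entirely unseen during the baseline window.
let rareOps = OfficeActivity
    | where TimeGenerated > ago(recent)
    | join kind=leftouter baseline on Operation
    | extend BaselineCount = coalesce(BaselineCount, 0),
             BaselineUsers = coalesce(BaselineUsers, 0)
    | where BaselineCount < rare_threshold
    | project OpTime = TimeGenerated, Actor = tolower(UserId), Operation, OfficeWorkload,
              ClientIP, ResultStatus, BaselineCount, BaselineUsers;
// Sign-ins for the same accounts; AuthenticationRequirement carries the MFA indicator (step 3).
let signins = SigninLogs
    | where TimeGenerated > ago(recent) - 2h
    | project SigninTime = TimeGenerated, Actor = tolower(UserPrincipalName),
              IPAddress, Location, ResultType, AppDisplayName, AuthenticationRequirement;
rareOps
| join kind=leftouter signins on Actor
// Keep sign-ins within two hours of the operation; keep operations with no sign-in at all,
// since a missing interactive sign-in can itself point to token replay or automation.
| where isnull(SigninTime)
    or abs(datetime_diff('minute', OpTime, SigninTime)) <= 120
| extend NoMfa = (AuthenticationRequirement == "singleFactorAuthentication"),
         // ClientIP may carry a port suffix for some workloads; normalise before comparing.
         IpMismatch = isnotempty(IPAddress) and isnotempty(ClientIP)
                      and tostring(split(ClientIP, ":")[0]) != IPAddress
| summarize Operations = make_set(Operation), FirstSeen = min(OpTime), LastSeen = max(OpTime),
            ClientIPs = make_set(ClientIP), SigninIPs = make_set(IPAddress),
            SigninLocations = make_set(Location), SingleFactorSignins = countif(NoMfa),
            IpMismatches = countif(IpMismatch)
    by Actor
| order by SingleFactorSignins desc, IpMismatches desc
```

Actors at the top of the result (rare operations, single-factor sign-ins, and operation IPs that do not match their sign-in IPs) are the ones to take into steps 4 and 5.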