Next-Gen IR: Swisscom’s Framework for Microsoft 365

Microsoft 365 has become a cornerstone of enterprise productivity — and a growing target for sophisticated cyber threats. In this talk, we’ll explore how Swisscom’s B2B CSIRT has optimised the incident response process for Microsoft 365 through automation and expert-driven detection logic.

We’ll introduce Swisscom’s Next-Gen IR automation framework, which enables rapid, secure collection of forensic logs by registering a dedicated application in the customer’s tenant with appropriate permissions. This automation significantly accelerates the start of investigations and ensures comprehensive visibility across M365 workloads.

Once data is collected, it’s analysed through a set of continuously updated detection rules, crafted and maintained by Swisscom’s B2B CSIRT analysts. These rules identify key threat patterns — from account takeovers to malicious app registrations — enabling faster triage and more accurate investigations.
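To make the detection stage concrete, here is an added example of the kind of analyst-written rules the paragraph describes. It is not Swisscom's framework or its rule set; it is illustrative code written for this page. It runs three rules over constructed records shaped like Unified Audit Log entries (the CreationDate, UserId, Operation, Workload and ClientIP field names and the operation names such as New-InboxRule and "Consent to application." follow the real log; the nested Parameters dict, the users, IPs and the baseline of known IPs are all constructed). Two rules look at single records (an inbox rule that hides or diverts mail, an application consent or registration), and one correlates a sequence: a sign-in from an IP outside the user's baseline followed within an hour by a persistence action from that same IP, which is the account-takeover pattern the talk refers to.

```python
"""Detection rules over Microsoft 365 Unified Audit Log style records.
Added example for this page, not Swisscom's code; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one compromised user (alice) and one benign user (bob).
SAMPLE_RECORDS = [
    {"CreationDate": "2025-03-01T08:01:00", "UserId": "alice@example.com",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.7", "Parameters": {}},
    {"CreationDate": "2025-03-01T08:05:00", "UserId": "alice@example.com",
     "Operation": "New-InboxRule", "Workload": "Exchange", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": ".", "DeleteMessage": "True",
                    "SubjectContainsWords": "invoice;password"}},
    {"CreationDate": "2025-03-01T08:20:00", "UserId": "alice@example.com",
     "Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.7",
     "Parameters": {"AppDisplayName": "MailSync Helper",
                    "ConsentAction.Permissions": "Mail.ReadWrite offline_access"}},
    {"CreationDate": "2025-03-01T09:00:00", "UserId": "bob@example.com",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.20", "Parameters": {}},
    {"CreationDate": "2025-03-01T09:10:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule", "Workload": "Exchange", "ClientIP": "198.51.100.20",
     "Parameters": {"Name": "Archive newsletters", "MoveToFolder": "Newsletters"}},
]
# Per-user IPs seen during a baseline period (constructed).
KNOWN_IPS = {"alice@example.com": {"198.51.100.10"},
             "bob@example.com": {"198.51.100.20"}}

APP_OPS = {"Consent to application.", "Add service principal.", "Add application."}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
RISKY_RULE_PARAMS = {"DeleteMessage", "MarkAsRead", "ForwardTo",
                     "ForwardAsAttachmentTo", "RedirectTo"}
MAIL_SCOPE_PREFIXES = ("Mail.", "MailboxSettings.", "offline_access")


def _finding(rule, rec, severity, detail):
    return {"rule": rule, "severity": severity, "user": rec["UserId"],
            "time": rec["CreationDate"], "ip": rec["ClientIP"], "detail": detail}


def rule_suspicious_inbox_rule(rec):
    """Inbox rules that delete, hide or divert mail, or carry a name meant to be overlooked."""
    if rec["Operation"] not in RULE_OPS:
        return None
    params = rec.get("Parameters", {})
    hits = sorted(k for k in params if k in RISKY_RULE_PARAMS)
    if not params.get("Name", "").strip(" .,;:-_"):  # blank or punctuation-only name
        hits.append("Name")
    if not hits:
        return None
    return _finding("suspicious_inbox_rule", rec, "medium", {"params": hits})


def rule_app_consent(rec):
    """Any new application, service principal or consent grant; mail scopes raise severity."""
    if rec["Operation"] not in APP_OPS:
        return None
    params = rec.get("Parameters", {})
    perms = params.get("ConsentAction.Permissions", "")
    mail = any(p.startswith(MAIL_SCOPE_PREFIXES) for p in perms.split())
    return _finding("app_consent", rec, "high" if mail else "medium",
                    {"app": params.get("AppDisplayName", "?"), "permissions": perms})


def rule_login_then_persistence(records, known_ips, window_minutes=60):
    """Sign-in from an IP outside the user's baseline, followed within the window
    by a persistence action (inbox rule or app consent) from that same IP."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["UserId"]].append(rec)
    findings, window = [], timedelta(minutes=window_minutes)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["CreationDate"])  # ISO timestamps sort as strings
        for i, login in enumerate(recs):
            if login["Operation"] != "UserLoggedIn" or login["ClientIP"] in known_ips.get(user, set()):
                continue
            t0 = datetime.fromisoformat(login["CreationDate"])
            chain = [r["Operation"] for r in recs[i + 1:]
                     if r["Operation"] in RULE_OPS | APP_OPS
                     and r["ClientIP"] == login["ClientIP"]
                     and datetime.fromisoformat(r["CreationDate"]) - t0 <= window]
            if chain:
                findings.append(_finding("login_then_persistence", login, "high",
                                         {"followed_by": chain}))
    return findings


def run_rules(records, known_ips):
    """Apply per-record and sequence rules; return findings sorted by time (a timeline)."""
    findings = []
    for rec in records:
        for rule in (rule_suspicious_inbox_rule, rule_app_consent):
            f = rule(rec)
            if f:
                findings.append(f)
    findings.extend(rule_login_then_persistence(records, known_ips))
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in run_rules(SAMPLE_RECORDS, KNOWN_IPS):
        print(f["time"], f["severity"].upper(), f["rule"], f["user"], f["ip"], f["detail"])
```

On the constructed data, bob's housekeeping rule and sign-in from a known IP produce nothing, while alice yields three findings in time order, which is already a usable skeleton of the attacker timeline: the unfamiliar sign-in chained to the two persistence actions, the punctuation-named rule that deletes mail matching "invoice" and "password", and the consent grant to an app with Mail.ReadWrite. In a real deployment the known-IP baseline would come from a historical export rather than a hard-coded dict, and the operation names above should be checked against the tenant's actual log schema before relying on them.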

To bring this to life, we’ll walk through a real-world case of a Microsoft 365 compromise, showcasing how the automation and detection rules were used to quickly uncover the attacker’s activity, reconstruct the timeline, and guide the customer through targeted remediation.

Whether you’re defending Microsoft 365 environments today or preparing for tomorrow’s threats, this session offers a real-world view into modern, efficient, and intelligent cloud incident response.

About the speaker

Angelo Violetti

B2B CSIRT Analyst at Swisscom
Angelo Violetti is a cybersecurity professional with over 5 years of experience in digital forensics and incident response. His technical skills focus primarily on ransomware threats, Azure/M365 investigations, and tracking adversary infrastructure. He has spoken at BTV Defcon, the SANS Ransomware Summit and Swiss Cyber Storm, and contributes to The DFIR Report. Angelo holds certifications including GCFA and CRTO, as well as others in malware analysis and cloud security.
Copyright © 2025 Swiss Cyber Storm
Hosting graciously provided for free by Nine