Applying Neural Topic Modeling to Detect Anomalous Permission Requests in Microsoft 365 Applications

Microsoft 365 is a comprehensive suite of productivity tools that offers users a variety of services over the cloud. A significant advantage of Microsoft 365 is its ability to generate private cloud environments for organizations, called tenants or directories, where users have their own identities, can access their data, and collaborate with each other in a controlled environment. Applications are a key component for improving productivity and enhancing collaboration within tenants. They can request a set of permissions theoretically required to perform their intended functionalities. These permissions allow the applications to get read or write access to various tenant’s resources such as user information, calendars, files, mailbox, and more. Consequently, the misuse of these permissions may represent a potential entry point for attackers who may compromise an existing application with excessive permissions or develop a malicious application to access sensitive data or perform unauthorized actions. This research aims to intersect the applications’ intents with the permissions they request to identify potentially anomalous applications. For instance, a calendar manager application requesting permissions to access users’ files or mailboxes could be considered anomalous. We first put significant efforts into collecting a dataset of applications with required permissions and their descriptions. Indeed, a major challenge in this context was the limited availability of data and labelled samples due to the restricted and fragmented nature of Microsoft 365 environments. Once the dataset was collected, we leveraged Neural Topic Modelling techniques to extract the intents of applications from their descriptions and clustering them based on the identified topics. At the end, a mixed unsupervised-supervised approach is proposed to build a model capable of identifying applications with potentially anomalous permission requests within the same topic.