“but require multi-factor authentication for any attempted logins that come from outside of the headquarters. The building blocks for these rules are simple if-then statements; “if a user wants access, then this must occur first.” There are tons of rules that you can implem…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1556.006 Modify Authentication Process: Multi-Factor Authentication (80%)
“LogonError field. Let’s think about this for a moment: a user tried to log in, entered their first factor of authentication correctly, but was then stopped by a conditional access policy. In most cases, authentication follows the standard “username and password -> MFA (if e…”
T1090.003 Proxy: Multi-hop Proxy (59%)
“The Trade: VPNs, Proxies, and Anonymizers. According to reports from our SOC, about 75% of observed account takeovers and nefarious hacker shadiness originate from VPNs and proxies. VPNs and proxies are different technologies but are similar in how they impact our partners. VPNs…”
T1078.004 Valid Accounts: Cloud Accounts (57%)
“and the user identity has been observed enough to identify a pattern of life … - … and the blocked login is coming from somewhere besides their usual location!” While not foolproof, this is a major evolution from how we combat initial access. This is a signal derived from the no…”
T1090.002 Proxy: External Proxy (53%)
“static IP address. We use the data provided by Spur to see if the IP addresses attached to user activity have any attributes of interest. For example, we now can see if this IP comes from a VPN provider, Tor node, known botnet, or cloud service provider. We can also tell if the i…”
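The three excerpts above describe one detection idea in pieces: a login whose first factor was accepted but which a conditional access policy then blocked (the LogonError excerpt), a per-user "pattern of life" that the blocked login falls outside of, and IP enrichment that flags VPN, Tor, botnet or hosting addresses. The block below is an added example that stitches those pieces together over a handful of constructed audit records; it is not Huntress code, the record field names (`UserId`, `Operation`, `ClientIP`, `LogonError`) and the `BlockedByConditionalAccess` value are modeled on the shape of Microsoft 365 audit events but are assumptions here, and the enrichment table is a made-up stand-in for a feed like Spur, not its schema.

```python
from collections import defaultdict

# Constructed sample of Microsoft 365 sign-in records. The field names follow the
# general shape of Unified Audit Log UserLoggedIn / UserLoginFailed events, but
# every value here is made up for the example.
SAMPLE_EVENTS = [
    {"UserId": "alice@example.com", "Operation": "UserLoggedIn",    "ClientIP": "203.0.113.10", "LogonError": ""},
    {"UserId": "alice@example.com", "Operation": "UserLoggedIn",    "ClientIP": "203.0.113.10", "LogonError": ""},
    {"UserId": "alice@example.com", "Operation": "UserLoggedIn",    "ClientIP": "203.0.113.11", "LogonError": ""},
    {"UserId": "bob@example.com",   "Operation": "UserLoggedIn",    "ClientIP": "203.0.113.20", "LogonError": ""},
    # Password was correct, but a conditional access policy stopped the login.
    {"UserId": "alice@example.com", "Operation": "UserLoginFailed", "ClientIP": "198.51.100.7", "LogonError": "BlockedByConditionalAccess"},
    # Same situation, this time from a Tor exit.
    {"UserId": "bob@example.com",   "Operation": "UserLoginFailed", "ClientIP": "192.0.2.99",   "LogonError": "BlockedByConditionalAccess"},
    # Wrong password: first factor failed, so no evidence the attacker holds the credential.
    {"UserId": "bob@example.com",   "Operation": "UserLoginFailed", "ClientIP": "192.0.2.99",   "LogonError": "InvalidUserNameOrPassword"},
    # Blocked by conditional access, but from an untagged IP in the user's usual country.
    {"UserId": "alice@example.com", "Operation": "UserLoginFailed", "ClientIP": "203.0.113.50", "LogonError": "BlockedByConditionalAccess"},
]

# Constructed IP enrichment table standing in for a commercial feed such as Spur.
# The attribute names ("tags", "static", "country") are an assumption for this example.
IP_INTEL = {
    "203.0.113.10": {"tags": set(),   "static": True,  "country": "US"},
    "203.0.113.11": {"tags": set(),   "static": True,  "country": "US"},
    "203.0.113.20": {"tags": set(),   "static": True,  "country": "US"},
    "203.0.113.50": {"tags": set(),   "static": False, "country": "US"},
    "198.51.100.7": {"tags": {"VPN"}, "static": False, "country": "NL"},
    "192.0.2.99":   {"tags": {"TOR"}, "static": False, "country": "DE"},
}

ANONYMIZER_TAGS = {"VPN", "PROXY", "TOR", "BOTNET", "HOSTING"}
CA_BLOCKED = "BlockedByConditionalAccess"   # assumed LogonError value for a CA block
MIN_BASELINE_LOGINS = 3                      # successful logins needed before a pattern of life is trusted


def build_baseline(events, intel):
    """Per-user pattern of life: countries seen on successful logins, plus the login count."""
    countries = defaultdict(set)
    logins = defaultdict(int)
    for ev in events:
        if ev["Operation"] != "UserLoggedIn":
            continue
        logins[ev["UserId"]] += 1
        country = intel.get(ev["ClientIP"], {}).get("country")
        if country:
            countries[ev["UserId"]].add(country)
    return {u: {"countries": countries[u], "logins": logins[u]} for u in logins}


def score_event(ev, baseline, intel):
    """Return the reasons an event looks like an attacker holding a valid credential, or []."""
    # Only the "password accepted, conditional access said no" case carries the signal.
    if not (ev["Operation"] == "UserLoginFailed" and ev["LogonError"] == CA_BLOCKED):
        return []
    reasons = ["first factor accepted, then blocked by conditional access"]
    info = intel.get(ev["ClientIP"], {"tags": set(), "static": False, "country": None})
    anon = info["tags"] & ANONYMIZER_TAGS
    if anon:
        reasons.append("source IP tagged " + ",".join(sorted(anon)))
    user = baseline.get(ev["UserId"])
    if (user and user["logins"] >= MIN_BASELINE_LOGINS
            and info["country"] and info["country"] not in user["countries"]):
        reasons.append(f"country {info['country']} outside user's baseline {sorted(user['countries'])}")
    return reasons


def find_suspicious(events, intel):
    """Alert on CA-blocked logins that also have an anonymizer tag or an out-of-pattern location."""
    baseline = build_baseline(events, intel)
    hits = []
    for ev in events:
        reasons = score_event(ev, baseline, intel)
        # The CA block alone is noise (users travel, policies misfire); require a second reason.
        if len(reasons) > 1:
            hits.append((ev["UserId"], ev["ClientIP"], reasons))
    return hits


if __name__ == "__main__":
    for user, ip, reasons in find_suspicious(SAMPLE_EVENTS, IP_INTEL):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

Two design choices carry the weight. First, a failed login with the wrong password is deliberately ignored: the excerpt's point is that a conditional access block after a correct password means the attacker already has the credential, which is a different severity from a guess. Second, the location check only fires once a user has enough successful logins to have a baseline at all; with too little history every login is "unusual" and the alert is worthless.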
T1078 Valid Accounts (51%)
“that the action film superstar is a threat actor and they are on their way to take over your account. If they get a hold of your email, they can intercept and reroute invoices, steal money, and generally wreak havoc and mayhem on unsuspecting business owners. At Huntress, it’s …”
T1090.002 Proxy: External Proxy (45%)
“The Trade: VPNs, Proxies, and Anonymizers. According to reports from our SOC, about 75% of observed account takeovers and nefarious hacker shadiness originate from VPNs and proxies. VPNs and proxies are different technologies but are similar in how they impact our partners. VPNs…”
T1078 Valid Accounts (45%)
“close to the start of the attack as possible. I’m excited to share some of the challenges and advancements we’ve made recently to help us detect and deter shady hackers early in their campaigns. I also want to share the way forward and the work that remains to be done. The TL…”
T1078.004 Valid Accounts: Cloud Accounts (39%)
“Combating Emerging Microsoft 365 Tradecraft: Initial Access | Huntress. At Huntress, we wake up every morning, pour our caffeinated or decaffeinated beverage of choice, sit down at our desks, and ask the same question: “How can we turn cybercriminals into examples today?” My n…”
T1078.001 Valid Accounts: Default Accounts (36%)
“are all closely related in terms of impact to our partners and worth our scrutiny. Here’s a small sample of anonymous VPN and proxy activity from our logs: our assumption here is that while you can’t say with certainty that VPN, proxy, or anonymizer usage is a sure sign of h…”
T1078.004 Valid Accounts: Cloud Accounts (35%)
“what you’re actually solving for is malicious initial access. But impossible travel, with all of its nuance and complexity, can still signal that evil is afoot. So it is our next mountain to climb. Our solution is in the works. More to come on this topic soon! Wrap up at the st…”
Summary
Threats evolve, and so does Huntress. Let’s talk about evolving our approach to hitting the hackers where it hurts on Microsoft 365.