“tactic exploited by threat actors is manipulating mail delivery using inbox rules and mail forwarding techniques. After an unwanted login occurs, these shadow workflows are often leveraged to exfiltrate sensitive data and to obfuscate emails from the intended recipient by moving …”
T1078.004 Cloud Accounts
73%
“functionality. Integrating a Microsoft 365 tenant now takes less than 90 seconds. As a result of these improvements, over 90% of onboarding processes are now completed without any issues. We know that isn’t 100% yet, but when issues do arise, we solve them in less than 48 hou…”
T1078 Valid Accounts
67%
“- Weekly cadence of reports for users with compromised credentials, detected as successful username/password, new and suspect location, with or without VPN, but failed MFA. Higher risk detections will still be actioned and reported on immediately. - Proactive communication to p…”
T1078.004 Cloud Accounts
59%
“- Weekly cadence of reports for users with compromised credentials, detected as successful username/password, new and suspect location, with or without VPN, but failed MFA. Higher risk detections will still be actioned and reported on immediately. - Proactive communication to p…”
T1566.002 Spearphishing Link
56%
“a result, we invested significant research into fully understanding this technique and the massive number of offensive sub-techniques that can lead to an unwanted login. Our tech behind this capability starts by parsing Microsoft 365 audit logs and enriching these events with i…”
T1078.004 Cloud Accounts
48%
“and the Azure SDK. Each approach varies greatly in observability, and similar shady actions produce different indicators based on the access method. Recently released offensive security frameworks like GraphRunner show the power of these alternative access methods. We have priori…”
T1564.008 Email Hiding Rules
45%
“tactic exploited by threat actors is manipulating mail delivery using inbox rules and mail forwarding techniques. After an unwanted login occurs, these shadow workflows are often leveraged to exfiltrate sensitive data and to obfuscate emails from the intended recipient by moving …”
T1111 Multi-Factor Authentication Interception
33%
“a result, we invested significant research into fully understanding this technique and the massive number of offensive sub-techniques that can lead to an unwanted login. Our tech behind this capability starts by parsing Microsoft 365 audit logs and enriching these events with i…”
T1586.002 Email Accounts
33%
“tactic exploited by threat actors is manipulating mail delivery using inbox rules and mail forwarding techniques. After an unwanted login occurs, these shadow workflows are often leveraged to exfiltrate sensitive data and to obfuscate emails from the intended recipient by moving …”
Summary
An update on our MDR for Microsoft 365 product, some recent improvements, and what fixes and features are coming soon.