“…email. Then, messages were marked as read and moved to Deleted Items. Once that was in place, the threat actor went through the step of adding another app to manage email. This time it was newsletter software SuperMailer, another legitimate app that’s great for sending mass amo…”
T1078.004 Cloud Accounts (54%)
“…Legitimate Apps as Traitorware for Persistent Microsoft | Huntress. The idea of “persistence” in a cloud environment is not a well-studied topic. At most, you hear instances of the attacker creating backup logins to maintain their long-term presence in a cloud environment. T…”
T1525 Implant Internal Image (49%)
“…factor authentication, this would have made our threat actor’s job much more difficult. - Normal users should not be allowed to add new apps. This is like allowing any user to install any application on their PC — you never know what they will install. In Microsoft 365, this is…”
T1525 Implant Internal Image (31%)
“…with the “openid” scope and gives the app access to the user’s primary email address. - “openid” - This indicated the app signed in by using OpenID Connect. It allows the app to get a unique identifier for the user (a sub claim), which can then be used to acquire identi…”
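The excerpts above describe the same pattern from two sides: an attacker persisting by having a standard user consent to a legitimate mail app (the SuperMailer excerpt), and the mitigation that normal users should not be able to add apps at all, with a breakdown of what each granted scope actually permits (the "openid" excerpt). The detection a practitioner would want sits between those two: triage of "Consent to application." events from the Microsoft 365 Unified Audit Log, flagging consents that a non-admin granted and that include mail or refresh-token scopes. The block below is an added example written for this page, not code from the Huntress post. The record shape (Operation, UserId, ObjectId, ModifiedProperties with ConsentContext.IsAdminConsent and ConsentAction.Permissions) is modelled on how that event appears in Search-UnifiedAuditLog output, but the exact property names and the "Scope: ..." text format are assumptions here, the scope watch-list is a constructed starting point, and all sample records are constructed rather than real telemetry.

```python
"""Triage OAuth app consents from Microsoft 365 Unified Audit Log records.

Added example, not from the Huntress post. Field names are modelled on the
"Consent to application." event but are an assumption; sample records below
are constructed.
"""
import re

# Delegated scopes that let a third-party app read, send or reorganise mail
# (IMAP/POP/SMTP included, since "legitimate email apps" often use those).
# Constructed watch-list; extend it for your tenant.
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send",
}
# offline_access yields a refresh token, so the app keeps working after the
# user signs out: the "persistence" the excerpts are about.
PERSISTENCE_SCOPES = {"offline_access"}

# Assumed text layout of ConsentAction.Permissions:
# "[] => [[Id: ..., ClientId: ..., Scope: openid Mail.Send, CreatedDateTime: ...]]"
_SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def modified_properties(record):
    """Flatten the ModifiedProperties list into {Name: NewValue}."""
    return {p["Name"]: p["NewValue"] for p in record.get("ModifiedProperties", [])}


def scopes_from_permissions(new_value):
    """Extract the space-separated scope list from the permissions text."""
    m = _SCOPE_RE.search(new_value)
    return set(m.group(1).split()) if m else set()


def assess_consent(record):
    """Return a verdict dict for a consent event, or None for other operations."""
    if record.get("Operation") != "Consent to application.":
        return None
    props = modified_properties(record)
    scopes = scopes_from_permissions(props.get("ConsentAction.Permissions", ""))
    admin_consent = props.get("ConsentContext.IsAdminConsent") == "True"
    mail = sorted(scopes & MAIL_SCOPES)
    persistent = bool(scopes & PERSISTENCE_SCOPES)

    reasons = []
    if mail:
        reasons.append("mail access: " + ", ".join(mail))
    if persistent:
        reasons.append("offline_access: refresh token outlives the session")
    if not admin_consent:
        reasons.append("granted by a user, not an admin")

    # Mail access that a user self-approved, or that persists via refresh
    # token, is the traitorware pattern; openid/profile alone only identifies
    # the user and does not touch the mailbox.
    if mail and (persistent or not admin_consent):
        verdict = "high"
    elif mail or persistent:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "app": record.get("ObjectId"),  # assumed to carry the app display name
        "scopes": sorted(scopes),
        "admin_consent": admin_consent,
        "verdict": verdict,
        "reasons": reasons,
    }


def triage(records):
    """Assess every record and keep only the consent events."""
    return [r for r in (assess_consent(rec) for rec in records) if r is not None]


# Constructed sample records (not real telemetry); GUIDs are placeholders.
SAMPLE_RECORDS = [
    {   # standard user consents to a mass-mailer with mail + refresh scopes
        "CreationTime": "2022-08-10T14:02:11",
        "Operation": "Consent to application.",
        "UserId": "j.doe@example.com",
        "ObjectId": "SuperMailer",
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions", "NewValue":
             "[] => [[Id: 11111111-1111-1111-1111-111111111111, "
             "ClientId: 22222222-2222-2222-2222-222222222222, "
             "Scope: openid profile email offline_access Mail.ReadWrite Mail.Send, "
             "CreatedDateTime: 2022-08-10T14:02:10, ExpiryTime: ]]"},
        ],
    },
    {   # admin-approved line-of-business app with identity-only scopes
        "CreationTime": "2022-08-10T09:15:00",
        "Operation": "Consent to application.",
        "UserId": "admin@example.com",
        "ObjectId": "Example Expense App",
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
            {"Name": "ConsentAction.Permissions", "NewValue":
             "[] => [[Id: 33333333-3333-3333-3333-333333333333, "
             "Scope: User.Read openid profile, CreatedDateTime: 2022-08-10T09:14:59]]"},
        ],
    },
    {   # user consent, but openid/profile/email only: identity, not mailbox access
        "CreationTime": "2022-08-11T08:40:22",
        "Operation": "Consent to application.",
        "UserId": "a.smith@example.com",
        "ObjectId": "Example Survey Tool",
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions", "NewValue":
             "[] => [[Id: 44444444-4444-4444-4444-444444444444, "
             "Scope: openid profile email, CreatedDateTime: 2022-08-11T08:40:21]]"},
        ],
    },
    {"CreationTime": "2022-08-11T08:41:00", "Operation": "Add service principal.",
     "UserId": "a.smith@example.com", "ObjectId": "Example Survey Tool"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["verdict"].upper(), hit["user"], "->", hit["app"],
              "|", "; ".join(hit["reasons"]) or "no findings")
```

Run as a script it prints one line per consent, so the SuperMailer grant surfaces as HIGH while the admin-approved and identity-only grants stay LOW. The excerpt's recommendation that normal users should not be able to add apps corresponds to restricting or disabling user consent for applications in the Entra ID admin center; once that is in place, any remaining non-admin consent in these logs is itself worth investigating.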
Summary
Dive into how Huntress caught a threat actor adding several legitimate email apps to maintain persistent access to a compromised Microsoft 365 environment.