TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

One MSP, Three Microsoft 365 Compromises, 72 Hours | Huntress

2023-06-27

ATT&CK techniques detected

11 predictions
T1586.002 Email Accounts
58%
"firm - building contractor - retail store and distributor this series of back-to-back incidents highlights the widespread and frequent nature of microsoft 365 compromises that msps are facing today. the common theme: inbox rule manipulation adversaries abuse email inbox rule…"
T1078.004 Cloud Accounts
53%
"one msp, three microsoft 365 compromises, 72 hours | huntress huntress has been hunting malicious actors across 50,000+ user accounts for 1,500+ small businesses enrolled in our managed identity threat detection and response (itdr) product. as itdr for microsoft 365 moves i…"
T1114.003 Email Forwarding Rule
52%
"noteworthy as the law firm specializes in automobile-related cases. prior to the inbox rule that redirected emails into the rss feeds folder, huntress identified the following activity: - the law firm employee logged in from both michigan and new york in quick succession - the…"
T1098.002 Additional Email Delegate Permissions
50%
"to the rss feeds folder for this user. digging deeper into the data, we can see that the user consistently signs in from the same places, with the us state of virginia being an anomalous location. when filtering on user actions taken from virginia, we quickly correlate the anomalo…"
T1534 Internal Spearphishing
43%
"firm - building contractor - retail store and distributor this series of back-to-back incidents highlights the widespread and frequent nature of microsoft 365 compromises that msps are facing today. the common theme: inbox rule manipulation adversaries abuse email inbox rule…"
T1564.008 Email Hiding Rules
39%
"noteworthy as the law firm specializes in automobile-related cases. prior to the inbox rule that redirected emails into the rss feeds folder, huntress identified the following activity: - the law firm employee logged in from both michigan and new york in quick succession - the…"
T1114.003 Email Forwarding Rule
37%
"firm - building contractor - retail store and distributor this series of back-to-back incidents highlights the widespread and frequent nature of microsoft 365 compromises that msps are facing today. the common theme: inbox rule manipulation adversaries abuse email inbox rule…"
T1586.002 Email Accounts
37%
"noteworthy as the law firm specializes in automobile-related cases. prior to the inbox rule that redirected emails into the rss feeds folder, huntress identified the following activity: - the law firm employee logged in from both michigan and new york in quick succession - the…"
T1586.002 Email Accounts
34%
"to the rss feeds folder for this user. digging deeper into the data, we can see that the user consistently signs in from the same places, with the us state of virginia being an anomalous location. when filtering on user actions taken from virginia, we quickly correlate the anomalo…"
T1564.008 Email Hiding Rules
32%
"firm - building contractor - retail store and distributor this series of back-to-back incidents highlights the widespread and frequent nature of microsoft 365 compromises that msps are facing today. the common theme: inbox rule manipulation adversaries abuse email inbox rule…"
T1586.002 Email Accounts
31%
"one msp, three microsoft 365 compromises, 72 hours | huntress huntress has been hunting malicious actors across 50,000+ user accounts for 1,500+ small businesses enrolled in our managed identity threat detection and response (itdr) product. as itdr for microsoft 365 moves i…"

Summary

Discover how Huntress Managed Identity Threat Detection and Response identified three business email compromise (BEC) attacks within 72 hours of each other.