Email Threat Hunting


Evelio Olivo

Aug 3, 2024, 5:01:33 PM
to bolimouwor

If the curl command leaves a unique and obvious user agent behind, are there other (malicious) tools that leave a unique user agent, in a Microsoft 365 context, that are indicative of malevolence?

Installed across more than 2 million endpoints, and monitoring 50,000+ email accounts across 1,500 small businesses, the Huntress SOC squad is spoiled for choice when it comes to telemetry. Quite literally, think of what you want to find and diving into our data lake you will find it. And similar to the archer, to ultimately propel our weapons forward to engage our adversarial target, we must first draw backward and prepare ourselves; what are we trying to accomplish here?

In our Huntress telemetry, we filter for this with the following search: user_agent.original.text: "Azsdk", and we identify some rather interesting territories associated with this user agent.

From there, we dug deeper into what tool this user agent came from (no points for guessing a Python package). The user agent comes from the Microsoft-blessed Python library here and has been associated with malicious activity reported by Alice Klimovitsky in May 2023.

For example, take our "Sales" friend, who consistently authenticated from Belgium only to then anomalously authenticate with the Azsdk-python user agent from Korea.

Or our dear friend "Po" whose Azsdk-python authentication was associated with an Indonesian public IPv4 with a penchant for attempting to sign in as a myriad of accounts.

This also demonstrates the benefit of collecting and storing raw traversable telemetry. Once we identified that these particular IPv4 addresses are malicious, we can then pivot and start to look at what else they have been up to, and whether they have had successful authentications elsewhere, and all because we have held onto the telemetry.

From this one hypothesis-driven threat hunt, we issued a number of true positive reports advising our community members of business email compromise, and a suite of remediation strategies to evict the adversary, restore trust to the account, and prevent future compromise.

And the community rewards our investigation with engagement. Below, we have included a testimonial from the recipient of one of the above reports, which demonstrates that Huntress MDR for Microsoft 365 pays security dividends when driven and contextualized by the handsome experts of the Huntress SOC.

The threat hunting cycle, as my colleague Anthony Smith has advised in the past, should close the loop between that which we manually found that was yet to be detected, and how to go on to automate detecting those findings in the future.

    event.action: UserLoggedIn AND user_agent.original.text:"azsdk-python"
    # Filter for successful authentications only
    # And essentially wildcard for any user agent containing the above string

I leave it to the reader to decide the priority for this detection. Environments vary in what their baseline is for normal, and far be it from me to tell you whether this should be a high- or low-priority detection.

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on have Explorer (also known as Threat Explorer) or Real-time detections. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see About Threat Explorer and Real-time detections in Microsoft Defender for Office 365.

If you're hunting for attacks based on malicious URLs embedded within QR codes, the URL Source filter value QR code in the All email, Malware, and Phish views in Threat Explorer or Real-time detections allows you to search for email messages with URLs extracted from QR codes.

For example, you can retrace the steps you took to find a threat by recording your decisions like this: To find the issue in Threat Explorer, I used the Malware view and used a Recipient filter focus.

When you see a suspicious email message, click on the Subject value of an entry in the table. The details flyout that opens contains Open email entity at the top of the flyout.

The Email entity page pulls together everything you need to know about the message and its contents so you can determine whether the message is a threat. For more information, see Email entity page overview.

Selecting Take action opens the Take action wizard in a flyout. The available actions in the Take action wizard in Defender for Office 365 Plan 2 and Defender for Office 365 Plan 1 are listed in the following table:

This action requires the Search and Purge role in Email & collaboration permissions. By default, this role is assigned only to the Data Investigator and Organization Management role groups. You can add users to those role groups, or you can create a new role group with the Search and Purge role assigned, and add the users to the custom role group.

By default, some actions are unavailable/grayed out based on the Latest delivery location value of the message. To show all available response actions, slide the toggle to On.

Move back to Sent Items folder: If the message was sent by an internal sender and the message was soft deleted (moved to the Recoverable Items\Deletions folder), selecting this option tries to move the message back to the Sent Items folder. This option is an undo action if you previously selected Move to mailbox folder > Soft deleted items and also selected Delete sender's copy on a message.

For messages with the value Quarantine for the Latest delivery location property, selecting Inbox releases the message from quarantine, so the following options are also available:

Soft deleted items: Move the message to the Recoverable Items\Deletions folder, which is equivalent to deleting the message from the Deleted items folder. The message is recoverable by the user and admins.

Hard deleted items: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see Soft-deleted and hard-deleted items.

I've confirmed it's a threat: Select this value if you're sure that the item is malicious, and then select one of the following values in the Choose a category section that appears:

After you select one of those values, a Select entities to block flyout opens where you can select one or more entities associated with the message (sender address, sender domain, URLs, or file attachments) to add as block entries to the Tenant Allow/Block list.

Add to existing: Use this value to apply actions to this email message from an existing remediation. In the Submit email to the following remediations box, select the existing remediation.

Threat Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. The following subsections explain how Threat Explorer and Real-time detections can help you find threats.

In the email details flyout that opens when you click on a Subject value from one of the entries, the Alert ID link is available in the Email details section of the flyout. Selecting the Alert ID link opens the View alerts page with the alert selected and the details flyout open for the alert.

In Defender for Office 365 Plan 2, if you use user tags to mark high value target accounts (for example, the Priority account tag), you can use those tags as filters. This method shows phishing attempts directed at high value target accounts during a specific time period. For more information about user tags, see User tags.

In the Delivery details section, the Detection technology property shows the detection technology that identified the threat. Detection technology is also available as a chart pivot or a column in the details table for many views in Threat Explorer and Real-time detections.

Verdict analysis might not necessarily be tied to entities. The filters evaluate content and other details of an email message before assigning a verdict. For example, an email message might be classified as phishing or spam, but no URLs in the message are stamped with a phishing or spam verdict.

Select Open email entity at the top of the flyout to see exhaustive details about the email message. For more information, see The Email entity page in Microsoft Defender for Office 365.

For the permissions required to search for mail flow rules by name in Threat Explorer, see Permissions and licensing for Threat Explorer and Real-time detections. No special permissions are required to see rule names in email details flyouts, details tables, and exported results.

To find messages that were affected by inbound connectors, you can use the Connector filterable property to search for connectors by name in the All email, Malware, and Phish views in Threat Explorer (not in Real-time detections). You enter a partial text value for the name of the connector. For more information, see the following links:
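The hunt the post describes (successful sign-ins carrying the azsdk-python user agent, then pivoting on the source IP to see what else it attempted, with room for an environment-specific baseline) can be run offline against exported sign-in records. The script below is an added example and is not code from the post or from Huntress. It works over constructed records whose layout loosely follows Microsoft 365 unified audit log sign-in entries (Operation, UserId, ClientIP, ResultStatus, and a UserAgent entry under ExtendedProperties); that field layout, the helper names, and the known_automation allowlist are assumptions for the example.

```python
"""Hunt for Microsoft 365 sign-ins using the azsdk-python user agent.

Added example, not part of the original post. Records are constructed and
their field layout is an assumption that loosely mirrors unified audit log
sign-in entries.
"""
import json
from collections import Counter

AZSDK_MARKER = "azsdk-python"


def _rec(operation, user, ip, status, ua):
    """Build one constructed sign-in record in the assumed audit-log shape."""
    return {
        "Operation": operation, "UserId": user, "ClientIP": ip,
        "ResultStatus": status,
        "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}],
    }


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
SDK_UA_A = "azsdk-python-identity/1.15.0 Python/3.11.4 (Linux-5.15)"
SDK_UA_B = "azsdk-python-identity/1.13.0 Python/3.10.12 (Linux-6.1)"
SDK_UA_BLOB = "azsdk-python-storage-blob/12.19.0 Python/3.11.4 (Linux-5.15)"

# Constructed sample log (documentation-range IPs, not real telemetry).
SAMPLE_LOG = [
    _rec("UserLoggedIn", "sales@example.com", "203.0.113.10", "Success", BROWSER_UA),
    _rec("UserLoggedIn", "sales@example.com", "198.51.100.7", "Success", SDK_UA_A),
    _rec("UserLoggedIn", "po@example.com", "192.0.2.44", "Success", SDK_UA_B),
    _rec("UserLoginFailed", "alice@example.com", "192.0.2.44", "Failed", SDK_UA_B),
    _rec("UserLoginFailed", "bob@example.com", "192.0.2.44", "Failed", SDK_UA_B),
    _rec("UserLoginFailed", "carol@example.com", "192.0.2.44", "Failed", SDK_UA_B),
    # A service account that legitimately uses the SDK; the baseline suppresses it.
    _rec("UserLoggedIn", "svc-backup@example.com", "203.0.113.55", "Success", SDK_UA_BLOB),
]


def user_agent(record):
    """Extract the UserAgent value from ExtendedProperties ('' if absent)."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def find_azsdk_logins(records, known_automation=frozenset()):
    """Successful sign-ins whose user agent contains the azsdk-python marker.

    Accounts listed in known_automation are the environment's baseline of
    expected SDK users and are not reported.
    """
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("ResultStatus") != "Success":
            continue
        ua = user_agent(r)
        if AZSDK_MARKER not in ua.lower():
            continue
        if r.get("UserId") in known_automation:
            continue
        hits.append({"user": r["UserId"], "ip": r["ClientIP"], "user_agent": ua})
    return hits


def pivot_on_ips(records, ips):
    """For each IP of interest, summarise everything else it did in the log."""
    summary = {
        ip: {"accounts_attempted": set(), "successful_accounts": set(), "operations": Counter()}
        for ip in ips
    }
    for r in records:
        s = summary.get(r.get("ClientIP"))
        if s is None:
            continue
        s["accounts_attempted"].add(r.get("UserId"))
        s["operations"][r.get("Operation")] += 1
        if r.get("Operation") == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            s["successful_accounts"].add(r.get("UserId"))
    return summary


def hunt(records, known_automation=frozenset(), spray_threshold=3):
    """Detection plus pivot: each hit is enriched with what its source IP tried."""
    hits = find_azsdk_logins(records, known_automation)
    pivots = pivot_on_ips(records, {h["ip"] for h in hits})
    findings = []
    for h in hits:
        tried = len(pivots[h["ip"]]["accounts_attempted"])
        findings.append({**h, "accounts_attempted_from_ip": tried,
                         "possible_spray": tried >= spray_threshold})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, known_automation={"svc-backup@example.com"}):
        print(json.dumps(finding))
```

The two findings it produces mirror the post's cases: one account signing in with the SDK user agent from an unfamiliar IP, and one whose source IP also attempted several other accounts, which is the signal that turns a single odd sign-in into a pivot worth chasing through the rest of the retained telemetry. The known_automation set is where an environment records its own baseline before deciding how loudly this detection should fire.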
