Shadow Workflows
Rich Mozeleski
The Shadow Workflows capability will provide detection and response for the most common post-compromise malicious activities. These activities include:
- Malicious inbox rule creation (we are completely revamping how we detect malicious inbox rules as part of this effort)
- Malicious phishing campaigns: At a minimum, we will detect and generate an incident report when a mailbox is responsible for a malicious phishing campaign.
- Data exfiltration: At a minimum, we will detect malicious file downloads from the Microsoft ecosystem.
Rich Mozeleski
Merged in a post:
Office 365 Rules - Can't tell if they were enabled or not when Huntress found them
Daniel Stevens
When we get alerted to dangerous mailbox rules in 365, the alert makes it impossible to tell whether or not the rule was ALREADY disabled when Huntress encountered it.
This is a huge problem when onboarding a new client. If the rule is found to be already disabled, then the breach was likely already remediated. If it was enabled, then it's probably an active breach.
The alert should include this critical information.
As it is now, I have to contact tech support and ask them.
Cameron Granger
open
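As an added illustration of the gap described in the merged post (example code, not Huntress's own detection): a small triage routine that replays constructed, simplified inbox-rule audit events and reports, for each suspicious rule, whether it is still enabled or was already disabled. The event shape, the risky-parameter heuristics and all mailbox addresses are assumptions; only the cmdlet names match real Exchange Online operations.

```python
from datetime import datetime

# Constructed sample events in a simplified shape loosely modeled on Exchange
# Online mailbox-audit records (not the real schema). A rule is assumed to be
# enabled when created and toggled by Enable-InboxRule / Disable-InboxRule.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T08:00:00", "UserId": "alice@example.com",
     "Operation": "New-InboxRule",
     "Parameters": {"Name": "sync", "ForwardTo": "mail@attacker.example",
                    "DeleteMessage": "True"}},
    {"CreationTime": "2024-05-01T09:30:00", "UserId": "alice@example.com",
     "Operation": "Disable-InboxRule", "Parameters": {"Identity": "sync"}},
    {"CreationTime": "2024-05-02T10:00:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice",
                    "MoveToFolder": "RSS Subscriptions"}},
    {"CreationTime": "2024-05-02T11:00:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

FORWARDING = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}

def rule_reasons(params):
    """Return why a rule's parameters look malicious (empty list if benign)."""
    reasons = []
    if params.keys() & FORWARDING:
        reasons.append("forwards mail outside the mailbox")
    if params.get("DeleteMessage") == "True":
        reasons.append("silently deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("hides mail in " + params["MoveToFolder"])
    if not params.get("Name", "x").strip(" ."):
        reasons.append("near-empty rule name")
    return reasons

def triage(events):
    """Replay events in time order; report suspicious rules with their final
    enabled state so an alert can say ACTIVE vs ALREADY DISABLED."""
    rules = {}  # (mailbox, rule name) -> {"params": ..., "enabled": ...}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["CreationTime"])):
        p = ev["Parameters"]
        key = (ev["UserId"], p.get("Name") or p.get("Identity"))
        if ev["Operation"] == "New-InboxRule":
            rules[key] = {"params": p, "enabled": True}
        elif ev["Operation"] == "Set-InboxRule" and key in rules:
            rules[key]["params"] = {**rules[key]["params"], **p}
        elif ev["Operation"] in ("Enable-InboxRule", "Disable-InboxRule") and key in rules:
            rules[key]["enabled"] = ev["Operation"] == "Enable-InboxRule"
    return [{"mailbox": m, "rule": n, "enabled": r["enabled"],
             "state": "ACTIVE" if r["enabled"] else "ALREADY DISABLED", "reasons": rs}
            for (m, n), r in rules.items() if (rs := rule_reasons(r["params"]))]
```

Running `triage(SAMPLE_EVENTS)` flags alice's forwarding rule as ALREADY DISABLED and bob's "." rule as ACTIVE, while the benign "Newsletters" rule produces no finding.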
Rich Mozeleski
Merged in a post:
Microsoft Expanded Cloud Log Implementation Playbook
Scott Brewster
CISA released its playbook for Microsoft expanded log collection. Please update ITDR to be able to ingest the logs. You can find this playbook here:
Rich Mozeleski
in progress