DefenderAdmin
Nov 30, 2022, Brass Contributor
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and ...
Alexander Bunk
Dec 30, 2022, Copper Contributor
We have the same experience. Any updates on this?
Jacampbell
Jan 27, 2023, Microsoft
Hey, have you opened a support ticket?

DefenderAdmin
Jan 27, 2023, Brass Contributor
No, I didn't open a support ticket yet. I was hoping that an agent update would solve the issue, which hasn't happened yet. But to be honest, I don't have the time or nerve right now for handling a Microsoft ticket case with some Indian MS supporter...
Jacampbell
Jan 27, 2023, Microsoft
So LDAP and SAMR detections were added to the Honeytoken tagged entities. Points to note with this:
- There will never be a false positive scenario for the honeytoken, despite that being an option under the manage alert drop-down in M365.
- We cannot exclude the device for this Honeytoken activity.
Please review EVERY tool that is associated with LDAP and SAMR and queries users. If any tool or service queries a Honeytoken tagged account, it will create an activity. So, based on the frequency of your activity, you should be able to narrow down what service/tool is querying the users on these trusted domains. Does any service/tool come to mind?
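One way to do the narrowing-down Jacampbell describes, as an added example that is not part of the thread and not Microsoft's code: a small Python script that takes an export of identity query events, keeps only the queries aimed at the honeytoken account, counts them per source host, process and protocol (LDAP vs. SAMR), and measures the gap between a host's queries. A stable interval points at a scheduled scanner or inventory agent rather than a person. The field names (Timestamp, ActionType, Application, DeviceName, IPAddress, TargetAccountUpn) are assumed to match the IdentityQueryEvents Advanced Hunting table; the honeytoken UPN, hostnames and events are constructed sample data, so adjust them to your own export.

```python
"""Narrow down which host/tool is querying a honeytoken account.

Added example, not code from the thread or from Microsoft. Input field names
(Timestamp, ActionType, Application, DeviceName, IPAddress, TargetAccountUpn)
are assumed to match the IdentityQueryEvents Advanced Hunting table; the
sample events below are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export: one host polling the honeytoken every ~15 min,
# one stray SAMR query from a DC, and an unrelated LDAP query for a real user.
SAMPLE_EVENTS = [
    {"Timestamp": "2022-11-23T18:00:02Z", "ActionType": "LDAP query",
     "Application": "ldapsearch", "DeviceName": "inv-scan01.corp.example",
     "IPAddress": "10.0.5.21", "TargetAccountUpn": "svc-backup-hny@corp.example"},
    {"Timestamp": "2022-11-23T18:15:01Z", "ActionType": "LDAP query",
     "Application": "ldapsearch", "DeviceName": "inv-scan01.corp.example",
     "IPAddress": "10.0.5.21", "TargetAccountUpn": "svc-backup-hny@corp.example"},
    {"Timestamp": "2022-11-23T18:20:00Z", "ActionType": "SAMR query",
     "Application": None, "DeviceName": "dc01.corp.example",
     "IPAddress": "10.0.0.10", "TargetAccountUpn": "svc-backup-hny@corp.example"},
    {"Timestamp": "2022-11-23T18:21:00Z", "ActionType": "LDAP query",
     "Application": "Outlook", "DeviceName": "ws-1042.corp.example",
     "IPAddress": "10.0.7.88", "TargetAccountUpn": "alice@corp.example"},
    {"Timestamp": "2022-11-23T18:30:03Z", "ActionType": "LDAP query",
     "Application": "ldapsearch", "DeviceName": "inv-scan01.corp.example",
     "IPAddress": "10.0.5.21", "TargetAccountUpn": "svc-backup-hny@corp.example"},
    {"Timestamp": "2022-11-23T18:45:02Z", "ActionType": "LDAP query",
     "Application": "ldapsearch", "DeviceName": "inv-scan01.corp.example",
     "IPAddress": "10.0.5.21", "TargetAccountUpn": "svc-backup-hny@corp.example"},
]

HONEYTOKENS = {"svc-backup-hny@corp.example"}  # assumed honeytoken-tagged account


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def honeytoken_queries(events, honeytokens):
    """Keep only events whose queried target is a honeytoken account (case-insensitive)."""
    wanted = {h.lower() for h in honeytokens}
    return [e for e in events if (e.get("TargetAccountUpn") or "").lower() in wanted]


def summarize_sources(events):
    """Count queries per (source host, process, protocol), most frequent first.

    The top entry is the first candidate for the scanner/agent behind the alerts.
    """
    counts = Counter(
        (e["DeviceName"], e.get("Application") or "<unknown>", e["ActionType"])
        for e in events
    )
    return counts.most_common()


def cadence_seconds(events):
    """Median gap in seconds between a host's queries; None when only one query was seen.

    A stable gap (e.g. ~900 s) is the signature of a scheduled job, not a person.
    """
    per_host = defaultdict(list)
    for e in events:
        per_host[e["DeviceName"]].append(_parse_ts(e["Timestamp"]))
    result = {}
    for host, stamps in per_host.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[host] = median(gaps) if gaps else None
    return result


if __name__ == "__main__":
    hits = honeytoken_queries(SAMPLE_EVENTS, HONEYTOKENS)
    print(f"{len(hits)} queries against honeytoken accounts")
    for (host, app, action), n in summarize_sources(hits):
        print(f"{n:>3}  {action:<10}  {host:<28}  {app}")
    for host, gap in cadence_seconds(hits).items():
        print(f"{host}: median gap {'n/a' if gap is None else int(gap)} s")
```

Run against the sample data, the report puts inv-scan01 with ldapsearch at the top with a roughly 15-minute cadence, which is the kind of pattern that identifies an inventory or vulnerability scanner; the single SAMR query from the DC is a one-off worth checking separately.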