Ninja Cat Giveaway: Episode 5 | Mobile Threat Defense
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: After assessing this discussion with Yuji, tell us what are at least 3 common attack vectors on mobile devices? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Boost your Security Posture with a New Password Spray Detection Alert in Microsoft 365 Defender
Microsoft Defender alert policies are crucial for organizations to monitor and detect suspicious activities that may lead to cyber-attacks and data loss. These prebuilt policies help forensic investigators, security teams, and IT admins to detect and respond to potential threats promptly in their organization. What’s new? Microsoft has introduced a new alert to detect ‘Password spray attack originating from single ISP’. This new alert is absolutely a game-changer in cybersecurity, providing an additional layer of security to defend against such attacks. By identifying possible indicators of password spray attacks, organizations can take proactive measures to prevent potential breaches. Check out the blog to know more about how to identify the possible indicators of password spray attacks and the remediation actions. https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/
Recieving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
Even though we are MS 365 defender customers for all our users (EMS + E3) we are receiving an increasing number of phishing attempts based on good looking MFA connection requests. Furthermore these are based on QR Codes, which can be used on a smartphone where the security rules will be helpless against such attacks. And these attempts are absolutely not filtered.
Defender Confirm User Compromised
Triggering the "Confirm User Compromised" selection on Defender XDR after an Alert and Investigation has limited guidance. Can someone help point me at the documentation of what is triggered, how can I change what is triggered, what automations can I link with that, and is that even possible? I would like to see an alert, review, and once the action is taken the user is notified, and the user's listed next in higher direct report, with the incident information and the ability to add important information. Reset password, force 2FA, Log off of all open sessions, and any other remediations that could be added.THE VIRTUAL NINJA SHOW SEASON 4 RECAP
Did you miss any of the Ninja Show this season? Not to worry! We have assembled a synopsis of each episode highlighting the central focus points established in our discussions. (However, reading the main points are never as good as the real thing... Watch any episode on demand here!) Overview: Episodes 1-5 of this season were part of our first mini-series! Focused on incident response cases, experts from several teams across the Microsoft 365 Defender suite shared their knowledge regarding incident investigations as well as the critical tools and capabilities available to help improve defense in any organization. Episodes 6-8 shifted gears and included content about Microsoft Defender for Cloud Apps, Near real-time custom detection rules in M365D, and new Microsoft Teams protections! Ep 1: Oren Saban kicked off our Incident Response series by sharing IR investigation capabilities in Microsoft 365 Defender. We introduce how to best use the attack story view in the Defender portal, dive into the benefits of alert insights, and provide a guided walkthrough of a specific incident investigation that demonstrates how to pivot on affected entities to confirm nothing is being missed – with a special segment unveiling the updated File Content page (coming soon)! Ep 2: Michael Melone shifts us into an IR investigation of malware. Here we learn the ABC’s (and D!) of IR – a simplistic approach to manage malware incidents effectively. Through Michael’s demo you will also find updated advanced hunting capabilities in Microsoft 365 Defender and get to know the process of connecting alerts to primary incidents, creating a comprehensive view of an attack. Ep 3: Pawel Partyka unveils the impacts of business email compromise incidents (cyberattacks with financial fraud motivation) through an in-depth attack investigation. Takeaways we found critical were: Understanding the complexities of AiTM (adversary in the middle) phishing and Identifying the various connections of an attack story through the threat factors uncovered in Microsoft 365 Defender portal Recommended actions tab in Microsoft 365 Defender to help prevent damage to your assets Pawel’s demo walks through each step of the process extremely diligently. Ep 4 & 5: Corina Feuerstein wraps up our IR focus with a two-part investigation of a ransomware incident. Part 1 defines human-operated ransomware and the numerous phases of impact on an organization. Using a multi-stage incident generated by Microsoft 365 Defender, she shares how attackers use automation and exhibits how automated attack disruption defends at an even faster speed - enabling isolation tactics that prevent them from gaining a larger foothold within the enterprise. We also follow a ransomware playbook to assist during the containment and incident response phase of the attack, showing how to investigate step-by-step, verifying the attack is disrupted and prevent future risks. Part 2 continues our ransomware investigation using advanced hunting KQL queries. We dig into the behaviors and processes of the attack, learn the benefit of adding indicator markers, and make note of the tagging capability to review and connect future incidents. Key takeaways also include learning about remediation procedures, prevention tactics, and professional recommendations to improve security posture. Ep 6: Keith Fleming brings us out of incident investigations and explains the latest updates in Microsoft Defender for Cloud Apps! He first shares the 4 simple steps to deploy this product in your environment to confidently secure your applications and protect your data. Then, our conversation leads into a demonstration of: Connecting SaaS applications to Defender for Cloud Apps and receiving additional insights from these connections Explaining the Activity Log where you can take part in advanced hunting without KQL expertise! Enabling Defender for Endpoint connection and gain rich insights without the use of a proxy. There are so many more valuable resources shared throughout this episode, only matching the constant progress happening in the Defender for Cloud Apps world. Ep 7: Microsoft 365 Defender launched near real-time (NRT) custom detection rules and Christos Ventouris expertly dives into the benefits of this public preview feature. Watch this episode to learn: What custom detection rules are How you can create and modify them to your needs using advanced hunting queries And recognize the positive impact these near real-time rulesets make when it comes to mitigating threats in your organization as quickly as possible Ep 8: Closing out our fourth season are Senior Product Managers Malvika Balaraj and Daniel Mozes! They unveil an added layer of security within the Defender for Office suite, the collaboration and security within Microsoft Teams. Topics of focus are the new features Defender for Office 365 brings to Microsoft Teams. We learn how Microsoft 365 Defender blocks and removes malicious links or files from Teams or SharePoint and the self-reporting capability of files that may be a security risk - allowing a more proactive approach to prevent phishing attacks by educating users on basic security measures. Et voilà! The end of another great season We are extremely grateful to have the opportunity to help minimize learning gaps in the Microsoft Security community through the Virtual Ninja Show – but please help us keep it relevant to your needs! Add a comment including any topics you would like to see us bring forth next season so we can deliver what is helpful to you. Until next time, ninjas!
How do I investigate data exfiltration alerts?
Hi all, I regularly get alerts in Microsoft Defender (not Sentinel) for data exfiltration to an app that has not been sanctioned. In the alert get a date, the local IP address, the place the data ended up (as in AWS, or Azure Blob Storage etc), and the username. The most recent alert was for data exfiltration to Facebook. The end user said she was hungover Instagram surfing on her mobile phone, which doesn’t explain the activity being on her laptop. Previously, it seems that long Teams calls may have been the culprit (if the end user is to be believed!). However, I would like to know WHAT was uploaded, WHERE from, HOW it was uploaded (e.g., using Teams, OneDrive, etc.) and HOW MUCH data was uploaded. Does anyone have any ideas on the best way to do this? I am looking at a KQL query that maybe ties together DeviceNetworkEvents and DeviceEvents. Does that sound right? I tried looking at the device timeline for the end user’s laptop and I can find the RemoteIP but I can’t clearly see what the upload activity was. Or would I be better using the Cloud Apps search queries?
Help with CVE-2022-3602 OpenSSL
Dear all, Microsoft Defender displays a notification for one device, see attachment. As I am no IT-specialist I checked all available information what to do. But so far I could not find any understandable information, how to detemine, where are changes to make or updates necessary. Can anyone help?Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media
Hi, In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts. Is this something new from Microsoft as I cannot find any information on it? Anyone able to help please? Regards MikeMicrosoft 365 Defender - Incidents status code 400 error
Anyone ever seen this? Just started happening, I think, yesterday. Noticed this after someone did an email blast of about 200, and their email was flagged as compromised. Screen attached below for review. Reads: Something went wrong We have encountered an error loading this page, please try again later: Error: Request failed with status code 400
