User Profile
Brok3NSpear
Brass Contributor
Joined 4 years ago
Recent Discussions
Inaccurate Reporting for Installed Apps in Defender
Hi,

This morning (UK) we noticed that Defender (all users are E5 and we have MDE P2) is showing very inaccurate reporting for various apps installed on users' machines. Example: Chrome is showing as only installed on 180 machines, where it is actually installed on over 1.4K end-user machines, including mine, which shows in Defender as not an installed app. There is nothing showing at the moment in Service Health for this issue. I have also completed the 'Report Inaccuracy' in Defender as well. This was working perfectly fine as of yesterday.

Other apps I have noticed showing inaccurate results are old Teams installs.

Note that this may have been a short-term glitch, as figures are slowly going back to what we would expect.

Re: Company Portal Attempting To Connect To Unknown Site
ajon88 Unfortunately I never received anything official back from Microsoft for this, but would appreciate an official reply to better understand this so we can at least document it. It's blocked currently from our side until we do get a good response from MS. Here though is what I can get from ChatGPT (changed formatting as it doesn't translate that well when pasted across to this chat):

--------------------------------------------------

The connection attempt by CompanyPortal.exe to hxxps://powerlift-frontdesk.acompli[.]net is likely related to Microsoft's Intune and Office 365 infrastructure, specifically around mobile device management (MDM), conditional access, or email security services. Here's a detailed breakdown of why this connection might be occurring:

1. What is CompanyPortal.exe?
- CompanyPortal.exe is an application associated with Microsoft Intune, a cloud-based service for managing mobile devices, apps, and computers. Intune allows organizations to manage access to corporate resources like emails, documents, and other applications on company-owned or personal devices while enforcing security policies.
- The Company Portal app is commonly used on devices to provide users with access to apps, company resources, and security policies that are managed through Intune.

2. What is powerlift-frontdesk.acompli[.]net?
- The domain acompli[.]net is linked to Acompli, the original name of the email app Microsoft acquired in 2014, which was later rebranded into Outlook Mobile. The Acompli service handles backend services related to mobile email, such as synchronization, email retrieval, and push notifications. It's also associated with the infrastructure that manages mobile email security and conditional access through Intune.
- The specific subdomain `powerlift-frontdesk.acompli[.]net` seems to be related to internal Microsoft services for managing mobile and conditional access policies in real time. "Powerlift" is often an internal codename or service within Microsoft related to monitoring, troubleshooting, and enforcing conditional access policies for mobile devices.

3. Why is CompanyPortal.exe trying to connect to `powerlift-frontdesk.acompli[.]net`?
- Mobile Device Management (MDM): If your organization uses Intune for mobile device management, the CompanyPortal.exe would likely need to communicate with Microsoft's infrastructure to check for updates to policies, manage device compliance, and handle any conditional access rules (e.g., ensuring the device meets security requirements before granting access to corporate emails or apps).
- Conditional Access Policies: The powerlift-frontdesk.acompli[.]net endpoint could be used to enforce conditional access policies that allow or deny access to corporate resources based on device health, location, or other factors. This might include verifying the device's compliance with policies (such as encryption status, malware protection, etc.).
- Email Security and Syncing: Given Acompli's legacy as an email app and the continued use of acompli[.]net domains in Microsoft's infrastructure, this connection might also support email-related functions, such as syncing emails to the mobile app or monitoring the device's security posture to allow access to Exchange Online or Outlook.
- User and Device Authentication: This connection might be part of an authentication process where the Company Portal app communicates with Microsoft's cloud infrastructure to validate the device or user and enforce identity-based security policies.

4. What to Do About These Connections
If these connection attempts are flagged by a security tool, it's important to determine if they are expected in your environment. Here are some considerations:
- Expected Behavior: If your organization uses Intune or Office 365 with mobile device management or conditional access policies, these connection attempts are likely expected and legitimate.
- Whitelisting: If this is a common connection related to Microsoft services, you may need to whitelist the domain to avoid unnecessary alerts.
- Suspicious Activity: If your organization does not use Microsoft Intune or does not expect this connection, further investigation is warranted to ensure there isn't any rogue software attempting unauthorized connections.

5. Next Steps
- Verify with IT: Confirm with your IT department or security team if Intune or conditional access policies are in place for your organization's devices. If they are, this connection is likely routine.
- Check Microsoft Documentation: Review Microsoft documentation on Intune, conditional access, and Office 365 to better understand the infrastructure and any expected network traffic.
- Monitoring: If this connection appears abnormal, you could monitor the outbound traffic and logs for further details, like the frequency and timing of these connection attempts, to identify any patterns or anomalies.

Conclusion
The outbound connection from CompanyPortal.exe to `hxxps://powerlift-frontdesk.acompli[.]net` is almost certainly related to Microsoft Intune and conditional access services for managing mobile devices and enforcing security policies. This is likely a legitimate and necessary part of Microsoft's infrastructure, particularly if your organization uses Intune or Office 365 services.

---------------------------------------------------------

As I said though, something official from Microsoft would be appreciated.

303 Views · 0 likes · 0 Comments

Re: ASR Rule Blocking ms-teams.exe
raphael1974 They added a notification in the Message Centre on Issue ID: DZ809811 yesterday at 16:48hrs GMT (UK time).

Root Cause: A recent service update introduced a faulty signature code change that caused the ASR rules to block various actions in the Outlook desktop client.

1.5K Views · 2 likes · 0 Comments

ASR Rule Blocking ms-teams.exe
Hi,

We have seen the ASR Rule 'Block Office communication application from creating child processes' start to block ms-teams.exe this morning, which is causing quite a lot of issues in the estate. The current workaround is to set the ASR Rule 'Block Office communication application from creating child processes' to Audit Mode instead of Block Mode.

This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue, and do you know when a fix may be in place for this, so I can safely move the ASR Rule back to Block Mode?

FIDO2 Key Audit Logs
Hi,

Does anyone have any KQL Queries that will give me a list of users that have used FIDO2 Keys as their method of authentication, or any audit logs that I can look up for all users to validate that these keys are being used as opposed to being available to be used?

We have FIDO2 Keys set as available to users in the estate and I know that they are being used where required, but in the users' Sign-in logs it isn't very clear where it proves that the user used FIDO2 as the authentication method. When looking at a user that is using a FIDO2 Key for their authentication, it doesn't show in the Basic Info tab in Entra Sign-in logs that FIDO Key use was used specifically.

I have a Conditional Access Policy set as Report Only to also help test this, which enforces Authentication Strength for Phishing Resistant MFA, and the users I am looking at that I know use FIDO2 for authentication would have successfully passed that CAP should it be enabled; so I know that it's working fine. I just need to be able to prove this in the audit logs for multiple users.

732 Views · 2 likes · 1 Comment

Re: Advanced Hunting Opens Briefly, then goes blank
DMBisME As of this morning (07:40hrs UK time) this seems to now open without issue. MS did not get in contact on the ticket, so this wasn't a support fix. I am guessing that they have had engineers start to look into this as it now opens fine. I had 10 or so tabs open, and have since closed them all out and re-opened the page again to check.

Hope yours gets resolved shortly as well. Am keeping the ticket open for 24hrs just to make sure that it doesn't revert, and will then close it out with them.

1.2K Views · 0 likes · 0 Comments

Re: Advanced Hunting Opens Briefly, then goes blank
DMBisME Still nothing back from support I'm afraid, but I have also noticed the latest Intel Report is showing up as blank as well. All other previous reports are fine. I was trying to read the Vulnerability Profile: CVE-2024-30051 - Desktop Window Manager EoP vulnerability via Threat Intelligence > Threat Analytics.

Adding to the post as it may be related, or just an MS issue.

1.5K Views · 0 likes · 2 Comments

Advanced Hunting Opens Briefly, then goes blank
Hi,

I have an issue in Advanced Hunting where the portal will open up briefly, but then go blank. This has been happening since Wednesday for me, and I raised a ticket (#2405090050000419) with Microsoft for this on Thursday AM, but have yet to get a response; it just sits at 'A support agent is being assigned to your request'.

I have tried accessing the AH area in Private Mode, via Chrome (Edge is my main browser) and clearing cache, but still no joy. I also disabled Dark Mode to see if that was the issue, as I know that Dark Mode does cause visibility issues in the XDR portal (especially when attempting to preview emails when investigating emails).

This has also been noted by a user on Twitter.

This isn't affecting other users in my tenant (based in UK) as they are still able to access the AH area without issue. We also haven't yet enabled the Unified SIEM/XDR as yet, so that isn't the issue. If it was, the issue is still only affecting my account, and no one else who has access to that area. Should be noted that they rarely use AH, so wouldn't have as many previously open AH tabs as I normally always do. I believe that I had approx. 10 or so tabs open for various queries I was looking up or creating.

I am still able to access the Custom Detection Rules section which sits underneath that link without issue. This means that I am completely unable to run any AH queries currently, which is an issue.

Sent from Outlook for iOS links Being Quarantined in Defender
Hi,

Microsoft seem to be falsely flagging their own shortening URL for hxxps://aka.ms/o0ukef as High Confidence Phishing. This is the link that is created in emails when a user sends an email from Outlook for iOS. This is causing a lot of emails to be blocked and sent to the Quarantine queue. Can someone at MS take a look and get this addressed?

Blocking Access To Github
Hi,

We have been asked to block access to Github for all users (some departments will still have access via a Scoped policy) via MCAS. This is very simple to action from our side, but I am concerned about what may break when this is done. Does anyone know what the implications of this may be in regards to various KQL queries that rely on external lookups to Github, or any other MS tooling that uses Github for various activities? Blocking users from being able to access this via the browser is fine, but I need to be sure that no security tooling from Microsoft will be impacted by this.

Does anyone have any experience with this, and did you notice any impacts to be aware of that may go unnoticed?

451 Views · 0 likes · 0 Comments

Re: Create a Policy Alert for any Upload Seen to Gmail
Keith_Fleming

Keith_Fleming wrote: Brok3NSpear this is actually the expected behavior. When you look at discovery policies, these are regarding data coming from endpoints or appliances. Activities are based on the data coming from app connectors. In this case it sounds like what you would like to see is a way to get the audit activities from apps that aren't connected or that are just being accessed via the browser?

Correct, is there an audit process available for this that I can use? I have been trying to find a way to do this via KQL, but no joy from my limited use of KQL. Apologies for the late response as well.

460 Views · 0 likes · 0 Comments

Create a Policy Alert for any Upload Seen to Gmail
Hi,

I would like to create a policy in MCAS so that any upload that is seen to Gmail immediately raises an alert. We have Gmail tagged as Unsanctioned and blocked to all users, but I can also see that some users still have access to this, so I want to create a policy that can find any activity for this and alert me until the gap can be closed completely.

The one below is close (as well as the Unsanctioned tag on Gmail, I have also added the tag 'Gmail'); however, I can't find a way to create a policy that looks for any Upload to Gmail (I can't find a policy that has the App Tag option as well as the Activity Type option for Upload and then set my threshold) of any size that is seen in our estate. This should be a rare occurrence if at all, but I need to make sure that I have alerting in place should this ever happen and they weren't blocked by the Unsanctioned app rule.

If this isn't possible in MCAS itself, does anyone have a KQL query for this that I can use in Advanced Hunting and create a rule from that to create alerts?

543 Views · 0 likes · 2 Comments

Dark Mode in Defender and Email Preview Issues in Explorer
Hi,

When you are investigating an email for Phishing or for another reason, via Email & Collaboration > Explorer, and you then select the email to investigate and use the Email Preview option, you are unable to clearly look at the email itself due to Dark Mode making the text really hard to read. Is this something that can be fixed, but without the end user having to disable Dark Mode?

Company Portal Attempting To Connect To Unknown Site
Hi,

We keep seeing CompanyPortal.exe attempting (Outbound Connection) to access hxxps://powerlift-frontdesk.acompli[.]net

When looking up this site in VirusTotal I can see it connects to 52.162.107[.]40, which is owned by Microsoft. Here is a Graph in VirusTotal showing all other resolutions for this IP address.

When accessing that site via a Sandbox, it just says: 'Alchemy-Mantis-FrontDesk is Up & Running! Try ~/swagger to checkout the API's.'

Does anyone have any information as to what this site is and why the Company Portal keeps attempting to reach out to it? The site is currently blocked via Indicators by us.

1K Views · 0 likes · 3 Comments

A vulnerability assessment solution should be enabled on your virtual machines
Hi,

I have an action to take in Defender for Cloud, where a vulnerability solution needs to be installed on multiple VMs. Does anyone know whether actioning this may cause the machines in scope for the issue to restart, or am I OK to use the Quick Fix option, if available, to apply a Vuln Solution to all the machines in scope for this recommendation? We have Defender for Servers P2 on all known servers in the estate.

545 Views · 0 likes · 1 Comment

Defender quarantining all emails as High Confident Phishing
Hi,

Defender has started to quarantine all emails now as High Confidence Phishing even though the emails are perfectly fine. Seems like all URLs are being found to be phishing links. However, this is not the case, and there are 1000's of emails affected by this; it now seems to be flagging every email sent to our users. Seems to have started at around 16:39hrs GMT (UK time) today.

The policy that is the same for all the emails I can see is the Standard Preset Security Policy (Anti-Phishing policy) located in Email & Collaboration > Policies & rules > Threat policies > Anti-phishing. When looking at the emails, it's URL detonation reputation that states the URLs are malicious. No changes have been made to this policy for at least 3 months.

This is also triggering multiple High alerts in Defender for 'A potentially malicious URL click was detected'. Again, when checking these emails, they are all benign.

Anyone else seeing a large influx of quarantined emails in Defender?

[Edit] We use Mimecast as our gateway, so all emails sent from outside the org have to go through Mimecast first. Mimecast doesn't see any issues with them, and looking at the headers for the emails, I see no issues. Just that Microsoft is flagging every email that contains links as High Confidence Phishing. Normally we would expect to see approx. 10 or so a day for HCP emails, but never to this extent. I know that Mimecast is set to do URL Re-Write protection and have always wondered if MS can read through the URL re-writing that Mimecast sets for links, but it has never quarantined them based on the fact that the URLs have been re-written by Mimecast. The only URLs that Microsoft is flagging as High Confidence Phishing are the ones that have been re-written by Mimecast. That is the case on all the emails that I have been through now.

Have also raised a Support ticket via the portal for this on ticket #2401080050005168 and asked to get this escalated, as there is no way to set the priority when raising a ticket initially.

[Update] This is now resolved. The issue was that Mimecast have just changed the URL re-writing format from:

https://protect.mimecast-offshore.com/*****************

to

https://url.jer.m.mimecastprotect.com/*****************

starred out the rest for obvious reasons. Not sure if this is just a UK thing, but this change only occurred this afternoon for our tenant.

New Email Response Actions in Microsoft Defender XDR
Hi,

Can Microsoft please allow the use of punctuation when adding a new Rule Name or in the description for this functionality. The example below is when adding a new rule name, but using a hyphen (so that on first look, a user can see that the rule was created for a manual action). In the description, it doesn't allow you to use any commas, or any full stops (periods).