Skip to content
    April 2, 2024

    Security Detection Update - 2024-4-2

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week was all about you! Yes, you!

    We currently have dedicated customer detection sprints that focus on bugs and requested detections. Sometimes those detections can turn into great detections for all! One practice we like to follow is to consistently strive to turn any custom detection creation into something that can benefit all Blumira customers that have a certain piece of technology. You'll see examples of these below.


    New Detections

    This update introduces several new detections, including:

    Top Secret

    If you know, you know. You were one of the completed custom detections.

    Google Workspace: Domain Data Export Initiated

    These events can be a part of a normal business operation to migrate to another Workspace tenant or cloud service like Microsoft 365. However, it has also been seen leveraged by Threat Actors in attempts to exfiltrate data from Workspace.

    • Status: Enabled
    • Log type requirement: Google Workspace/Gsuite

    Microsoft 365: Hidden Privileged Role Assignment

    The roles of "Directory Synchronization Accounts", "Partner Tier 1 Support" and "Partner Tier 2 Support," while not Global Administrators, are extremely powerful.

    • Directory Synchronization Accounts — Can add new owners and credentials to all service principals
    • Partner Tier 1 Support — Can add new owners/credentials to all app registrations and add owners/members to all non-role eligible security groups
    • Partner Tier 2 Support (The main topic of the referenced article)

    Microsoft does not recommend their use in most scenarios. Directory Synchronization Accounts can be used by accounts that are involved with Azure AD Sync (AKA: Entra ID Connect), for normal business operations. For more information, click here.

    • Status: Enabled
    • Log type requirement: Microsoft 365 Azure AD

    Mimecast: User Released a Phishing Message from Quarantine

    When users release potential phishing messages, this can be the beginning of a long line of malicious actions from an attacker. Many times these phishing messages include links to spoofed websites that attempt to capture users credentials, trick users into running unwanted programs, or create elaborate fraud scenarios. This detection relies on Mimecast to flag the message as fishing and log when a user has successfully released it from quarantine into their inbox.

    • Status: Enabled
    • Log type requirement: Mimecast Release


    IDE Content

    Of course we're going to sneak some of our other content into detection updates!

    The Hedgehog Defense #2: Defend Against Automatically Mounted Disk Images

    A great article written by our one and only Jake Ouellette about the ways to defend against automatic disk mounting.

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts