Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. In these weekly updates, however, we focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
This week was all about you! Yes, you!
We currently run dedicated customer detection sprints that focus on bugs and requested detections. Sometimes those requests turn into great detections for all! One practice we follow is to turn any custom detection into something that can benefit every Blumira customer using the same technology. You'll see examples of this below.
This update introduces several new detections, including:
If you know, you know. You were one of the completed custom detections.
These events can be part of a normal business operation, such as migrating to another Workspace tenant or to a cloud service like Microsoft 365. However, threat actors have also been seen leveraging them in attempts to exfiltrate data from Workspace.
The roles "Directory Synchronization Accounts", "Partner Tier 1 Support" and "Partner Tier 2 Support", while not Global Administrator, are extremely powerful.
Microsoft does not recommend their use in most scenarios. The Directory Synchronization Accounts role is held by the service accounts that Azure AD Connect (now Microsoft Entra Connect) uses for normal directory synchronization, so an assignment outside of that context deserves a look. For more information, see Microsoft's documentation on Microsoft Entra built-in roles.
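The detection logic for the role write-up above, as an added example that is not Blumira's detection code: it scans directory audit events for "Add member to role" and alerts when the target role is one of the three named above. The events are constructed to mirror the Microsoft Graph directoryAudit shape (a Role.DisplayName modified property with a JSON-encoded newValue); the tenant name, UPNs and app name are made up, and the role names are matched case- and whitespace-insensitively so that both "Partner Tier 1 Support" and Microsoft's own spelling "Partner Tier1 Support" hit.

```python
# Added example for the privileged-role write-up above. Not Blumira's detection
# code. Sample events below are constructed; UPNs, tenant and app names are made up.
import json
import re

WATCHED_ROLES = {
    "Directory Synchronization Accounts",
    "Partner Tier1 Support",   # Microsoft's display name has no space in "Tier1"
    "Partner Tier2 Support",
}


def _norm(name):
    # Case- and whitespace-insensitive so "Partner Tier 1 Support" also matches.
    return re.sub(r"\s+", "", name).casefold()


_WATCHED = {_norm(r) for r in WATCHED_ROLES}


def role_from_event(event):
    """Return the role display name for an 'Add member to role' event, else None."""
    if event.get("activityDisplayName") != "Add member to role":
        return None
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue") or ""
                try:
                    return json.loads(raw)  # newValue is a JSON-encoded string
                except json.JSONDecodeError:
                    return raw
    return None


def detect_privileged_role_adds(events):
    """Return one alert dict per event that adds a member to a watched role."""
    alerts = []
    for ev in events:
        role = role_from_event(ev)
        if role is None or _norm(role) not in _WATCHED:
            continue
        initiator = ev.get("initiatedBy", {})
        actor = initiator.get("user") or initiator.get("app") or {}
        members = [
            t.get("userPrincipalName") or t.get("displayName")
            for t in ev.get("targetResources", [])
            if t.get("type") in ("User", "ServicePrincipal")
        ]
        alerts.append({
            "time": ev.get("activityDateTime"),
            "actor": actor.get("userPrincipalName") or actor.get("displayName") or "<unknown>",
            "role": role,
            "members": members,
            "result": ev.get("result"),
        })
    return alerts


def _role_props(name):
    return [{"displayName": "Role.DisplayName", "newValue": json.dumps(name)}]


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {   # 1: a human admin grants Partner Tier1 Support -> alert
        "activityDateTime": "2024-05-06T14:02:11Z",
        "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "jdoe@contoso.example",
             "modifiedProperties": _role_props("Partner Tier1 Support")},
            {"type": "Role", "displayName": "Partner Tier1 Support", "modifiedProperties": []},
        ],
    },
    {   # 2: routine Helpdesk Administrator grant -> no alert
        "activityDateTime": "2024-05-06T14:10:00Z",
        "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "helpdesk1@contoso.example",
             "modifiedProperties": _role_props("Helpdesk Administrator")},
        ],
    },
    {   # 3: an app (made-up name) adds a sync service account -> alert, review context
        "activityDateTime": "2024-05-06T15:30:45Z",
        "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"app": {"displayName": "Sync Setup App (constructed)"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "sync_svc@contoso.example",
             "modifiedProperties": _role_props("Directory Synchronization Accounts")},
        ],
    },
    {   # 4: a removal, not an add -> ignored
        "activityDateTime": "2024-05-06T16:00:00Z",
        "activityDisplayName": "Remove member from role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "jdoe@contoso.example",
             "modifiedProperties": _role_props("Partner Tier1 Support")},
        ],
    },
]

if __name__ == "__main__":
    for alert in detect_privileged_role_adds(SAMPLE_EVENTS):
        print(alert)
```

Event 3 fires on purpose: the whole point is that a Directory Synchronization Accounts assignment is expected only when Entra Connect is being set up, so the analyst confirms that context rather than the detection guessing at it.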
When users release potential phishing messages, this can be the beginning of a long chain of malicious actions by an attacker. Many of these phishing messages include links to spoofed websites that attempt to capture users' credentials, trick users into running unwanted programs, or set up elaborate fraud scenarios. This detection relies on Mimecast flagging the message as phishing and logging when a user has released it from quarantine into their inbox.
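The correlation described above, as an added example that is not Blumira's or Mimecast's code: a message held with a phishing reason is remembered, and a later release of the same message to the same recipient by the end user raises an alert, while spam holds, admin releases and releases with no matching hold do not. The event field names (eventType, messageId, recipient, reason, releasedBy, timestamp) and the log lines themselves are constructed for this example and are not Mimecast's documented log schema.

```python
# Added example for the Mimecast write-up above. Not Blumira's or Mimecast's code.
# Field names and sample events are constructed for illustration, not Mimecast's schema.
from datetime import datetime, timedelta

RELEASE_WINDOW = timedelta(days=14)  # ignore hold/release pairs further apart than this


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_user_released_phish(events):
    """Return alerts for messages held as phishing that the recipient then released."""
    held = {}    # (messageId, recipient) -> the held event
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["timestamp"])):
        key = (ev["messageId"], ev["recipient"].casefold())
        if ev["eventType"] == "held":
            if "phish" in ev.get("reason", "").casefold():
                held[key] = ev       # only phishing holds are interesting here
        elif ev["eventType"] == "released":
            h = held.pop(key, None)
            if h is None:
                continue             # never held as phishing (e.g. spam, or no hold seen)
            if _ts(ev["timestamp"]) - _ts(h["timestamp"]) > RELEASE_WINDOW:
                continue             # stale pairing
            if ev.get("releasedBy", "").casefold() != "user":
                continue             # admin releases are a separate, reviewed workflow
            alerts.append({
                "messageId": ev["messageId"],
                "recipient": ev["recipient"],
                "sender": h.get("sender"),
                "subject": h.get("subject"),
                "heldAt": h["timestamp"],
                "releasedAt": ev["timestamp"],
            })
    return alerts


# Constructed sample events (not real Mimecast logs).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-06T09:01:00Z", "eventType": "held", "messageId": "<m1@example.net>",
     "recipient": "alice@contoso.example", "sender": "it-support@contoso-login.example",
     "subject": "Password expires today", "reason": "Phishing"},
    {"timestamp": "2024-05-06T09:15:00Z", "eventType": "released", "messageId": "<m1@example.net>",
     "recipient": "alice@contoso.example", "releasedBy": "user"},
    {"timestamp": "2024-05-06T10:00:00Z", "eventType": "held", "messageId": "<m2@example.net>",
     "recipient": "bob@contoso.example", "sender": "deals@example.org",
     "subject": "Weekly offers", "reason": "Spam"},
    {"timestamp": "2024-05-06T10:05:00Z", "eventType": "released", "messageId": "<m2@example.net>",
     "recipient": "bob@contoso.example", "releasedBy": "user"},
    {"timestamp": "2024-05-06T11:00:00Z", "eventType": "held", "messageId": "<m3@example.net>",
     "recipient": "carol@contoso.example", "sender": "ceo@contoso-exec.example",
     "subject": "Urgent wire transfer", "reason": "Phishing"},
    {"timestamp": "2024-05-06T11:30:00Z", "eventType": "released", "messageId": "<m3@example.net>",
     "recipient": "carol@contoso.example", "releasedBy": "admin"},
    {"timestamp": "2024-05-06T12:00:00Z", "eventType": "released", "messageId": "<m4@example.net>",
     "recipient": "dave@contoso.example", "releasedBy": "user"},
]

if __name__ == "__main__":
    for alert in find_user_released_phish(SAMPLE_EVENTS):
        print(alert)
```

The state is keyed on message ID plus recipient because the same message can be held for several recipients and released by only one of them; keying on message ID alone would blame the wrong user.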
Of course we're going to sneak some of our other content into detection updates!
A great article written by our one and only Jake Ouellette about the ways to defend against automatic disk mounting.