Keeping up with the constantly evolving threat landscape is difficult, especially if you’re on a small IT or security team. Blumira’s incident detection engineering (IDE) team helps you stay ahead by doing all of the heavy lifting for you:
Some of our latest detection rules include ones to detect insecure user activity, potentially malicious logins, security misconfigurations and more in Microsoft 365 and Windows.
Microsoft 365 – Excessive Number of MFA Enrollment Skips
In this finding, Blumira notifies you when one of your Microsoft 365 users has skipped multi-factor authentication (MFA) enrollment more than 10 times in the past week. MFA is an important security measure that protects against identity-based attacks targeting usernames and passwords, such as password spraying, phishing, brute-force attacks, and more. If users keep skipping enrollment instead of setting up a second form of authentication, their accounts (and their access to your organization’s data) remain more exposed to these types of attacks.
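The rule described above is a count-over-window threshold: for each user, count MFA enrollment skips and alert when any 7-day window holds more than 10. The following is an added example of that logic and is not Blumira's own code; the event shape (timestamp, user, event name), the event name `MfaEnrollmentSkipped`, and the sample records are all constructed for the example. It uses a sliding window rather than a fixed calendar week so a burst of skips spanning a week boundary is not missed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SKIP_THRESHOLD = 10          # alert when skips in any window exceed this (strictly greater)
WINDOW = timedelta(days=7)   # "in the past week"


def _skips(user, start, count, step_hours):
    """Build `count` constructed MfaEnrollmentSkipped events spaced `step_hours` apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(hours=step_hours * i)).isoformat(), user, "MfaEnrollmentSkipped")
            for i in range(count)]


# Constructed sample events: (ISO timestamp, user, event name). Not real log data.
SAMPLE_EVENTS = (
    _skips("alice@example.com", "2022-06-01T08:00:00", 12, 9)    # 12 skips inside ~4 days -> alert
    + _skips("bob@example.com", "2022-05-10T08:00:00", 11, 48)   # 11 skips, 2 days apart -> at most 4 per week
    + _skips("carol@example.com", "2022-06-03T08:00:00", 3, 1)   # 3 skips -> well under threshold
    + [("2022-06-04T10:00:00", "alice@example.com", "MfaEnrollmentCompleted")]  # ignored by the rule
)


def users_exceeding_skips(events, threshold=SKIP_THRESHOLD, window=WINDOW):
    """Return {user: peak skips in any sliding window} for users whose peak exceeds threshold."""
    per_user = defaultdict(list)
    for ts, user, kind in events:
        if kind == "MfaEnrollmentSkipped":
            per_user[user].append(datetime.fromisoformat(ts))

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in users_exceeding_skips(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} skipped MFA enrollment {count} times within one week")
```

Only alice trips the rule: bob has 11 skips in total, but spread over three weeks, so no single 7-day window holds more than four. Lowering the threshold is a one-argument change, which is useful when tuning the rule for a smaller tenant.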
Microsoft 365 – Login From Tor Exit Node
Blumira tracks and notifies you when a user authenticates into Microsoft 365 from an IP address known to be a Tor exit node. Tor is a free, open-source anonymity network and browser. While Tor is used by journalists, whistleblowers, activists and many others, threat actors also use it during intrusions to hide their true location.
Microsoft 365 – Update of Application Consent Policy
This finding alerts you whenever your Microsoft 365 application consent policy has been changed to a less secure setting. Microsoft recommends allowing users to consent only to applications published by a verified publisher. This reduces the risk of malicious applications tricking users into granting them access to your organization’s data.
Possible CVE-2022-30190 msdt.exe Follina Execution
This detection is related to a recent remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT), which is used to troubleshoot and collect diagnostic data and is reachable from Microsoft Office. The exploit uses a Word document’s external link to load remote HTML, which then invokes the ‘ms-msdt’ protocol handler to execute PowerShell code on the system. In this finding, Blumira has spotted a process executing in a way that matches CVE-2022-30190 (also named Follina).
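From the defender's side, the observable the paragraph describes is a process-creation event in which `msdt.exe` is launched with an `ms-msdt` URI in its command line, typically with an Office application as the parent. The following is an added example of that detection logic over constructed process-creation records; it is not Blumira's rule and the field names (`image`, `parent_image`, `command_line`), the list of Office parent process names, and the sample events are assumptions made for the example. Exploit payload contents are deliberately replaced with placeholders, since the detection keys only on the protocol handler and the parent process.

```python
import ntpath

# Assumed set of Office executables that should not normally spawn msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events, loosely shaped like an EDR/Sysmon record.
SAMPLE_EVENTS = [
    {   # Word spawning msdt.exe with the ms-msdt handler: the CVE-2022-30190 pattern
        "host": "WS-01", "user": "alice",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\msdt.exe",
        "command_line": 'msdt.exe "ms-msdt:/id PLACEHOLDER-DIAG /param PLACEHOLDER"',
    },
    {   # A user opening a troubleshooter from Explorer: legitimate msdt use
        "host": "WS-02", "user": "bob",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\msdt.exe",
        "command_line": "msdt.exe -id NetworkDiagnosticsWeb",
    },
    {   # Office spawning msdt.exe without the handler: unusual, worth a lower-severity look
        "host": "WS-03", "user": "carol",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\msdt.exe",
        "command_line": "msdt.exe -id PLACEHOLDER-DIAG",
    },
    {   # Not msdt.exe at all: out of scope for this rule
        "host": "WS-04", "user": "dave",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe attachment.txt",
    },
]


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if _basename(event["image"]) != "msdt.exe":
        return None
    uses_handler = "ms-msdt" in event["command_line"].lower()
    from_office = _basename(event["parent_image"]) in OFFICE_PARENTS
    if uses_handler and from_office:
        return "high"       # both indicators present
    if uses_handler or from_office:
        return "medium"     # one indicator: review, do not auto-close
    return None


def follina_findings(events):
    """Collect findings (host, user, parent, severity) for every event that matches."""
    findings = []
    for e in events:
        severity = classify(e)
        if severity:
            findings.append({"host": e["host"], "user": e["user"],
                             "parent": _basename(e["parent_image"]), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in follina_findings(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()}: msdt.exe spawned by {f['parent']} on {f['host']} as {f['user']}")
```

The ordinary troubleshooter launch from Explorer is not flagged, while the Office-parented launch without the handler still surfaces at medium severity, so the rule errs toward review rather than silence when only one indicator is present.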
Tor Browser Usage
Tor is a network that proxies traffic so users can mask their identity. It may be used to bypass network controls, and it has also been observed carrying malware command-and-control traffic. In this finding, Blumira identified traffic to the Tor network from a host and a specific process run by a user.
Endpoint Tor Traffic
Blumira alerts you to outbound Tor traffic that may indicate a policy violation or command-and-control (C2) malware: the detection observed traffic to the Tor network from a specific host, process and user in your environment.
Get easy, effective security your small teams can actually use to defend against breaches and ransomware, while meeting compliance and cyber insurance requirements. Blumira’s all-in-one SIEM combines logging with automated detection and response for better security outcomes.
How do we do things differently?
Meet compliance controls, save time on security tasks, focus on real threats and protect against a breach faster than ever with Blumira.
With Blumira, we’ve made it fast and easy to achieve advanced visibility, detection, response and reporting capabilities across your Microsoft 365 environment — at no cost.
Our free edition easily integrates with your Microsoft 365 environment to detect threats such as identity-based attacks, suspicious activity, and more. Get your account for free, without a credit card or a sales conversation.