MTP Advanced Hunting – Public free E-Mail services

Today I received an e-mail from a customer explaining to me that at times they have false positives with e-mail impersonation. Depending on your configuration, the e-mail will end up being moved to the user’s junk folder or into quarantine. When releasing such a message with safety tips turned on, you might see the following message at the top of it. Reading Tip: Protect yourself from phishing schemes and other forms of online …

Hunting for Local Group Membership changes

Hello there, a couple of days ago someone in a forum asked whether it would be possible to detect changes to the local Administrators group using Microsoft Defender Advanced Threat Protection. Before I continue, why would you want to monitor such changes? Well, here is what comes to my mind: An attacker tries to maintain persistence, creates an account, and adds it to the local Administrators group (T1136.001 – Create Account: Local Account). A user …

Microsoft Threat Protection – Using advanced hunting to see what’s going on with your mail

Last December Microsoft introduced Microsoft Threat Protection (MTP), including advanced hunting, which allows us to run queries across multiple data sources, i.e. Microsoft Defender ATP and Office 365 ATP. If you haven’t heard about MTP yet, I recommend reading Christian Müller’s blog post Microsoft Threat Protection – unified hunting. Now, while the primary purpose of the unified hunting capability is to find information about indicators and entities, we can also use it to get an …