Back to BlogNew Detections for Microsoft 365 & Windows
Keeping up with the constantly evolving threat landscape is difficult, especially if you’re on a small IT or security team. Blumira’s incident detection engineering (IDE) team helps you stay ahead by doing all of the heavy lifting for you:
- Creating, testing and releasing new detection rules into our platform every two weeks
- Tuning rules to reduce noisy false positives, focusing on critical findings
- Keeping up with the latest threat research and observed attack patterns
- Prioritizing and surfacing meaningful, relevant data in every finding
- Providing guided workflows with each finding to help IT teams respond faster
Some of our latest detection rules include ones to detect insecure user activity, potentially malicious logins, security misconfigurations and more in Microsoft 365 and Windows.
New Microsoft 365 Security Detections
Microsoft 365 – Excessive Number of MFA Enrollment Skips
In this finding, Blumira notifies you when one of your Microsoft 365 users has been skipping multi-factor authentication (MFA) enrollment more than 10 times in the past week. MFA is an important security measure that protects against identity-based attacks targeting usernames and passwords, such as password spraying, phishing, brute-force attacks, and more. If your users are skipping enrollment in setting up a secondary form of authentication, that could make their accounts (and access to your organization’s data) more vulnerable to these types of attacks.
Microsoft 365 – Login From Tor Exit Node
Blumira tracks and notifies you when a user authenticates into Microsoft 365, originating from an IP address that is known to be part of the Tor anonymity network, a free and open-source anonymous browser and network. While Tor is used by journalists, whistleblowers, activists and many others, it can also be used in malicious attacks by threat actors performing intrusions to hide their location.
Microsoft 365 – Update of Application Consent Policy
This finding alerts you whenever your Microsoft 365’s Application Consent Policy has been modified to a less secure setting. Microsoft recommends only allowing users to consent for applications that have been published by a verified publisher. This reduces the risk of malicious applications attempting to trick users into granting them access to your organization’s data.
New Windows Security Detections
Possible CVE-2022-30190 msdt.exe Follina Execution
This detection is related to a recent remote code execution (RCE) vulnerability discovered in Microsoft Support Diagnostic Tool (MSDT), used to troubleshoot and collect diagnostic data, as well as in Microsoft Office. It uses Word’s external link to load the HTML and then uses ‘ms-msdt’ to execute PowerShell code on a system. In this finding, Blumira has spotted an instance of a process executing code that matches CVE-2022-30190 (also named Follina).
Tor Browser Usage
Tor is a network that proxies traffic for users to mask their identity and may be used to avoid network controls and has been observed being used for malware command and control as well. In this finding, Blumira identified traffic to the Tor network from a host and specific process run by a user.
Endpoint Tor Traffic
Blumira alerts you to outbound Tor traffic that may indicate a potential policy violation or C2 malware, as our detection observed traffic to the Tor network from a certain host, process and user originating from your environment.
Microsoft Security Made Easy
Get easy, effective security your small teams can actually use to defend against breaches and ransomware, while meeting compliance and cyber insurance requirements. Blumira’s all-in-one SIEM combines logging with automated detection and response for better security outcomes.
How do we do things differently?
- Faster time to security – We send you real-time alerts in under a minute of initially detecting suspicious activity, helping you respond to critical threats faster than ever to help prevent a breach.
- Automate tasks for your team – We do all the heavy lifting for your small team to save them time – parsing logs, developing third-party integrations, and updating our platform with new detection rules to protect against the latest threats.
- Focus on critical threats – Our unique identifies real attacker behavioral patterns to alert you to threats other security tools may miss. We test and tune our detection rules to reduce noisy alerts and narrow your small team’s focus on the most critical threats.
- Easily meet compliance – Your small team can help meet compliance and cyber insurance renewal requirements for data retention and logging easily with Blumira’s solution that can be deployed in minutes to hours (up to 5x faster than other SIEMs that can take weeks or months).
Meet compliance controls, save time on security tasks, focus on real threats and protect against a breach faster than ever with Blumira.
Start Protecting Microsoft 365 Today
With Blumira, we’ve made it fast and easy to achieve advanced visibility, detection, response and reporting capabilities across your Microsoft 365 environment — at no cost.
Our free edition easily integrates with your Microsoft 365 environment to detect threats such as identity-based attacks, suspicious activity, and more. Get your account for free, without a credit card or a sales conversation.
