Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Environment: Huntress Platform
Summary: This article describes how identity isolation is determined by our system, how to create UPN (User Principal Name) or organization-level exclusions, and how to manually isolate a Microsoft 365 UPN.
Core Purpose
Huntress Managed ITDR Identity Isolation is a critical, Huntress-managed response action that automatically contains compromised Microsoft 365 identities.
All Huntress accounts are opted into this feature by default.
Benefits
- Isolation stops a compromise from progressing to follow-on attacks such as Business Email Compromise (BEC) and exfiltration of sensitive data.
- You can rely on Huntress's 24 x 7 SOC to disable compromised identities even when your IT staff are not online to respond.
- These immediate response actions buy your organization invaluable time for determining and implementing remediation actions.
Isolation Triggers and Actions
The Huntress Security Operations Center (SOC) executes identity isolation when an "isolation-worthy" incident is detected, typically one indicative of hands-on threat actor activity within a partner's Microsoft 365 environment.
Example Isolation Triggers:
- A login from a known bad IP address.
- A malicious email forwarding rule being created.
Isolation occurs immediately upon the SOC Analyst sending the incident report. When this happens:
- The compromised user session will be revoked (logged out).
- The identity (UPN) will be disabled, preventing any future logins.
- Suspicious email forwarding or inbox rules will be disabled to stop malicious activity.
Resolution and Re-Enablement
The identity will be automatically re-enabled (un-isolated) when the associated incident report is Resolved.
Account Admins can also manually re-enable the identity at any time via the Huntress Portal.
Note: Disabled inbox rules must be manually re-enabled by admins, even if the incident report is rejected or resolved.
How Isolation Works (Technical)
Huntress uses the Microsoft Graph API to programmatically interact with a partner's Microsoft 365 environment. This allows us to perform the necessary actions via API calls:
- Revoke user sessions.
- Disable UPNs (Identities).
- Delete malicious inbox rules.
Identity Isolation Example Scenario
This scenario demonstrates the sequence of events when the Huntress SOC detects and responds to a compromised Microsoft 365 user identity.
What actions does Huntress take?
1. Huntress identifies a strange login from a suspicious IP address.
2. A SOC Analyst correlates this alert with additional telemetry indicative of new email forwarding rules, which mark all inbound emails as read and move them to the Deleted email folder.
3. The Huntress Analyst handcrafts an incident report to communicate the impact and severity of the events.
4. The report is sent as soon as possible, and the identity (Microsoft UPN) is isolated at the moment the report is sent.
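The three Graph API actions listed under "How Isolation Works" and the forwarding-and-hide inbox rule from the scenario above can be put together into a small isolation playbook. The following is an added example written for this article, not Huntress's own code: it classifies Graph messageRule objects that match the pattern in the scenario (forwarding plus mark-as-read plus hide), builds the Graph v1.0 requests for revoking sessions, disabling the account and disabling the flagged rules, and runs them through an injected HTTP sender so it can be exercised offline. The user principal name, rule JSON and folder ids are constructed sample data; in a real tenant the hide-folder ids come from GET /users/{id}/mailFolders/{wellKnownName}, and the sender wraps an authenticated HTTP client whose app registration holds the Graph permissions Microsoft documents for each endpoint.

```python
"""Illustrative Microsoft 365 identity isolation through Microsoft Graph (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: Graph mailFolder ids are opaque strings. A caller resolves the
# ids of folders an attacker hides mail in (Deleted Items, Junk Email, ...) via
# GET /users/{id}/mailFolders/{wellKnownName} and passes them in as this set.
SAMPLE_HIDE_FOLDER_IDS: frozenset[str] = frozenset({"AAMk-deleteditems-id", "AAMk-junkemail-id"})

# Constructed sample rules in the shape Graph returns from
# GET /users/{id}/mailFolders/inbox/messageRules.
SAMPLE_RULES: list[dict[str, Any]] = [
    {   # the forwarding-and-hide pattern described in the scenario
        "id": "rule-1", "displayName": ".", "isEnabled": True,
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "attacker@example.net"}}],
            "markAsRead": True,
            "moveToFolder": "AAMk-deleteditems-id",
        },
    },
    {   # an ordinary filing rule that must not be touched
        "id": "rule-2", "displayName": "Newsletters", "isEnabled": True,
        "actions": {"moveToFolder": "AAMk-newsletters-id"},
    },
]


@dataclass(frozen=True)
class GraphRequest:
    """One Graph call in the isolation plan; body is None for calls without a payload."""
    method: str
    url: str
    body: dict[str, Any] | None = None


def suspicious_rule_reasons(rule: dict[str, Any], hide_folder_ids: frozenset[str]) -> list[str]:
    """Return the reasons a messageRule looks like BEC tradecraft; [] means it looks benign."""
    actions = rule.get("actions") or {}
    reasons: list[str] = []
    # Any outbound copy of the mailbox is a reason on its own.
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        targets = [r["emailAddress"]["address"] for r in actions.get(key) or []]
        if targets:
            reasons.append(f"{key}: {', '.join(targets)}")
    # Marking mail read and deleting or moving it out of sight hides the victim's own alerts.
    hides = bool(actions.get("delete")) or actions.get("moveToFolder") in hide_folder_ids
    if actions.get("markAsRead") and hides:
        reasons.append("marks inbound mail as read and hides it")
    return reasons


def build_isolation_requests(user_id: str, rules: list[dict[str, Any]],
                             hide_folder_ids: frozenset[str] = SAMPLE_HIDE_FOLDER_IDS) -> list[GraphRequest]:
    """Build the plan in the order the article lists: revoke sessions, disable UPN, disable rules."""
    user = f"{GRAPH}/users/{user_id}"
    plan = [
        GraphRequest("POST", f"{user}/revokeSignInSessions"),
        # In a hybrid tenant this PATCH is overwritten by directory sync unless the
        # account is also disabled on-premises, which is the article's hybrid caveat.
        GraphRequest("PATCH", user, {"accountEnabled": False}),
    ]
    for rule in rules:
        if rule.get("isEnabled", True) and suspicious_rule_reasons(rule, hide_folder_ids):
            plan.append(GraphRequest("PATCH", f"{user}/mailFolders/inbox/messageRules/{rule['id']}",
                                     {"isEnabled": False}))
    return plan


def build_release_requests(user_id: str) -> list[GraphRequest]:
    """Re-enable only the identity; disabled rules stay disabled for an admin to review."""
    return [GraphRequest("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": True})]


def execute(plan: list[GraphRequest], send: Callable[[str, str, dict[str, Any] | None], int]) -> list[int]:
    """Run every request in order and return the HTTP status codes for the caller to audit."""
    return [send(req.method, req.url, req.body) for req in plan]


if __name__ == "__main__":
    plan = build_isolation_requests("jane.doe@contoso.example", SAMPLE_RULES)
    # A fake sender stands in for an authenticated client such as
    # requests.request(method, url, json=body, headers={"Authorization": f"Bearer {token}"}).status_code
    statuses = execute(plan, lambda method, url, body: 204)
    for req, status in zip(plan, statuses):
        print(status, req.method, req.url, req.body or "")
```

The plan is built as data before anything is sent, which makes it easy to log or review the exact calls before running them and lets the release path stay deliberately narrower than the isolation path, mirroring the article's note that disabled inbox rules are not re-enabled automatically.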
Resolving the Incident & Re-Enabling the Microsoft UPN
1. Account Admins can resolve the incident manually or leverage Huntress Assisted Remediations to resolve the incident.
2. When the incident report is Resolved, the identity (Microsoft UPN) will automatically be re-enabled.
Hybrid Environments
For hybrid environments where identities are based in an on-premises directory and sync to the cloud (Azure AD/Microsoft 365), isolation depends on your Active Directory (AD) server's setup:
Full Disablement: Hybrid environments where partners have the corresponding on-premises Active Directory server running at least Huntress Agent 0.14.22 are able to have identities disabled during incidents.
Limited Action (No Disablement): If the AD server is either not running Huntress or is running a version older than 0.14.22, attempts to disable identities on the cloud side are quickly overwritten by sync. In this case, the SOC can still revoke existing sessions/log out these identities when sending our incident reports, but cannot disable the account.
Identity Isolation Exclusion Settings
Huntress Managed ITDR Identity Isolation is a critical security feature and is enabled by default for all accounts. Account administrators have two primary methods for managing this feature in Account Settings (Settings > Managed Response):
Turning the Feature On or Off (Master Toggle)
You can turn Identity Isolation off for the entire account using the master toggle in your Account Settings.
⚠️ Disabling the Feature is Not Recommended. Doing so prevents Huntress SOC Analysts from thwarting attackers that have compromised user accounts in your Microsoft 365 environment.
Identity Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual Microsoft 365 UPNs from Huntress Managed ITDR Identity Isolation. This allows you to keep the feature on but exempt specific identities. Note: Excluding an identity from isolation also excludes it from having inbox rules automatically disabled.
How to Exclude: Access Identity Isolation Exclusions by scrolling to the bottom of your Managed Response settings page.
⚠️ Warning: Exclusions should be used sparingly. If malicious activity is detected for an excluded UPN, Huntress will not be authorized to revoke the user session and disable the account on your behalf.
Self-Managed Identity Isolation
Manual Override: Identities can be manually isolated (disabled) and un-isolated (enabled) at any time, regardless of exclusion settings.
Filtering Incident Reports by Response Actions
From the Account or Organization Incident Reports table, you can filter incidents by Response Actions. This allows you to quickly view incidents where an identity was isolated or other specific actions were taken by the SOC.