Team: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
Environment: Huntress Platform
Summary: Describes how Microsoft 365 identity isolation is determined by our system, how to create UPN (user principal name) or organization-level exclusions, and how to manually isolate a Microsoft 365 UPN.
For hybrid environments where identities are based in an on-premises directory and sync to the cloud, attempts to disable identities on the cloud side are quickly overwritten by sync. Therefore, we are no longer attempting to disable identities that are synced from on-premises AD. The Huntress Security Operations Center (SOC) can still revoke existing sessions (log out these identities) when sending our incident reports.
The Huntress SOC determines when an "isolation-worthy" incident has occurred. Often, these are Critical-severity incidents, but not all Critical-severity incidents warrant identity isolation. This Huntress-managed response action can occur when Huntress has detected an incident indicative of hands-on threat actor activity within a partner's Microsoft 365 environment. The current Microsoft 365 user session will be revoked, and the UPN will be disabled, preventing future logins until re-enabled.
Identity isolation will take effect after a Huntress SOC Analyst sends the incident report for the compromised Microsoft 365 UPN. These users will be un-isolated when the associated incident report is resolved. At any time, account administrators can manually re-enable the Microsoft 365 UPN via the Huntress Portal.
All Huntress accounts are opted into Huntress Managed ITDR Identity Isolation by default.
Benefits of Huntress Managed ITDR Identity Isolation
- Compromised Microsoft 365 accounts can lead to Business Email Compromise (BEC) attacks and even sensitive data exfiltration.
- Relying on Huntress's 24 x 7 SOC to disable these compromised accounts is necessary to prevent further compromise and loss when your IT staff are not online to respond.
- These response actions can buy your organization invaluable time when determining and implementing remediation actions.
When do we isolate identities?
If authorized in Account Settings, Huntress's SOC team will assess the need for identity isolation based on the potential impact of the cyber attack. If deemed necessary, the user session will be revoked, and the UPN will be disabled in the partner's Microsoft environment once a SOC Analyst sends the incident report.
Example Attack Pattern:
- Login from a known bad IP address.
- Malicious email forwarding rule set up.
Opting Into Huntress Managed ITDR Identity Isolation
All Huntress accounts are opted in by default. Account administrators can opt out of this feature in Account Settings. Microsoft 365 UPNs that are not explicitly excluded in Exclusion Settings will be eligible for identity isolation.
Disabling Huntress Managed ITDR Identity Isolation will prevent Huntress SOC Analysts from thwarting attackers that have compromised user accounts in your Microsoft 365 environment.
This is not recommended.
If you have a specific Microsoft 365 UPN or an entire organization that you never want isolated, we recommend using Isolation Exclusions.
Automatic Email Rule Disable
When a suspicious inbox rule is detected, we disable the rule so that it stops running and cannot continue acting on the mailbox.
Note: Excluding the identity from isolation will also exclude it from having inbox rules automatically disabled.
At this time, the inbox rules will not be re-enabled if an incident report is rejected. These will need to be manually re-enabled.
Identity Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual Microsoft 365 UPNs from Huntress Managed ITDR Identity Isolation. Exclusions should be used sparingly since excluded UPNs are not eligible for isolation. If malicious activity is detected for an excluded UPN, Huntress will not be authorized to revoke the user session and disable the account on your behalf.
You can access Identity Isolation Exclusions by scrolling to the bottom of your Account Settings page (hamburger menu at the top right, then click on Settings).
Note: Partners will be able to manually isolate and un-isolate specific UPNs, regardless of exclusions.
Self Managed Identity Isolation
Partners can isolate/disable and unisolate/enable users at any time from the Microsoft 365 User Overview Page.
Isolate/Disable and Unisolate/Enable controls (screenshots not reproduced here).
Identity Isolation Scenario
An attacker has compromised a Microsoft 365 user account.
What actions does Huntress take?
1. Huntress identifies a strange login from a suspicious IP address.
2. A SOC Analyst correlates this alert with additional telemetry indicative of new email forwarding rules, which mark all inbound emails as read and move them to the Deleted email folder.
3. The Huntress Analyst handcrafts an incident report to communicate the impact and severity of the events.
4. The report is sent ASAP, and the account (Microsoft UPN) is isolated when sent.
Resolving the Incident & Re-Enabling the Microsoft UPN
1. The partner can resolve the incident manually or by using Huntress Assisted Remediations.
2. When the incident report is Resolved, the account (Microsoft UPN) will automatically be re-enabled.
Filtering Incident Reports by Response Actions
From the Account or Organization Incident Reports table, you can filter incidents by Response Actions.
How does Huntress isolate identities?
Huntress uses the Microsoft Graph API to programmatically interact with a partner's Microsoft 365 environment. We leverage Huntress Portal "tasks" (API calls) to revoke user sessions, disable UPNs and delete malicious inbox rules when necessary.
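The following is an added example, not Huntress's own code: a partner-side PowerShell script that performs the same response actions this article describes (revoke sessions, disable the UPN, disable suspicious inbox rules) through the Microsoft Graph PowerShell SDK, including the hybrid-identity caveat from the note above. It assumes the Microsoft.Graph module is installed and that the caller can consent to the listed scopes; the rule heuristic and the sample UPN are constructed for illustration.

```powershell
# Added example (not Huntress code). Mirrors the article's response actions with the
# Microsoft Graph PowerShell SDK. Assumed scopes: User.ReadWrite.All (revoke + disable)
# and MailboxSettings.ReadWrite (inbox rules).

function Invoke-IdentityIsolation {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $DisableSuspiciousRules
    )

    Connect-MgGraph -Scopes "User.ReadWrite.All","MailboxSettings.ReadWrite" -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled

    # Always revoke sessions/refresh tokens: this works for cloud-only and synced identities.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "Revoked sign-in sessions for $($user.UserPrincipalName)"

    # Only disable cloud-only identities. For users synced from on-premises AD the cloud
    # accountEnabled flag is overwritten by the next sync, so disable them in AD instead.
    if ($user.OnPremisesSyncEnabled) {
        Write-Warning "$($user.UserPrincipalName) is synced from on-premises AD; disable it there."
    } elseif ($user.AccountEnabled) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Write-Host "Disabled $($user.UserPrincipalName)"
    }

    if ($DisableSuspiciousRules) {
        $rules = Get-MgUserMailFolderMessageRule -UserId $user.Id -MailFolderId "inbox" -All
        foreach ($rule in $rules) {
            $a = $rule.Actions
            # Constructed heuristic, not Huntress's detection logic: external forwarding,
            # or the mark-as-read + move-away pattern described in the scenario above.
            $forwards = (@($a.ForwardTo).Count -gt 0) -or (@($a.RedirectTo).Count -gt 0) -or
                        (@($a.ForwardAsAttachmentTo).Count -gt 0)
            $hides = $a.MarkAsRead -and -not [string]::IsNullOrEmpty($a.MoveToFolder)
            if ($rule.IsEnabled -and ($forwards -or $hides)) {
                # Disable rather than delete so the rule is preserved as evidence.
                Update-MgUserMailFolderMessageRule -UserId $user.Id -MailFolderId "inbox" `
                    -MessageRuleId $rule.Id -IsEnabled:$false
                Write-Host "Disabled inbox rule '$($rule.DisplayName)' ($($rule.Id))"
            }
        }
    }
}

# Usage (sample UPN is constructed):
# Invoke-IdentityIsolation -UserPrincipalName "user@contoso.example" -DisableSuspiciousRules
```

Re-enabling after resolution is the reverse of the two writes above (`Update-MgUser -AccountEnabled:$true` and `Update-MgUserMailFolderMessageRule -IsEnabled:$true`), which matches the article's note that disabled rules are not re-enabled automatically.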