Product: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
Environment: Unwanted Access
Summary: The Unwanted Access capability targets adversary tradecraft that attempts to gain unauthorized access to partner or customer Microsoft 365 tenants. That access is usually obtained with stolen credentials (username and password) or stolen session tokens.
The Unwanted Access capability counters this tradecraft with the key functionality described below.
- Session Token Theft Detection
- Credential Theft Detection
- Unwanted Access Rules
- Unexpected Country / VPN Escalations
New UX (Dashboard Previews)
Terminology
Session Token Theft Detection
Session Token Theft is adversary tradecraft that focuses on stealing and re-using an active Microsoft session token to gain unwanted access to an identity. Session token theft bypasses MFA: the stolen token was issued after the victim already completed MFA, so replaying it does not prompt for a second factor. Huntress detects session token theft by looking for changes in key attributes (for example location, operating system, or browser) between login events within the same session.
Credential Theft Detection
Credential Theft is adversary tradecraft that focuses on stealing the username and password for an identity. Credential theft can be mitigated by MFA, but many businesses still do not enforce it. Huntress detects credential theft by examining all non-MFA logins and flagging login events with attributes not previously seen for that identity.
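As an added example (not Huntress code, and not a description of Huntress's actual detectors), the two detection approaches described above, implemented as toy detectors over constructed sign-in events. Field names such as session_id and mfa are assumptions loosely modelled on Entra sign-in log fields; the expected_countries parameter mirrors how Expected locations are excluded from credential theft detection.

```python
"""Toy session-token-theft and credential-theft detectors (added example, not Huntress code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: str          # ISO-8601 timestamp (sorts lexicographically)
    user: str
    session_id: str  # assumed: shared by every sign-in that reuses one session token
    country: str
    os: str
    browser: str
    mfa: bool        # True when the sign-in satisfied MFA or carried the session's MFA claim


# Attributes that should stay stable for the lifetime of one browser session.
KEY_ATTRS = ("country", "os", "browser")


def detect_session_token_theft(events):
    """Compare each sign-in with the first sign-in of the same session.

    A session token is minted for one browser on one device; when the same
    session later shows up from a different OS, browser or country, the token
    has most likely been replayed by someone else. MFA does not help here
    because the stolen token already carries the satisfied-MFA claim.
    """
    baseline = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = baseline.setdefault(ev.session_id, ev)
        if first is ev:
            continue
        changed = tuple(a for a in KEY_ATTRS if getattr(ev, a) != getattr(first, a))
        if changed:
            alerts.append((ev.user, ev.session_id, ev.ts, changed))
    return alerts


def detect_credential_theft(events, expected_countries=frozenset()):
    """Flag non-MFA sign-ins that introduce an attribute never seen for that user.

    Every sign-in (MFA or not) feeds the per-user baseline; only non-MFA
    sign-ins can alert, since a password alone is all the attacker has.
    Countries marked Expected by an Unwanted Access rule are suppressed.
    """
    seen = defaultdict(lambda: {a: set() for a in KEY_ATTRS})
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        history = seen[ev.user]
        is_first = not any(history.values())
        new = tuple(a for a in KEY_ATTRS if getattr(ev, a) not in history[a])
        for a in KEY_ATTRS:
            history[a].add(getattr(ev, a))
        if is_first:
            continue  # a real detector would seed the baseline from historical logs
        if not ev.mfa and new and ev.country not in expected_countries:
            alerts.append((ev.user, ev.ts, new))
    return alerts


SAMPLE = [  # constructed sign-in events, not real log data
    SignIn("2024-06-01T10:00:00Z", "alice@example.com", "s1", "US", "Windows", "Edge", True),
    SignIn("2024-06-01T10:30:00Z", "alice@example.com", "s1", "NG", "Linux", "Chrome", True),
    SignIn("2024-06-01T09:00:00Z", "bob@example.com", "s2", "US", "Windows", "Edge", False),
    SignIn("2024-06-01T11:00:00Z", "bob@example.com", "s3", "US", "Windows", "Edge", False),
    SignIn("2024-06-01T12:00:00Z", "bob@example.com", "s4", "RU", "Windows", "Firefox", False),
    SignIn("2024-06-01T08:00:00Z", "carol@example.com", "s5", "US", "macOS", "Safari", False),
    SignIn("2024-06-01T13:00:00Z", "carol@example.com", "s6", "DE", "macOS", "Safari", False),
]

if __name__ == "__main__":
    print("token theft:", detect_session_token_theft(SAMPLE))
    print("credential theft:", detect_credential_theft(SAMPLE, expected_countries={"DE"}))
```

Alice's second sign-in reuses session s1 from a different country, OS and browser and is flagged as token replay even though the session is MFA-satisfied; Bob's password-only sign-in from a new country and browser is flagged as credential theft; Carol's sign-in from Germany is suppressed once DE is an Expected location.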
Unwanted Access Rules
Unwanted Access rules are a feature of the Unwanted Access capability. These rules allow partners to mark locations and VPNs as either Expected or Unauthorized. Expected locations and VPNs will not trigger the credential theft detectors. Rules set at the identity level override rules set at the organization level, which override rules set at the account level. Logins from Unauthorized locations and VPNs will immediately generate a Critical alert and will log out and disable the associated identity.
Unexpected Country/VPN Escalations
New login events from countries that do not match an existing Unwanted Access Rule and that do not match the identity's Microsoft Entra usage location (the license usage location) will trigger an Unexpected Country escalation within the Huntress portal. These escalations roll up all unexpected logins for that country and Huntress organization into the same escalation. New unexpected logins for that country will continue to be added to the escalation until the escalation is resolved by creating a rule.
New login events from VPNs that do not match an existing Unwanted Access Rule will trigger an Unexpected VPN escalation within the Huntress portal. These escalations roll up all unexpected logins for that VPN and Huntress organization into the same escalation. New unexpected logins for that VPN will continue to be added to the escalation until the escalation is resolved by creating a rule.
Identities with no Microsoft Entra usage location set will receive a No Entra Usage Location Set escalation. This escalation provides instructions on how to set the identity's usage location within Entra, and it can be resolved by the partner. After the escalation is resolved, the partner will not receive a new escalation for the identities that were included in it.
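The rule precedence and escalation roll-up behaviour described above, as an added example in Python (not Huntress code). The rule levels, login fields and method names are assumptions. It shows identity rules overriding organization rules overriding account rules, an Unauthorized match raising a Critical alert and disabling the identity, Unexpected Country and VPN escalations rolling up per organization until a rule resolves them, and the No Entra Usage Location Set escalation being resolved by the partner without re-escalating the same identities.

```python
"""Toy model of Unwanted Access rule precedence and escalation roll-up (added example, not Huntress code)."""
from collections import defaultdict

# Rule scopes from most to least specific: identity rules override organization
# rules, which override account rules.
LEVELS = ("identity", "organization", "account")


class UnwantedAccess:
    def __init__(self):
        self.rules = {}                       # (level, scope_id, kind, value) -> verdict
        self.escalations = defaultdict(list)  # (kind, org, value) -> rolled-up logins
        self.alerts = []                      # (identity, kind, value) Critical alerts
        self.disabled = set()                 # identities logged out and disabled
        self.usage_loc_resolved = set()       # identities covered by a resolved escalation

    def _lookup(self, login, kind, value):
        """Return the effective verdict for one attribute, honouring precedence."""
        scope = {"identity": login["identity"],
                 "organization": login["org"],
                 "account": login["account"]}
        for level in LEVELS:
            verdict = self.rules.get((level, scope[level], kind, value))
            if verdict is not None:
                return verdict
        return None

    def add_rule(self, level, scope_id, kind, value, verdict):
        assert level in LEVELS and kind in ("country", "vpn")
        assert verdict in ("expected", "unauthorized")
        self.rules[(level, scope_id, kind, value)] = verdict
        # Creating a rule is what resolves an Unexpected Country / VPN escalation:
        # close every open escalation whose rolled-up logins now match a rule.
        for key in list(self.escalations):
            esc_kind, _org, esc_value = key
            if esc_kind == kind and esc_value == value:
                first = self.escalations[key][0]
                if self._lookup(first, kind, value) is not None:
                    del self.escalations[key]

    def resolve_no_usage_location(self, org):
        """Partner resolves the No Entra Usage Location Set escalation for an org."""
        for login in self.escalations.pop(("no_usage_location", org, None), []):
            self.usage_loc_resolved.add(login["identity"])

    def process(self, login):
        """Evaluate one login; returns the outcome per attribute kind."""
        outcome = {}
        for kind, value in (("country", login["country"]), ("vpn", login.get("vpn"))):
            if value is None:
                continue  # login did not come through a VPN
            verdict = self._lookup(login, kind, value)
            if verdict == "unauthorized":
                self.alerts.append((login["identity"], kind, value))
                self.disabled.add(login["identity"])
                outcome[kind] = "critical"
            elif verdict == "expected":
                outcome[kind] = "expected"
            elif kind == "vpn":
                self.escalations[("vpn", login["org"], value)].append(login)
                outcome[kind] = "escalated"
            elif login.get("usage_location") is None:
                # Assumption: the usage location is only consulted when no rule matches.
                if login["identity"] in self.usage_loc_resolved:
                    outcome[kind] = "none"
                else:
                    self.escalations[("no_usage_location", login["org"], None)].append(login)
                    outcome[kind] = "escalated"
            elif value != login["usage_location"]:
                self.escalations[("country", login["org"], value)].append(login)
                outcome[kind] = "escalated"
            else:
                outcome[kind] = "none"
        return outcome


def login(identity, country, usage_location="US", vpn=None, org="org1", account="acct1"):
    """Constructed login record; field names are assumptions, not a real log schema."""
    return {"identity": identity, "org": org, "account": account,
            "country": country, "usage_location": usage_location, "vpn": vpn}


def run_scenario():
    ua = UnwantedAccess()
    ua.add_rule("account", "acct1", "country", "US", "expected")
    ua.add_rule("organization", "org1", "vpn", "ExampleVPN", "unauthorized")
    ua.add_rule("identity", "alice@example.com", "vpn", "ExampleVPN", "expected")
    results = []
    results.append(ua.process(login("alice@example.com", "US", vpn="ExampleVPN")))  # identity rule wins
    results.append(ua.process(login("bob@example.com", "US", vpn="ExampleVPN")))    # org rule: Critical
    results.append(ua.process(login("carol@example.com", "FR")))                    # opens FR escalation
    results.append(ua.process(login("dave@example.com", "FR")))                     # rolls into it
    ua.add_rule("organization", "org1", "country", "FR", "expected")                # resolves it
    results.append(ua.process(login("erin@example.com", "FR")))                     # now expected
    results.append(ua.process(login("frank@example.com", "CA", usage_location=None)))
    ua.resolve_no_usage_location("org1")                                            # partner resolves
    results.append(ua.process(login("frank@example.com", "CA", usage_location=None)))  # not re-escalated
    results.append(ua.process(login("grace@example.com", "CA", usage_location=None)))  # new identity, new escalation
    return ua, results


if __name__ == "__main__":
    ua, results = run_scenario()
    for r in results:
        print(r)
    print("alerts:", ua.alerts, "disabled:", ua.disabled, "open:", dict(ua.escalations))
```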
New UX
Unwanted Access Dashboard
Unwanted Access Rules