Beginning at 0900 UTC on April 19th, Huntress started receiving reports from multiple partners regarding Leaked Credentials alerts from Microsoft.
Upon deeper investigation leveraging open-source research and social media, Huntress identified the addition of a new Microsoft first-party application called "MACE Credential Revocation" to roughly 1,500 Huntress-protected tenants.
We currently suspect that this application is directly linked to the reports from Microsoft.
Huntress cannot independently verify whether or not these alerts are false positives but continues to protect all tenants from malicious access.
Partners can check for this new Microsoft application in their Huntress Rogue Applications dashboard.
The process to check for the presence of this app is as follows:
1: Open the Rogue Applications dashboard by going from ITDR to Rogue Applications
2: Select "View All Installed Apps"
3: Type in "Mace" and hit enter.
If the application is present within your tenant, you should find it here, along with the timestamp associated with the install. Partners can use this information to determine whether the recent "Leaked Credential" reports they have received might be associated with this application.