Summary of the incident
Over the past two weeks, Huntress has been observing a new phishing campaign that uses device code phishing tactics and originates from the infrastructure of Railway (a popular platform-as-a-service provider). Our team has observed advanced tactics during this campaign, including personalized AI-built phishing lures designed to evade email filtering solutions and convince users to complete an attacker-initiated device code sign-in, which gives the attacker access to the account.
How to tell if you are impacted
Partners can tell whether they have been hit by this campaign if Huntress has sent them an incident report in the past two weeks citing a threat actor IP associated with Railway infrastructure (the IP ranges are listed under Technical Details).
Huntress has reported on and remediated all instances of this phishing campaign that we have seen to date.
Why have only some of my tenants received the mitigation?
My tenants meet the requirements but haven't received the conditional access policy?
The team is currently evaluating a way to deploy this policy continuously to newly onboarded tenants and to tenants that meet the requirements. At this time there is no automated solution available, and because this attack has been so prevalent we want to ensure our partners are protected as quickly as possible. If you don't currently have the CA policy enabled, we have included its definition below so you can deploy it manually. If that isn't possible for whatever reason, please let SOC Support know and we can raise a request on your behalf.
Will Huntress continue to update this policy with new malicious infrastructure?
At present we won't be updating this CA policy with additional malicious infrastructure; however, the team is evaluating a way to build this into the product in the future that works within the limitations of Entra.
Technical Details
Conditional Access Policy Overview:
| Conditional Access Parameter | Value |
|---|---|
| Users or agents | All users included; excluded: [HUNTRESS MANAGED] CAP - Emergency Access Exclusion |
| Target resources | All resources |
| Network | [HUNTRESS MANAGED] Confirmed Adversary Infrastructure |
| Conditions (Locations) | [HUNTRESS MANAGED] Confirmed Adversary Infrastructure |
| Grant | Block access |
Objects Created:
[HUNTRESS MANAGED] CAP - Emergency Access Exclusion (security group):
Empty by default. Microsoft's guidance (and the portal warning) for "all users" block policies is to exclude emergency access accounts so they cannot be locked out; add your break-glass accounts to this group.
[HUNTRESS MANAGED] Confirmed Adversary Infrastructure (named location):
Confirmed adversary infrastructure, containing the current list of known IP addresses used by Railway in CIDR notation:
IPv4:
152.55.176.0/20
162.220.232.0/22
208.77.244.0/22
66.33.22.0/23
69.46.46.0/24
69.9.164.0/22
IPv6:
2607:99c0::/32
Policy Removal
If your tenant already includes a policy that blocks the device code authentication flow, or you do not wish to keep this policy in place, you can remove it with the following steps.
- Sign in to the Microsoft Entra admin center (entra.microsoft.com) with an account holding at least the Conditional Access Administrator role.
- Navigate to Entra ID > Conditional Access > Policies.
- Select the policy, then select Delete.
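For partners who need to deploy the policy manually (the FAQ answer above) or who prefer to remove it through an API rather than the portal steps just given, here is an added example, not Huntress's own tooling, that creates and deletes the same objects through Microsoft Graph v1.0 from Python. It assumes a bearer token in a GRAPH_TOKEN environment variable holding the Policy.ReadWrite.ConditionalAccess and Group.ReadWrite.All permissions, and it uses a policy display name of my choosing ([HUNTRESS MANAGED] Block Confirmed Adversary Infrastructure) because the page does not state one. It also reuses the CIDR list to triage sign-in records for the Railway IPs mentioned under "How to tell if you are impacted"; the sign-in lines are constructed for the demo and are not real telemetry.

```python
"""Deploy, remove, or triage with the Railway block policy via Microsoft Graph v1.0.

Added example, not Huntress tooling. Assumptions: GRAPH_TOKEN env var holds a
bearer token with Policy.ReadWrite.ConditionalAccess + Group.ReadWrite.All;
the policy display name below is my own choice (the page gives none).
"""
import ipaddress
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# CIDR ranges exactly as listed on the page (Railway infrastructure).
RAILWAY_RANGES = [
    "152.55.176.0/20", "162.220.232.0/22", "208.77.244.0/22",
    "66.33.22.0/23", "69.46.46.0/24", "69.9.164.0/22",
    "2607:99c0::/32",
]
NETWORKS = [ipaddress.ip_network(c) for c in RAILWAY_RANGES]

GROUP_NAME = "[HUNTRESS MANAGED] CAP - Emergency Access Exclusion"
LOCATION_NAME = "[HUNTRESS MANAGED] Confirmed Adversary Infrastructure"
POLICY_NAME = "[HUNTRESS MANAGED] Block Confirmed Adversary Infrastructure"  # assumed name

# Constructed sign-in records: "timestamp,upn,ip,result". Not real telemetry.
SAMPLE_SIGN_INS = [
    "2025-01-10T09:12:03Z,alice@example.com,152.55.191.7,success",
    "2025-01-10T09:15:44Z,bob@example.com,203.0.113.5,success",
    "2025-01-10T09:20:10Z,carol@example.com,2607:99c0:1234::9,success",
    "2025-01-10T09:21:00Z,dave@example.com,66.33.24.1,failure",   # just past the /23
]


def matching_range(ip):
    """Return the Railway CIDR (as a string) containing ip, or None. IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def triage_sign_ins(lines):
    """Flag sign-ins whose source IP falls inside any Railway range."""
    hits = []
    for line in lines:
        ts, upn, ip, result = line.split(",")
        rng = matching_range(ip)
        if rng:
            hits.append({"time": ts, "user": upn, "ip": ip, "range": rng, "result": result})
    return hits


def named_location_body():
    """ipNamedLocation payload; isTrusted stays False because these are adversary ranges."""
    ranges = []
    for net in NETWORKS:
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": LOCATION_NAME, "isTrusted": False, "ipRanges": ranges}


def policy_body(location_id, exclusion_group_id, state="enabled"):
    """Policy mirroring the table: all users minus the break-glass group, all resources,
    location = adversary ranges, grant = block. Pass
    state='enabledForReportingButNotEnforced' to test against sign-in logs first."""
    return {
        "displayName": POLICY_NAME,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclusion_group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _graph(method, path, body=None):
    """Minimal Graph call using the GRAPH_TOKEN bearer token (assumption)."""
    token = os.environ["GRAPH_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # DELETE returns 204 with an empty body
        return json.loads(raw) if raw else None


def deploy():
    """Create exclusion group, named location, then the policy; returns the policy object."""
    group = _graph("POST", "/groups", {
        "displayName": GROUP_NAME, "mailEnabled": False, "securityEnabled": True,
        "mailNickname": "huntress-cap-emergency-access-exclusion"})
    loc = _graph("POST", "/identity/conditionalAccess/namedLocations", named_location_body())
    return _graph("POST", "/identity/conditionalAccess/policies",
                  policy_body(loc["id"], group["id"]))


def remove_policy():
    """API equivalent of the portal removal steps: delete the policy by display name."""
    for pol in _graph("GET", "/identity/conditionalAccess/policies")["value"]:
        if pol["displayName"] == POLICY_NAME:
            _graph("DELETE", f"/identity/conditionalAccess/policies/{pol['id']}")
            return pol["id"]
    return None
```

Before running `deploy()`, put your emergency access accounts into the exclusion group the script creates; `triage_sign_ins` is deliberately strict about CIDR boundaries (66.33.24.1 sits one address past 66.33.22.0/23 and is not flagged), so export the real sign-in logs in the same four-column shape to check past activity against the ranges.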