Blog
/
/
February 24, 2021

LockBit Ransomware Analysis: Compromised Credentials

Darktrace examines how a LockBit ransomware attack that took place over just four hours was caused by one compromised credential. Read more here.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
24
Feb 2021

Lockbit ransomware found

LockBit ransomware was recently identified by Darktrace's Cyber AI during a trial with a retail company in the US. After an initial foothold was established via a compromised administrative credential, internal reconnaissance, lateral movement, and encryption of files occurred simultaneously, allowing the ransomware to steamroll through the digital system in just a few hours.

This incident serves as the latest reminder that ransomware campaigns now move through organizations at a speed that far outpaces human responders, demonstrating the need for machine-speed Autonomous Response to contain the threat before damage is done.

Lockbit ransomware defined

First discovered in 2019, LockBit is a relatively new family of ransomware that quickly exploits commonly available protocols and tools like SMB and PowerShell. It was originally known as ‘ABCD’ due the filename extension of the encrypted files, before it started using the current .lockbit extension. Since those early beginnings, it has evolved into one of the most calamitous strains of malware to date, asking for an average ransom of around $40,000 per organization.

As cyber-criminals level up the speed and scale of their attacks, ransomware remains a critical concern for organizations across every industry. In the past 12 months, Darktrace has observed an increase of over 20% in ransomware incidents across its customer base. Attackers are constantly developing new threat variants targeting exploits, utilizing off-the-shelf tools, and profiting from the burgeoning Ransomware-as-a-Service (RaaS) business model.

How does LockBit work?

In a typical attack, a threat actor will spend days or weeks inside a system, manually screening for the best way to grind the victim’s business to a halt. This phase tends to expose multiple indicators of compromise such as command and control (C2) beaconing, which Darktrace AI identifies in real time.

LockBit, however, only requires the presence of a human for a number of hours, after which it propagates through a system and infects other hosts on its own, without the need for human oversight. Crucially, the malware performs reconnaissance and continues to spread during the encryption phase. This allows it to cause maximal damage faster than other manual approaches.

AI-powered defense is essential in fighting back against these machine-driven attacks, which have the capacity to spread at speed and scale, and often go undetected by signature-based security tools. Cyber AI augments human teams by not only detecting the subtle signs of a threat, but autonomously responding in seconds, quicker than any human can be expected to react.

Ransomware analysis: Breaking down a LockBit attack with AI

Figure 1: Timeline of attack on the infected host and the encryption host. The infected host was the device initially infected with LockBit, which then spread to the encryption host, the device which performed the encryption.

Initial compromise

The attack commenced when a cyber-criminal gained access to a single privileged credential – either through a brute-force attack on an externally facing device, as seen in previous LockBit ransomware attacks, or simply with a phishing email. With the use of this credential, the device was able to spread and encrypt files within hours of the initial infection.

Had the method of infiltration been via phishing attack, a route that has become increasingly popular in recent months, Darktrace/ EMAIL would have withheld the email and stripped the malicious payloads, and so prevented the attack from the outset.

Limiting permissions, the use of strong passwords, and multi-factor authentication (MFA), are critical in preventing the exploitation of standard network protocols in such attacks.

Internal reconnaissance

At 14:19 local time, the first of many WMI commands (ExecMethod) to multiple internal destinations was performed by an internal IP address over DCE-RPC. This series of commands occurred throughout the encryption process. Given these commands were unusual in the context of the normal ‘pattern of life’ for the organization, Darktrace DETECT alerted the security team to each of these connections.

Within three minutes, the device had started to write executable files over SMB to hidden shares on multiple destinations – many of which were the same. File writes to hidden shares are ordinarily restricted. However, the unauthorized use of an administrative credential granted these privileges. The executable files were written to the Windows / Temp directory. Filenames had a similar formatting: .*eck[0-9]?.exe

Darktrace identified each of these SMB writes as a potential threat, since such administrative activity was unexpected from the compromised device.

The WMI commands and executable file writes continued to be made to multiple destinations. In less than two hours, the ExecMethod command was delivered to a critical device – the ‘encryption host’ – shortly followed by an executable file write (eck3.exe) to its hidden c$ share.

LockBit’s script has the capability to check its current privileges and, if non-administrative, it attempts to bypass using Windows User Account Control (UAC). This particular host did provide the required privileges to the process. Once this device was infected, encryption began.

File encryption

Only one second after encryption had started, Darktrace alerted on the unusual file extension appendage in addition to the previous, high-fidelity alerts for earlier stages of the attack lifecycle.

A recovery file – ‘Restore-My-Files.txt’ – was identified by Darktrace one second after the first encryption event. 8,998 recovery files were written, one to each encrypted folder.

An example of Darktrace’s Threat Visualizer showcasing anomalous SMB connections, with model breaches represented by dots.
Figure 2: An example of Darktrace’s Threat Visualizer showcasing anomalous SMB connections, with model breaches represented by dots.

The encryption host was a critical device that regularly utilized SMB. Exploiting SMB is a popular tactic for cyber-criminals. Such tools are so frequently used that it is difficult for signature-based detection methods to identify quickly whether their activity is malicious or not. In this case, Darktrace’s ‘Unusual Activity’ score for the device was elevated within two seconds of the first encryption, indicating that the device was deviating from its usual pattern of behavior.

Throughout the encryption process, Darktrace also detected the device performing network reconnaissance, enumerating shares on 55 devices (via srvsvc) and scanning over 1,000 internal IP addresses on nine critical TCP ports.

During this time, ‘Patient Zero’ – the initially infected device – continued to write executable files to hidden file shares. LockBit was using the initial device to spread the malware across the digital estate, while the ‘encryption host’ performed reconnaissance and encrypted the files simultaneously.

Despite Cyber AI detecting the threat even before the encryption had begun, the security team did not have eyes on Darktrace at the time of the attack. The intrusion was thus allowed to continue and over 300,000 files were encrypted and appended with the .lockbit extension. Four servers and 15 desktop devices were affected, before the attack was stopped by the administrators.

The rise of ‘hit and run’ ransomware

While most ransomware resides inside an organization for days or weeks, LockBit’s self-governing nature allows the attacker to ‘hit and run’, deploying the ransomware with minimal interaction required after the initial intrusion. The ability to detect anomalous activity across the entire digital infrastructure in real time is therefore crucial in LockBit’s prevention.

WMI and SMB are relied upon by the vast majority of companies around the world, and yet they were utilized in this attack to propagate through the system and encrypt hundreds of thousands of files. The prevalence and volume of these connections make them near-impossible to monitor with humans or signature-based detection techniques alone.

Moreover, the uniqueness of every enterprise’s digital estate impedes signature-based detection from effectively alerting on internal connections and the volume of such connections. Darktrace, however, uses machine learning to understand the individual pattern of behavior for each device, in this case allowing it to highlight the unusual internal activity as it occurred.

The organization involved did not have Darktrace’s Autonomous Response technology configured in active mode. If enabled, i would have surgically blocked the initial WMI operations and SMB drive writes that triggered the attack whilst allowing the critical network devices to continue standard operations. Even if the foothold had been established, D would have enforced the ‘pattern of life’ of the encryption host, preventing the cascade of encryption over SMB. This demonstrates the importance of meeting machine-speed attacks with autonomous cyber security, which reacts in real time to sophisticated threats when human security teams cannot.

LockBit has the ability to encrypt thousands of files in just seconds, even when targeting well-prepared organizations. This type of ransomware, with built-in worm-like functionality, is expected to become increasingly common over 2021. Such attacks can move at a speed which no human security team alone can match. Darktrace’s approach, which uses unsupervised machine learning, can respond in seconds to these rapid attacks and shut them down in their earliest stages.

Thanks to Darktrace analyst Isabel Finn for her insights on the above threat find.

Darktrace model detections:

  • Device / New or Uncommon WMI Activity
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous Connection / SMB Enumeration
  • Device / Network Scan – Low Anomaly Score
  • Anomalous Connection / Sustained MIME Type Conversion
  • Anomalous Connection / Suspicious Read Write Ratio
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / Large Number of Model Breaches

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

More in this series

No items found.

Blog

/

/

April 30, 2025

Boosting Security with Azure Virtual Network TAP Traffic Mirroring

Man sitting at computerDefault blog imageDefault blog image

We are thrilled to announce that Darktrace is a launch partner for the Public Preview of Microsoft Azure Virtual Network Terminal Access Point (TAP). As Microsoft's 2024 UK Partner of the Year, we continue to innovate alongside Microsoft to deliver proactive cyber protection tailored to every organization.

Enhanced Defense Across the Modern Network

Modern networks are expanding far beyond on-premises into virtual environments, cloud and hybrid networks. More than 50% of incidents will come from cloud network activity by 2029, meaning defenders need a solution that can level the playing field against complex attacks that traverse multiple areas of a digital estate, including north-south and east-west traffic.

With Azure Virtual Network TAP, Darktrace’s self-learning AI gains seamless access to granular packet data in hybrid environments. This integration helps our Cyber AI platform build a comprehensive understanding of a customers’ Azure network. Microsoft's recent enhancement allows Virtual Network TAP to mirror the full throughput of VMs without impacting VM bandwidth, enabling agentless Cyber AI defense across these instances.

Darktrace's Cyber AI provides real-time visibility and adaptive, autonomous defense for your Microsoft security strategy. Our platform continuously learns the normal behavior of every user, device, and workload in your environment. This deep understanding of usual 'patterns of life' enables Darktrace to detect subtle deviations that indicate threats, from account takeovers to critical misconfigurations.

Our bespoke, real-time knowledge of usual activity allows Darktrace to identify unknown and unpredictable threats that bypass policy-based defenses—without relying on rules, signatures, or prior assumptions. This approach is a powerful compliment to Microsoft’s unprecedented threat intelligence.

Expanding Azure Virtual Network TAP

Azure Virtual Network TAP allows continuous streaming of virtual machine network traffic, which customers can leverage for Darktrace’s AI-driven threat detection and investigation. Darktrace / NETWORK passively ingests traffic from on-premises, virtual, cloud, hybrid environments, and remote devices, analyzing both encrypted and decrypted packets to uncover unusual activity in real-time. Unlike other NDR vendors that process data in the cloud, our industry-leading Self-Learning AI is deployed locally and trained solely on your data, ensuring tailored security outcomes without compromising privacy.

Benefits to Darktrace Customers

Darktrace customers will experience enhanced security through deeper insights into network traffic, enabling more accurate threat detection and response. The ability to mirror full VM throughput without affecting bandwidth ensures optimal performance, while agentless defense reduces barrier to entry and simplifies management. Customers benefit from proactive protection by continuously monitoring and analyzing traffic to identify and mitigate threats before they cause harm. Additionally, seamless integration with existing Azure environments leverages the power of Darktrace’s AI for enhanced security.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security

Blog

/

/

April 29, 2025

MFA Under Attack: AiTM Phishing Kits Abusing Legitimate Services

fingerprintDefault blog imageDefault blog image

In late 2024 and early 2025, the Darktrace Security Operations Center (SOC) investigated alerts regarding separate cases of Software-as-a-Service (SaaS) account compromises on two customer environments that presented several similarities, suggesting they were part of a wider phishing campaign.

This campaign was found to leverage the project collaboration and note-taking application, Milanote, and the Tycoon 2FA phishing kit.

Legitimate services abused

As highlighted in Darktrace's 2024 Annual Threat Report [1], threat actors are abusing legitimate services, like Milanote, in their phishing campaigns. By leveraging these trusted platforms and domains, malicious actors can bypass traditional security measures, making their phishing emails appear benign and increasing the likelihood of successful attacks.

Darktrace categorizes these senders and platforms as free content senders. These services allow users to send emails containing custom content (e.g., files) from fully validated, fixed service address belonging to legitimate corporations. Although some of these services permit full body and subject customization by attackers, the structure of these emails is generally consistent, making it challenging to differentiate between legitimate and malicious emails.

What is Tycoon 2FA?

Tycoon 2FA is an Adversary-in-the-Middle (AitM) phishing kit, first seen in August 2023 and distributed via the Phishing-as-a-Service (PhaaS) model [2]. It targets multi-factor authentication (MFA) by intercepting credentials and MFA tokens during authentication on fake Microsoft or Google login pages. The attacker captures session cookies after MFA is completed, allowing them to replay the session and access the user account, even if credentials are reset. The rise in MFA use has increased the popularity of AitM phishing kits like Tycoon 2FA and Mamba 2FA, another AiTM phishing kit investigated by Darktrace.

Initial access via phishing email

At the beginning of 2025, Darktrace observed phishing emails leveraging Milanote being sent to multiple internal recipients in an organization. In this attack, the same email was sent to 19 different users, all of which were held by Darktrace.

The subject line of the emails mentioned both a legitimate internal user of the company, the company name, as well as a Milanote board regarding a “new agreement” in German. It is a common social engineering technique to mention urgent matters, such as unpaid invoices, expired passwords, or awaiting voicemails, in the subject line to prompt immediate action from the user. However, this tactic is now widely covered in phishing awareness training, making users more suspicious of such emails. In this case, while the subject mentioned a “new agreement,” likely raising the recipient’s curiosity, the tone remained professional and not overly alarming. Additionally, the mention of a colleague and the standardized language typical of free content sender emails further helped dispel concerns regarding the email.

These emails were sent by the legitimate address support@milanote[.]com and referenced "Milanote" in the personal field of the header but originated from the freemail address “ahnermatternk.ef.od.13@gmail[.]com”. Darktrace / EMAIL recognized that none of the recipients had previously received a file share email from Milanote, making this sender unfamiliar in the customer's email environment

The emails contained several benign links to legitimate Milanote endpoints (including an unsubscribe link) which were not flagged by Darktrace. However, they also included a malicious link designed to direct recipients to a pre-filled credential harvesting page hosted on Milanote, prompting them to register for an account. Despite not blocking the legitimate Milanote links in the same email, Darktrace locked the malicious link, preventing users from visiting the credential harvester.

Credential harvesting page sent to recipients, as seen in. sandbox environment.
Figure 1: Credential harvesting page sent to recipients, as seen in. sandbox environment.

Around one minute later, one recipient received a legitimate email from Milanote confirming their successful account registration, indicating they had accessed the phishing page. This email had a lower anomaly score and was not flagged by Darktrace / EMAIL because, unlike the first email, it did not contain any suspicious links and was a genuine account registration notification. Similarly, in the malicious Milanote email, only the link leading to the phishing page was blocked, while the benign and legitimate Milanote links remained accessible, demonstrating Darktrace’s precise and targeted actioning.

A legitimate and a malicious Milanote email received by one recipient.
Figure 2: A legitimate and a malicious Milanote email received by one recipient.

Around the same time, Darktrace / NETWORK observed the same user’s device making DNS query for the domain name “lrn.ialeahed[.]com” , which has been flagged as a Tycoon 2FA domain [2], suggesting the use of this phishing platform.

Once the user had entered their details in the credential harvester, it is likely that they were presented a document hosted on Milanote that contained the final payload link – likely hidden behind text instructing users to access a “new agreement” document.

External research indicates that the user was likely directed to a Cloudflare Turnstile challenge meant to reroute unwanted traffic, such as automated security scripts and penetration testing tools [2] [3]. After these checks and other background processes are completed, the user is directed to the final landing page. In this case, it was likely a fake login prompt hosted on the attacker’s server, where the user is asked to authenticate to their account using MFA. By burrowing malicious links and files in this manner, threat actors can evade analysis by traditional security email gateways, effectively bypassing their protection.

Darktrace’s analysis of the structure and word content of the phishing emails resulted in an 82% probability score that the email was malicious, and the email further received a 67% phishing inducement score, representing how closely the structure and word content of the emails compared to typical phishing emails.

All these unusual elements triggered multiple alerts in Darktrace / EMAIL, focusing on two main suspicious aspects: a new, unknown sender with no prior correspondence with the recipients or the environment, and the inclusion of a link to a previously unseen file storage solution.

Milanote phishing email as seen within Darktrace / EMAIL.
Figure 3: Milanote phishing email as seen within Darktrace / EMAIL.

After detecting the fifth email, the “Sender Surge” model alert was triggered in Darktrace / EMAIL due to a significant number of recipients being emailed by this new suspicious sender in a short period. These recipients were from various departments across the customer’s organization, including sales, marketing, purchasing, and production. Darktrace / EMAIL determined that the emails were sent to a highly unusual group of internal recipients, further raising doubts about the business legitimacy.

Darktrace / EMAIL suggested actions to contain the attack by holding all Milanote phishing emails back from recipient’s inboxes, except for the detailed email with locked links. However, autonomous actions were not enabled at the time, allowing the initial email to reach recipients' inboxes, providing a brief window for interaction. Unfortunately, during this window, one recipient clicked on the Milanote payload link, leading to the compromise of their account.

SaaS account takeover

About three minutes after the malicious Milanote email was received, Darktrace / IDENTITY detected an unusual login to the email recipient’s SaaS account. The SaaS actor was observed accessing files from their usual location in Germany, while simultaneously, a 100% rare login occurred from a location in the US that had never been seen in the customer’s environment before. This login was also flagged as suspicious by Microsoft 365, triggering a 'Conditional Access Policy' that required MFA authentication, which was successfully completed.

Tycoon 2FA adnimistration panel login page dated from October 2023 [3].
Figure 4: Tycoon 2FA adnimistration panel login page dated from October 2023 [3].

Despite the successful authentication, Darktrace / IDENTITY recognized that the login from this unusual location, coupled with simultaneous activity in another geographically distant location, were highly suspicious. Darktrace went on to observe MFA-validated logins from three separate US-based IP addresses: 89.185.80[.]19, 5.181.3[.]68, and 38.242.7[.]252. Most of the malicious activity was performed from the latter, which is associated with the Hide My Ass (HMA) VPN network [5].

Darktrace’s detection of the suspicious login from the US while the legitimate user was logged in from Germany.
Figure 5: Darktrace’s detection of the suspicious login from the US while the legitimate user was logged in from Germany.
Darktrace’s detection of the suspicious login following successful MFA authentication.
Figure 6: Darktrace’s detection of the suspicious login following successful MFA authentication.

Following this, the malicious actor accessed the user’s inbox and created a new mailbox rule named “GTH” that deleted any incoming email containing the string “milanote” in the subject line or body. Rules like this are a common technique used by attackers to leverage compromised accounts for launching phishing campaigns and concealing replies to phishing emails that might raise suspicions among legitimate account holders. Using legitimate, albeit compromised, accounts to send additional phishing emails enhances the apparent legitimacy of the malicious emails. This tactic has been reported as being used by Tycoon 2FA attackers [4].

The attacker accessed over 140 emails within the legitimate user’s inbox, including both the inbox and the “Sent Items” folder. Notably, the attacker accessed five emails in the “Sent Items” folder and modified their attachments. These emails were mainly related to invoices, suggesting the threat actor may have been looking to hijack those email threads to send fake invoices or replicate previous invoice emails.

Darktrace’s Cyber AI AnalystTM launched autonomous investigations into the individual events surrounding this suspicious activity. It connected these separate events into a single, broad account takeover incident, providing the customer with a clearer view of the ongoing compromise.

Cyber AI Analyst’s detection of unusual SaaS account activities in a single incident.
Figure 7: Cyber AI Analyst’s detection of unusual SaaS account activities in a single incident.
Cyber AI Analyst investigation of suspicious activities performed by the attacker.
Figure 8: Cyber AI Analyst investigation of suspicious activities performed by the attacker.

Darktrace's response

Within three minutes of the first unusual login alert, Darktrace’s Autonomous Response intervened, disabling the compromised user account for two hours.

As the impacted customer was subscribed to the Managed Threat Detection Service, Darktrace’s SOC team investigated the activity further and promptly alerted the customer’s security team. With the user’s account still disabled by Autonomous Response, the attack was contained, allowing the customer’s security team valuable time to investigate and remediate. Within ten minutes of receiving the alert from Darktrace’s SOC, they reset the user’s password, closed all active SaaS sessions, and deleted the malicious email rule. Darktrace’s SOC further supported the customer through the Security Operations Service Support service by providing information about the data accessed and identifying any other affected users.

Autonomous Response actions carried out by Darktrace / IDENTITY to contain the malicious activity
Figure 9: Autonomous Response actions carried out by Darktrace / IDENTITY to contain the malicious activity.

A wider Milanote phishing campaign?

Around a month before this compromise activity, Darktrace alerted another customer to similar activities involving two compromised user accounts. These accounts created new inbox rules named “GFH” and “GVB” to delete all incoming emails containing the string “milanote” in their subject line and/or body.

The phishing emails that led to the compromise of these user accounts were similar to the ones discussed above. Specifically, these emails were sent via the Milanote platform and referenced a “new agreement” (in Spanish) being shared by a colleague. Additionally, the payload link included in the phishing emails showed the same UserPrincipalName (UPN) attribute (i.e., click?upn=u001.qLX9yCzR), which has been seen in other Milanote phishing emails leveraging Tycoon 2FA reported by OSINT sources [6]. Interestingly, in some cases, the email also referenced a “new agreement” in Portuguese, indicating a global campaign.

Based on the similarities in the rule’s naming convention and action, as well as the similarities in the phishing email subjects, it is likely that these were part of the same campaign leveraging Milanote and Tycoon 2FA to compromise user accounts. Since its introduction, the Tycoon 2FA phishing kit has undergone several enhancements to increase its stealth and obfuscation methods, making it harder for security tools to detect. For example, the latest versions contain special source code to obstruct web page analysis by defenders, prevent users from copying meaningful text from the phishing webpages, and disable the right-click menu to prevent offline analysis [4].

Conclusion

Threat actors are continually employing new methods to bypass security detection tools and measures. As highlighted in this blog, even robust security mechanisms like MFA can be compromised using AitM phishing kits. The misuse of legitimate services such as Milanote for malicious purposes can help attackers evade traditional email security solutions by blurring the distinction between legitimate and malicious content.

This is why security tools based on anomaly detection are crucial for defending against such attacks. However, user awareness is equally important. Delays in processing can impact the speed of response, making it essential for users to be informed about these threats.

Appendices

References

[1] https://www.darktrace.com/resources/annual-threat-report-2024

[2] https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains

[3] https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details

[4] https://blog.barracuda.com/2025/01/22/threat-spotlight-tycoon-2fa-phishing-kit

[5] https://spur.us/context/38.242.7.252    

[6] https://any.run/report/5ef1ac94e4c6c1dc35579321c206453aea80d414108f9f77abd2e2b03ffbd658/be5351d9-53c0-470b-8708-ee2e29300e70

Indicators of Compromise (IoCs)

IoC         Type      Description + Probability

89.185.80[.]19 - IP Address - Malicious login

5.181.3[.]68 - IP Address -Malicious login

38.242.7[.]252 - IP Address - Malicious login and new email inbox rule creation -  Hide My Ass VPN

lrn.ialeahed[.]com – Hostname - Likely Tycoon 2FA domain

Darktrace Model Detections

Email alerts

Platforms / Free Content Sender + High Sender Surge

Platforms / Free Content Sender + Sender Surge

Platforms / Free Content Sender + Unknown Initiator

Platforms / Free Content Sender

Platforms / Free Content Sender + First Time Recipient

Unusual / New Sender Surge

Unusual / Sender Surge

Antigena Anomaly / High Antigena Anomaly

Association / Unknown Sender

History / New Sender

Link / High Rarity Link to File Storage

Link/ Link To File Storage

Link / Link to File Storage + Unknown Sender

Link / Low Link Association

Platforms / Free Content Sender + First Time Initiator

Platforms / Free Content Sender + Unknown Initiator + Freemail

Platforms / Free Content Sender Link

Unusual / Anomalous Association

Unusual / Unlikely Recipient Association

IDENTITY

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compromise / Login from Rare High Risk Endpoint

SaaS / Access / M365 High Risk Level Login

SaaS / Compromise / Login From Rare Endpoint While User Is Active

SaaS / Access / MailItemsAccessed from Rare Endpoint

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Compliance / Anomalous New Email Rule

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block

Antigena / SaaS / Antigena Unusual Activity Block

Antigena / SaaS / Antigena Suspicious SaaS and Email Activity Block

Cyber AI Analyst Incident

Possible Hijack of Office365 Account

MITRE ATT&CK Mapping

Tactic – Technique

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - Cloud Accounts

INITIAL ACCESS - Phishing

CREDENTIAL ACCESS - Steal Web Session Cookie

PERSISTENCE - Account Manipulation

PERSISTENCE - Outlook Rules

RESOURCE DEVELOPMENT - Email Accounts

RESOURCE DEVELOPMENT - Compromise Accounts

Continue reading
About the author
Alexandra Sentenac
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI