Severity
HIGH
CVSS
7.5
Priority
0.754
Executive Summary
Throughout 2025 and into early 2026, threat actors shifted from stealing credentials to fully hijacking employee identities by exploiting help-desk trust, resetting MFA factors, and registering attacker-controlled devices under legitimate accounts. Microsoft 365 Direct Send misconfigurations allowed spoofed internal email to bypass filtering, enabling social engineering at scale against finance and payroll workflows. Organizations face direct financial loss through fraudulent wire transfers and payroll redirection, compounded by prolonged attacker persistence via legitimate remote management tools that evade standard detection.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
MuddyWater, OilRig
TTP Sophistication
HIGH
20 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Microsoft 365 (Direct Send feature), Cisco Duo, IAM platforms (generic), enterprise help-desk workflows
Are You Exposed?
⚠ Your industry is targeted by MuddyWater, OilRig → Heightened risk
⚠ You use products/services from Microsoft 365 (Direct Send feature) → Assess exposure
⚠ 20 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
Attackers who complete this identity compromise chain can redirect payroll deposits and authorize fraudulent wire transfers, producing direct, immediate financial loss with limited recovery options once funds clear. Because attackers operate under legitimate employee identities using approved tools, fraud can persist undetected for weeks, compounding the financial exposure and generating significant incident response costs. Organizations in regulated industries face secondary exposure: unauthorized access to financial systems and employee personally identifiable information may trigger breach notification obligations under GDPR, state privacy laws, and sector-specific regulations depending on what data the compromised identities could access.
You Are Affected If
You use Microsoft 365 with Direct Send connectors configured for any application or device, and DMARC is not set to 'reject' on your primary sending domains
You deploy Cisco Duo with push-based MFA (Duo Push) as the primary factor for remote access, privileged accounts, or financial system access, without number-matching or phishing-resistant alternatives enforced
Your help-desk MFA reset process relies on caller verification without a secondary out-of-band confirmation requirement or manager approval step
Legitimate RMM tools (AnyDesk, TeamViewer, ScreenConnect, or similar) are installed on endpoints without a software allowlist or network-level restriction limiting their use to approved IT personnel
Payroll or wire transfer destination changes can be submitted and processed through email or help-desk tickets without an independent out-of-band verification step
Board Talking Points
Attackers are bypassing our security controls not by breaking technology, but by impersonating employees to our own IT and finance staff, then redirecting payroll and wire transfers to attacker-controlled accounts.
We recommend completing a review of MFA configuration and help-desk verification procedures within 30 days, prioritizing accounts with access to financial systems and administrative privileges.
Organizations that do not address these process gaps face direct financial loss through fraudulent transfers, with limited ability to recover funds once transactions clear.
PCI DSS v4.0 — Requirement 8 (Identify Users and Authenticate Access to System Components) and Requirement 10 (Log and Monitor All Access to System Components) are directly implicated. MFA bypass against accounts with access to cardholder data environments and inadequate audit log review for authentication anomalies both represent potential PCI DSS findings. Organizations processing payment card data should verify compliance with these requirements given the help-desk MFA reset and Direct Send spoofing vectors described.
HIPAA Security Rule — 45 CFR §164.312(d) (Person or Entity Authentication) and §164.312(b) (Audit Controls) apply to covered entities and business associates. Unauthorized MFA resets enabling access to systems containing ePHI, and insufficient audit logging of authentication events, may constitute Security Rule violations. Verify that workforce access controls and audit log requirements cover identity management workflows described in this campaign.
SOC 2 Type II (AICPA TSC CC6 — Logical and Physical Access Controls and CC7 — System Operations) — The help-desk social engineering vector and MFA reset abuse directly test CC6.1 (logical access security measures), CC6.2 (access provisioning), and CC6.3 (access removal). Organizations under SOC 2 audit scope should document compensating controls for help-desk verification procedures and MFA enrollment integrity.
Technical Analysis
This campaign cluster exploits organizational trust mechanisms across a multi-stage identity compromise chain.
Initial access relied on spear-phishing (T1566.001, T1566.002), accounting for approximately 40% of incidents per source reporting.
Attackers exploited Microsoft 365 Direct Send misconfigurations to send spoofed internal email that bypasses standard mail filtering, enabling convincing impersonation of internal senders.
MFA bypass techniques included MFA fatigue attacks against push-based systems (T1621) and SIM-swapping, with Cisco Duo deployments specifically identified as targeted. Post-authentication, attackers reset MFA factors (T1556, T1556.006) and registered attacker-controlled devices to legitimate identities (T1098.005), establishing durable footholds. Lateral movement used legitimate RMM tools (T1219) and living-off-the-land binaries (T1218) to blend with normal IT operations, defeating behavioral baselines. Financial fraud was executed by impersonating employees to help-desk staff to redirect payroll and wire transfers (T1534).
Relevant CWEs include CWE-287 (improper authentication), CWE-306 (missing authentication for critical function), CWE-940 (improper verification of source of communication channel), CWE-1390 (weak authentication), and CWE-522 (insufficiently protected credentials).
Threat actors associated with similar identity hijacking campaigns include groups tracked as MuddyWater, OilRig, APT33, Agrius, CyberAv3ngers, and affiliated clusters; specific attribution of this 2025-2026 activity cluster requires verification against primary threat intelligence sources. No CVE identifier applies; the attack surface is misconfiguration and process exploitation, not a patchable software vulnerability.
Sources: Microsoft Security Blog (January 2026, T1), Cisco Talos Blog (T3), The Register (February 2026, T3), WeLiveSecurity (T3).
Action Checklist
Triage Priority: IMMEDIATE
Escalate to CISO, legal counsel, and financial institution contacts immediately if Entra ID audit logs confirm any MFA factor was successfully reset and a new device registered under a finance or payroll role, or if M365 message trace confirms a wire transfer or payroll change request was sent via a Direct Send connector — both conditions indicate confirmed identity hijacking with probable financial fraud, triggering breach notification assessment under applicable state laws and potential GLBA or SOX obligations.
Step 1: Containment — Audit Microsoft 365 Direct Send connectors immediately; disable or restrict any connector not required for business operations. Enforce SPF, DKIM, and DMARC with reject policy on all domains. Block unauthenticated SMTP relay from internal IP ranges. (Cite: NIST AC-4 — Information Flow Enforcement; NIST AC-17 — Remote Access; CIS 4.2 — Establish and Maintain a Secure Configuration Process for Network Infrastructure; CIS 4.4 — Implement and Manage a Firewall on Servers)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-8 (Transmission Confidentiality and Integrity)
NIST SI-10 (Information Input Validation)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
Use the Microsoft 365 Admin Center > Settings > Mail Flow > Connectors to enumerate all Direct Send connectors and export via PowerShell: 'Get-InboundConnector | Select Name,ConnectorType,SenderIPAddresses,Enabled | Export-Csv connectors.csv'. For SPF/DKIM/DMARC validation without a paid tool, query current DNS records with 'Resolve-DnsName -Type TXT -Name yourdomain.com' and cross-check against MXToolbox (free tier). For Duo, navigate to Duo Admin Panel > Policies > Global Policy and set 'Require number matching' — no license upgrade required for push policy changes on existing Duo deployments.
Preserve Evidence
Before modifying any connector, export the full M365 connector configuration including SenderIPAddresses, SmartHosts, and TLSSettings via 'Get-InboundConnector | ConvertTo-Json | Out-File inbound_connectors_evidence.json' and 'Get-OutboundConnector | ConvertTo-Json | Out-File outbound_connectors_evidence.json'. Capture current DMARC/SPF/DKIM DNS records as a timestamped snapshot. Preserve Cisco Duo Admin Panel authentication logs showing all push approvals and denials for the 30 days preceding discovery, specifically filtering for accounts whose MFA factors were reset within 24 hours of a help-desk ticket.
Step 2: Containment — Disable push-based MFA for privileged and finance roles. Enforce number-matching or phishing-resistant MFA (FIDO2/hardware tokens) per CISA phishing-resistant MFA guidance. Apply to all externally-exposed applications and remote network access. (Cite: NIST AC-7 — Unsuccessful Logon Attempts; CIS 6.3 — Require MFA for Externally-Exposed Applications; CIS 6.4 — Require MFA for Remote Network Access; CIS 6.5 — Require MFA for Administrative Access; D3-MFA — Multi-factor Authentication; D3-CH — Credential Hardening)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Query Entra ID audit logs directly via Microsoft Graph API or the free Entra ID portal: filter 'AuditLogs > DirectoryLogs' for ActivityType 'Update user' and 'Update StrongAuthenticationMethod' where the InitiatedBy actor UPN does not match the TargetResource UPN — this isolates admin-initiated or help-desk-initiated MFA resets. For device registrations, run: 'Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Register device'" | Where-Object { $_.InitiatedBy.User.UserPrincipalName -ne $_.TargetResources[0].UserPrincipalName }' (the OData string literal is single-quoted inside the double-quoted filter with no backslash escaping, and -All pages through the full result set rather than the first page). For RMM detection on endpoints without EDR, deploy Sysmon with the SwiftOnSecurity config and query Event ID 1 (Process Create) for anydesk.exe, TeamViewer.exe, ScreenConnect.ClientService.exe. Use the free Sigma rule 'proc_creation_win_anydesk_execution.yml' from the SigmaHQ repository to parse Sysmon logs via grep or PowerShell.
Preserve Evidence
Preserve Entra ID Sign-In Logs and Audit Logs for the full 30-day retention window immediately — these are overwritten and cannot be recovered after the retention period expires. Specifically capture: (1) Entra ID Audit Log entries for 'Reset user password' and 'Update user' filtered on StrongAuthenticationMethod changes, noting InitiatedBy actor, timestamp, and IP; (2) M365 Message Trace export (Admin Center > Exchange > Mail Flow > Message Trace) for all messages transiting Direct Send connectors, filtering for From/Return-Path header mismatch which indicates spoofed sender; (3) Entra ID 'Registered Device' audit entries cross-correlated against help-desk ticketing system timestamps; (4) Duo authentication logs showing the specific accounts that received and approved push notifications, with source IP geolocation.
Step 3: Detection — Query Entra ID / Azure AD audit logs for MFA factor resets not initiated by the account owner. Flag new device registrations against existing identities within 24 hours of a help-desk interaction. Alert on device compliance state 'Unknown' for newly registered devices. (Cite: NIST AU-2 — Event Logging; NIST AU-6 — Audit Record Review, Analysis, and Reporting; NIST AU-12 — Audit Record Generation; CIS 8.2 — Collect Audit Logs; D3-LAM — Local Account Monitoring)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST CM-2 (Baseline Configuration)
CIS 2.3 (Address Unauthorized Software)
CIS 5.3 (Disable Dormant Accounts)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Remove unauthorized Entra ID devices via: 'Get-MgDevice -All | Where-Object { $_.ApproximateLastSignInDateTime -eq $null -or (conditions) } | ForEach-Object { Remove-MgDevice -DeviceId $_.Id }' (Remove-MgDevice takes the object id explicitly, so pass it from each matched device rather than relying on pipeline binding). Revoke all active sessions and MFA tokens for compromised accounts: 'Revoke-MgUserSignInSession -UserId upn@domain.com' followed by 'Update-MgUser -UserId upn@domain.com -AccountEnabled:$false', then re-enable after MFA re-enrollment via a verified out-of-band call. Block AnyDesk, TeamViewer, and ScreenConnect relay endpoints using Windows Firewall GPO targeting known relay IP ranges (AnyDesk: relay.anydesk.com; ScreenConnect: instance-specific cloud URLs). For application control without a paid solution, use a Windows Defender Application Control (WDAC) policy in audit mode first, then enforce to block unsigned RMM binaries.
Preserve Evidence
Before removing any device registration, capture the full device object including deviceId, displayName, enrollmentType, operatingSystem, registeredOwner, and approximateLastSignInDateTime via 'Get-MgDevice -DeviceId <id> | ConvertTo-Json'. Before revoking MFA factors, export the account's current authentication methods via 'Get-MgUserAuthenticationMethod -UserId upn@domain.com | ConvertTo-Json' as this documents the attacker-registered factor for later forensic and legal review. On endpoints where RMM tools were installed, collect Sysmon Event ID 11 (File Create) and Event ID 13 (Registry Value Set) artifacts showing installation path, parent process, and any persistence mechanism (e.g., HKLM\SYSTEM\CurrentControlSet\Services entries for ScreenConnect.ClientService).
Step 4: Detection — Alert on installation or execution of RMM tools (AnyDesk, TeamViewer, ScreenConnect) outside the approved software inventory where the process parent is a user-interactive shell rather than an approved deployment system (MITRE T1219). (Cite: NIST AC-6 — Least Privilege; CIS 2.1 — Establish and Maintain a Software Inventory; CIS 2.3 — Address Unauthorized Software; NIST AU-2 — Event Logging; D3-SFA — System File Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST CP-10 (System Recovery and Reconstitution)
NIST IA-5 (Authenticator Management)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
Validate MFA enrollment state for all privileged and finance-role accounts using: 'Get-MgUserAuthenticationMethod -UserId upn@domain.com' — confirm only FIDO2 or Microsoft Authenticator (with number-match) entries exist; flag any phone/SMS entries on privileged accounts for immediate re-enrollment. For payroll destination validation, pull ACH/wire change records from your HR system and cross-reference against banking records using the oldest available pre-incident export — this is a manual reconciliation step requiring finance team involvement. Establish a free osquery scheduled query to detect AnyDesk, TeamViewer, and ScreenConnect process execution going forward: query the 'processes' table for name LIKE '%anydesk%' OR name LIKE '%teamviewer%' OR name LIKE '%screenconnect%' and alert on any match outside the approved asset list.
Preserve Evidence
Before re-enabling any previously compromised account, verify that Entra ID Sign-In Risk is cleared (Identity Protection blade > Risky Users) and document the risk dismissal with analyst justification. Capture a post-eradication snapshot of all registered MFA methods across privileged accounts as a recovery baseline. Review M365 mailbox audit logs (via 'Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds upn@domain.com -Operations SendAs,SendOnBehalf,MailItemsAccessed'; the cmdlet requires an explicit date range, and -UserIds scopes it to the compromised accounts) to identify any payroll or finance emails sent by the attacker during the dwell period — these are required evidence for any financial fraud claim or regulatory notification.
Step 5: Detection — Review M365 message trace logs for mail sent via Direct Send connectors where the From domain matches an internal domain. Cross-reference sending IP against published SPF records. Flag mismatched From/Return-Path headers. Monitor for after-hours payroll or wire transfer change requests submitted within 48 hours of a help-desk MFA reset ticket on the same identity. (Cite: NIST AU-6 — Audit Record Review, Analysis, and Reporting; NIST AU-3 — Content of Audit Records; NIST AU-8 — Time Stamps; CIS 8.2 — Collect Audit Logs)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-3 (Incident Response Testing)
NIST IR-6 (Incident Reporting)
NIST IR-8 (Incident Response Plan)
NIST IR-2 (Incident Response Training)
NIST IA-5 (Authenticator Management)
CIS 5.2 (Use Unique Passwords)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Tabletop scenario should walk help-desk staff through a scripted caller posing as a remote employee claiming a locked account and lost phone — include a deepfake voice or spoofed callback number variant to reflect 2025–2026 attacker TTPs. For the identity verification protocol, implement a Jira or ServiceNow (free tier) workflow that requires a ticket field 'Manager Approval UPN' to be populated and auto-emails the manager before any MFA reset ticket can be closed. For CISA phishing-resistant MFA gap analysis, use CISA's published 'Phishing-Resistant MFA Fact Sheet' (cisa.gov) as the scoring rubric and document current Duo push or SMS usage against each privileged role — this gap register becomes the migration roadmap.
Preserve Evidence
The lessons-learned report must include: (1) a timeline correlating help-desk ticket timestamps with Entra ID MFA reset audit events to document attacker dwell time; (2) the full list of Entra ID devices registered by the attacker with registration timestamps and source IPs; (3) M365 message trace evidence of Direct Send connector abuse including spoofed From headers and targeted recipient roles (finance, payroll, HR); and (4) Duo authentication logs showing which push-based approvals were fraudulently granted. This evidence package supports both internal process improvement and potential regulatory notification obligations under state breach notification laws if PII or financial account data was accessed.
Step 6: Eradication — Remove unauthorized registered devices from all identities in Entra ID / Active Directory. Revoke and reissue MFA factors for any account where a reset cannot be verified as user-initiated. Reconfigure or disable M365 Direct Send connectors not meeting documented business requirements. (Cite: NIST AC-2 — Account Management; CIS 5.1 — Establish and Maintain an Inventory of Accounts; CIS 6.2 — Establish an Access Revoking Process; D3-CRO — Credential Rotation; D3-UAP — User Account Permissions)
Step 7: Eradication — Uninstall unauthorized RMM tools from all endpoints. Block RMM tool network endpoints at the perimeter and via application control policy. Remove any unauthorized software identified during the incident. (Cite: NIST AC-6 — Least Privilege; CIS 2.3 — Address Unauthorized Software; CIS 4.5 — Implement and Manage a Firewall on End-User Devices; CIS 1.2 — Address Unauthorized Assets)
Step 8: Recovery — Validate MFA enrollment for all privileged accounts and accounts with access to financial systems. Require out-of-band (phone or in-person) verification for any future MFA reset or financial account change request. (Cite: NIST AC-2 — Account Management; CIS 6.3 — Require MFA for Externally-Exposed Applications; CIS 6.5 — Require MFA for Administrative Access; D3-MFA — Multi-factor Authentication; D3-CH — Credential Hardening)
Step 9: Recovery — Confirm payroll and wire transfer destination accounts against records predating the incident window. Re-baseline behavioral analytics with RMM tool usage explicitly tracked in the approved software inventory. (Cite: NIST AU-6 — Audit Record Review, Analysis, and Reporting; NIST AC-5 — Separation of Duties; CIS 2.1 — Establish and Maintain a Software Inventory; CIS 3.2 — Establish and Maintain a Data Inventory)
Step 10: Post-Incident — Implement a formal identity verification protocol for help-desk MFA resets requiring manager approval plus secondary out-of-band verification before any MFA factor change. Document this as a defined access granting and revoking process. (Cite: NIST AC-2 — Account Management; NIST AC-5 — Separation of Duties; CIS 6.1 — Establish an Access Granting Process; CIS 6.2 — Establish an Access Revoking Process; D3-CH — Credential Hardening)
Step 11: Post-Incident — Conduct a tabletop exercise against help-desk social engineering scenarios. Map your MFA deployment against CISA phishing-resistant MFA guidance. Establish a migration timeline away from push-based SMS or app-push MFA for privileged and finance roles. (Cite: NIST AC-1 — Policy and Procedures; NIST AU-1 — Policy and Procedures; CIS 6.3 — Require MFA for Externally-Exposed Applications; CIS 6.5 — Require MFA for Administrative Access; D3-MFA — Multi-factor Authentication)
Recovery Guidance
After eradication, maintain elevated monitoring of Entra ID Identity Protection (Risky Sign-Ins and Risky Users blades) for a minimum of 30 days, as threat actors in this campaign have demonstrated persistence by pre-staging secondary device registrations or shadow accounts during the initial access window. Validate all payroll and ACH destination account numbers against records from 90 days prior to the incident and obtain written confirmation from your financial institution that no unauthorized transactions were processed. Re-run the MFA enrollment audit weekly for the first month post-recovery, specifically targeting finance, HR, payroll, and privileged IT roles, as these were the primary targets of help-desk social engineering in the 2025–2026 campaign activity.
Key Forensic Artifacts
Entra ID Unified Audit Log — filter ActivityType 'Update StrongAuthenticationMethod' and 'Register device' where InitiatedBy actor differs from TargetResource UPN; these entries document each attacker-executed MFA reset and device registration with timestamp, source IP, and actor identity
M365 Message Trace and Exchange Online mail headers — specifically the X-MS-Exchange-Organization-SCL, Return-Path, and Authentication-Results headers from messages transiting Direct Send connectors; mismatched From/Return-Path and 'dmarc=fail' in Authentication-Results confirm spoofed internal sender identity
Cisco Duo Administrator Audit Log and Authentication Log — filter for 'factor_changed', 'enrollment', and 'bypass_created' events correlated against help-desk ticket timestamps; push approval events from unexpected geolocations or new device IDs indicate attacker-controlled factor usage
Sysmon Event ID 1 (Process Create) logs on endpoints where RMM tools were installed — parent/child process chain showing how AnyDesk, TeamViewer, or ScreenConnect was launched (e.g., spawned by a browser or email client process confirms social engineering delivery), plus Event ID 3 (Network Connection) showing outbound relay connections to RMM infrastructure
Entra ID Registered Devices list export and Azure AD Sign-In Logs — cross-correlate DeviceId, enrollmentType 'azureADRegistered', operatingSystem, and approximateLastSignInDateTime against the help-desk interaction window; attacker-registered devices will show a short first-seen to first-used delta and often source from VPN exit nodes or residential proxy IP ranges inconsistent with the legitimate user's historical sign-in geography
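The header checks named in the M365 Message Trace artifact above (From/Return-Path mismatch, dmarc=fail in Authentication-Results, sending IP outside the published SPF range, SCL -1) and in Detection Guidance item 2 below, carried out over exported raw headers. This is an added Python example, not code from the advisory or from Microsoft; the tenant domain example.com, the SPF range 203.0.113.0/24 and both sample messages are constructed.

```python
"""Flag internally-spoofed mail from raw Exchange Online message headers."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain (placeholder)
# Assumed ip4: mechanisms of the tenant's published SPF record (constructed).
SPF_AUTHORIZED = [ipaddress.ip_network("203.0.113.0/24")]
_IP_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed sample: an "internal" From address relayed from an IP outside SPF,
# DMARC failing, and SCL -1 (Exchange skipped spam filtering for the message).
SPOOFED = """Received: from mail.relay.invalid (198.51.100.7) by
 MBX01.example.com (10.0.0.5) with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=relay.invalid; dkim=none; dmarc=fail action=none
 header.from=example.com
Return-Path: <bounce@relay.invalid>
From: "Finance Director" <finance.director@example.com>
To: payroll@example.com
Subject: Wire destination update
X-MS-Exchange-Organization-SCL: -1

(body omitted)
"""
# Constructed sample: genuine internal mail from an SPF-authorized host.
LEGIT = """Received: from EDGE01.example.com (203.0.113.10) by
 MBX01.example.com (10.0.0.5) with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
 action=none header.from=example.com
Return-Path: <finance.director@example.com>
From: "Finance Director" <finance.director@example.com>
To: payroll@example.com
Subject: Month-end close schedule
X-MS-Exchange-Organization-SCL: 1

(body omitted)
"""


def _flatten(value):
    """Unfold a possibly multi-line header value into a single line."""
    return re.sub(r"\s+", " ", value or "").strip()


def _domain(addr_header):
    """Lower-cased domain of an address header ('' if absent)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def parse_headers(raw):
    """Extract the header fields the advisory names from one raw message."""
    msg = message_from_string(raw)
    auth = _flatten(msg.get("Authentication-Results"))
    received = msg.get_all("Received") or []
    # The top-most Received header is the hop into the tenant; the IP in
    # parentheses is the peer address Exchange recorded for the sender.
    hop = _IP_IN_PARENS.search(_flatten(received[0])) if received else None

    def result(tag):  # e.g. "dmarc=fail" -> "fail"
        hit = re.search(rf"\b{tag}=(\w+)", auth)
        return hit.group(1).lower() if hit else "none"

    return {
        "from_domain": _domain(msg.get("From")),
        "return_path_domain": _domain(msg.get("Return-Path")),
        "dmarc": result("dmarc"),
        "spf": result("spf"),
        "sending_ip": hop.group(1) if hop else None,
        "scl": _flatten(msg.get("X-MS-Exchange-Organization-SCL")),
    }


def evaluate(raw, internal_domain=INTERNAL_DOMAIN, spf_networks=SPF_AUTHORIZED):
    """Spoofing findings for one message whose From claims the internal domain."""
    h = parse_headers(raw)
    findings = []
    if h["from_domain"] != internal_domain:
        return findings  # external senders are out of scope for this check
    if h["return_path_domain"] != h["from_domain"]:
        findings.append("from_returnpath_mismatch")
    if h["dmarc"] == "fail":
        findings.append("dmarc_fail")
    ip = h["sending_ip"]
    if ip is None or not any(ipaddress.ip_address(ip) in n for n in spf_networks):
        findings.append("sending_ip_not_in_spf")
    if h["scl"] == "-1":
        findings.append("filtering_bypassed_scl_minus_1")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, evaluate(raw) or "clean")
```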
Detection Guidance
Detection for this campaign requires correlated visibility across identity, email, endpoint, and financial workflow log sources.
Ground each signal in the following KB-verified controls.
1. ENTRA ID / AZURE AD SIGN-IN AND AUDIT LOGS — NIST AU-2 (Event Logging) requires identifying loggable event types; configure Entra ID to log MFA method changes, device registration events, and authentication method updates as defined event types. NIST AU-3 (Content of Audit Records) requires that records capture what occurred, when, where, and who — verify Entra ID audit records include UPN, IP, device ID, and MFA method for every authentication and registration event. NIST AU-6 (Audit Record Review, Analysis, and Reporting) requires periodic review for anomalous activity; operationalize this by alerting on: MFA factor reset events not matching a user-initiated self-service workflow; new device registrations (compliance state 'Unknown') occurring within 24 hours of a help-desk ticket on the same identity; and authentication events where the MFA method changed within the same session. Apply D3-LAM (Local Account Monitoring) to flag local and cloud account changes outside approved provisioning workflows.
2. M365 MESSAGE TRACE — NIST AU-6 (Audit Record Review, Analysis, and Reporting) supports on-demand log analysis; configure message trace queries to filter for messages delivered via Send Connector where the From domain matches your internal domain. NIST AU-3 (Content of Audit Records) requires source identification — cross-reference sending IP against your published SPF record to identify IPs not in your authorized range. Inspect message headers for mismatched From/Return-Path fields. NIST AC-4 (Information Flow Enforcement) provides the policy basis for blocking unauthenticated internal-spoofed mail flows — detection signals here directly inform enforcement gaps.
3. ENDPOINT AND SOFTWARE INVENTORY — CIS 2.1 (Establish and Maintain a Software Inventory) provides the authoritative baseline against which to detect unauthorized RMM tools. Alert on installation or execution of AnyDesk, TeamViewer, ScreenConnect, or similar RMM binaries (MITRE T1219) where the process parent is a user-interactive shell rather than an approved deployment system. CIS 2.3 (Address Unauthorized Software) requires that unauthorized software be removed or receive a documented exception — any RMM tool not in the approved inventory is a detection-worthy event. Apply D3-SFA (System File Analysis) to monitor for RMM binary drops, configuration file changes, and persistence mechanisms written during RMM installation. NIST AU-2 (Event Logging) requires that process execution and software installation events are included in the defined loggable event set.
4. HR/PAYROLL SYSTEM AUDIT LOGS — NIST AU-6 (Audit Record Review, Analysis, and Reporting) requires analysis for anomalous or inappropriate activity; flag any direct deposit or payment destination change submitted within 48 hours of a help-desk ticket for account recovery or MFA reset on the same identity. NIST AC-5 (Separation of Duties) provides the control basis for requiring that payroll destination changes be approved by a second party independent of the requestor's identity chain — a detection gap here indicates a control gap. NIST AU-8 (Time Stamps) requires accurate timestamps on all audit records; ensure payroll system audit logs use synchronized time to enable precise correlation with Entra ID and help-desk ticket timestamps.
5. AUDIT LOG INTEGRITY AND RETENTION — NIST AU-9 (Protection of Audit Information) requires protecting audit logs from unauthorized access and modification; attackers who gain privileged access may attempt to clear Entra ID or M365 audit trails. Alert on audit log deletion or retention policy changes. NIST AU-11 (Audit Record Retention) requires retaining records for the organization-defined period; ensure Entra ID unified audit logs and M365 message trace retention cover at least the investigation window for identity compromise (minimum 90 days recommended, longer for regulated environments). CIS 8.2 (Collect Audit Logs) requires that logging is enabled across enterprise assets — validate that Entra ID, M365, endpoint EDR, and HR system logging is active and forwarding to your SIEM before an incident occurs.
6. COUNTERMEASURE ALIGNMENT — D3-MFA (Multi-factor Authentication) and D3-CH (Credential Hardening) map directly to detection gaps exposed when push-based MFA is bypassed via fatigue attacks; detection signals for MFA fatigue include high-frequency MFA push denials from a single account within a short window (T1621). D3-CRO (Credential Rotation) supports post-reset verification workflows — detect accounts where credential rotation was performed outside the approved self-service or IT workflow. D3-UAP (User Account Permissions) maps to detecting privilege changes applied to accounts following a help-desk interaction.
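The 24-hour and 48-hour correlations described in items 1 and 4 above, together with the InitiatedBy-versus-target filter from Key Forensic Artifacts, run offline over exported records. This is an added Python example, not code from the advisory or from Microsoft; the Graph REST field names (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[0].userPrincipalName) follow the AuditLogs query at the end of this page, the activity names are the strings the advisory quotes, and every ticket, audit and payroll record is constructed.

```python
"""Correlate help-desk tickets with Entra ID audit events and payroll changes."""
from datetime import datetime, timedelta, timezone

HELPDESK_WINDOW = timedelta(hours=24)  # MFA change / device registration after a ticket
PAYROLL_WINDOW = timedelta(hours=48)   # payroll destination change after an MFA-reset ticket
# Activity names the advisory tells analysts to filter on (assumed exact strings).
MFA_ACTIVITIES = {"Update StrongAuthenticationMethod", "Reset user password"}
DEVICE_ACTIVITIES = {"Register device"}

# Constructed help-desk export: who asked for what, and when the ticket closed.
TICKETS = [
    {"id": "HD-1001", "upn": "j.doe@example.com", "type": "mfa_reset",
     "closed_at": "2026-02-03T14:05:00Z"},
    {"id": "HD-1002", "upn": "a.lee@example.com", "type": "password_hint",
     "closed_at": "2026-01-20T09:00:00Z"},
]
# Constructed Entra ID directory-audit records in the Graph REST shape.
AUDIT = [
    {"activityDisplayName": "Update StrongAuthenticationMethod",
     "activityDateTime": "2026-02-03T14:20:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk.agent@example.com"}},
     "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
    {"activityDisplayName": "Register device",  # registered from the user's own session
     "activityDateTime": "2026-02-03T16:40:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
    {"activityDisplayName": "Register device",
     "activityDateTime": "2026-02-04T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk.agent@example.com"}},
     "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
    {"activityDisplayName": "Update StrongAuthenticationMethod",  # self-service, no ticket
     "activityDateTime": "2026-01-28T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "a.lee@example.com"}},
     "targetResources": [{"userPrincipalName": "a.lee@example.com"}]},
]
# Constructed HR-system export of direct-deposit destination changes.
PAYROLL = [
    {"upn": "j.doe@example.com", "submitted_at": "2026-02-05T02:15:00Z"},  # ~36 h after HD-1001
    {"upn": "a.lee@example.com", "submitted_at": "2026-02-05T11:00:00Z"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp such as 2026-02-03T14:05:00Z to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def actor_and_target(event):
    """(initiating UPN, target UPN) from a directoryAudit record, lower-cased."""
    actor = ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")
    target = (event.get("targetResources") or [{}])[0].get("userPrincipalName", "")
    return actor.lower(), target.lower()


def third_party_mfa_changes(audit_events):
    """MFA-related audit events where the initiator is not the account owner."""
    hits = []
    for ev in audit_events:
        if ev.get("activityDisplayName") in MFA_ACTIVITIES:
            actor, target = actor_and_target(ev)
            if actor and target and actor != target:
                hits.append(ev)
    return hits


def correlate(audit_events, tickets, payroll_changes):
    """Sorted alert tuples (kind, upn, event time, ticket id) for the two windows."""
    by_upn = {}
    for t in tickets:
        by_upn.setdefault(t["upn"].lower(), []).append(t)
    alerts = set()

    def match(upn, when_iso, window, kind, ticket_type=None):
        when = _ts(when_iso)
        for t in by_upn.get(upn, []):
            closed = _ts(t["closed_at"])
            if (ticket_type is None or t["type"] == ticket_type) and closed <= when <= closed + window:
                alerts.add((kind, upn, when_iso, t["id"]))

    for ev in third_party_mfa_changes(audit_events):
        match(actor_and_target(ev)[1], ev["activityDateTime"], HELPDESK_WINDOW,
              "mfa_changed_after_helpdesk")
    for ev in audit_events:  # any new device on the identity, whoever initiated it
        if ev.get("activityDisplayName") in DEVICE_ACTIVITIES:
            match(actor_and_target(ev)[1], ev["activityDateTime"], HELPDESK_WINDOW,
                  "device_registered_after_helpdesk")
    for change in payroll_changes:
        match(change["upn"].lower(), change["submitted_at"], PAYROLL_WINDOW,
              "payroll_change_after_mfa_reset", ticket_type="mfa_reset")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in correlate(AUDIT, TICKETS, PAYROLL):
        print(*alert)
```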
Indicators of Compromise (1)
1 URL-type entry
Type: URL
Value: Direct Send connector abuse via internal SMTP relay — no specific IP/domain IOC published
Context: M365 Direct Send misconfigurations used to send spoofed internal email; detection relies on mail header analysis rather than static IOCs
Confidence: LOW
Platform Playbooks
Microsoft 365 E3 — 3 log sources. Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 — 18 log sources. Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel — 27 log sources. All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
1 URL indicator(s). The single entry is the descriptive placeholder listed under Indicators of Compromise rather than a matchable URL (no IP or domain IOC was published), so the template query below returns nothing until a real indicator replaces the placeholder string; the mail header checks in Detection Guidance are the usable detection for this threat.
KQL Query Preview
// Threat: Identity Hijacking at Scale: Attackers Weaponize MFA, Help-Desk Processes, and L
let malicious_urls = dynamic(["Direct Send connector abuse via internal SMTP relay — no specific IP/domain IOC published"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (6)
Sentinel rule: Supply chain / cross-tenant access
KQL Query Preview
SigninLogs
| where TimeGenerated > ago(7d)
| where HomeTenantId != ResourceTenantId
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, HomeTenantId, ResourceTenantId
| sort by TimeGenerated desc
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Phishing email delivery
// Messages Defender classified as phishing, one row per message. The original
// summarize grouped by NetworkMessageId and aggregated single per-message counts,
// which changed nothing; a project is the correct shape.
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or tostring(DetectionMethods) has "Phish"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
    AttachmentCount, UrlCount, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
// Fan-out of outbound RDP/WinRM/SMB/RPC connections per device and process.
// Restricting to outbound ActionTypes keeps inbound accepts on servers from inflating the count.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: LOLBin abuse (mshta, regsvr32, rundll32)
// Signed system binaries launched with remote-fetch, UNC, script-protocol or decode arguments (T1218).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "cmstp.exe", "msiexec.exe")
| where ProcessCommandLine has_any ("http", "ftp", "\\\\", "javascript:", "vbscript:", "scrobj.dll", "/i:", "-decode", "-urlcache")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Privilege escalation / account modification
// Role, application and password changes, extended with the security-info (MFA factor)
// and device-registration operations that this help-desk hijacking chain depends on.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Add member to role", "Add app role assignment", "Add owner to application",
    "Reset user password", "Admin registered security info", "Admin deleted security info",
    "User registered security info", "Add device")
| extend Target = tostring(TargetResources[0].userPrincipalName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)   // populated when a service principal acted
| project TimeGenerated, OperationName, Actor, ActorApp, Target, Result
| sort by TimeGenerated desc
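The rule above lists the relevant operations but does not chain them; the D3-UAP signal in the countermeasure section is the sequence, a help-desk reset followed by a factor or privilege change on the same account. As an added example that is not part of the original report, this correlates constructed AuditLogs-style records: a "Reset user password" by someone other than the target, followed within a window by security-info registration, a role addition or a device registration for that target. The 24-hour window, the record layout and the assumption that the listed operation names match your tenant's audit OperationName values are all assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed AuditLogs-style records (not real tenant data). Keys mirror the
# columns the Sentinel rule projects: OperationName, Actor, Target, Result.
SAMPLE_AUDIT = [
    # j.doe: help-desk reset, then a new MFA method and a role within the hour.
    {"ts": "2025-11-03T08:20:00Z", "op": "Reset user password",
     "actor": "helpdesk.agent@corp.example", "target": "j.doe@corp.example", "result": "success"},
    {"ts": "2025-11-03T08:31:00Z", "op": "User registered security info",
     "actor": "j.doe@corp.example", "target": "j.doe@corp.example", "result": "success"},
    {"ts": "2025-11-03T09:10:00Z", "op": "Add member to role",
     "actor": "helpdesk.agent@corp.example", "target": "j.doe@corp.example", "result": "success"},
    # m.lee: the actor is the account itself, so there is no third-party reset to pivot on.
    {"ts": "2025-11-03T10:00:00Z", "op": "Reset user password",
     "actor": "m.lee@corp.example", "target": "m.lee@corp.example", "result": "success"},
    {"ts": "2025-11-03T10:05:00Z", "op": "User registered security info",
     "actor": "m.lee@corp.example", "target": "m.lee@corp.example", "result": "success"},
    # k.ng: help-desk reset, but the factor change came three days later (outside the window).
    {"ts": "2025-11-01T11:00:00Z", "op": "Reset user password",
     "actor": "helpdesk.agent@corp.example", "target": "k.ng@corp.example", "result": "success"},
    {"ts": "2025-11-04T11:30:00Z", "op": "User registered security info",
     "actor": "k.ng@corp.example", "target": "k.ng@corp.example", "result": "success"},
]

RESET_OPS = {"Reset user password"}
FOLLOW_ON_OPS = {"User registered security info", "Admin registered security info",
                 "Add member to role", "Add device"}


@dataclass(frozen=True)
class ResetChain:
    target: str
    reset_by: str
    reset_at: datetime
    follow_ons: tuple   # (operation, actor, timestamp) in chronological order


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_post_reset_changes(events, window=timedelta(hours=24)):
    """For each successful reset performed on someone else's account, collect the
    factor/privilege/device changes on that account within `window` afterwards."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    chains = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])   # ISO-8601 Z timestamps sort chronologically as strings
        for e in evs:
            if e["op"] not in RESET_OPS or e["actor"] == target or e["result"] != "success":
                continue
            t0 = _ts(e["ts"])
            follow = tuple(
                (f["op"], f["actor"], _ts(f["ts"]))
                for f in evs
                if f["op"] in FOLLOW_ON_OPS and t0 < _ts(f["ts"]) <= t0 + window
            )
            if follow:
                chains.append(ResetChain(target, e["actor"], t0, follow))
    return chains


if __name__ == "__main__":
    for c in detect_post_reset_changes(SAMPLE_AUDIT):
        ops = ", ".join(f"{op} by {actor} at {t:%H:%M}" for op, actor, t in c.follow_ons)
        print(f"{c.target}: reset by {c.reset_by} at {c.reset_at:%Y-%m-%d %H:%M}; then {ops}")
```

A chain is not proof of compromise on its own; the verification step is to match the reset to a help-desk ticket and confirm the identity check that was performed, which is exactly the workflow D3-CRO describes.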
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1484, T1199, T1621, T1485, T1078, T1590 (+14 more)
NIST SP 800-53 controls: AC-2, AC-6, IA-2, IA-5, AT-2, SC-7 (+10 more)
HIPAA Security Rule (45 CFR): 164.312(d), 164.308(a)(5)(ii)(D), 164.308(a)(5)(i)
MITRE ATT&CK Mapping
T1484  Domain or Tenant Policy Modification (defense-evasion)
T1199  Trusted Relationship (initial-access)
T1621  Multi-Factor Authentication Request Generation (credential-access)
T1485  Data Destruction (impact)
T1078  Valid Accounts (defense-evasion)
T1590  Gather Victim Network Information (reconnaissance)
T1566.001  Spearphishing Attachment (initial-access)
T1531  Account Access Removal (impact)
T1021.001  Remote Desktop Protocol (lateral-movement)
T1556  Modify Authentication Process (credential-access)
T1218  System Binary Proxy Execution (defense-evasion)
T1534  Internal Spearphishing (lateral-movement)
T1650  Acquire Access (resource-development)
T1219  Remote Access Tools (command-and-control)
T1556.006  Multi-Factor Authentication (credential-access)
T1195  Supply Chain Compromise (initial-access)
T1566  Phishing (initial-access)
T1195.002  Compromise Software Supply Chain (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.