Therefore, we recommend also taking the following actions: Keep in mind that lists of IOCs may not be exhaustive, and may expand as investigations continue. Implementing new updates will help identify any prior campaigns and prevent future campaigns against your system. Microsoft 365 security solutions and services.We recommend that customers follow updates from system providers, including both Microsoft and any partners, and implement any new detections and protections provided and identify published incidents of compromise (IOCs).Ĭheck for updates in the following Microsoft security products, and implement any recommended changes: Make sure that you do not communicate about your new tenant on your existing, and potentially compromised, email accounts.įor more information, see Best practices for securely using Microsoft 365. Limit administrative rights, with no trusts for outside applications or vendors. If you do create a new Microsoft 365 tenant, make sure to follow all best practices for the tenant, and especially for administrative accounts and rights. Create accounts only for key personnel who need to be part of the response. Make sure to isolate any communications related to the incident so that the attacker is not tipped-off to your investigation and is taken by surprise at your response actions.įor initial one-on-one and group communications, you may want to use PSTN calls, conference bridges that are not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.Ĭommunications outside these frameworks should be treated as compromised and untrusted, unless verified through a secure channel.Īfter those initial conversations, you may want to create an entirely new Microsoft 365 tenant, isolated from the organization's production tenant. After you have control again and have refreshed your system's security posture, make sure to remediate or block all possible persistence techniques and new initial access exploits.īefore you start responding, you must be sure that you can communicate safely without the attacker eavesdropping. You must regain administrative control of your environment from the attacker.
Make sure to continue your continuous monitoring efforts as time goes on and the security landscape changes.
At the same time, start establishing continuous monitoring operations during your recovery efforts.Įnable security features and capabilities following best practice recommendations for improved system security moving forward. Identify your indications of compromise, and then look for initial access points and persistence. Securing communications must be your very first step so that you can proceed without the attacker's knowledge.Īfter you have secured communications on your core investigation team, you can start looking for initial access points and persistence techniques.
Before taking any recovery action, you must ensure that the members of your team who are key to your investigation and response effort can communicate securely. Responding to systemic identity compromises should include the steps shown in the following image and table:Īn organization that has experienced a systemic identity compromise must assume that all communication is affected. Highly-privileged account access can also be used to add attacker-controlled credentials to existing applications, enabling attackers to access your system undetected, such as to call APIs, using those permissions. In an on-premises compromise, if trusted SAML token-signing certificates are not stored in an HSM, the attack includes access to that trusted SAML token-signing certificate.Īttackers can then use the certificate to forge SAML tokens to impersonate any of the organization's existing users and accounts without requiring access to account credentials, and without leaving any traces. If this has happened to your organization, you are in a race against the attacker to secure your environment before further damage can be done.Īttackers with administrative control of an environment's identity infrastructure can use that control to create, modify, or delete identities and identity permissions in that environment. About systemic identity compromiseĪ systemic identity compromise attack on an organization occurs when an attacker successfully gains a foothold into the administration of an organization's identity infrastructure.
This information is provided as-is and constitutes generalized guidance the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.