CISA Updates – Threat Activity in Microsoft Cloud


CISA has reported seeing post-compromise threat activity in Microsoft Cloud/Azure environments, identifying three key components of this advanced persistent threat:

  • Compromise / bypassing of federated identity solutions
  • Use of forged authentication tokens to move laterally to Microsoft cloud environments
  • Use of privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

In response, CISA is providing guidance on the use of open-source tools, including a tool developed by CISA named Sparrow. Sparrow helps analyse Microsoft 365/Azure environments to detect potentially malicious activity, such as the identity and persistence changes listed above.
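As an added illustration (not CISA's Sparrow and not code from this page), the following Python triages constructed audit-log records for the first and third components listed above: federation setting changes and new credentials or consent grants on service principals, and it flags an actor who does both within a short window. The operation strings follow Azure AD audit activity names; the records, actor names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample of Microsoft 365 unified-audit-log style records (not real tenant data).
SAMPLE_RECORDS = [
    {"CreationTime": "2020-12-14T02:11:05", "Operation": "Set federation settings on domain.",
     "UserId": "admin@contoso.example", "ObjectId": "contoso.example"},
    {"CreationTime": "2020-12-14T02:40:19", "Operation": "Add service principal credentials.",
     "UserId": "admin@contoso.example", "ObjectId": "Sync-Service-App"},
    {"CreationTime": "2020-12-14T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ObjectId": "00000002-0000-0ff1-ce00-000000000000"},
    {"CreationTime": "2020-12-16T11:05:00", "Operation": "Add service principal credentials.",
     "UserId": "bob@contoso.example", "ObjectId": "Reporting-App"},
]

# Audit operation names (Azure AD activity names) mapped to the threat component they evidence.
OPERATIONS_OF_INTEREST = {
    "Set federation settings on domain.": "federation",
    "Set domain authentication.": "federation",
    "Add service principal credentials.": "api_persistence",
    "Add OAuth2PermissionGrant.": "api_persistence",
}

def triage(records):
    """Return matching records, each tagged with its threat component, sorted by time."""
    findings = []
    for rec in records:
        component = OPERATIONS_OF_INTEREST.get(rec.get("Operation"))
        if component:
            findings.append({"time": datetime.fromisoformat(rec["CreationTime"]),
                             "actor": rec["UserId"], "target": rec["ObjectId"],
                             "operation": rec["Operation"], "component": component})
    return sorted(findings, key=lambda f: f["time"])

def chained_actors(findings, window=timedelta(hours=24)):
    """Actors who changed federation settings and then added API credentials within the window."""
    by_actor = defaultdict(list)
    for f in findings:
        by_actor[f["actor"]].append(f)
    chained = []
    for actor, items in by_actor.items():
        fed_times = [f["time"] for f in items if f["component"] == "federation"]
        for f in items:
            if f["component"] == "api_persistence" and any(
                    timedelta(0) <= (f["time"] - t) <= window for t in fed_times):
                chained.append(actor)
                break
    return chained

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(f["time"].isoformat(), f["actor"], f["operation"], f["component"])
    print("chained:", chained_actors(found))
```

The interesting result is the correlation, not the individual hits: a lone credential addition (bob) is routine administration, while a federation change followed by a credential addition by the same actor is the sequence worth investigating.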

For more information on this advanced persistent threat and the open-source tools, please visit CISA.gov, or reach out to our QED National team directly.