CISA has reported seeing post-compromise threat activity in Microsoft Cloud/Azure environments, identifying three key components of this advanced persistent threat:
- Compromise / bypassing of federated identity solutions
- Use of forged authentication tokens to move laterally to Microsoft cloud environments
- Use of privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.
In response, CISA is providing guidance on the use of open-source tools, including a tool developed by CISA named Sparrow. Sparrow helps analyze Microsoft 365/Azure environments for signs of this potentially malicious activity, such as changes to federation settings and credentials added to applications or service principals.
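The three components above map to a small set of Azure AD audit-log events a defender can review, which is the same kind of check Sparrow automates. The script below is an added example, not CISA's or Sparrow's code: it parses a constructed JSON-lines export of Microsoft 365 unified audit log records, flags operations tied to federation changes and service-principal credential additions within a lookback window, and tallies them per actor. The operation names in `WATCHED_OPERATIONS` are assumptions based on the unified audit log's naming convention; compare them against your own export before relying on them.

```python
import json
from datetime import datetime, timedelta, timezone

# Audit-log operation names this script watches. They follow the naming used in
# the Microsoft 365 unified audit log as I know it; treat them as assumptions and
# confirm against your own exported records.
WATCHED_OPERATIONS = {
    "Set federation settings on domain.": "federation settings changed (token-forging precondition)",
    "Update domain.": "domain configuration changed",
    "Add service principal credentials.": "credential added to a service principal (API persistence)",
    "Add service principal.": "new service principal registered",
    "Consent to application.": "application consent granted",
}

# Constructed sample export, one JSON record per line. Not real data.
SAMPLE_LOG = """\
{"CreationTime": "2021-01-05T10:12:31", "Operation": "UserLoggedIn", "UserId": "alice@example.test", "Workload": "AzureActiveDirectory", "ObjectId": "alice@example.test", "ClientIP": "198.51.100.10"}
{"CreationTime": "2021-01-05T10:14:02", "Operation": "Set federation settings on domain.", "UserId": "admin@example.test", "Workload": "AzureActiveDirectory", "ObjectId": "example.test", "ClientIP": "203.0.113.44"}
{"CreationTime": "2021-01-05T10:20:45", "Operation": "Add service principal credentials.", "UserId": "admin@example.test", "Workload": "AzureActiveDirectory", "ObjectId": "00000000-0000-0000-0000-00000000aaaa", "ClientIP": "203.0.113.44"}
{"CreationTime": "2020-11-02T08:00:00", "Operation": "Add service principal credentials.", "UserId": "devops@example.test", "Workload": "AzureActiveDirectory", "ObjectId": "00000000-0000-0000-0000-00000000bbbb", "ClientIP": "198.51.100.12"}
{"CreationTime": "2021-01-06T09:01:10", "Operation": "FileAccessed", "UserId": "bob@example.test", "Workload": "SharePoint", "ObjectId": "https://example.test/doc.docx", "ClientIP": "198.51.100.11"}
"""


def parse_records(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort the whole review
    return records


def find_suspicious(records, now, lookback_days=30):
    """Return findings for watched operations inside the lookback window, newest first."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op not in WATCHED_OPERATIONS:
            continue
        # Unified audit log timestamps are UTC without an explicit offset.
        when = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        if when < cutoff:
            continue
        findings.append({
            "time": when.isoformat(),
            "actor": rec.get("UserId", "?"),
            "ip": rec.get("ClientIP", "?"),
            "target": rec.get("ObjectId", "?"),
            "operation": op,
            "why": WATCHED_OPERATIONS[op],
        })
    findings.sort(key=lambda f: f["time"], reverse=True)
    return findings


def actors_by_count(findings):
    """Count findings per actor; one account touching several sensitive settings stands out."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    hits = find_suspicious(recs, now=datetime(2021, 1, 8, tzinfo=timezone.utc))
    for h in hits:
        print(f'{h["time"]}  {h["actor"]:<20} {h["ip"]:<15} {h["operation"]}  ->  {h["why"]}')
    print("per-actor:", actors_by_count(hits))
```

Each hit carries the actor, source IP and target object, so a federation change followed minutes later by a credential addition from the same account and address can be read as one sequence rather than two isolated events. Widen `lookback_days` when reviewing a tenant where the initial access may be months old.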
For more information on this advanced persistent threat and the open-source tools, please visit CISA.gov, or reach out to our QED National team directly.