@NathanMcNulty@DXPetti Thats very interesting, Thanks for sharing
I can't wait for you guys to crack the federated credentials so that we can build multi tenant apps and provide comprehensive reports for multi app tenants
There so much that is not exposed publicly.
Speaking at #HIPConf in Frankfurt on 10 February.
We've built a Microsoft 365 security posture management app and service, and one thing that's become clear a small set of controls deliver disproportionate results at tenant hardening. This session is all about how you can get a whole lot in Entra wrong as long as you get those few things right.
Register for 'Entra ID’s 80/20: Practical Lessons in High-Impact Security Controls' at: https://t.co/XNB7VQ0YUG
Join me, @WillTheFrenchie, and @WelkasWorld TONIGHT, 1800-2000 UTC for the latest Microsoft security news and two awesome speakers:
• @RyanJohnMurphy4 – The new Microsoft eDiscovery UI and UX
• @sfennah – The Oversharing Solution Blueprint
REGISTER: https://t.co/YAEuRohZ3E
Even though Microsoft provided a PowerShell command in April 2025 to disable the SMTP DirectSend feature in Exchange Online, we are still seeing attackers successfully reach the inbox for organizations that do not have their DMARC DNS Record set to Reject or Quarantine. According to public DNS, 30% of the Fortune 500 are vulnerable. Small to Medium orgs are even more likely to be exposed.
It is recommended to perform threat hunting to identify these emails.
Here is KQL we used to successfully detect DirectSend Phishing in Microsoft Defender XDR or Microsoft Sentinel (https://t.co/YDnPaiAZMr)
EmailEvents
|where Timestamp > ago(30d)
| where EmailDirection == “Inbound”
| extend LeftPartSender = substring(SenderFromAddress, 0, indexof(SenderFromAddress, “@”))
| extend LeftPartRecipient = substring(RecipientEmailAddress, 0, indexof(RecipientEmailAddress, “@”))
| where LeftPartSender == LeftPartRecipient
| where isempty(Connectors) // not coming in on a connector
| where DeliveryLocation == “Inbox/folder”
| where parse_json(AuthenticationDetails) contains “fail”
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId, EmailDirection, Connectors, SenderIPv4
Threat hunting on the EmailEvents table requires the Microsoft Defender for Office P2 license. Otherwise, follow the MSFT reference links below for syntax on Historical Message Trace.
One of the easiest ways to detect DirectSend is when the sender and recipient are identical (which is typically unusual). We have observed cases where using an exact match of sender and recipient domain name does not detect all results. In some cases the sender domain is a MOERA domain ([email protected]) and they use a different alias on the same mailbox for the recipient address (such as the primary SMTP alias). We suspect this was done to evade the exact == comparison, so we updated the query above to look for the alias matching instead of domain matching (this resulted in finding additional results).
If you get too many results, try adding this where clause before the last project statement to reduce results:
| where Subject has_any (
'Pay Raise',
'Strategic Organizational Restructuring',
'Bonus Disbursement',
'Bonus Distribution',
'Merit-Based Pay',
'Compensation Bonus',
'Compensation Review',
'Wage Increase',
'Wages Increase',
'Incentive')
References:
https://t.co/bfm4CI3Zqh
https://t.co/LBYHhUIbws
https://t.co/f3TFxu7Qfs
If you don't have a valid use of DirectSend you can disable it with this Exchange Online PowerShell cmdlet:
Set-OrganizationConfig -RejectDirectSend $true
I’ll be delivering “Zero to Hero: Adaptive Protection with Insider Risk Management and Conditional Access” at 8:15 AM (GMT) on February 21st, 2025, during the Workplace Ninja User Group Denmark meeting.
Register now: https://t.co/90OV2g1j50
🌱 Did you know that we have 100+ built-in roles in Microsoft Entra?
Here's a free mind map of all of them 👇
BONUS → I'm giving away a free pdf of all my Entra mind maps
To graph gurus
Do you know what is the value of methodsRegistered for passkey in userRegistrationDetails/Get-MgBetaReportAuthenticationMethodUserRegistrationDetail
@merill ? @DanielatOCN ?
Thanks in advance!