Security Integrations: Enriching Darktrace with Microsoft Defender
11
Apr 2023
11
Apr 2023
This blog demonstrates the relationship between Microsoft Defender and Darktrace security solutions. It takes a deep dive into the relationship between Darktrace DETECT, RESPOND, and Microsoft Defender, providing real examples as to how the two are able to integrate with each other and support security teams.
Introduction
Darktrace and Microsoft entered a partnership in 2021 with a joint commitment to empower security defenders to free their organizations of cyber disruption. Darktrace AI complements Microsoft’s global reach and established intelligence community with its deep understanding of ‘self’ for individual organizations – learning ‘normal’ in order to prevent, detect, and respond to cyber-threats that represent a deviation from ‘normal’. With both products utilizing AI in different ways, the result for customers is the fusion of two security philosophies for a best-of-breed detection and response stack.
Now in 2023, Darktrace is proud to have this integration between its DETECT and RESPOND product families and Defender for Endpoint become part of the Microsoft Intelligence Security Association catalogue (MISA).
MISA is a global community dedicated to the shared mission of providing better security by integrating the very best solutions from across the digital landscape. Also see Darktrace’s membership for Darktrace for Defender for Email and Darktrace for Microsoft Sentinel.
Integrating Darktrace and Defender
Darktrace is designed to coordinate with Microsoft products, including hosting its email solution service on Azure and allowing customers using Sentinel to visualize and share incidents and AI Analyst investigations within their security information and event management (SIEM) tools. Integrating Microsoft Defender with Darktrace takes just minutes and can be set up using the System Configuration page of the deployment.
Figure 1: The System Configuration page of a standard deployment.
Additionally, Darktrace can retrieve data made available to it by Microsoft’s Graph Security API (Figure 2). When Defender Advanced Hunting (AH) is in use and a valid P2 license is integrated into Darktrace, it allows for more powerful API calls (Figure 3).
Figure 2: A Darktrace RESPOND licensed Microsoft Graph Security API integration.
Figure 3: A valid Microsoft Defender AH license.
Defender can contextualize Darktrace information with endpoint insights, providing security teams visibility of the host-level detections surrounding network-level anomalies. Furthermore, if both Darktrace and Defender’s Advanced Hunting are in use and a compromise falls under the scope of both products, Darktrace can retrieve additional details, such as device operating system information (OS) and a list of common vulnerabilities and exposures (CVEs). This information is then presented in the Device Summary of the Threat Visualizer.
After the integration allows access to endpoint information, Darktrace learns from Defender and changes its behavior accordingly. When Defender identifies malicious activity, Darktrace simultaneously activates its integrated model breaches to show the Defender alert natively, ensuring consistency across platforms. This enables host-level anomaly detection; Darktrace applies its unsupervised machine learning to learn typical patterns of endpoint-level detections from Defender, to then alert based on deviations from regular Defender activity. Also using the integrated model breaches, Darktrace's AI Analyst can autonomously collate timestamp and device information from a Defender alert and investigate surrounding unusual activity from the suspect device, presenting a summary of all suspicious activity detected on the device.
Integration at Work
In December 2022, Darktrace DETECT identified a suspicious new user on an internal customer server. Immediately afterwards, an integration model breach was triggered based on Defender’s detection of suspicious activity on the same device.
Figure 4: Event logs showing Darktrace DETECT identifying a New User Agent and the subsequent integration model breach.
Independently, Darktrace detected a New User Agent to Internal Server event based on a connection between two internal devices. Prior to this, Defender had independently alerted signs of a threat actor group (DEV-0408), which was represented in Darktrace’s Event Logs. Darktrace can pull information from Defender directly into the UI to enhance its investigation and provide a unified view for the customer (Figure 5).
Figure 5: An expanded window from the model breach information showing Security Integration information available from Defender regarding threat activity group DEV-0408.
Figure 6: Event logs showing Darktrace RESPOND’s action and the subsequent model breach.
After Darktrace and Defender models both breached, Darktrace RESPOND acted instantly; the connections triggering the breaches were blocked and new connections to those endpoints on the detected port were suspended for the next two hours (Figure 6). This response proactively protected against subsequent suspicious activity, such as lateral movement. The device was later manually quarantined by the customer’s security team based on these detections and responses.
Conclusion
Darktrace’s Self-Learning AI works to understand customer environments and augment security teams with early warning detection and machine-speed response. Integration with Microsoft Defender helps to provide an even broader network security visibility by augmenting network-layer insights with host-specific information and activity. Defense in depth is crucial to a modern cyber security strategy and protection plan for organizations. Implementing the proven capabilities of Microsoft Defender alongside Darktrace’s innovative suite of products provides highly informed insights and holistic coverage from host to network to defend against a broad range of threats.
Thanks to Brianna Leddy, Director of Analysis, for her contributions to the above.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Don’t Take the Bait: How Darktrace Keeps Microsoft Teams Phishing Attacks at Bay
20
May 2024
Social Engineering in Phishing Attacks
Faced with increasingly cyber-aware endpoint users and vigilant security teams, more and more threat actors are forced to think psychologically about the individuals they are targeting with their phishing attacks. Social engineering methods like taking advantage of the human emotions of their would-be victims, pressuring them to open emails or follow links or face financial or legal repercussions, and impersonating known and trusted brands or services, have become common place in phishing campaigns in recent years.
Phishing with Microsoft Teams
The malicious use of the popular communications platform Microsoft Teams has become widely observed and discussed across the threat landscape, with many organizations adopting it as their primary means of business communication, and many threat actors using it as an attack vector. As Teams allows users to communicate with people outside of their organization by default [1], it becomes an easy entry point for potential attackers to use as a social engineering vector.
In early 2024, Darktrace/Apps™ identified two separate instances of malicious actors using Microsoft Teams to launch a phishing attack against Darktrace customers in the Europe, the Middle East and Africa (EMEA) region. Interestingly, in this case the attackers not only used a well-known legitimate service to carry out their phishing campaign, but they were also attempting to impersonate an international hotel chain.
Despite these attempts to evade endpoint users and traditional security measures, Darktrace’s anomaly detection enabled it to identify the suspicious phishing messages and bring them to the customer’s attention. Additionally, Darktrace’s autonomous response capability, was able to follow-up these detections with targeted actions to contain the suspicious activity in the first instance.
Darktrace Coverage of Microsoft Teams Phishing
Chats Sent by External User and Following Actions by Darktrace
On February 29, 2024, Darktrace detected the presence of a new external user on the Software-as-a-Service (SaaS) environment of an EMEA customer for the first time. The user, “REDACTED@InternationalHotelChain[.]onmicrosoft[.]com” was only observed on this date and no further activities were detected from this user after February 29.
Later the same day, the unusual external user created its first chat on Microsoft Teams named “New Employee Loyalty Program”. Over the course of around 5 minutes, the user sent 63 messages across 21 different chats to unique internal users on the customer’s SaaS platform. All these chats included the ‘foreign tenant user’ and one of the customer’s internal users, likely in an attempt to remain undetected. Foreign tenant user, in this case, refers to users without access to typical internal software and privileges, indicating the presence of an external user.
Figure 1: Darktrace’s detection of unusual messages being sent by a suspicious external user via Microsoft Teams.
Figure 2: Advanced Search results showing the presence of a foreign tenant user on the customer’s SaaS environment.
Darktrace identified that the external user had connected from an unusual IP address located in Poland, 195.242.125[.]186. Darktrace understood that this was unexpected behavior for this user who had only previously been observed connecting from the United Kingdom; it further recognized that no other users within the customer’s environment had connected from this external source, thereby deeming it suspicious. Further investigation by Darktrace’s analyst team revealed that the endpoint had been flagged as malicious by several open-source intelligence (OSINT) vendors.
Figure 3: External Summary highlighting the rarity of the rare external source from which the Teams messages were sent.
Following Darktrace’s initial detection of these suspicious Microsoft Teams messages, Darktrace's autonomous response was able to further support the customer by providing suggested mitigative actions that could be applied to stop the external user from sending any additional phishing messages.
Unfortunately, at the time of this attack Darktrace's autonomous response capability was configured in human confirmation mode, meaning any autonomous response actions had to be manually actioned by the customer. Had it been enabled in autonomous response mode, it would have been able promptly disrupt the attack, disabling the external user to prevent them from continuing their phishing attempts and securing precious time for the customer’s security team to begin their own remediation procedures.
Figure 4: Darktrace autonomous response actions that were suggested following the ’Large Volume of Messages Sent from New External User’ detection model alert.
External URL Sent within Teams Chats
Within the 21 Teams chats created by the threat actor, Darktrace identified 21 different external URLs being sent, all of which included the domain "cloud-sharcpoint[.]com”. Many of these URLs had been recently established and had been flagged as malicious by OSINT providers [3]. This was likely an attempt to impersonate “cloud-sharepoint[.]com”, the legitimate domain of Microsoft SharePoint, with the threat actor attempting to ‘typo-squat’ the URL to convince endpoint users to trust the legitimacy of the link. Typo-squatted domains are commonly misspelled URLs registered by opportunistic attackers in the hope of gaining the trust of unsuspecting targets. They are often used for nefarious purposes like dropping malicious files on devices or harvesting credentials.
Upon clicking this malicious link, users were directed to a similarly typo-squatted domain, “InternatlonalHotelChain[.]sharcpoInte-docs[.]com”. This domain was likely made to appear like the SharePoint URL used by the international hotel chain being impersonated.
Figure 5: Redirected link to a fake SharePoint page attempting to impersonate an international hotel chain.
This fake SharePoint page used the branding of the international hotel chain and contained a document named “New Employee Loyalty Program”; the same name given to the phishing messages sent by the attacker on Microsoft Teams. Upon accessing this file, users would be directed to a credential harvester, masquerading as a Microsoft login page, and prompted to enter their credentials. If successful, this would allow the attacker to gain unauthorized access to a user’s SaaS account, thereby compromising the account and enabling further escalation in the customer’s environment.
Figure 6: A fake Microsoft login page that popped-up when attempting to open the ’New Employee Loyalty Program’ document.
This is a clear example of an attacker attempting to leverage social engineering tactics to gain the trust of their targets and convince them to inadvertently compromise their account. Many corporate organizations partner with other companies and well-known brands to offer their employees loyalty programs as part of their employment benefits and perks. As such, it would not necessarily be unexpected for employees to receive such an offer from an international hotel chain. By impersonating an international hotel chain, threat actors would increase the probability of convincing their targets to trust and click their malicious messages and links, and unintentionally compromising their accounts.
In spite of the attacker’s attempts to impersonate reputable brands, platforms, Darktrace/Apps was able to successfully recognize the malicious intent behind this phishing campaign and suggest steps to contain the attack. Darktrace recognized that the user in question had deviated from its ‘learned’ pattern of behavior by connecting to the customer’s SaaS environment from an unusual external location, before proceeding to send an unusually large volume of messages via Teams, indicating that the SaaS account had been compromised.
A Wider Campaign?
Around a month later, in March 2024, Darktrace observed a similar incident of a malicious actor impersonating the same international hotel chain in a phishing attacking using Microsoft Teams, suggesting that this was part of a wider phishing campaign. Like the previous example, this customer was also based in the EMEA region.
The attack tactics identified in this instance were very similar to the previously example, with a new external user identified within the network proceeding to create a series of Teams messages named “New Employee Loyalty Program” containing a typo-squatted external links.
There were a few differences with this second incident, however, with the attacker using the domain “@InternationalHotelChainExpeditions[.]onmicrosoft[.]com” to send their malicious Teams messages and using differently typo-squatted URLs to imitate Microsoft SharePoint.
As both customers targeted by this phishing campaign were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, this suspicious SaaS activity was promptly escalated to the Darktrace Security Operations Center (SOC) for immediate triage and investigation. Following their investigation, the SOC team sent an alert to the customers informing them of the compromise and advising urgent follow-up.
Conclusion
While there are clear similarities between these Microsoft Teams-based phishing attacks, the attackers here have seemingly sought ways to refine their tactics, techniques, and procedures (TTPs), leveraging new connection locations and creating new malicious URLs in an effort to outmaneuver human security teams and conventional security tools.
As cyber threats grow increasingly sophisticated and evasive, it is crucial for organizations to employ intelligent security solutions that can see through social engineering techniques and pinpoint suspicious activity early.
Darktrace’s Self-Learning AI understands customer environments and is able to recognize the subtle deviations in a device’s behavioral pattern, enabling it to effectively identify suspicious activity even when attackers adapt their strategies. In this instance, this allowed Darktrace to detect the phishing messages, and the malicious links contained within them, despite the seemingly trustworthy source and use of a reputable platform like Microsoft Teams.
Credit to Min Kim, Cyber Security Analyst, Raymond Norbert, Cyber Security Analyst and Ryan Traill, Threat Content Lead
Appendix
Darktrace Model Detections
SaaS Model
Large Volume of Messages Sent from New External User
SaaS / Unusual Activity / Large Volume of Messages Sent from New External User
Indicators of Compromise (IoCs)
IoC – Type - Description
https://cloud-sharcpoint[.]com/[a-zA-Z0-9]{15} - Example hostname - Malicious phishing redirection link
InternatlonalHotelChain[.]sharcpolnte-docs[.]com – Hostname – Redirected Link
195.242.125[.]186 - External Source IP Address – Malicious Endpoint
Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads
15
May 2024
Email – the vector of choice for threat actors
In times of unprecedented globalization and internationalization, the enormous number of emails sent and received by organizations every day has opened the door for threat actors looking to gain unauthorized access to target networks.
Now, increasingly global organizations not only need to safeguard their email environments against phishing campaigns targeting their employees in their own language, but they also need to be able to detect malicious emails sent in foreign languages too [1].
Why are non-English language phishing emails more popular?
Many traditional email security vendors rely on pre-trained English language models which, while function adequately against malicious emails composed in English, would struggle in the face of emails composed in other languages. It should, therefore, come as no surprise that this limitation is becoming increasingly taken advantage of by attackers.
Darktrace/Email™, on the other hand, focuses on behavioral analysis and its Self-Learning AI understands what is considered ‘normal’ for every user within an organization’s email environment, bypassing any limitations that would come from relying on language-trained models [1].
In March 2024, Darktrace observed anomalous emails on a customer’s network that were sent from email addresses belonging to an international fast-food chain. Despite this seeming legitimacy, Darktrace promptly identified them as phishing emails that contained malicious payloads, preventing a potentially disruptive network compromise.
Attack Overview and Darktrace Coverage
On March 3, 2024, Darktrace observed one of the customer’s employees receiving an email which would turn out to be the first of more than 50 malicious emails sent by attackers over the course of three days.
The Sender
Darktrace/Email immediately understood that the sender never had any previous correspondence with the organization or its employees, and therefore treated the emails with caution from the onset. Not only was Darktrace able to detect this new sender, but it also identified that the emails had been sent from a domain located in China and contained an attachment with a Chinese file name.
Figure 1: The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.
Darktrace further detected that the phishing emails had been sent in a synchronized fashion between March 3 and March 5. Eight unique senders were observed sending a total of 55 emails to 55 separate recipients within the customer’s email environment. The format of the addresses used to send these suspicious emails was “12345@fastflavor-shack[.]cn”*. The domain “fastflavor-shack[.]cn” is the legitimate domain of the Chinese division of an international fast-food company, and the numerical username contained five numbers, with the final three digits changing which likely represented different stores.
*(To maintain anonymity, the pseudonym “Fast Flavor Shack” and its fictitious domain, “fastflavor-shack[.]cn”, have been used in this blog to represent the actual fast-food company and the domains identified by Darktrace throughout this incident.)
As these emails were sent from a legitimate domain associated with a trusted organization and seemed to be coming from the correct connection source, they were verified by Sender Policy Framework (SPF) and were able to evade the customer’s native email security measures. Darktrace/Email; however, recognized that these emails were actually sent from a user located in Singapore, not China.
Figure 2: Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.
The Emails
Darktrace/Email autonomously analyzed the suspicious emails and identified that they were likely phishing emails containing a malicious multistage payload.
Figure 3: Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.
There has been a significant increase in multistage payload attacks in recent years, whereby a malicious email attempts to elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a malicious payload or attempting to harvest credentials [2].
In this case, the malicious actor had embedded a suspicious link into a QR code inside a Microsoft Word document which was then attached to the email in order to direct targets to a malicious domain. While this attempt to utilize a malicious QR code may have bypassed traditional email security tools that do not scan for QR codes, Darktrace was able to identify the presence of the QR code and scan its destination, revealing it to be a suspicious domain that had never previously been seen on the network, “sssafjeuihiolsw[.]bond”.
Figure 4: Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.
At the time of the attack, there was no open-source intelligence (OSINT) on the domain in question as it had only been registered earlier the same day. This is significant as newly registered domains are typically much more likely to bypass gateways until traditional security tools have enough intelligence to determine that these domains are malicious, by which point a malicious actor may likely have already gained access to internal systems [4]. Despite this, Darktrace’s Self-Learning AI enabled it to recognize the activity surrounding these unusual emails as suspicious and indicative of a malicious phishing campaign, without needing to rely on existing threat intelligence.
The most commonly used sender name line for the observed phishing emails was “财务部”, meaning “finance department”, and Darktrace observed subject lines including “The document has been delivered”, “Income Tax Return Notice” and “The file has been released”, all written in Chinese. The emails also contained an attachment named “通知文件.docx” (“Notification document”), further indicating that they had been crafted to pass for emails related to financial transaction documents.
Figure 5: Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.
Conclusion
Although this phishing attack was ultimately thwarted by Darktrace/Email, it serves to demonstrate the potential risks of relying on solely language-trained models to detect suspicious email activity. Darktrace’s behavioral and contextual learning-based detection ensures that any deviations in expected email activity, be that a new sender, unusual locations or unexpected attachments or link, are promptly identified and actioned to disrupt the attacks at the earliest opportunity.
In this example, attackers attempted to use non-English language phishing emails containing a multistage payload hidden behind a QR code. As traditional email security measures typically rely on pre-trained language models or the signature-based detection of blacklisted senders or known malicious endpoints, this multistage approach would likely bypass native protection.
Darktrace/Email, meanwhile, is able to autonomously scan attachments and detect QR codes within them, whilst also identifying the embedded links. This ensured that the customer’s email environment was protected against this phishing threat, preventing potential financial and reputation damage.
Credit to: Rajendra Rushanth, Cyber Analyst, Steven Haworth, Head of Threat Modelling, Email
Appendices
List of Indicators of Compromise (IoCs)
IoC – Type – Description
sssafjeuihiolsw[.]bond – Domain Name – Suspicious Link Domain
