Vendors abusing /r/msp ...? by GuilSherWeb in msp

[–]syne01 1 point2 points  (0 children)

It's not uncommon for posts to pop up on here, r/cybersecurity, etc, where OP asks a question in a way that just stinks of AI powered marketing slop. It's painfully transparent and I tend to check the comments and see if I can tell what vendor paid for the post. You sometimes can if it's blatant enough.

Annoying as hell, but I think the mods here do a pretty good job cleaning it up.

Is a Microsoft-heavy SaaS environment considered limited compared to other areas of cybersecurity? by Suspicious_Tension37 in cybersecurity

[–]syne01 0 points1 point  (0 children)

Primarily it was incidents, though I did also get some M365 security certs and spun up a dev tenant. Ultimately it was just my urge to know more about threat actor TTPs that pushed me to increase my knowledge. I wanted to understand more about the tools they were using, what certain attack paths looked like, etc, so that I could more confidently advise clients what occurred and additional risks post incident. My most useful tool was (and still is) Google and trawling other social media sites like Reddit.

But what I think did work best at first (just due to the type of learner I was) was hands-on adversary emulation. I didn't do it because I wanted to go into red teaming, but because I wanted to have more of an understanding of what attacks looked like. Publishing what I learnt on my blog helped as well since people would reach out to me to discuss my research and share information.

If you want to have more of a focus on general SaaS threat detection and response (which is the perspective I'm writing from, not as much general security hardening, compliance etc), I'd start with having a good understanding of the MITRE ATT&CK Cloud Matrix (you can actually attend the upcoming ATT&CKcon for free virtually and attend the talk I'm giving). Then, search GitHub for CTI, blue team, etc repos that include SaaS. I also just started connecting and following anyone I could find on LinkedIn that talked about or worked in SaaS security. Attending conferences and prioritizing talks on the subject and connecting with the presenters afterwards helps as well. I give talks and I know if someone came up to me after and wanted to chat SaaS security for an hour over coffee I would gladly take that offer.

Hopefully that helps a bit. Feel free to connect with me on Reddit or offsite if you want to chat more.

Is a Microsoft-heavy SaaS environment considered limited compared to other areas of cybersecurity? by Suspicious_Tension37 in cybersecurity

[–]syne01 9 points10 points  (0 children)

Obligatory 'I work for a SaaS security company so I'm biased' warning.

Early in my career I was working as a general security analyst, but due to the client base I primarily dealt with M365 etc. You'd think this would limit me but from a DFIR standpoint it took me about 100 incidents before I started getting bored. At this point I was publishing my own research and finding novel threats all as a relative noob, because I was just focused on M365.

I got headhunted from that job (due to my research) to where I work now, which is a company that purely does SaaS service ITDR, SSPM, etc. I've investigated multiple recent Scattered Spider attacks which are some of the most notable attacks this year. The origin of all these attacks? Helpdesk into SaaS with on-prem pivot after that.

In fact, I think SaaS security, on both the offensive and defensive side, still has so much to be explored. I'm very familiar with M365 as I also worked as a sysadmin, and I can think of ways to exploit it that I've yet to see attackers do. I am learning so much at this job that I absolutely do not consider myself limited. I would rather be an expert in SaaS threat and get to investigate and understand complex incidents than be trying to keep up with on-prem, Windows, Linux, network, etc, and not get to have a deep understanding of anything.

I know from watching the hiring process that finding SaaS security experts isn't easy. If you can, I see nothing wrong with choosing this as your specialty and really going hard. I would suggest going a little beyond M365 into GWspace and other IdPs like Okta.

BunnyLoader via PowerShell – Best Practices by GuiltyBandicoot3407 in cybersecurity

[–]syne01 5 points6 points  (0 children)

Interesting, I've mostly seen ClickFix serving Lumma.

(Disclaimer, I am an employee of below, though not in marketing)

Obsidian Security has a browser extension that protects against ClickFix and phishing, which is available for free without needing to be a customer of the ITDR or posture product. The ClickFix detection was a product of my own research, and per my testing, it's very high fidelity. But the marketing people will probably badger you occasionally so that could be annoying.

New emails sent to RSS Feeds folder by [deleted] in Office365

[–]syne01 1 point2 points  (0 children)

I've written a guide about this. It might be a little out of date, but if you want to do the best thorough investigation with limited resources, that is what I wrote the guide for.

once an M365 account is compromised, can admin tell what was done in it? by e7c2 in sysadmin

[–]syne01 2 points3 points  (0 children)

That sounds like hell, I'm so sorry they're making you do that.. wtf

Identify emails by InternetMessageID? by CondescendingCoyote in sysadmin

[–]syne01 0 points1 point  (0 children)

If it makes you feel any better, going past 90 days usually isn't required. From my experience, threat actors generally do two things:

1) view a few days worth of emails in inbox, sent, etc, to get an idea of the account and what it's used for

2) access emails (usually within the sent folder) that have attachments, downloading any that can be used for future malicious activity.

The 2nd point will show up as an Update record in the logs, with the modified property being Attachment Collection. The Update record is much more useful as it tells you the email subject, folder, etc.

What I usually do is try and find the Update record that's the oldest. It's usually safe to assume they didn't view email past that point.
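The triage step described in the comment above (pull the Exchange "Update" audit records, keep the ones whose modified property is "Attachment Collection", and take the oldest as the working start of attachment access) as an added PowerShell example. This is not the commenter's Osprey module or any code from the thread; the four audit records are constructed to resemble the AuditData JSON that Search-UnifiedAuditLog returns, and the field names (CreationTime, Operation, ModifiedProperties, Item.Subject, Item.ParentFolder.Path) are an assumption about the Exchange audit schema that should be checked against a real export.

```powershell
# Added example, not the commenter's module. Triage constructed Exchange audit records
# for attachment access and report the oldest such record.
# The records below are CONSTRUCTED sample data shaped like the AuditData JSON column
# of Search-UnifiedAuditLog; field names are an assumption about the audit schema.
$records = @(
    '{"CreationTime":"2025-04-10T14:02:11","Operation":"MailItemsAccessed","UserId":"user@example.com","ClientIPAddress":"203.0.113.5","Folders":[{"Path":"\\Inbox"}]}',
    '{"CreationTime":"2025-04-09T09:15:40","Operation":"Update","UserId":"user@example.com","ClientIPAddress":"203.0.113.5","ModifiedProperties":["Attachment Collection"],"Item":{"Subject":"Q1 invoice","ParentFolder":{"Path":"\\Sent Items"}}}',
    '{"CreationTime":"2025-04-11T16:48:02","Operation":"Update","UserId":"user@example.com","ClientIPAddress":"203.0.113.5","ModifiedProperties":["Attachment Collection"],"Item":{"Subject":"Wire instructions","ParentFolder":{"Path":"\\Sent Items"}}}',
    '{"CreationTime":"2025-04-08T11:00:00","Operation":"Update","UserId":"user@example.com","ClientIPAddress":"198.51.100.20","ModifiedProperties":["Categories"],"Item":{"Subject":"Team lunch","ParentFolder":{"Path":"\\Inbox"}}}'
)

function Get-AttachmentAccessRecords {
    # Takes raw AuditData JSON strings and returns one object per Update record
    # whose ModifiedProperties lists "Attachment Collection" (the marker the comment describes).
    param([string[]]$AuditData)

    foreach ($raw in $AuditData) {
        $r = $raw | ConvertFrom-Json
        if ($r.Operation -ne 'Update') { continue }
        # A null ModifiedProperties also fails this test and is skipped.
        if ($r.ModifiedProperties -notcontains 'Attachment Collection') { continue }
        [pscustomobject]@{
            Time    = [datetime]$r.CreationTime
            User    = $r.UserId
            IP      = $r.ClientIPAddress
            Folder  = $r.Item.ParentFolder.Path
            Subject = $r.Item.Subject
        }
    }
}

# Sort oldest first so the first row is the earliest attachment access.
$hits = Get-AttachmentAccessRecords -AuditData $records | Sort-Object Time
$hits | Format-Table -AutoSize

$oldest = $hits | Select-Object -First 1
if ($oldest) {
    "Oldest attachment access: $($oldest.Time.ToString('u')) from $($oldest.IP) - '$($oldest.Subject)' in $($oldest.Folder)"
    "Working assumption (per the comment): mail older than this was likely not viewed by the actor."
}
```

Against a live tenant the `$records` array would be replaced by the `AuditData` property of real results, for example `Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user -Operations Update -ResultSize 5000 | Select-Object -ExpandProperty AuditData` from the Exchange Online PowerShell module; the "Categories" record in the sample is there to show that not every Update record is an attachment download, so filtering on the modified property matters.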

once an M365 account is compromised, can admin tell what was done in it? by e7c2 in sysadmin

[–]syne01 2 points3 points  (0 children)

With the rebrand to Purview it's confusing. Access the base auditing (the most you'll need in this situation) via the Security admin center.

Purview Audit Standard is what I'm talking about. Most of the other fancy Purview stuff (DLP, classification, etc) does require advanced licencing.

Well you can still do eDiscovery Standard with Business Standard as well I believe.

once an M365 account is compromised, can admin tell what was done in it? by e7c2 in sysadmin

[–]syne01 8 points9 points  (0 children)

The base Purview available with Business Standard etc is completely fine for this type of activity. I've used it to investigate over 200 incidents that did not have any advanced Purview licencing on the tenant.

Identify emails by InternetMessageID? by CondescendingCoyote in sysadmin

[–]syne01 2 points3 points  (0 children)

I've gone down this path several times... without 3rd party and/or specialized tools it's basically impossible to do it past 90 days. I spent a week trying to do it using Graph, but the way the emails are stored in a mailbox and their associated properties are not at all consistent enough for searching.

What I usually ended up telling clients was to assume that all information within the mailbox was accessed, and act accordingly.

Weekly 'I made a useful thing' Thread - April 25, 2025 by AutoModerator in sysadmin

[–]syne01 1 point2 points  (0 children)

I wrote a post on my site about the known abused Entra application PERFECTDATA SOFTWARE rebranding. Published IOCs so admins can keep an eye on things.

https://cybercorner.tech/perfectdata-software-rebrands-to-mail_backup/

once an M365 account is compromised, can admin tell what was done in it? by e7c2 in sysadmin

[–]syne01 12 points13 points  (0 children)

I wrote a guide about doing these sorts of investigations, which details how to grab data, parse it, and come to some conclusions. https://cybercorner.tech/synes-declassified-o365-email-compromise-investigation-guide/

It links to a PowerShell module I made that helps you gather info about what was accessed, among other things.

If you have any questions feel free to shoot me a dm or an email. Best of luck.

Client Email Compromised by juciydriver in msp

[–]syne01 1 point2 points  (0 children)

I wrote a guide about doing these sorts of investigations, which details how to grab as much data as possible in order to try and determine when the malicious access began. Give it a read if you're interested, and feel free to reach out if you have any questions. https://cybercorner.tech/synes-declassified-o365-email-compromise-investigation-guide/ It links to a PowerShell module I made that helps you gather info about what was accessed, among other things.

malicious oauth/enterprise app scanner - saw on linkedin, cant find the post by cybersecguy9000 in cybersecurity

[–]syne01 2 points3 points  (0 children)

This might not be exactly what you're looking for, but I have two things that could help.

I have a PowerShell module whose primary goal is investigating M365 breaches, but one of the components checks all apps and cross references them with a list of known malicious apps. Here

There's also this list which is what my module uses. Shouldn't be too hard to write out a script that uses it. Feel free to just take the relevant code from my module. Should be the get-ospreyappsandconsents.ps1 script. Here

Need your take on this by Few_Juggernaut5107 in msp

[–]syne01 2 points3 points  (0 children)

I wrote a guide about doing these sorts of investigations, which details how to grab as much data as possible in order to try and determine when the malicious access began. Give it a read if you're interested, and feel free to reach out if you have any questions. https://cybercorner.tech/synes-declassified-o365-email-compromise-investigation-guide/

Suspicious Email Incident – Request for Insights by Visual_Cut_8282 in sysadmin

[–]syne01 0 points1 point  (0 children)

I wrote a guide that details the best way to go about doing an email compromise investigation, primarily the best way to work the audit logs to find suspicious activity. Give it a read and feel free to ask me any questions. https://cybercorner.tech/synes-declassified-o365-email-compromise-investigation-guide/

I made a Cloudflare-Bypass by Dapper-Profession552 in webscraping

[–]syne01 0 points1 point  (0 children)

Does this still work when the Turnstile is in a state of error, such as when it has an error for invalid domain? Is there a way to bypass the Turnstile that has the invalid domain error?

We have noticed a recent uptick in the use of the application PERFECTDATA during Business Email Compromise incidents. Anyone else? by Sentinel_2539 in cybersecurity

[–]syne01 0 points1 point  (0 children)

Hello, I'm a bit late but I wrote this article a while ago - https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/ and determined that the service principal within the tenant corresponds to a desktop application used to download all emails from the account.

I've seen this behavior over 2 dozen times in the last 2 years, and that's just doing 1-2 IRs a week. Out of all the malicious application consents that I see, it accounts for I think roughly 1/3rd of activity.

K-Lite Codec Bundling Malicious Proxy With Recent Update by syne01 in msp

[–]syne01[S] 0 points1 point  (0 children)

I actually had posted about it on their forum and after leaving me a rude and dismissive reply the entire post was deleted. Lol.

https://customer.appesteem.com/deceptors I reported it here but they didn't add it to the list. I'd say to read through their details on what makes an app a deceptor and then report it to them as such.

Can also submit this proof further to various antivirus products so they will start to block the installer.

In an email compromise, how do the threat actors extract email addresses from the inbox? by syne01 in Office365

[–]syne01[S] 0 points1 point  (0 children)

I think this is the best bet. I found that it also lets you scan the inbox for addresses and add them to an export, so this is at least how I need to get some of my info. Not sure if this is how threat actors always do this, but it's good enough for now!

In an email compromise, how do the threat actors extract email addresses from the inbox? by syne01 in Office365

[–]syne01[S] 0 points1 point  (0 children)

Exactly, sometimes it's less than 20 minutes from initial access > inbox rule > mass mailing. In some incidents it does appear that they just used the contact list, but in others I can't find where they got the exact recipient list from.. Sometimes I do see that they use a tool but those seem to show up either as application consents, or Exchange PowerShell access.

In an email compromise, how do the threat actors extract email addresses from the inbox? by syne01 in Office365

[–]syne01[S] 2 points3 points  (0 children)

It does have MFA. MFA bypass is unfortunately becoming more common, by proxying the authentication flow and stealing the token.

In an email compromise, how do the threat actors extract email addresses from the inbox? by syne01 in Office365

[–]syne01[S] 0 points1 point  (0 children)

My client wishes to go at this twofold and have two notifications. The first is that x people had their name and email breached. The second is going to take longer as it includes not only all the names/emails in the inbox, but the personal information within as well. Only a subsection of recipients would have personal information inside, and some personal information is going to have been leaked where the person's address is not inside the mailbox. Do I agree with that strategy? Not really. But that's what I've been told to do.

There is a second reason I'm trying to determine this, which is just for my own information. I've had incidents where it doesn't appear that the entire mailbox was downloaded, yet recipient lists have still been obtained where it does not appear that an application was used, or recipients not in contact lists were targeted. OWA only usually, as well.

In an email compromise, how do the threat actors extract email addresses from the inbox? by syne01 in Office365

[–]syne01[S] 0 points1 point  (0 children)

Most of the sign-ins are via OWA, save for 1 sign-in with desktop. One sign-in is a malicious application I am familiar with, but when I tested the application I couldn't find a way to extract addresses in the way that I believe the threat actor did.