When Trusted Senders Become Threats: A BEC Case Study in Microsoft 365
Recently I received a ticket to create a detection for a client BEC. Microsoft Defender for Office 365 (MDO) didn't flag the phishing email, but Entra ID raised Unfamiliar sign-in properties and the incident surfaced in Sentinel.

Storytime: the signals we saw

Sentinel incident: unfamiliar sign-in properties; RiskEventType: "unfamiliarFeatures" and "passwordSpray".
Indicators: User-Agent axios/1.11.0; sign-in source: M247-LTD Los Angeles Infrastructure (m247global.com), a classic hosting/datacenter footprint rather than a residential ISP.
Conditional Access forced MFA; the logs confirm MFA was passed.
The client confirmed compromise. The user was not using a VPN or any odd third-party apps.

I pivoted to URL clicks around the time of the malicious sign-in. In UrlClickEvents for the victim over the prior few minutes to hours, most URLs looked normal, but one stood out. Sandboxing showed a "file was shared -> enter email" lure that then redirected to a newly registered .ru page impersonating Microsoft 365. ...
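The pivot described above (a risky, MFA-passed sign-in from a scripted client, then a look back at the same user's URL clicks) can be written as one hunting query. The query below is an added example, not the rule from the post; it assumes a Sentinel workspace that ingests Entra ID SigninLogs and the Defender XDR UrlClickEvents table, and the lookback windows, the "axios/" user-agent prefix and the vetted-host list are illustrative values to tune per tenant.

```kql
// Added example, not the original post's detection. Assumes SigninLogs and
// UrlClickEvents are both present in the workspace. Windows, the user-agent
// prefix and the vetted host list are assumptions, adjust to your tenant.
let lookback = 1d;
let click_window = 6h;            // how far before the sign-in to look for clicks
let risky_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0                                   // sign-in succeeded
    | where tostring(RiskEventTypes_V2) has_any ("unfamiliarFeatures", "passwordSpray")
    | where UserAgent startswith "axios/"                     // scripted HTTP client, not a browser
    | project SigninTime = TimeGenerated,
              Upn = tolower(UserPrincipalName),
              IPAddress, UserAgent,
              AuthenticationRequirement, ConditionalAccessStatus;
risky_signins
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback + click_window)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | project ClickTime = Timestamp,
              Upn = tolower(AccountUpn),
              Url, ActionType, IsClickedThrough, ThreatTypes
  ) on Upn
// Keep only clicks in the window leading up to the suspicious sign-in
| where ClickTime between ((SigninTime - click_window) .. SigninTime)
| extend MinutesBeforeSignin = datetime_diff("minute", SigninTime, ClickTime)
| extend ClickedHost = tolower(tostring(parse_url(Url).Host))
// Optional noise filter for hosts you have already vetted. Keep it short: a
// broad allowlist is exactly what a lure hiding behind a trusted name exploits.
| where ClickedHost !in~ ("login.microsoftonline.com", "www.microsoft.com")
| project SigninTime, Upn, IPAddress, UserAgent, AuthenticationRequirement,
          ConditionalAccessStatus, ClickTime, MinutesBeforeSignin,
          ClickedHost, Url, ActionType, ThreatTypes
| order by SigninTime desc, MinutesBeforeSignin asc
```

Rows with a small MinutesBeforeSignin and a host that is neither a known SaaS domain nor in the user's history are the ones to sandbox first. AuthenticationRequirement and ConditionalAccessStatus are carried through so the analyst can see at a glance that MFA was satisfied, which is the detail that turns "credential phishing" into a session-token or adversary-in-the-middle question rather than a password-reset job.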
Blindspots in Defender for Endpoint: What MDE Misses in Network Traffic
Intro

Earlier this year on LinkedIn, I shared a quirky "feature" in Microsoft Defender for Endpoint (MDE): it records the Host header the client supplies as the remote name, without validating that the name matches the IP actually connected to (LinkedIn Post). Example:

    curl.exe 142.250.69.142 -H "host: example.com"    # one of Google's IPs

In MDE, the RemoteUrl field will log example.com, not the actual destination domain behind the IP. Not an exploit, but a perfect way to hide malicious traffic under the "safe domains" umbrella. If your hunting queries filter out common benign sites by RemoteUrl, you'll miss it entirely. ...
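One way to hunt for the pattern the curl example shows, that is, a command-line HTTP client connecting to a bare IP literal while setting its own Host header, is the advanced hunting query below. It is an added example, not the query from the post or from Microsoft; the list of client binaries and the "vetted hosts" allowlist are assumptions chosen to illustrate the blind spot, and the regexes only cover IPv4 targets.

```kql
// Added example, not the original post's query. Flags command-line HTTP clients
// that target an IPv4 literal and also pass an explicit Host header, which is
// what lets RemoteUrl carry an attacker-chosen name. Client list and allowlist
// are assumptions for illustration.
let http_clients = dynamic(["curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "python.exe"]);
let vetted_hosts = dynamic(["example.com", "www.google.com", "login.microsoftonline.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (http_clients)
| where isnotempty(RemoteUrl)
// An explicit Host header on the command line (curl -H "host: ...", wget --header,
// Invoke-WebRequest -Headers @{Host=...})
| where InitiatingProcessCommandLine matches regex @"(?i)\bhost\s*[:=]"
// The target written as a bare IPv4 literal instead of a name
| extend CmdLineTarget = extract(@"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})", 1, InitiatingProcessCommandLine)
| where isnotempty(CmdLineTarget)
// Normalise RemoteUrl to a host name whether or not it carries a scheme
| extend ClaimedHost = tolower(iff(RemoteUrl has "://",
                                   tostring(parse_url(RemoteUrl).Host),
                                   tostring(parse_url(strcat("http://", RemoteUrl)).Host)))
// Would a RemoteUrl-based allowlist have hidden this row?
| extend HiddenByAllowlist = ClaimedHost in~ (vetted_hosts)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          RemoteIP, RemotePort, RemoteUrl, ClaimedHost, CmdLineTarget,
          HiddenByAllowlist, InitiatingProcessCommandLine
| order by Timestamp desc
```

The HiddenByAllowlist column is the point of the exercise: every row where it is true is traffic a RemoteUrl-based exclusion would have dropped. The query only catches the explicit-header case; a client that sets the header inside a script file or a compiled binary leaves nothing on the command line, so the durable fix is to key allowlists on RemoteIP (or on DNS-derived names) rather than on RemoteUrl alone.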
Detecting Internal Domain Collision with Defender for Endpoint
While onboarding a client to Microsoft Sentinel and MDE, I discovered a subtle misconfiguration involving internal device names leaking to public DNS. This blog breaks down how I found it, the detection logic I used, and how this seemingly harmless mistake could have led to credential theft through a supply-chain vector.

The Setting

A recent project involved onboarding a new client to Microsoft Sentinel. Their tenant and workspace were already configured, along with Defender XDR. My job was to reduce alert fatigue by fine-tuning analytics rules, whitelisting noise (after validating it wasn't malicious), and creating new rules for coverage gaps. ...
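A minimal shape for the kind of detection this post is about, an internal name resolving to a public address, is shown below as an added example; it is not the rule from the post. It assumes the client's internal DNS suffixes are the placeholder values .corp.local and .ad.example.com, and that the 203.0.113.0/24 range stands in for the organisation's own public-facing hosts that legitimately share the suffix.

```kql
// Added example, not the original post's detection. Flags connections to names
// under the internal DNS suffix that went to a public address, the symptom of an
// internal name leaking into, and colliding with, public DNS. The suffixes and
// the excluded public range are placeholder assumptions.
let ignore_public_ranges = dynamic(["203.0.113.0/24"]);   // assumed: org-owned public hosts
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where isnotempty(RemoteUrl)
| extend Host = tolower(iff(RemoteUrl has "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| where Host endswith ".corp.local" or Host endswith ".ad.example.com"   // assumed internal suffixes
| where RemoteIPType == "Public"
| where not(ipv4_is_in_any_range(RemoteIP, ignore_public_ranges))
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Devices = dcount(DeviceId),
            Processes = make_set(InitiatingProcessFileName, 10),
            Ports = make_set(RemotePort, 10)
          by Host, RemoteIP
| order by Connections desc
```

A hit means a device tried to reach an internal hostname and ended up at an address on the internet, which is the precondition for whoever controls that address to receive whatever the client sends (update checks, agent check-ins, NTLM or Kerberos attempts from a misconfigured resolver). Treat the Host column as a lead rather than proof, since RemoteUrl can itself be a client-supplied name, and confirm with the resolver logs before raising it to an incident.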