Veroot Cyber Partner - Huntress MDR/ITDR Services in Action

Written by Ryan Kessler | Feb 20, 2025 6:40:52 PM

Step 4: Attacker Gains Access

Description: The attacker now has the victim’s login details and can access their account, leading to data breaches or financial fraud.

  • Geo-location data shows that logins were accepted from abnormal locations.

Consequences:

  • Unauthorized access to email or company accounts.
  • Use of stolen credentials for further attacks. In this case, Huntress MDR/ITDR Services blocked access and isolated both the account and the endpoint.
  • Huntress ITDR was triggered by the geo-location of a login to the user account.
  • Huntress continuously monitors Microsoft 365 authentication events. When a login occurs from a previously unseen geolocation (e.g., a different country or an unexpected region), ITDR assesses the event based on:

    • User behavior history: Has this user logged in from this location before?
      • As shown above, the geo-location had changed from Ohio to Atlanta, Georgia.
    • IP reputation: Is the IP associated with VPNs, proxies, or known threat actors?
      • Huntress detected a known user agent, Axios, that has been used in successful phishing campaigns in the wild.
    • Anomalous patterns: Does this login differ significantly from the user's normal activity?
      • These detections can be confirmed through the Microsoft 365 admin portal.
  • The report shown above is delivered to the administrator(s) of the Huntress account, together with the remediation steps to take moving forward.
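The three questions above (location history, user-agent/IP reputation, deviation from normal activity) as an added example in Python; this is not Huntress or Veroot code. It walks constructed sign-in events in the shape of a simplified Microsoft 365 sign-in log, flags an accepted login from a region the user has never been seen in, and flags the Axios user agent named above. The event field names, the sample IPs and regions, and the treatment of Axios as a suspicious-client indicator are assumptions of this example.

```python
# Added example (not Huntress or Veroot code): a minimal sign-in anomaly
# check modelled on the three questions in the post (location history,
# user-agent/IP reputation, deviation from normal activity).
from collections import defaultdict

# Constructed sample events in a simplified Microsoft 365 sign-in-log shape.
# Every value below is made up for illustration.
SAMPLE_EVENTS = [
    {"ts": "2025-02-18T09:01:00Z", "user": "jdoe@example.com",
     "ip": "203.0.113.10", "region": "Ohio, US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Success"},
    {"ts": "2025-02-18T17:30:00Z", "user": "jdoe@example.com",
     "ip": "203.0.113.10", "region": "Ohio, US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Success"},
    {"ts": "2025-02-19T03:12:00Z", "user": "jdoe@example.com",
     "ip": "198.51.100.77", "region": "Atlanta, Georgia, US",
     "user_agent": "axios/1.6.7", "result": "Success"},
    {"ts": "2025-02-19T08:00:00Z", "user": "asmith@example.com",
     "ip": "203.0.113.11", "region": "Ohio, US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Success"},
    {"ts": "2025-02-19T08:05:00Z", "user": "asmith@example.com",
     "ip": "198.51.100.78", "region": "Atlanta, Georgia, US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Failure"},
    {"ts": "2025-02-19T09:40:00Z", "user": "jdoe@example.com",
     "ip": "198.51.100.77", "region": "Atlanta, Georgia, US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Success"},
]

# The post names Axios as a user agent seen in phishing campaigns. Treating
# its product token as a suspicious-client indicator is this example's
# assumption, not a Huntress reputation feed.
SUSPICIOUS_USER_AGENTS = {"axios"}


def _ua_product(user_agent):
    """Return the lower-cased product token ('axios' from 'axios/1.6.7')."""
    return user_agent.split("/", 1)[0].strip().lower()


def assess_logins(events, known_regions=None):
    """Walk sign-in events in order; return one alert per anomalous accepted login.

    known_regions: optional {user: set(regions)} baseline to seed history.
    Only successful sign-ins build history, and a region that produced an
    alert is NOT learned automatically: until an administrator confirms it,
    a second login from there is still flagged.
    """
    history = defaultdict(set)
    for user, regions in (known_regions or {}).items():
        history[user].update(regions)

    alerts = []
    for ev in events:
        if ev["result"] != "Success":
            continue  # accepted logins only; failures are a separate signal
        user, region = ev["user"], ev["region"]
        reasons = []
        # Location history: a user with prior logins appearing somewhere new.
        if history[user] and region not in history[user]:
            reasons.append("new_geolocation")
        # Client reputation: known-bad user agent product token.
        if _ua_product(ev["user_agent"]) in SUSPICIOUS_USER_AGENTS:
            reasons.append("suspicious_user_agent")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "ip": ev["ip"],
                           "region": region, "reasons": reasons,
                           "known_regions": sorted(history[user])})
        else:
            history[user].add(region)  # a quiet login extends the baseline
    return alerts


if __name__ == "__main__":
    for a in assess_logins(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']} from {a['region']} ({a['ip']}): "
              f"{', '.join(a['reasons'])}; known={a['known_regions']}")
```

Run stand-alone, it reports two alerts for jdoe: the Atlanta login with the Axios client (new location plus suspicious user agent), and the later Atlanta login from a normal browser, which is still flagged because an alerted region is not added to the baseline until someone confirms it. A user's very first login seeds the baseline silently, and a failed attempt neither alerts nor builds history, so a password-spray attempt from a new region would need its own detection.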

Step 5: Mitigation & Response

Actions to Take if You Suspect Phishing:

  1. Do not click links or download attachments from unknown sources.
  2. Verify the sender by contacting them through official channels.
  3. Report the phishing email to IT/security teams.
  4. Reset your password immediately if credentials were entered.
  5. Enable multi-factor authentication (MFA) for added security.

Why Huntress ITDR?

  1. Huntress ITDR (Identity Threat Detection & Response) provides continuous monitoring to detect identity-based threats, such as compromised credentials and lateral movement, before they can escalate into full-scale breaches.

  2. It enhances visibility into identity-related attack paths, helping organizations detect and respond to adversary activity within Microsoft 365, Active Directory, and other identity ecosystems.

  3. Huntress ITDR reduces dwell time by rapidly detecting suspicious authentication attempts, privilege escalations, and unauthorized access, allowing security teams to take immediate action.

  4. It integrates seamlessly with existing security tools, providing enriched threat intelligence and actionable insights to improve incident response capabilities.

  5. By leveraging expert threat hunting and automated detection, Huntress ITDR helps small and mid-sized businesses (SMBs) strengthen their defenses against sophisticated cyber threats.

  6. With a focus on post-exploitation detection and response, Huntress ITDR ensures that identity-related attacks are identified even when traditional endpoint security solutions fail to catch them.


If your business lacks adequate M365 and EDR protections against an ever-growing threat, please contact us at cyber@veroot.com.