If someone tries ransacking your Windows network, it's a bit easier now to grok in Microsoft 365 Defender

Blinking, beeping, and flashing lights, blinking and beeping and flashing...

Microsoft is bringing Azure Active Directory Identity Protection alerts to Microsoft 365 Defender to seemingly help IT folks thwart criminals infiltrating corporate networks via compromised users.

For one thing, this means that if you want to find out the role an Azure AD identity played in an intrusion, you can now do so from one place, Microsoft 365 Defender, saving you from having to check your Azure portal, according to Microsoftie Idan Pelleg. Identity Protection alerts can be configured to trigger when it appears one or more user accounts have been compromised, based on their behavior, location, and other factors. This is useful for detecting and blocking suspicious or rogue actions.

"Identity Protection alerts are now correlated into related incidents along with alerts from the other security domains, and can be reviewed directly in Microsoft 365 Defender for a full view of the end-to-end attack," Pelleg explained on Tuesday.

Ultimately, this all matters because an attacker with control over a legitimate organizational account can use it to move around networks and compromise systems, resources, and other accounts.

"With sufficient permissions in hand, attackers have the 'keys to the kingdom' to finally achieve their objective – encrypting the entire network, exfiltrating emails or other confidential information, or any other malicious goals," Pelleg added, arguing the need for security teams to be able to spot suspicious activities related to identity.

There are several high-profile attacks that prove this point, including the Nobelium case. The Kremlin-backed crew – also known as Cozy Bear and APT29 – is an advanced persistent threat (APT) best known for the high-profile attack last year on SolarWinds, which put a spotlight on supply chain security.

Threat intelligence firms, such as Mandiant and Kaspersky, have been following Nobelium for years. Mandiant researchers in August described Nobelium – a name assigned by Microsoft – as an "extremely prolific" espionage group that likely is sponsored by Russia's Foreign Intelligence Service (SVR) and during the course of 2022 has targeted organizations that are involved with creating foreign policy for NATO countries.

"This has included instances where APT29 revisited victims they had compromised years, or only sometimes months beforehand," the Mandiant bods wrote. "This persistence and aggressiveness are indicative of sustained interest in this information and strict tasking by the Russian government."

They added the group continues to "demonstrate exceptional operational security and advanced tactics targeting Microsoft 365."

Nobelium and other attackers compromise identities across organizations' on-prem networks and cloud environments. Pelleg described a Nobelium attack in which the cybersnoops got into an on-premises network and compromised accounts with AD Federation Services permissions, which gave them access to cloud resources and services. They were able to mint tokens for cloud access and exfiltrate info from users' email boxes.

Azure AD Identity Protection apparently takes in "trillions of detection signals" to spot compromised identities; it can generate warnings for, among other things, accounts using leaked credentials, suspicious forwarding of email, and logins coming from unexpected IP addresses and locations.
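The article names two of those detections, sign-ins from unfamiliar locations and from places the user could not plausibly have reached since the previous sign-in. The following is an added illustration of that kind of rule, not Microsoft's code or how Identity Protection is implemented; the sign-in records and the "known locations" table are constructed, and the 1,000 km/h travel threshold is an assumed tuning value.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-ins (not real telemetry): user, UTC time, source IP, lat, lon.
SIGNINS = [
    ("alice", "2022-11-01T08:00:00", "203.0.113.10", 51.51, -0.13),   # London
    ("alice", "2022-11-01T08:40:00", "198.51.100.7", 40.71, -74.01),  # New York, 40 min later
    ("bob",   "2022-11-01T09:00:00", "203.0.113.22", 48.86, 2.35),    # Paris
    ("bob",   "2022-11-01T17:00:00", "203.0.113.22", 48.86, 2.35),    # Paris again
]

# Constructed baseline of locations each user has previously signed in from.
KNOWN_LOCATIONS = {"alice": {(51.51, -0.13)}, "bob": {(48.86, 2.35)}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_risky_signins(signins, known, max_speed_kmh=1000.0):
    """Return (user, reason, timestamp) for each sign-in that trips a rule.

    Rules: the location is not in the user's baseline ('unfamiliar_location'),
    or the implied speed from the user's previous sign-in exceeds what a
    person could travel ('impossible_travel', threshold is an assumption).
    """
    findings = []
    last_seen = {}  # user -> (datetime, lat, lon) of the previous sign-in
    for user, ts, _ip, lat, lon in sorted(signins, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if (lat, lon) not in known.get(user, set()):
            findings.append((user, "unfamiliar_location", ts))
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600.0
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            # Zero elapsed time with a location change is treated as impossible too.
            if distance > 0 and (hours <= 0 or distance / hours > max_speed_kmh):
                findings.append((user, "impossible_travel", ts))
        last_seen[user] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in detect_risky_signins(SIGNINS, KNOWN_LOCATIONS):
        print(finding)
```

Each finding is the point at which a response such as suspending the account or marking the user as high risk would be considered.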

With these alerts, organizations can suspend specific accounts to block an attack in progress and limit the impact, confirm a user has been compromised and tag them within Identity Protection as high risk, and have them change their password. ®
