Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations


M365 Graph Data-Pull After Risky Login

Entra ID login from risky egress followed by Microsoft Graph endpoints that pull mail/files/reports.

Why high-fidelity: Captures post-login data access typical in account takeovers.

Key signals: an OFFICE_365 USER_LOGIN from an off-corp IP or a VPN/Tor ASN, followed by HTTP requests to URLs matching M365_SENSITIVE_GRAPH_REGEX by the same account inside the match window (30 minutes in the rule below; widen the window if your Graph telemetry arrives well after the sign-in).

Lists/knobs: ENTERPRISE_EGRESS_CIDRS, VPN_TOR_ASNS, M365_SENSITIVE_GRAPH_REGEX.

  $login.metadata.log_type = "OFFICE_365"
  $login.metadata.event_type = "USER_LOGIN"
  $ip = coalesce($login.principal.asset.ip, $login.principal.ip)
  (
    not ($ip in cidr %ENTERPRISE_EGRESS_CIDRS)
    or strings.concat(ip_to_asn($ip), "") in %VPN_TOR_ASNS
  )
  $acct = coalesce($login.principal.user.userid, $login.principal.user.email_addresses)

  $http.metadata.product_name in ("Entra ID", "Microsoft")
  ($http.metadata.event_type = "NETWORK_HTTP" or $http.target.url != "")
  $acct = coalesce($http.principal.user.userid, $http.principal.user.email_addresses)
  strings.to_lower(coalesce($http.target.url, "")) in regex %M365_SENSITIVE_GRAPH_REGEX

  match:
    $acct over 30m
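To see how the two halves of the rule join on the account, here is the same logic re-implemented as a small correlation over constructed events. This is an added example, not code from the original post or from Google/Mandiant: events are plain dicts keyed by UDM path, the reference-list contents, the ASN lookup table, the Graph regex and the sample telemetry are all assumptions made for illustration, and a static table stands in for the ip_to_asn() enrichment.

```python
# Added example, not code from the original post or from Google/Mandiant: the
# "M365 Graph Data-Pull After Risky Login" rule above re-implemented as a small
# correlation over constructed events so it can be run offline. Events are dicts
# keyed by UDM path; list contents, the ASN table, the regex and the sample
# events are assumptions made for illustration.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Reference lists. The post names these but not their contents; values here are
# placeholders (RFC 5737 documentation IP ranges, RFC 5398 documentation ASN).
ENTERPRISE_EGRESS_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
VPN_TOR_ASNS = {"64496"}
M365_SENSITIVE_GRAPH_REGEX = re.compile(
    r"graph\.microsoft\.com/(v1\.0|beta)/"
    r"((me|users/[^/?]+)/(messages|mailfolders|drive|drives|contacts)|reports/)"
)
MATCH_WINDOW = timedelta(minutes=30)  # the rule's "match: $acct over 30m"
ASN_TABLE = {"192.0.2.7": "64496"}    # stand-in for the ip_to_asn() enrichment


def coalesce(*values):
    """First non-empty value, mirroring the rule's coalesce()."""
    return next((v for v in values if v not in (None, "", [])), None)


def is_risky_egress(ip):
    """not ($ip in cidr %ENTERPRISE_EGRESS_CIDRS) or ip_to_asn($ip) in %VPN_TOR_ASNS"""
    addr = ipaddress.ip_address(ip)
    off_corp = not any(addr in net for net in ENTERPRISE_EGRESS_CIDRS)
    return off_corp or ASN_TABLE.get(ip, "") in VPN_TOR_ASNS


def account_key(ev):
    """$acct = coalesce(userid, email_addresses), normalised to one lower-case string."""
    acct = coalesce(ev.get("principal.user.userid"), ev.get("principal.user.email_addresses"))
    if isinstance(acct, list):
        acct = acct[0] if acct else None
    return acct.lower() if acct else None


def is_risky_login(ev):
    """The $login side of the rule."""
    if ev.get("metadata.log_type") != "OFFICE_365" or ev.get("metadata.event_type") != "USER_LOGIN":
        return False
    ip = coalesce(ev.get("principal.asset.ip"), ev.get("principal.ip"))
    return ip is not None and is_risky_egress(ip)


def sensitive_graph_url(ev):
    """The $http side of the rule: the matching URL, else None."""
    if ev.get("metadata.product_name") not in ("Entra ID", "Microsoft"):
        return None
    url = coalesce(ev.get("target.url"), "")
    if ev.get("metadata.event_type") != "NETWORK_HTTP" and url == "":
        return None
    return url if M365_SENSITIVE_GRAPH_REGEX.search(url.lower()) else None


def correlate(events, window=MATCH_WINDOW):
    """(account, login_ts, http_ts, url) for each risky login followed within `window`
    by a sensitive Graph pull from the same account. Requiring login-before-HTTP is
    slightly stricter than the bare YARA-L match window, which does not enforce order."""
    risky_logins, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = account_key(ev)
        if acct is None:
            continue
        if is_risky_login(ev):
            risky_logins.setdefault(acct, []).append(ev["ts"])
        url = sensitive_graph_url(ev)
        if url:
            for login_ts in risky_logins.get(acct, []):
                if timedelta(0) <= ev["ts"] - login_ts <= window:
                    hits.append((acct, login_ts, ev["ts"], url))
                    break
    return hits


# Constructed sample telemetry (not real logs), keyed by UDM path.
T0 = datetime(2025, 9, 29, 14, 0, tzinfo=timezone.utc)


def login(minute, ip, **user):
    ev = {"ts": T0 + timedelta(minutes=minute), "metadata.log_type": "OFFICE_365",
          "metadata.event_type": "USER_LOGIN", "principal.ip": ip}
    ev.update({"principal.user." + k: v for k, v in user.items()})
    return ev


def graph(minute, userid, url, product="Microsoft"):
    return {"ts": T0 + timedelta(minutes=minute), "metadata.product_name": product,
            "metadata.event_type": "NETWORK_HTTP", "principal.user.userid": userid, "target.url": url}


SAMPLE_EVENTS = [
    login(0, "203.0.113.10", userid="alice@example.com"),        # corporate egress: not risky
    login(5, "192.0.2.7", email_addresses=["bob@example.com"]),  # off-corp and in a VPN/Tor ASN
    graph(17, "bob@example.com", "https://graph.microsoft.com/v1.0/me/messages?$top=1000"),  # fires
    graph(20, "alice@example.com", "https://graph.microsoft.com/v1.0/me/drive/root/children"),  # benign login
    login(25, "192.0.2.44", userid="carol@example.com"),
    graph(30, "carol@example.com", "https://graph.microsoft.com/v1.0/me/photo/$value", "Entra ID"),  # not sensitive
    login(40, "192.0.2.99", userid="dave@example.com"),
    graph(85, "dave@example.com", "https://graph.microsoft.com/v1.0/me/drive"),  # 45m later: outside window
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints exactly one tuple, for bob: the corporate login (alice), the non-sensitive Graph call (carol) and the pull that lands 45 minutes after the risky login (dave) are all dropped. Keying on the normalised account rather than the IP is the same choice the "Identity joins" tuning note below recommends once identity normalisation is trustworthy.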

Tuning & Exceptions

  • Identity joins - The lateral rule groups by IP for robustness. If you have strong identity normalization (Salesforce <-> Okta <-> M365), clone it and match on user email instead of IP.

  • Change windows - Suppress time-bound rules during approved data migrations or Connected App onboarding (temporarily add the vendor app to ALLOWLIST_CONNECTED_APP_NAMES, and remove it again when the window closes).

  • Integration accounts - Keep KNOWN_INTEGRATION_USERS current; most noise in exfil rules comes from scheduled ETL.

  • Egress hygiene - Keep ENTERPRISE_EGRESS_CIDRS current; stale NAT/VPN ranges inflate VPN/Tor findings.

  • Streaming vs stored - The rules above assume Real-Time Event Monitoring stream objects (e.g., ApiEventStream, ReportEventStream, ListViewEventStream, BulkApiResultEvent). For historical hunts, query the stored equivalents (e.g., ApiEvent, ReportEvent, ListViewEvent) with the same logic.

IOC-Based Detections

Scenario & Objectives

A malicious threat actor has either successfully accessed or attempted to access an organization's network.

The objective is to detect the presence of known UNC6040 IOCs in the environment based on all of the available logs.

Reference Lists

Reference lists organizations should maintain:

  • STRING

    • UNC6040_IOC_LIST (IP addresses from threat intel sources, e.g., VirusTotal)

List of indicators of compromise (IOCs).

High Fidelity Detection Catalog (Pseudo-Code)

UNC6040 IP_IoC Detected

A known IOC associated with UNC6040 was detected in the organization's environment either from a source or destination connection.

  • High-fidelity when the source or destination IP address of an event matches a known UNC6040 IOC. Treat hits on shared infrastructure (commercial VPN exits, cloud provider ranges) with care and retire indicators as the intelligence ages; IP-based IOCs are cheap for an actor to rotate.

  ($e.principal.ip in %UNC6040_IOC_LIST) or ($e.target.ip in %UNC6040_IOC_LIST)

Acknowledgements


We would like to thank Salesforce for their collaboration and assistance in building this guide.



Published: 2025-09-29T14:00:00

© Segmentation Fault. All rights reserved.