
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines



The following is a Google SecOps search query example.

Note: The /help/ pattern matched against the user ID, email address and display name can be extended with other terms relevant to the organization (such as "IT Support" or "ServiceDesk").

metadata.vendor_name = "Microsoft"
metadata.product_name = "Office 365"
metadata.product_event_type = "ChatCreated"
security_result.detection_fields["ParticipantInfo_HasForeignTenantUsers"] = "true"
(
  principal.user.userid = /help/ OR
  principal.user.email_addresses = /help/ OR
  about.user.user_display_name = /help/
)

Identity Session Risk & Visibility


Detections should include:

  • Authentication from infrequent locations - including from proxy and VPN service providers.

  • Attempts made to change authentication methods or criteria.

  • Monitoring and hunting for authentication anomalies that follow known social engineering tactics.

Bypassing Multi-Factor Authentication


UNC3944 has been known to modify requirements for the use of Multi-factor Authentication. Therefore, organizations should:

  • For Entra ID, monitor for modifications to any Trusted Named Locations that may be used to bypass the requirement for MFA.

  • For Entra ID, monitor for changes to Conditional Access Policies that enforce MFA, specifically focusing on exclusions of compromised user accounts and/or devices for an associated policy.

  • Ensure the SOC has visibility into token replay or suspicious device logins, aligning workflows that can trigger step-up (re)authentication when suspicious activity is detected.

Abuse of Domain Federation


For organizations that are using Microsoft Entra ID, monitor for possible abuse of Entra ID Identity Federation:

  • Check domain names that are registered in the Entra ID tenant, paying particular attention to domains that are marked as Federated.

  • Review the Federation configuration of these domains to ensure that they are correct.

  • Monitor for creation of any new domains within the tenant and for changing the authentication method to be Federated.

  • Abuse of Domain Federation requires the account accomplishing the changes to have administrative permissions in Entra ID. Hardening of all administrative accounts, portals, and programmatic access is imperative.
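As an added example (not code from the original guidance), the following Python triage pass over Entra ID audit-log records covers both watch areas above: it flags domain federation changes and MFA-related policy changes, and raises the severity when a Conditional Access policy update adds a new account to its exclusion list. The activity names and record layout follow Microsoft Graph directoryAudit conventions and are assumptions to confirm against your own tenant; the sample records are constructed.

```python
import json
# Entra ID audit-log activity names for the two watch areas above (assumed names:
# confirm against the activityDisplayName values your own tenant emits).
MFA_POLICY_ACTIVITIES = {"Add named location", "Update named location", "Delete named location",
                         "Add conditional access policy", "Update conditional access policy",
                         "Delete conditional access policy"}
FEDERATION_ACTIVITIES = {"Add unverified domain", "Verify domain",
                         "Set domain authentication", "Set federation settings on domain"}

def _excluded_users(policy_json):
    """excludeUsers set from a serialised Conditional Access policy (empty if absent)."""
    users = json.loads(policy_json or "{}").get("conditions", {}).get("users", {})
    return set(users.get("excludeUsers", []))

def new_exclusions(event):
    """Users this event added to a policy's exclusion list (new value minus old value)."""
    added = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConditionalAccessPolicy":
                added |= _excluded_users(prop.get("newValue")) - _excluded_users(prop.get("oldValue"))
    return added

def triage(events):
    """Return (severity, reason, actor, activity) tuples for events the SOC should review."""
    alerts = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        if activity in FEDERATION_ACTIVITIES:
            alerts.append(("high", "domain federation change", actor, activity))
        elif activity in MFA_POLICY_ACTIVITIES:
            excl = new_exclusions(ev)  # a newly excluded account is the pattern described above
            reason = f"MFA policy exclusion added: {sorted(excl)}" if excl else "MFA policy or named location change"
            alerts.append(("high" if excl else "medium", reason, actor, activity))
    return alerts
# Constructed sample records in the shape of Microsoft Graph directoryAudit entries.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
         "oldValue": json.dumps({"conditions": {"users": {"excludeUsers": ["breakglass-id"]}}}),
         "newValue": json.dumps({"conditions": {"users": {"excludeUsers": ["breakglass-id", "victim-id"]}}})}]}]},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "example.com"}]},
    {"activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Routine events such as the "Update user" record produce no alert, so the output is limited to the two changes a responder would actually want to review.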

Social Engineering Awareness


UNC3944 is extremely proficient at using multiple forms of social engineering to convince users to take actions that grant the attacker access. Organizations should educate users to recognize, and notify internal security teams of, attempts that use the following tactics:

  • SMS phishing messages that claim to be from IT requesting users to download and install software on their machine. These may include claims that the user’s machine is out-of-compliance or is failing to report to internal management systems.

  • SMS messages or emails with links to sites that reference domain names that appear legitimate and reference SSO (single sign-on) and a variation of the company name. Messages may include text informing the user that they need to reset their password and/or MFA.

  • Phone calls to users from IT with requests to reset a password and/or MFA - or requesting that the user provide a validated one time passcode (OTP) from their device.

  • SMS messages or emails with requests to be granted access to a particular system, particularly if the organization already has an established method for provisioning access.

  • MFA fatigue attacks, where attackers may repeatedly send MFA push notifications to a victim’s device until the user unintentionally or out of frustration accepts one. Organizations should train users to reject unexpected MFA prompts and report such activity immediately.

  • Impersonation via collaboration tools - UNC3944 has used platforms like Microsoft Teams to pose as internal IT support or service desk personnel. Organizations should train users to verify unusual chat messages and avoid sharing credentials or MFA codes over internal collaboration tools like Microsoft Teams. Limiting external domains and monitoring for impersonation attempts (e.g., usernames containing ‘helpdesk’ or ‘support’) is advised.

  • In rare cases, attackers have used doxxing threats or aggressive language to scare users into compliance. Ensure employees understand this tactic and know that the organization will support them if they report these incidents.

Additional References




Published: 2025-05-06T14:00:00










