Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics

In theory, a cyberattack can be disrupted at every phase of the attack chain. In reality, however, defense stack boundaries should overlap in order to be effective. When a threat comes via email, for example, even with good security solutions in place, organizations must assume that the threat may slip past email defenses, reach the target recipient, and further compromise endpoints and identities. While defenses on endpoints and identities could successfully tackle the attack in isolation, coordinating signals across protection components significantly increases the ability of these solutions to block and mitigate.

Microsoft Threat Protection takes this approach and delivers coordinated defense that binds together multiple solutions in the Microsoft 365 security portfolio. Microsoft Threat Protection continuously and seamlessly scours endpoints, email and docs, cloud app, and identity activities for suspicious signals. Through deep correlation logic, Microsoft Threat Protection automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected. We call these correlated entities incidents.

How Microsoft Threat Protection’s advanced correlation makes SOC analysts’ work easier and more efficient

Microsoft Threat Protection’s incident creation logic combines AI technology and our security experts’ collective domain knowledge, and builds on broad optics to provide comprehensive coverage. These correlations align with the MITRE ATT&CK framework over a unified schema of attack entities, enabling Microsoft Threat Protection to automatically connect the dots between seemingly unrelated signals.

Incidents ensure that elements otherwise spread across various portals and queues are presented in a single coherent view, helping security operations centers (SOC) in important ways. First, they reduce the SOC’s workload: incidents automatically collect and correlate isolated alerts and other related security events, so analysts have fewer, more comprehensive work items in their queue. Second, SOC analysts can analyze related alerts, affected assets, and other evidence together, reducing the need for manual correlation and making it easier and faster to understand the complete attack story and take informed actions.

Attack sprawl illustrated

The level of sophistication of today’s threats, including nation-state level attacks and human-operated ransomware, highlights why coordinated defense is critical in ensuring that organizations are protected.

To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload. With their malicious code running on the target device, the attackers perform reconnaissance to understand which users have signed into the device and which other devices these users have access to. For example, in this case, they find the credentials of an IT helpdesk team member. Impersonating this IT helpdesk team member via overpass-the-hash, the attackers are able to move laterally to a second device.

On the second device, they steal the user’s web credentials, which they use to remotely access the user’s cloud apps like OneDrive or SharePoint. This allows the attackers to insert a malicious macro into an existing online Word document, which they then deploy in a lateral phishing attack by distributing links to the malicious document to other users in the organization.

Diagram showing an attack chain involving attack sprawl and techniques like overpass-the-hash

Figure 1. Our attack case scenario showing the initial access through spear-phishing and lateral movement through overpass-the-hash attack

When we ran this attack in our simulation environment, Microsoft Threat Protection was able to track attacker activities as they accessed the target organization, established foothold, and moved across the network. Then, invoking advanced correlation, Microsoft Threat Protection automatically collected all signals, alerts, and relevant entities into a single comprehensive incident representing the whole attack:

Screenshot of the incidents view in Microsoft security center

Figure 2. Incident showing the full attack chain and affected entities

Initial access: Correlating email, identity, and endpoint signals

Let’s look behind the scenes to understand how Microsoft Threat Protection connects the dots in such an attack.

When the target of the initial spear-phishing email clicks the URL in the email, a malicious .lnk file is downloaded and run on the device. In such a scenario, Office 365 Advanced Threat Protection (ATP) flags both the email and the URL as malicious and raises an alert. Normally, SOC analysts would analyze this alert, extract attacker indicators such as the malicious URL, manually search for all devices where this malicious URL was clicked, then take remediation actions on those devices.

Microsoft Threat Protection automates this process and saves time. The intelligence behind Microsoft Threat Protection correlations combines Office 365 ATP signals, Microsoft Defender ATP events, and Azure Active Directory (Azure AD) identity data to find the relevant malicious URL click activity on affected devices, even before SOC analysts start looking at the alert. The automatic correlation of email, identity, and endpoint signals across on-premises and cloud entities raises the alert “Suspicious URL clicked”. Through this correlation-driven alert, Microsoft Threat Protection helps the SOC expand its understanding of the attack using all relevant pieces of evidence and automate the search for compromised devices.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Suspicious URL clicked"

Figure 3. Microsoft Threat Protection correlation-driven alert “Suspicious URL clicked”

Lateral movement: Correlating overpass-the-hash attack on one device and suspicious sign-in on another

So we’ve seen how automatic correlation allows Microsoft Threat Protection to uncover attacker activity related to initial access. The same capability exposes the next stages in the attack chain: credential theft and lateral movement.

Diagram showing an attack chain and showing correlation of cross-domain signals

Figure 4. Attack scenario showing alerts raised by correlation of cross-domain signals

In the next stage, the attackers use the overpass-the-hash method, a well-known impersonation technique. They control one device in the network where a domain user, like the IT helpdesk team member, is currently signed in. They then harvest NTLM credentials stored on the device to obtain a Kerberos ticket on the user’s behalf. The Kerberos ticket is a valid ticket that’s encrypted with the credentials of the domain user, allowing the attackers to pretend to be that user and access all resources that the user can access. Once attackers obtain credentials for a user with high privileges, they use the stolen credentials to sign in to other devices and move laterally.

In such cases, Azure ATP raises an alert on the suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. What would SOC analysts do at this point when investigating an overpass-the-hash alert? They would probably start enumerating all the users who signed in to the compromised device. They would also enumerate all other sign-ins for these users and further activities propagating to other devices in the network, all while mentally building an attack graph.

Saving precious time and eliminating manual work, Microsoft Threat Protection determines that the lateral movement activity is related to the earlier initial access. As a result, Microsoft Threat Protection correlates this activity, as well as users and devices involved, into the same incident, exposing other related activities and surfacing them as additional alerts in the same incident.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Successful logon using potentially stolen credentials"

Figure 5. Correlating the overpass-the-hash alert

Microsoft Threat Protection also finds related sign-in events following the overpass-the-hash attack to trace the footprint of the impersonated user and surfaces alerts for malicious sign-ins made by the attacker. This allows Microsoft Threat Protection to elevate a series of raw sign-in events (which, when considered on their own, may lack context for detection) to alerts. The correlation-driven alert “Successful logon using potentially stolen credentials” instantly flags the compromised endpoints and pinpoints the start of the malicious activity in the timeline.
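The two correlations described above (email alert to endpoint URL clicks, then overpass-the-hash alert to the impersonated user’s later sign-ins) sketched as an added Python illustration; this is not Microsoft Threat Protection’s own logic, the events are constructed samples, and the field names are assumptions rather than any product schema.

```python
"""Added illustration of cross-domain correlation, not the product's logic.
An email alert's malicious URL is joined to endpoint click events, and an
overpass-the-hash alert is chained to the impersonated user's later sign-ins
on other devices. Sample events are constructed; field names are assumed."""

# Constructed sample telemetry (assumed field names, not a product schema).
EMAIL_ALERTS = [{"title": "Malicious URL in email", "url": "http://bad.example/a.lnk",
                 "recipient": "alice"}]
URL_CLICKS = [  # endpoint-side URL click events
    {"device": "WS01", "user": "alice", "url": "http://bad.example/a.lnk", "ts": 100},
    {"device": "WS07", "user": "bob", "url": "http://bad.example/a.lnk", "ts": 140},
    {"device": "WS03", "user": "carol", "url": "http://ok.example/", "ts": 120},
]
IDENTITY_ALERTS = [{"title": "Suspected overpass-the-hash", "device": "WS01",
                    "user": "helpdesk", "ts": 300}]
SIGNINS = [  # Kerberos sign-ins seen by the identity sensor
    {"device": "WS01", "user": "helpdesk", "ts": 250},  # before the alert: benign
    {"device": "WS05", "user": "helpdesk", "ts": 330},  # lateral move after it
    {"device": "WS05", "user": "dave", "ts": 340},      # unrelated user
]
STOLEN = "Successful logon using potentially stolen credentials"


def correlate(email_alerts, url_clicks, identity_alerts, signins, window=3600):
    """Build one incident: seed alerts, correlation-driven alerts, the entities
    involved, and the earliest correlated event (start of the attack timeline)."""
    inc = {"alerts": [], "devices": set(), "users": set(), "first_seen": None}

    def seen(ts):
        inc["first_seen"] = ts if inc["first_seen"] is None else min(inc["first_seen"], ts)

    for a in email_alerts:
        inc["alerts"].append(a["title"]); inc["users"].add(a["recipient"])
        # Every device where the flagged URL was clicked joins the incident.
        for ev in (c for c in url_clicks if c["url"] == a["url"]):
            inc["alerts"].append(f"Suspicious URL clicked on {ev['device']}")
            inc["devices"].add(ev["device"]); inc["users"].add(ev["user"]); seen(ev["ts"])
    for a in identity_alerts:
        if a["device"] not in inc["devices"]:   # not linked to this incident
            continue
        inc["alerts"].append(a["title"]); inc["users"].add(a["user"]); seen(a["ts"])
        # The impersonated user's sign-ins on *other* devices after the alert
        # are raised as alerts instead of staying raw, context-free events.
        for s in signins:
            if (s["user"] == a["user"] and s["device"] != a["device"]
                    and a["ts"] <= s["ts"] <= a["ts"] + window):
                inc["alerts"].append(f"{STOLEN} on {s['device']}")
                inc["devices"].add(s["device"]); seen(s["ts"])
    return inc
```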

Screenshot of Microsoft security center showing correlation-driven alerts that determine the start of the attack

Figure 6. Correlation-driven alert can help determine the start of the attack

Lateral phishing: Correlating email, cloud, and device data

Using the breadth and depth of information available from the incident, SOC analysts can further expand their investigation. The Go hunt action allows SOC analysts to run an exhaustive, predefined query to hunt for relevant or similar threats and malicious activities from endpoints to the cloud, whether issued from inside the network or outside organizational boundaries.

Screenshot of Microsoft security center showing the Go hunt action

Figure 7. Generating a hunting query with a single click

In this attack scenario, the query that Go hunt auto-generates instantly reveals suspicious OneDrive activity: while the user is operating from Great Britain, somebody from Sweden with the same account name seems to have downloaded a .docx file and replaced it with a similar file with .doc extension, indicating the insertion of the malicious macro.
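The kind of check the Go hunt result above implies, written as an added Python example; it is not the product’s auto-generated query, the OneDrive audit events are constructed samples, and the field names are assumptions. It flags the same account acting from two countries within a short window, and a .docx download followed by an upload of the same base name with a .doc extension.

```python
"""Added example of a hunt over cloud-app audit events, not the product's
auto-generated query. Events are constructed and field names are assumed."""
import os

# Constructed sample OneDrive audit events (assumed field names).
EVENTS = [
    {"user": "helpdesk", "op": "FileAccessed", "country": "GB", "file": "budget.docx", "ts": 1000},
    {"user": "helpdesk", "op": "FileDownloaded", "country": "SE", "file": "budget.docx", "ts": 1300},
    {"user": "helpdesk", "op": "FileUploaded", "country": "SE", "file": "budget.doc", "ts": 1360},
    {"user": "helpdesk", "op": "FileAccessed", "country": "GB", "file": "notes.docx", "ts": 1500},
    {"user": "erin", "op": "FileUploaded", "country": "SE", "file": "plan.doc", "ts": 1400},
]


def hunt(events, user, window=3600):
    """Return findings for one account as (kind, detail_a, detail_b, ts) tuples."""
    evs = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    findings = []
    # (a) country changes between consecutive events inside the window: one
    # person is unlikely to move between GB and SE in under an hour.
    for prev, cur in zip(evs, evs[1:]):
        if cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= window:
            findings.append(("country_change", prev["country"], cur["country"], cur["ts"]))
    # (b) download then re-upload with the same base name and a different
    # extension, the pattern of a document swapped for a macro-bearing copy.
    for i, d in enumerate(evs):
        if d["op"] != "FileDownloaded":
            continue
        stem, ext = os.path.splitext(d["file"])
        for u in evs[i + 1:]:
            if u["ts"] - d["ts"] > window:
                break
            ustem, uext = os.path.splitext(u["file"])
            if u["op"] == "FileUploaded" and ustem == stem and uext != ext:
                findings.append(("ext_swap", d["file"], u["file"], u["ts"]))
    return findings
```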

Screenshot of Microsoft security center showing results of the Go hunt query, which reveals additional suspicious activity

Figure 8. “Go hunt” on the compromised user reveals suspicious activity

SOCs can further follow the propagation of the replaced file using an additional hunting query that combines email, OneDrive, and device data to find more affected users and devices, allowing SOC analysts to assess if additional compromise occurred and to take remediation actions. In our next blog post, we’ll provide more details about the investigation and hunting aspects of this scenario.

Conclusion: Connecting the dots and enriching incidents with more signals that tell the story

In this blog we demonstrated Microsoft Threat Protection’s unique ability to correlate signals across email and docs, devices, identities, and cloud apps, and present attack evidence in a unified form. Incidents significantly improve SOC efficiency by eliminating the need to use different portals and manually finding and connecting events, as well as enabling investigation and comprehensive response to attacks. The incident view shows alerts, affected entities, and related activities from across Microsoft 365 security solutions in a unified view.

Automatic correlations enrich incidents by consolidating relevant events and raising new alerts on malicious activities that couldn’t be flagged by any individual product on its own. These correlations paint a seamless attack story across perimeters by building an attack graph that SOC analysts can follow, starting with the earliest initial access.

Diagram showing automatic correlation of signals and alerts across domains

Figure 9. Automatic correlation across domains

Microsoft Threat Protection harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. To start using Microsoft Threat Protection, go to security.microsoft.com.

Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft Threat Protection series:

Stefan Sellmer, Tali Ash, Tal Maor

Microsoft Threat Protection Team