Скачать или смотреть How Threat Actors Persist In Your Microsoft 365

Backdoors & Breadcrumbs: How Threat Actors Persist In Your Microsoft 365

🎙️ Federico Cedolini, DFIR Senior Consultant, Stroz Friedberg
📍 Presented at SANS DFIR Summit 2025

Threat actors don’t just break in, they find creative ways to remain persistent. In this session, we will explore persistence techniques used in real-life Microsoft 365 incidents and how to identify them in your environment.
From basic inbox rules to advanced techniques such as domain federation abuse, we’ll break down the tactics and techniques used by threat actors to maintain long-term access.

For example, this talk will walk through what a threat actor needs to use SSPR to re-enter an account after the organization has changed the account password and reset sessions, and we'll also cover how threat actors have leveraged app passwords to initiate mass phishing campaigns even after being kicked out of the target account.

Attendees will learn how to detect and investigate these persistence techniques using Microsoft logs, gain deeper insight into these techniques, and explore hardening strategies that help minimize risk.

Key Takeaways:
There are several persistence mechanisms threat actors can leverage to maintain stealth hold of your environment.
The detection methods of these different persistence mechanisms can be included on your threat hunt playbooks and used to identified suspicious and malicious activity.
The techniques and remediations steps can complement your incident response playbooks to reduce the impact of more sophisticated threats.
Administrators can take actions to reduce the risk of successful persistence by threat actors.

View upcoming Summits: https://www.sans.org/u/DuS