Playbook for the Secure Enterprise

CyberSecurity Latest Rundown

Heroes, have a great Labor Day. This is the fresh-off-the-BBQ look at the cybersecurity landscape for September 1, 2025.

HIGH SEVERITY ITEMS

• Russian-Linked APT29 Targets Microsoft Credentials in Watering Hole Campaign

  Date & Time: 2025-09-01T03:30:50

  The Russian-linked cyberespionage group APT29 (aka Cozy Bear) was observed using a watering hole campaign to steal Microsoft account credentials. The attack tricks users on compromised websites into granting access via Microsoft's device code authentication flow, a sophisticated method for bypassing standard login procedures to gain persistent access to cloud data.

  CVE Details: n/a

  Source: securityboulevard.com

• AI-Powered Cybercrime Used in Data Extortion Campaigns

  Date & Time: 2025-08-31T18:47:36

  Cybercriminals are reportedly using the Claude AI model to automate and scale data extortion campaigns, having already targeted at least 17 organizations. This marks a significant evolution in cybercrime TTPs, where AI is leveraged to make threats more efficient, personalized, and dangerous.

  Source: psilvas.wordpress.com

EXECUTIVE INSIGHTS

• Supply Chain Attacks Have Doubled, Increasing Organizational Risk

  Date & Time: 2025-09-01T10:27:29

  Recent data indicates that supply chain attacks have doubled, a trend exemplified by the recent third-party breach affecting Google. This trend requires executives to re-evaluate third-party risk management programs, as adversaries increasingly target smaller, less secure partners to gain access to larger, high-value targets.

  Source: cyble.com

• When Browsers Become the Attack Surface

  Date & Time: 2025-09-01T11:55:00

  With over 80% of security incidents originating from web applications, the browser has become the new enterprise perimeter and a primary attack surface. Threat actors like Scattered Spider are exploiting this shift, forcing security leaders to rethink security strategies and implement browser-centric security controls to protect against modern threats.

  Source: thehackernews.com

VENDOR SPOTLIGHT

• Spotlight Rationale: Selected to address the identity-based attack vector used by APT29 in their latest campaign targeting Microsoft credentials.

  Threat Context: Russian-Linked APT29 Targets Microsoft Credentials in Watering Hole Campaign

  Platform Focus: MojoAuth - Risk-Based Authentication (RBA)

  MojoAuth's Risk-Based Authentication (RBA) provides a direct defense against credential theft campaigns like the one waged by APT29. Instead of relying solely on static credentials, RBA dynamically assesses the risk of each login attempt by analyzing signals such as user location, device fingerprint, time of day, and IP reputation. This allows the system to automatically challenge high-risk authentication attempts—like those originating from an APT29-controlled watering hole—with step-up authentication (MFA) or block them entirely, preventing unauthorized access even if the initial authentication flow is manipulated.

  Actionable Platform Guidance: Implement a risk-based authentication policy to detect and mitigate anomalous access patterns. Define risk signals (e.g., new device, impossible travel, known malicious IP), establish risk tiers (low, medium, high), and configure adaptive access policies. For example, a login attempt using the device code flow from a previously unseen geographic location should automatically trigger a mandatory MFA challenge or be blocked.

  Source: mojoauth.com

DETECTION & RESPONSE KIT

• ⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

  1. Vendor Platform Configuration - MojoAuth

  [copy]

  # Conceptual Configuration Guide for MojoAuth Risk-Based Authentication
  
  # Step 1: Define and Enable Risk Signals
  # In the MojoAuth admin console, navigate to Security -> Risk Engine.
  # Enable the following signals for analysis:
  # - IP Reputation (Threat intelligence feeds)
  # - Geolocation and Impossible Travel Detection
  # - Device Fingerprinting and New Device Detection
  # - User Behavior Analytics (UBA)
  
  # Step 2: Configure Risk Tiers
  # Define risk scores for different events.
  # - Low Risk (Score 0-30): Login from a registered device in a known location.
  # - Medium Risk (Score 31-70): Login from a new device or unfamiliar IP address.
  # - High Risk (Score 71-100): Login attempt from a known malicious IP or exhibiting impossible travel.
  
  # Step 3: Create Adaptive Access Policies
  # Navigate to Policies -> Access Policies and create rules based on risk.
  # - IF risk_score <= 30 THEN allow_access
  # - IF risk_score > 30 AND risk_score <= 70 THEN require_mfa(push_notification)
  # - IF risk_score > 70 THEN block_access AND alert(security_team)
  
  # Step 4: Monitor and Tune
  # Regularly review the risk engine dashboard for false positives/negatives.
  # Adjust risk scores and policies based on observed attacker TTPs and user feedback.

  2. YARA Rule for Suspicious Device Code Authentication Scripts

  [copy]

  rule Detect_Suspicious_MS_Device_Code_Flow {
  meta:
  description = "Detects JavaScript patterns potentially used in watering hole attacks to abuse Microsoft's device code authentication flow, as seen in APT29 campaigns."
  author = "Threat Rundown"
  date = "2025-09-01"
  reference = "https://securityboulevard.com/?p=2068136"
  strings:
  $s1 = "device_code"
  $s2 = "login.microsoftonline.com"
  $s3 = "oauth2/v2.0/devicecode"
  $s4 = "user_code"
  $s5 = "verification_uri"
  condition:
  uint16(0) == 0x3c21 and filesize < 500KB and all of them
  }

  3. SIEM Query — Anomalous Microsoft Entra ID Device Code Logins

  [copy]

  // Splunk Query
  index=azuread sourcetype="azure:signin"
  | spath input=properties output=auth_method path=authenticationDetails{}.authenticationMethod
  | search auth_method="Device code"
  | iplocation properties.ipAddress
  | stats count by user, Country, City, properties.ipAddress, appDisplayName
  | eventstats avg(count) as avg_logins_per_user by user
  | where count > (avg_logins_per_user * 2) OR isnull(avg_logins_per_user)
  | sort - count
  | table user, Country, City, properties.ipAddress, appDisplayName, count

  4. PowerShell Script — Audit Entra ID for Device Code Flow Usage

  [copy]

  <#
  .SYNOPSIS
  Audits Azure AD Sign-in logs for authentications using the device code flow.
  .DESCRIPTION
  This script connects to Microsoft Graph and queries sign-in logs from the last 7 days
  to identify users and applications that have authenticated via the device code flow.
  Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules.
  #>
  
  # Ensure required modules are installed
  if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) { Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force }
  if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Reports)) { Install-Module Microsoft.Graph.Reports -Scope CurrentUser -Force }
  
  Connect-MgGraph -Scopes "AuditLog.Read.All"
  
  Write-Host "Querying sign-in logs for device code flow authentications in the last 7 days..." -ForegroundColor Yellow
  
  $filterDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
  $filterString = "createdDateTime ge $($filterDate) and authenticationDetails/any(c:c/authenticationMethod eq 'Device code')"
  
  try {
  $signInEvents = Get-MgAuditLogSignIn -Filter $filterString -All
  if ($signInEvents) {
  $signInEvents | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail.OperatingSystem
  } else {
  Write-Host "No sign-in events using device code flow found in the last 7 days." -ForegroundColor Green
  }
  } catch {
  Write-Error "An error occurred while querying logs: $_"
  }
  
  Disconnect-MgGraph

  This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!