GNU social JP
GNU social JP is a Japanese GNU social server.
    Fritz Adalis (fritzadalis@infosec.exchange)'s status on Thursday, 02-Jan-2025 23:00:14 JST

    Wondering if anyone else has seen this behavior.

    We received an alert from MS Defender for Cloud that a suspicious IP had downloaded from a storage blob using a SAS token. It turned out that someone was misusing the SAS token feature and had sent the URL via email.

    Since then, we've determined that every URL sent via email (O365) is being downloaded immediately by... someone. We brought in someone for IR but they haven't seen anything similar and we can't find a cause. We even set up two secops mailboxes (which are supposed to bypass all MS security) and sending an email between them still triggers the downloads.

    The source IPs so far have all been in the US, and Spur tags most with "Oculus Proxy" and most ASNs are "Constant" or "HostRoyale". User agents match Chrome 125 or 131.

    The only thing I've found online is complaints on Reddit about this causing a 100% click rate in KnowBe4. No real resolution there though.

    We're thinking it's something automated/enterprise, but I want to be sure. Has anyone seen anything similar? TIA.

    #threatintel #incidentresponse

    In conversation about 4 months ago from infosec.exchange
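An added triage helper that is not part of the post above and not from any vendor product: it encodes the pattern the poster describes, treating a fetch that lands within seconds of the send from a Chrome 125/131 user agent as scanner-like, while late fetches or fetches of URLs that were never emailed are surfaced for review, with the SAS signature redacted before anything is written out. The send and fetch record shapes and all sample values are constructed assumptions, not real O365 or Azure log formats.

```python
"""Triage link fetches that follow an outbound e-mail.

Pattern from the post: every emailed URL is fetched almost immediately
from proxy IPs with Chrome 125/131 user agents. A fetch inside a short
window after the send with such a UA is consistent with automated link
scanning; anything else is the record worth a human look.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CHROME_RE = re.compile(r"Chrome/(125|131)\.")  # versions named in the post

def redact_sas(url: str) -> str:
    """Blank the SAS signature so the URL can be logged or shared safely."""
    parts = urlsplit(url)
    qs = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(qs)))

def classify(fetch, send_log, window=timedelta(seconds=120)) -> str:
    """Verdict for one fetch record: (timestamp, client_ip, user_agent, url)."""
    ts, _ip, ua, url = fetch
    sent = send_log.get(url)
    if sent is None:
        return "never-emailed"  # token reached the fetcher some other way
    if timedelta(0) <= ts - sent <= window and CHROME_RE.search(ua):
        return "scanner-like"
    return "review"

def triage(fetch_log, send_log):
    """Return (client_ip, redacted_url, verdict) for every fetch."""
    out = []
    for fetch in fetch_log:
        _ts, ip, _ua, url = fetch
        out.append((ip, redact_sas(url), classify(fetch, send_log)))
    return out

# Constructed sample data (assumed shapes, not real O365 or Azure logs).
URL = "https://acct.blob.core.windows.net/c/report.pdf?sv=2022-11-02&sig=abc123"
SEND_LOG = {URL: datetime(2025, 1, 2, 14, 0, 0)}  # URL -> time the mail left
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0.0.0 Safari/537.36"
FETCH_LOG = [
    (datetime(2025, 1, 2, 14, 0, 6), "203.0.113.10", UA, URL),  # 6 s after send
    (datetime(2025, 1, 3, 9, 12, 0), "198.51.100.7", UA, URL),  # next day
    (datetime(2025, 1, 2, 14, 0, 9), "203.0.113.11", UA,
     "https://acct.blob.core.windows.net/c/other.pdf?sv=2022-11-02&sig=zzz"),
]
```

Running `triage(FETCH_LOG, SEND_LOG)` on the constructed data yields one scanner-like row, one review row, and one never-emailed row; the window and UA list are tuning knobs, not a verdict on intent.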


    GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

    Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.