Alert for failed axios signins
Eric Zappe
Currently Huntress will only alert if there's a SUCCESSFUL sign-in with an axios user agent.
In my mind, an axios user agent guarantees the user provided their credentials in a phishing page. At a minimum, their password needs to be reset. Even if M365 is protected by MFA, the threat actor may be able to sign in to other platforms where MFA is not required with the same username/password.
We would prefer to be alerted for ANY sign in attempts with "axios" in the user agent.
Yidel Steinfeld
Existing FR here
https://feedback.huntress.com/managed-itdr/p/alert-on-successful-password-entry-mfa-failed
Eric Zappe
Yidel Steinfeld
Hey Yidel,
I saw your request before making this one.
You're asking for alerts when a correct password is entered, but MFA fails. While that could lead to findings of malicious activity, I worry it could be noisy.
I thought it would be worth making a slightly narrower request for the same thing, but only when axios user agents are involved. That way if yours is rejected, this one might be accepted.
Happy hunting!
Frank Villarreal
This is a great idea.
If you’re in an O365 environment that can’t wait on this feature enhancement, this detection can be implemented today in Defender Online (user agent = axios & login failed). With the right licensing, you can even enable automated remediation too, including forced password reset.
Eric Zappe
Frank Villarreal
Ohhhh. Thanks for the tip!
Unfortunately, because we're managing hundreds of M365 tenants, maintaining something like this would be difficult. We'd prefer if we could set it up once in Huntress. � ( < that was supposed to be a fingers crossed emoji)
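The detection discussed in this thread (any sign-in attempt with "axios" in the user agent, failed or successful), sketched in Python as an added example that is not code from Huntress, Microsoft or any poster. The record field names, the constructed sample log lines and the set of AADSTS error codes treated as "password accepted, stopped at MFA" are assumptions.

```python
import json

# Constructed sample records. Field names (userPrincipalName, userAgent,
# errorCode) are assumptions modelled on Entra ID sign-in log exports.
SAMPLE_LOG = """
{"time":"2025-01-10T09:01:00Z","userPrincipalName":"alice@example.com","userAgent":"axios/1.7.2","ipAddress":"203.0.113.10","errorCode":50126}
{"time":"2025-01-10T09:01:20Z","userPrincipalName":"alice@example.com","userAgent":"axios/1.7.2","ipAddress":"203.0.113.10","errorCode":50074}
{"time":"2025-01-10T09:05:00Z","userPrincipalName":"bob@example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ipAddress":"198.51.100.7","errorCode":50126}
{"time":"2025-01-10T09:07:00Z","userPrincipalName":"carol@example.com","userAgent":"Axios/0.21.4","ipAddress":"203.0.113.44","errorCode":0}
"""

# Assumption: these AADSTS codes are returned only after the password was
# accepted and the sign-in was stopped at the MFA stage.
PASSWORD_ACCEPTED_CODES = {50074, 50076, 500121}
SEVERITY = {"failed": 1, "password_ok_mfa_blocked": 2, "success": 3}

def classify(error_code):
    """Map a sign-in error code to an outcome; 0 means the sign-in succeeded."""
    if error_code == 0:
        return "success"
    if error_code in PASSWORD_ACCEPTED_CODES:
        return "password_ok_mfa_blocked"
    return "failed"

def axios_alerts(log_text):
    """One alert per user with ANY axios sign-in attempt, keeping the worst outcome seen."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Case-insensitive substring match, so "Axios/0.21.4" is caught too.
        if "axios" not in (rec.get("userAgent") or "").lower():
            continue
        user = rec["userPrincipalName"].lower()
        outcome = classify(rec.get("errorCode"))
        alert = alerts.setdefault(user, {"outcome": outcome, "attempts": 0, "ips": set()})
        alert["attempts"] += 1
        alert["ips"].add(rec.get("ipAddress"))
        if SEVERITY[outcome] > SEVERITY[alert["outcome"]]:
            alert["outcome"] = outcome
    return alerts

if __name__ == "__main__":
    for user, a in sorted(axios_alerts(SAMPLE_LOG).items()):
        print(f"{user}: {a['outcome']} after {a['attempts']} attempt(s) from {sorted(a['ips'])}")
```

Every user in the result is a candidate for a password reset regardless of outcome; the outcome field only sets triage priority.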