Windows EDR - Phishing Detection
complete
Matthiew Morin (Huntress)
We shipped this capability back in April but it looks like we forgot to update this post. Sorry about that!
Ren Niania
Matthiew Morin (Huntress) All Good! Thx
Alex Perrot
Matthiew Morin (Huntress) Will this be added to macOS as well – or has it been already?
Stephen Stooke
Matthiew Morin (Huntress) Where are the settings for this?
Matthiew Morin (Huntress)
Alex Perrot: We're looking into adding this to macOS later this year or early next year.
Matthiew Morin (Huntress)
Stephen Stooke: there aren't any settings associated with this. We automatically gather the required data with the Huntress agent, and if we find something suspicious you'll get an Incident Report (just like how things work with Process Insights).
Jordy Minnebo
Matthiew Morin (Huntress) Will you close the webpage too?
Matthiew Morin (Huntress)
Jordy Minnebo: no, not currently. We're keeping an eye on how effective these detections are before we make a decision to introduce some sort of "automatic action" (i.e. closing the webpage).
Eli Kibbe
Will we only be alerted on spoofed Microsoft webpages?
Matthiew Morin (Huntress)
Eli Kibbe: currently, yes. The data that we initially gathered was targeted at Microsoft pages because it aligns nicely with ITDR identities. Are there any others that are top of mind for you?
Stephen Stooke
Matthiew Morin (Huntress) Oh, this is just for ITDR and only Microsoft sites. I assumed it was a more generic phishing protection system.
Matthiew Morin (Huntress)
Stephen Stooke: it will work without ITDR. The phishing sites that we're looking for are limited to those imitating Microsoft for a couple of reasons:
- This is by far the most common group of sites that we see imitated.
- For ITDR customers, we're looking at ways to tie EDR and ITDR detections together and what better way to do that than looking at threat actors trying to phish M365 identities?
As with all things Huntress, we'll continue iterating on this capability as we see how effective it is and if we see tradecraft changing to target other sites.
Tyler Gibbs
Yesss
James Mason | SE @ Huntress
this quarter