How Microsoft uses Enterprise Exposure Graph to detect hybrid attacks

Microsoft has continuously observed hybrid attacks leading to espionage, business interruption, and ransomware deployment that involve threat actors moving from on-premises environments to the cloud. Many organizations manage their resources across different realms, including on-premises and cloud environments, and create complex infrastructures, where interconnections between services, resources, and identities become vital. If not managed with caution and diligence, these interconnections can pose significant risks. A threat actor’s pivot from on-premises to the cloud may easily be a blind spot when there is no shared indication that the device sequence of events is related to the cloud sequence of events, because the former occurs in the context of the local account while the latter occurs in the context of the cloud identity. This prevents SOC teams from correlating operations across different realms (on-premises and cloud), as there are no shared entities. To bridge the gap, Microsoft uses the Enterprise Exposure Graph in Microsoft Defender XDR to integrate both contexts and formulate a comprehensive picture of a malicious campaign with high confidence. By enriching the XDR capabilities, defenders can correlate events through shared paths in the graph, allowing them to consolidate the device compromise, credential theft, and the cloud compromise and operations into a single, cohesive incident. Learn more about how the Microsoft Enterprise Exposure Graph works to help detect hybrid attacks: https://msft.it/6045SvsEx
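The correlation problem the post describes, as an added illustration that is not Microsoft's code: device events carry only a device id and cloud events only a cloud identity, so grouping by entity alone yields separate incidents, whereas walking the graph edges device -> local account -> synchronised cloud identity (constructed sample edges and events, not a real schema) joins both realms into one hybrid incident.

```python
from collections import defaultdict, deque

# Constructed sample graph edges (not Microsoft's schema): a device is linked to the
# local account that signs in on it, which is linked to its synchronised cloud identity.
EDGES = [
    ("device:WS01", "local_user:CORP\\jdoe"),
    ("local_user:CORP\\jdoe", "cloud_user:jdoe@contoso.example"),
    ("device:WS02", "local_user:CORP\\asmith"),
    ("local_user:CORP\\asmith", "cloud_user:asmith@contoso.example"),
]

# Constructed sample events. Device events reference only a device id and cloud
# events only a cloud identity, so the two realms share no field at all.
EVENTS = [
    {"realm": "device", "entity": "device:WS01", "t": 1, "what": "credential dumping alert"},
    {"realm": "device", "entity": "device:WS01", "t": 2, "what": "suspicious process tree"},
    {"realm": "cloud", "entity": "cloud_user:jdoe@contoso.example", "t": 5, "what": "unfamiliar sign-in"},
    {"realm": "cloud", "entity": "cloud_user:jdoe@contoso.example", "t": 6, "what": "inbox rule created"},
    {"realm": "cloud", "entity": "cloud_user:asmith@contoso.example", "t": 7, "what": "unfamiliar sign-in"},
]

def build_adjacency(edges):
    """Undirected adjacency map so a path can be followed from either end."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def reachable(adj, start):
    """Every entity connected to `start` by some path in the graph (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def correlate_incidents(edges, events):
    """Group events whose entities share a graph path into one incident.
    An incident containing both device and cloud events is flagged hybrid."""
    adj = build_adjacency(edges)
    incidents, pending = [], sorted(events, key=lambda e: e["t"])
    while pending:
        component = reachable(adj, pending[0]["entity"])
        members = [e for e in pending if e["entity"] in component]
        pending = [e for e in pending if e["entity"] not in component]
        incidents.append({"events": members,
                          "hybrid": {e["realm"] for e in members} == {"device", "cloud"}})
    return incidents
```

Calling `correlate_incidents([], EVENTS)` (no graph) produces three unrelated incidents, none hybrid; with `EDGES` the WS01 device events and the jdoe cloud events collapse into a single hybrid incident.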

Theodore Longtchi, Ph.D.

IT Security | Researcher | Computer Science/Engineering | Software Engineering

3w

Multitenancy in the cloud can be a vulnerability itself if the technology is not well hardened, especially with the H1 hypervisor that is common in the cloud but smaller than H2 hypervisor. Multitenancy can facilitate vulnerabilities like guest escape, or worse, host escape, as well as the old-school side channel attacks. Hardening the hypervisors is a remediation to these vulnerabilities, of course without affecting functional effectiveness. #DevSecOps

Tina Oriola

we never stop working for you

3w

Insightful read from Microsoft Threat Intelligence. As a proud Microsoft Solutions Partner, VSI Technologies echoes the call to unify on-prem and cloud signals; leveraging Microsoft Defender XDR’s Enterprise Exposure Graph to stay one step ahead of hybrid threats and keep our clients’ environments secure.

Topaz Hurvitz

GenAI & Cloud Security Architect | Defending Microsoft 365 & Multi-Agent Systems

3w

The exposure graph approach is brilliant, but session token persistence mapping is where SOC teams get blindsided. Even with Entra session correlation, we're missing alternate token stores - browser profiles, cached certificates, service account tokens that don't surface in standard graph connections. In my M365 hybrid deployments, attackers abuse legitimate tokens through background services while the exposure graph only sees the original device-user link. The gap IMO: We need session-level behavioral baselines, not just connection mapping. I've started layering custom detection rules tracking authentication velocity across the hybrid boundary - catching sophisticated actors who understand these correlation blind spots.

Mitchell Myers

Navy SEAL | Ethical Hacker | Helping businesses protect their data |

3w

The Enterprise Exposure Graph in Microsoft Defender XDR is a smart move, it’s about connecting the dots before an attacker completes the kill chain. Mapping identities, credentials, and device behaviors across environments isn’t just helpful, it’s necessary.

Aakash Rahsi

Cloud & AI Architect | Consultant | M365, Azure, Power Platform, Google Cloud & Gemini | Security & Digital Workplace Consultant | AI Automation Innovator | Open to Projects & Partnerships | aakashrahsi.online

3w

The hybrid campaigns mentioned here aren’t just exploiting infrastructure. They’re exploiting memory gaps. Password spray is just the surface. What’s beneath is a pattern of permission echoes, role residues and incomplete revocations replayed at scale. These attackers don’t break the door. They wait by the ones we forgot to close. This post signals something deeper, not just about threat visibility, but about the need for causal memory enforcement in identity systems. True Zero Trust might begin with denial… but it must evolve into remembrance: Why was this identity ever allowed to exist here in the first place? Beautiful work as always from Microsoft. Inspires a lot. Some of us are listening for the signal inside the signal.
