Microsoft has continuously observed hybrid attacks leading to espionage, business interruption, and ransomware deployment that involve threat actors moving from on-premises environments to the cloud. Many organizations manage their resources across different realms, including on-premises and cloud environments, and create complex infrastructures, where interconnections between services, resources, and identities become vital. If not managed with caution and diligence, these interconnections can pose significant risks. A threat actor’s pivot from on-premises to the cloud may easily be a blind spot when there is no shared indication that the device sequence of events is related to the cloud sequence of events, because the former occurs in the context of the local account while the latter occurs in the context of the cloud identity. This prevents SOC teams from correlating operations across different realms (on-premises and cloud), as there are no shared entities. To bridge the gap, Microsoft uses the Enterprise Exposure Graph in Microsoft Defender XDR to integrate both contexts and formulate a comprehensive picture of a malicious campaign with high confidence. By enriching the XDR capabilities, defenders can correlate events through shared paths in the graph, allowing them to consolidate the device compromise, credential theft, and the cloud compromise and operations into a single, cohesive incident. Learn more about how the Microsoft Enterprise exposure graph works to help detect hybrid attacks: https://msft.it/6045SvsEx
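The correlation idea described in the post, shown as an added illustration rather than Microsoft's own code or the real Enterprise Exposure Graph: device-side events are attached to a local account, cloud-side events to a cloud identity, and the only thing that ties them together is a path through graph edges (device to local session, device to the cloud identity that registered it, identity to the resources it can reach). The graph edges, the event records and the entity names are all constructed for this example; the window and hop limits are assumptions, not values from the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed exposure-graph edges for a hypothetical tenant: (node, node, relation).
# Entity names and relations are invented for this example.
EDGES = [
    ("device:WS-042", "local_account:WS-042\\jdoe", "has_local_session"),
    ("device:WS-042", "cloud_identity:jdoe@contoso.example", "registered_by"),
    ("cloud_identity:jdoe@contoso.example", "cloud_resource:storageacct-prod", "can_access"),
    ("device:WS-077", "local_account:WS-077\\svc_build", "has_local_session"),
]

# Constructed alerts: device-realm events carry a local account, cloud-realm
# events carry a cloud identity or resource, so they share no entity directly.
EVENTS = [
    {"id": "e1", "ts": "2024-05-01T10:00:00", "realm": "device",
     "entity": "local_account:WS-042\\jdoe", "desc": "credential dumping activity on host"},
    {"id": "e2", "ts": "2024-05-01T10:07:00", "realm": "cloud",
     "entity": "cloud_identity:jdoe@contoso.example", "desc": "sign-in from unfamiliar network"},
    {"id": "e3", "ts": "2024-05-01T10:15:00", "realm": "cloud",
     "entity": "cloud_resource:storageacct-prod", "desc": "mass blob download"},
    {"id": "e4", "ts": "2024-05-01T11:00:00", "realm": "device",
     "entity": "local_account:WS-077\\svc_build", "desc": "suspicious scheduled task"},
]


def build_graph(edges):
    """Undirected adjacency: a path is a path regardless of edge direction."""
    adj = defaultdict(set)
    for a, b, _relation in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def shortest_path(adj, src, dst, max_hops):
    """Breadth-first search bounded by max_hops; returns the node list or None."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in adj[node]:
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append((nxt, depth + 1))
    return None


def correlate(events, edges, window=timedelta(hours=2), max_hops=3):
    """Merge events into incidents when they fall inside `window` of each other
    and their entities are joined by a graph path of at most `max_hops` edges."""
    adj = build_graph(edges)
    parent = list(range(len(events)))  # union-find over event indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    bridges = []  # (event_id, event_id, path) pairs that justified each merge
    for i in range(len(events)):
        for j in range(i + 1, len(events)):
            ti = datetime.fromisoformat(events[i]["ts"])
            tj = datetime.fromisoformat(events[j]["ts"])
            if abs(ti - tj) > window:
                continue
            path = shortest_path(adj, events[i]["entity"], events[j]["entity"], max_hops)
            if path is None:
                continue
            parent[find(i)] = find(j)
            bridges.append((events[i]["id"], events[j]["id"], path))

    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)

    incidents = []
    for members in groups.values():
        ids = {e["id"] for e in members}
        incidents.append({
            "events": sorted(e["id"] for e in members),
            "realms": sorted({e["realm"] for e in members}),
            "bridges": [b for b in bridges if b[0] in ids],
        })
    incidents.sort(key=lambda inc: inc["events"][0])
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS, EDGES):
        print(inc["events"], inc["realms"])
        for a, b, path in inc["bridges"]:
            print(f"  {a} <-> {b} via {' -> '.join(path)}")
```

Running the block groups e1, e2 and e3 into one incident spanning both realms, with the device node as the bridge between the local account and the cloud identity, while e4 stays on its own because no path joins its host to the compromised identity. The time window keeps unrelated but connected entities from being merged across days; the hop limit keeps a highly connected identity from pulling every event in the tenant into one incident.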
Insightful read from Microsoft Threat Intelligence. As a proud Microsoft Solutions Partner, VSI Technologies echoes the call to unify on-prem and cloud signals; leveraging Microsoft Defender XDR’s Enterprise Exposure Graph to stay one step ahead of hybrid threats and keep our clients’ environments secure.
The exposure graph approach is brilliant, but session token persistence mapping is where SOC teams get blindsided. Even with Entra session correlation, we're missing alternate token stores - browser profiles, cached certificates, service account tokens that don't surface in standard graph connections. In my M365 hybrid deployments, attackers abuse legitimate tokens through background services while the exposure graph only sees the original device-user link. The gap IMO: We need session-level behavioral baselines, not just connection mapping. I've started layering custom detection rules tracking authentication velocity across the hybrid boundary - catching sophisticated actors who understand these correlation blind spots.
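The "authentication velocity across the hybrid boundary" detection the comment above mentions, written out as an added example; it is not the commenter's rule set and not a Defender XDR query. It joins on-premises logon records to cloud sign-ins through a constructed directory mapping, then compares each identity's successful-authentication rate in a sliding window against a per-identity baseline. The log lines, the identity mapping, the baseline rates and the thresholds are all constructed or assumed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in a simple pipe format: time | realm | account as logged | source | outcome
SAMPLE_LOG = """\
2024-05-01T08:00:10|cloud|jdoe@contoso.example|203.0.113.7|success
2024-05-01T10:00:02|onprem|CONTOSO\\jdoe|WS-042|success
2024-05-01T10:01:30|cloud|jdoe@contoso.example|198.51.100.9|success
2024-05-01T10:02:15|cloud|jdoe@contoso.example|198.51.100.9|success
2024-05-01T10:03:40|cloud|jdoe@contoso.example|198.51.100.22|success
2024-05-01T10:05:05|onprem|CONTOSO\\jdoe|FS-01|success
2024-05-01T10:00:00|onprem|CONTOSO\\svc_build|BUILD-01|success
2024-05-01T10:04:00|onprem|CONTOSO\\svc_build|BUILD-02|success
"""

# Hybrid identity join: on-prem account -> cloud UPN. Constructed here; in a real
# tenant this comes from the directory sync attributes.
IDENTITY_MAP = {
    "CONTOSO\\jdoe": "jdoe@contoso.example",
    "CONTOSO\\svc_build": "svc_build@contoso.example",
}

# Per-identity baseline of successful authentications per hour, as a real deployment
# would learn from history. Values are constructed for this example.
BASELINE_PER_HOUR = {
    "jdoe@contoso.example": 2.0,
    "svc_build@contoso.example": 6.0,
}


def canonical_identity(account):
    """Map whatever the log recorded to the single identity both realms share."""
    return IDENTITY_MAP.get(account, account)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, realm, account, source, outcome = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts), "realm": realm, "account": account,
            "identity": canonical_identity(account), "source": source, "outcome": outcome,
        })
    return sorted(records, key=lambda r: r["ts"])


def velocity_alerts(records, window=timedelta(minutes=10), multiplier=4.0, min_events=4):
    """Flag identities whose successful authentications inside `window` exceed
    `multiplier` times their baseline (and at least `min_events`) while the
    window contains both on-prem and cloud authentications."""
    by_identity = defaultdict(list)
    for r in records:
        if r["outcome"] == "success":
            by_identity[r["identity"]].append(r)

    window_hours = window.total_seconds() / 3600
    alerts = []
    for identity, evs in by_identity.items():
        baseline = BASELINE_PER_HOUR.get(identity, 1.0)  # unknown identities: assumed 1/hour
        threshold = max(min_events, baseline * multiplier * window_hours)
        last_alert = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            realms = {e["realm"] for e in span}
            if len(span) < threshold or realms != {"onprem", "cloud"}:
                continue
            if last_alert is not None and evs[start]["ts"] <= last_alert["window_end"]:
                # Same burst: extend the existing alert instead of emitting a duplicate
                last_alert["window_end"] = evs[end]["ts"]
                last_alert["count"] = len(span)
                last_alert["sources"] = sorted({e["source"] for e in span})
                continue
            last_alert = {
                "identity": identity,
                "window_start": evs[start]["ts"], "window_end": evs[end]["ts"],
                "count": len(span), "baseline_per_hour": baseline,
                "realms": sorted(realms), "sources": sorted({e["source"] for e in span}),
            }
            alerts.append(last_alert)
    return alerts


if __name__ == "__main__":
    for a in velocity_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['identity']}: {a['count']} auths in {a['window_start']}..{a['window_end']} "
              f"across {a['realms']} from {a['sources']} (baseline {a['baseline_per_hour']}/h)")
```

On the sample data the rule fires once, for jdoe: five successful authentications in just over five minutes, starting on a workstation and continuing in the cloud from two addresses, against a baseline of two per hour. The build service account also authenticates in a burst but stays on-prem and under its own (higher) baseline, so it is not flagged. Requiring both realms in the window is the part that targets the pivot specifically; dropping that condition turns the same code into a plain velocity rule for either realm.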
The Enterprise Exposure Graph in Microsoft Defender XDR is a smart move: it’s about connecting the dots before an attacker completes the kill chain. Mapping identities, credentials, and device behaviors across environments isn’t just helpful, it’s necessary.
The hybrid campaigns mentioned here aren’t just exploiting infrastructure. They’re exploiting memory gaps. Password spray is just the surface. What’s beneath is a pattern of permission echoes, role residues and incomplete revocations replayed at scale. These attackers don’t break the door. They wait by the ones we forgot to close. This post signals something deeper, not just about threat visibility, but about the need for causal memory enforcement in identity systems. True Zero Trust might begin with denial… but it must evolve into remembrance: Why was this identity ever allowed to exist here in the first place? Beautiful work as always from Microsoft. Inspires a lot. Some of us are listening for the signal inside the signal.
Multitenancy in the cloud can be a vulnerability itself if the technology is not well hardened, especially with the H1 hypervisor that is common in the cloud but smaller than H2 hypervisor. Multitenancy can facilitate vulnerabilities like guest escape, or worse, host escape, as well as the old-school side channel attacks. Hardening the hypervisors is a remediation to these vulnerabilities, of course without affecting functional effectiveness. #DevSecOps