{
	"id": "eab6e3a0-cbae-48b9-93d1-5226e4c741a9",
	"created_at": "2026-04-06T00:17:51.502715Z",
	"updated_at": "2026-04-10T03:34:03.037673Z",
	"deleted_at": null,
	"sha1_hash": "5aa3c1e9c8647fa4e3b9df306a6c98a86bbf47a7",
	"title": "Inside Microsoft 365 Defender: Mapping attack chains from cloud to endpoint | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2507882,
	"plain_text": "Inside Microsoft 365 Defender: Mapping attack chains from cloud\r\nto endpoint | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-06-18 · Archived: 2026-04-05 19:01:37 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. HOLMIUM is now tracked as Peach Sandstorm. To learn about how the new\r\ntaxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat\r\nactor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe increasing pervasiveness of cloud services in today’s work environments, accelerated by a crisis that forced\r\ncompanies around the globe to shift to remote work, is significantly changing how defenders must monitor and\r\nprotect organizations. Corporate data is spread across multiple applications—on-premises and in the cloud—and\r\naccessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters\r\ndisappearing, novel attack scenarios and techniques are introduced.\r\nEvery day, we see attackers mount an offensive against target organizations through the cloud and various other\r\nattack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control\r\nof valuable information and assets. To help organizations fend off these advanced attacks, Microsoft 365\r\nDefender (previously Microsoft Threat Protection) leverages the Microsoft 365 security portfolio to automatically\r\nanalyze cross-domain threat data, building a complete picture of each attack in a single dashboard. 
With this\r\nbreadth and depth of clarity, defenders can focus on critical threats and hunting for sophisticated breaches across\r\nendpoints, email, identities and applications.\r\nAmong the wide range of actors that Microsoft tracks—from digital crime groups to nation-state activity groups—\r\nHOLMIUM is one of the most proficient in using cloud-based attack vectors. Attributed to a Middle East-based\r\ngroup and active since at least 2015, HOLMIUM has been performing espionage and destructive attacks targeting\r\naerospace, defense, chemical, mining, and petrochemical-mining industries. HOLMIUM’s activities and\r\ntechniques overlap with what other researchers and vendors refer to as APT33, StoneDrill, and Elfin.\r\nHOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes\r\ncarrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying.\r\nMany of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with\r\ncompromised Exchange credentials.\r\nThe group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass\r\nvulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation\r\nhttps://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/\r\nPage 1 of 9\n\nautomatically triggered remote code execution of a script when an Outlook client synced with a mailbox and\r\nrendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated\r\nthe delivery of various payloads.\r\nIn this blog, the first in the Inside Microsoft 365 Defender series, we will show how Microsoft 365 Defender\r\nprovides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. 
In\r\nsucceeding blog posts in this series, we will shine a spotlight on aspects of the coordinated defense delivered by\r\nMicrosoft 365 Defender.\r\nTracing an end-to-end cloud-based HOLMIUM attack\r\nHOLMIUM has likely been running cloud-based attacks with Ruler since 2018, but a notable wave of such attacks\r\nwas observed in the first half of 2019. These attacks combined the outcome of continuous password spray\r\nactivities against multiple organizations, followed by successful compromise of Office 365 accounts and the use\r\nof Ruler in short sequences to gain control of endpoints. This wave of attacks was the subject of a warning\r\nfrom US Cybercom in July 2019.\r\nThese HOLMIUM attacks typically started with intensive password spray against exposed Active Directory\r\nFederation Services (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA)\r\nfor Office 365 accounts had a higher risk of having accounts compromised through password spray. After\r\nsuccessfully identifying a few user and password combinations via password spray, HOLMIUM used virtual\r\nprivate network (VPN) services with IP addresses associated with multiple countries to validate that the\r\ncompromised accounts also had access to Office 365.\r\nFigure 1. 
Password spray and compromised account sign-ins by HOLMIUM as detected in Microsoft Defender for\r\nIdentity (previously Azure Advanced Threat Protection) and Microsoft Defender for Cloud Apps (previously\r\nMicrosoft Cloud App Security)\r\nArmed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the\r\nnext step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email\r\nsession, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a\r\nvulnerability like CVE-2017-11774. The two domains abused by HOLMIUM and observed during this 2019\r\ncampaign were “topaudiobook.net” and “customermgmt.net”.\r\nFigure 2. Exploitation of Outlook Home Page feature using Ruler-like tools\r\nFigure 3. Weaponized home page and initial PowerShell payload\r\nThis initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as POWERTON)\r\ndirectly from an Outlook process and to perform the installation of additional payloads on the endpoint with\r\ndifferent persistence mechanisms, such as WMI subscription (T1084) or registry autorun keys (T1060). Once the\r\ngroup had taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration\r\nof the victim’s network, enumerating user accounts and machines for additional compromise, and lateral\r\nmovement within the perimeter. 
HOLMIUM attacks typically took less than a week from initial access via the\r\ncloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay\r\npersistent for long periods of time, sometimes for months on end.\r\nFigure 4. Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence\r\nmechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060)\r\nHOLMIUM attacks as seen and acted upon by Microsoft 365 Defender\r\nHOLMIUM attacks demonstrate how hybrid attacks that span from cloud to endpoints require a wide range of\r\nsensors for comprehensive visibility. Enabling organizations to detect attacks like these by correlating events in\r\nmultiple domains – cloud, identity, endpoints – is the reason why we build products like Microsoft 365 Defender.\r\nAs we described in our analysis of HOLMIUM attacks, the group compromised identities in the cloud and\r\nleveraged cloud APIs to gain code execution or persist. The attackers then used a cloud email configuration to run\r\nspecially crafted PowerShell on endpoints every time the Outlook process is opened.\r\nDuring these attacks, many target organizations reacted too late in the attack chain—when the malicious activities\r\nstarted manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The\r\nearlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not\r\nlinked with activities observed on the endpoint. 
This resulted in gaps in visibility and, subsequently, incomplete\r\nremediation.\r\nWhile it’s relatively easy to remediate and stop malicious processes and downloaded malware on endpoints using\r\nendpoint security solutions, such a conventional approach would mean that the attack is persistent in the cloud, so\r\nthe endpoint could be immediately compromised again. Remediating identities in the cloud is a different story.\r\nFigure 5. The typical timeline of a HOLMIUM attack kill-chain\r\nIn an organization utilizing Microsoft 365 Defender, multiple expert systems that monitor various aspects of the\r\nnetwork would detect and raise alerts on HOLMIUM’s activities. Microsoft 365 Defender sees the full attack\r\nchain across domains beyond simply blocking on endpoints or zapping emails, thus putting organizations in a\r\nsuperior position to fight the threat.\r\nFigure 6. Microsoft 365 Defender components able to prevent or detect HOLMIUM techniques across the kill\r\nchain.\r\nThese systems work in unison to prevent attacks or detect, block, and remediate malicious activities. Across\r\naffected domains, Microsoft 365 Defender detects signs of HOLMIUM’s attacks:\r\nMicrosoft Defender for Identity (previously Azure Advanced Threat Protection) identifies account\r\nenumeration and brute force attacks\r\nMicrosoft Defender for Cloud Apps (previously Microsoft Cloud App Security) detects anomalous Office\r\n365 sign-ins that use potentially compromised credentials or from suspicious locations or networks\r\nMicrosoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) exposes\r\nmalicious PowerShell executions on endpoints triggered from Outlook Home Page exploitation\r\nFigure 7. 
Activities detected across affected domains by different Microsoft 365 Defender expert systems\r\nTraditionally, these detections would each be surfaced in its own portal, alerting on pieces of the attack but\r\nrequiring the security team to stitch together the full picture. With Microsoft 365 Defender, the pieces of the\r\npuzzle are fused automatically through deep threat investigation. Microsoft 365 Defender generates a\r\ncombined incident view that shows the end-to-end attack, with all related evidence and affected assets in one view.\r\nFigure 8. The Microsoft 365 Defender incident brings together in one view the entire end-to-end attack across\r\ndomain boundaries\r\nUnderstanding the full attack chain enables Microsoft 365 Defender to automatically intervene to block the attack\r\nand remediate assets holistically across domains. In HOLMIUM attacks, Microsoft 365 Defender not only stops\r\nthe PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as\r\ncompromised in Azure AD. This invokes Conditional Access as configured in Azure AD and applies conditions\r\nlike MFA or limitations on the user account’s permissions to access organizational resources until the account is\r\nremediated fully.\r\nFigure 9. Coordinated automatic containment and remediation across email, identity, and endpoints\r\nSecurity teams can dig deep and expand their investigation into the incident in Microsoft 365 Security Center,\r\nwhere all details and related activities are available in one place. 
Furthermore, security teams can hunt for more\r\nmalicious activities and artifacts through advanced hunting, which brings together all the raw data collected across\r\nproduct domains into one unified schema with powerful query constructs.\r\nFigure 10. Hunting for activities across email, identity, endpoint and cloud applications\r\nFinally, when the attack is blocked and all affected assets are remediated, Microsoft 365 Defender helps\r\norganizations identify improvements to their security configuration that would prevent the attacker from returning.\r\nThe Threat Analytics report provides an exposure view and recommends prevention measures relevant to the\r\nthreat. For example, the Analytics Report for HOLMIUM recommended, among other things, applying the\r\nappropriate security updates to prevent tools like Ruler from operating, as well as completely eliminating this\r\nattack vector in the organization.\r\nFigure 11. Threat Analytics provides organizational exposure and recommended mitigations for HOLMIUM\r\nMicrosoft 365 Defender: Stop attacks with automated cross-domain security\r\nMicrosoft 365 Defender harnesses the power of Microsoft 365 security products to deliver unparalleled\r\ncoordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s\r\nMicrosoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft 365 Defender features in\r\nMicrosoft 365 security center without additional cost. To start using Microsoft 365 Defender, go\r\nto security.microsoft.com.\r\nLearn how Microsoft 365 Defender can help your organization to stop attacks with coordinated defense. 
Read\r\nthese blog posts in the Inside Microsoft 365 Defender series:\r\nInside Microsoft 365 Defender: Attack modeling for finding and stopping lateral movement\r\nInside Microsoft 365 Defender: Correlating and consolidating attacks into incidents\r\nInside Microsoft 365 Defender: Solving cross-domain security incidents through the power of correlation\r\nanalytics\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.\r\nRead all Microsoft security intelligence blog posts.\r\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/"
	],
	"report_names": [
		"inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5aa3c1e9c8647fa4e3b9df306a6c98a86bbf47a7.pdf",
		"text": "https://archive.orkl.eu/5aa3c1e9c8647fa4e3b9df306a6c98a86bbf47a7.txt",
		"img": "https://archive.orkl.eu/5aa3c1e9c8647fa4e3b9df306a6c98a86bbf47a7.jpg"
	}
}