{"id":35600,"date":"2020-06-18T16:00:03","date_gmt":"2020-06-18T16:00:03","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91346"},"modified":"2020-06-18T16:00:03","modified_gmt":"2020-06-18T16:00:03","slug":"inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/","title":{"rendered":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint"},"content":{"rendered":"<p>The increasing pervasiveness of cloud services in today\u2019s work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. Corporate data is spread across multiple applications\u2014on-premises and in the cloud\u2014and accessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters disappearing, novel attack scenarios and techniques are introduced.<\/p>\n<p>Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets. To help organizations fend off these advanced attacks, <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/integrated-threat-protection\">Microsoft Threat Protection (MTP)<\/a> leverages the Microsoft 365 security portfolio to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity, defenders can focus on critical threats and hunting for sophisticated breaches across endpoints, email, identities and applications.<\/p>\n<p>Among the wide range of actors that Microsoft tracks\u2014from digital crime groups to nation-state activity groups\u2014HOLMIUM is one of the most proficient in using cloud-based attack vectors. Attributed to a Middle East-based group and active since at least 2015, HOLMIUM has been performing espionage and destructive attacks targeting aerospace, defense, chemical, mining, and petrochemical-mining industries. HOLMIUM\u2019s activities and techniques overlap with what other researchers and vendors refer to as APT33, StoneDrill, and Elfin.<\/p>\n<p>HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-20250\">CVE-2018-20250<\/a> vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool <a href=\"https:\/\/github.com\/sensepost\/ruler\">Ruler<\/a> used in tandem with compromised Exchange credentials.<\/p>\n<p>The group used Ruler to configure a specially crafted <a href=\"https:\/\/sensepost.com\/blog\/2017\/outlook-home-page-another-ruler-vector\/\">Outlook Home Page<\/a> URL to exploit the security bypass vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11774\">CVE-2017-11774<\/a>, which was <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-11774\">fixed<\/a> shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads.<\/p>\n<p>In this blog, the first in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. In succeeding blog posts in this series, we will shine a spotlight on aspects of the coordinated defense delivered by Microsoft Threat Protection.<\/p>\n<h2>Tracing an end-to-end cloud-based HOLMIUM attack<\/h2>\n<p>HOLMIUM has likely been running cloud-based attacks with Ruler since 2018, but a notable wave of such attacks was observed in the first half of 2019. These attacks combined the outcome of continuous password spray activities against multiple organizations, followed by successful compromise of Office 365 accounts and the use of Ruler in short sequences to gain control of endpoints. This wave of attacks was the subject of a warning from <a href=\"https:\/\/twitter.com\/CNMF_VirusAlert\/status\/1146130046127681536\">US Cybercom<\/a> in July 2019.<\/p>\n<p>These HOLMIUM attacks typically started with intensive password spray against exposed <a href=\"https:\/\/docs.microsoft.com\/windows-server\/identity\/active-directory-federation-services\">Active Directory Federation Services<\/a> (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA) for Office 365 accounts had a higher risk of having accounts compromised through password spray. After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91347 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig1-Password-spray-and-compromised-account.png\" alt width=\"1431\" height=\"629\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig1-Password-spray-and-compromised-account.png 1431w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig1-Password-spray-and-compromised-account-300x132.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig1-Password-spray-and-compromised-account-1024x450.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig1-Password-spray-and-compromised-account-768x338.png 768w\" sizes=\"auto, (max-width: 1431px) 100vw, 1431px\"><\/p>\n<p><em>Figure 1. Password spray and compromised account sign-ins by HOLMIUM as detected in Azure Advanced Threat Protection (ATP) and Microsoft Cloud App Security (MCAS)<\/em><\/p>\n<p>Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-11774\">CVE-2017-11774<\/a>. The two domains abused by HOLMIUM and observed during this 2019 campaign were \u201c<em>topaudiobook.net<\/em>\u201d and \u201c<em>customermgmt.net<\/em>\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91348 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig2-HOLMIUM-exploitation-with-ruler.png\" alt width=\"1431\" height=\"629\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig2-HOLMIUM-exploitation-with-ruler.png 1431w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig2-HOLMIUM-exploitation-with-ruler-300x132.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig2-HOLMIUM-exploitation-with-ruler-1024x450.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig2-HOLMIUM-exploitation-with-ruler-768x338.png 768w\" sizes=\"auto, (max-width: 1431px) 100vw, 1431px\"><\/p>\n<p><em>Figure 2. Exploitation of Outlook Home Page feature using Ruler-like tools<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91349 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig3-Weaponized-ruler.png\" alt width=\"1126\" height=\"717\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig3-Weaponized-ruler.png 1126w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig3-Weaponized-ruler-300x191.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig3-Weaponized-ruler-1024x652.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig3-Weaponized-ruler-768x489.png 768w\" sizes=\"auto, (max-width: 1126px) 100vw, 1126px\"><\/p>\n<p><em>Figure 3. Weaponized home page and initial PowerShell payload<\/em><\/p>\n<p>This initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as <a href=\"https:\/\/attack.mitre.org\/software\/S0371\/\">POWERTON<\/a>) directly from an Outlook process and to perform the installation of additional payloads on the endpoint with different persistence mechanisms, such as <a href=\"https:\/\/attack.mitre.org\/techniques\/T1084\/\">WMI subscription (T1084)<\/a> or <a href=\"https:\/\/attack.mitre.org\/techniques\/T1060\/\">registry autorun keys (T1060)<\/a>. Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim\u2019s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91350 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig4.-Snippets-of-HOMIUM-PowerShell-backdoor.png\" alt width=\"1052\" height=\"1117\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig4.-Snippets-of-HOMIUM-PowerShell-backdoor.png 1052w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig4.-Snippets-of-HOMIUM-PowerShell-backdoor-283x300.png 283w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig4.-Snippets-of-HOMIUM-PowerShell-backdoor-964x1024.png 964w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig4.-Snippets-of-HOMIUM-PowerShell-backdoor-768x815.png 768w\" sizes=\"auto, (max-width: 1052px) 100vw, 1052px\"><\/p>\n<p><em>Figure 4. Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060)<\/em><\/p>\n<h2>HOLMIUM attacks as seen and acted upon by Microsoft Threat Protection<\/h2>\n<p>HOLMIUM attacks demonstrate how hybrid attacks that span from cloud to endpoints require a wide range of sensors for comprehensive visibility. Enabling organizations to detect attacks like these by correlating events in multiple domains \u2013 cloud, identity, endpoints \u2013 is the reason why we build products like Microsoft Threat Protection. As we described in our analysis of HOLMIUM attacks, the group compromised identities in the cloud and leveraged cloud APIs to gain code execution or persist. The attackers then used a cloud email configuration to run specially crafted PowerShell on endpoints every time the Outlook process is opened.<\/p>\n<p>During these attacks, many target organizations reacted too late in the attack chain\u2014when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation.<\/p>\n<p>While it\u2019s relatively easy to remediate and stop malicious processes and downloaded malware on endpoints using endpoint security solutions, such a conventional approach would mean that the attack is persistent in the cloud, so the endpoint could be immediately compromised again. Remediating identities in the cloud is a different story.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91367\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM.png\" alt width=\"1406\" height=\"528\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM.png 1406w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM-300x113.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM-1024x385.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM-768x288.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig5c-typical-timeline-HOLMIUM-1259x472.png 1259w\" sizes=\"auto, (max-width: 1406px) 100vw, 1406px\"><\/p>\n<p><em>Figure 5. The typical timeline of a HOLMIUM attack kill-chain<\/em><\/p>\n<p>In an organization utilizing MTP, multiple expert systems that monitor various aspects of the network would detect and raise alerts on HOLMIUM\u2019s activities. MTP sees the full attack chain across domains beyond simply blocking on endpoints or zapping emails, thus putting organizations in a superior position to fight the threat.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91365 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain.png\" alt width=\"1608\" height=\"907\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain.png 1608w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain-1024x578.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain-768x433.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain-1536x866.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig6a-MTP-components-attack-chain-539x303.png 539w\" sizes=\"auto, (max-width: 1608px) 100vw, 1608px\"><\/p>\n<p><em>Figure 6. MTP components able to prevent or detect HOLMIUM techniques across the kill chain.<\/em><\/p>\n<p>These systems work in unison to prevent attacks or detect, block, and remediate malicious activities. Across affected domains, MTP detects signs of HOLMIUM\u2019s attacks:<\/p>\n<ul>\n<li>Azure ATP identifies account enumeration and brute force attacks<\/li>\n<li>MCAS detects anomalous Office 365 sign-ins that use potentially compromised credentials or from suspicious locations or networks<\/li>\n<li>Microsoft Defender ATP exposes malicious PowerShell executions on endpoints triggered from Outlook Home Page exploitation<\/li>\n<\/ul>\n<p><em><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91353 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected.png\" alt width=\"1848\" height=\"812\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected.png 1848w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected-300x132.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected-1024x450.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected-768x337.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig7-attack-detected-1536x675.png 1536w\" sizes=\"auto, (max-width: 1848px) 100vw, 1848px\"><\/em><\/p>\n<p><em>Figure 7. Activities detected across affected domains by different MTP expert systems<\/em><\/p>\n<p>Traditionally, these detections would each be surfaced in its own portal, alerting on pieces of the attack but requiring the security team to stitch together the full picture. With Microsoft Threat Protection, the pieces of the puzzle are fused automatically through deep threat investigation. MTP generates a combined <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/incidents-overview?view=o365-worldwide\">incident view<\/a> that shows the end-to-end attack, with all related evidence and affected assets in one view.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91354 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident.png\" alt width=\"1920\" height=\"1080\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident.png 1920w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-1024x576.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-768x432.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-1536x864.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-1083x609.png 1083w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-767x431.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig8.MTP-incident-539x303.png 539w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\"><\/p>\n<p><em>Figure 8. The MTP incident brings together in one view the entire end-to-end attack across domain boundaries<\/em><\/p>\n<p>Understanding the full attack chain enables MTP to automatically intervene to block the attack and remediate assets holistically across domains. In HOLMIUM attacks, MTP not only stops the PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as compromised in Azure AD. This invokes <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/conditional-access\/overview\">Conditional Access<\/a> as configured in Azure AD and applies conditions like MFA or limitations on the user account\u2019s permissions to access organizational resources until the account is remediated fully.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91355 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment.png\" alt width=\"1399\" height=\"787\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment.png 1399w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-1024x576.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-768x432.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-1083x609.png 1083w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-767x431.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig9-MTP-coodinated-automatic-containment-539x303.png 539w\" sizes=\"auto, (max-width: 1399px) 100vw, 1399px\"><\/p>\n<p><em>Figure 9. Coordinated automatic containment and remediation across email, identity, and endpoints<\/em><\/p>\n<p>Security teams can dig deep and expand their investigation into the incident in Microsoft 365 Security Center, where all details and related activities are available in one place. Furthermore, security teams can hunt for more malicious activities and artifacts through <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/mtp\/advanced-hunting-overview\">advanced hunting<\/a>, which brings together all the raw data collected across product domains into one unified schema with powerful query constructs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91356 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting.jpg\" alt width=\"1449\" height=\"815\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting.jpg 1449w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-300x169.jpg 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-1024x576.jpg 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-768x432.jpg 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-687x385.jpg 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-1083x609.jpg 1083w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-767x431.jpg 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig10-MTP-advanced-hunting-539x303.jpg 539w\" sizes=\"auto, (max-width: 1449px) 100vw, 1449px\"><\/p>\n<p><em>Figure 10. Hunting for activities across email, identity, endpoint and cloud applications<\/em><\/p>\n<p>Finally, when the attack is blocked and all affected assets are remediated, MTP helps organizations identify improvements to their security configuration that would prevent the attacker from returning. The Threat Analytics report provides an exposure view and recommends prevention measures relevant to the threat. For example, the Analytics Report for HOLMIUM recommended, among other things, applying the appropriate security updates to prevent tools like Ruler from operating, as well as completely eliminating this attack vector in the organization.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-91357 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM.png\" alt width=\"1497\" height=\"842\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM.png 1497w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-1024x576.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-768x432.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-1083x609.png 1083w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-767x431.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/Fig11-Threat-analytics-HOLMIUM-539x303.png 539w\" sizes=\"auto, (max-width: 1497px) 100vw, 1497px\"><\/p>\n<p><em>Figure 11. Threat Analytics provides organizational exposure and recommended mitigations for HOLMIUM<\/em><em>&nbsp;<\/em><\/p>\n<h2>Microsoft Threat Protection: Stop attacks with automated cross-domain security<\/h2>\n<p>HOLMIUM exemplifies the sophistication of today\u2019s cyberattacks, which leverage techniques spanning organizational cloud services and on-prem devices. Organizations must equip themselves with security tools that enable them to see the attack sprawl and respond to these attacks holistically and automatically. Protecting organizations from sophisticated attacks like HOLMIUM is the backbone of MTP.<\/p>\n<p>Microsoft Threat Protection harnesses the power of Microsoft 365 security products and brings them together into an unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents such attacks across an organization\u2019s Microsoft 365 environment. Existing Microsoft 365 <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/prerequisites?view=o365-worldwide\">licenses<\/a> provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. Learn how Microsoft Threat Protection can help your organization to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/integrated-threat-protection\">stop attacks with coordinated defense<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/06\/18\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the first blog in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM.<br \/>\nThe post Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":35601,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[8726,347,8727,8728,4620,6717,7221,4952,8729,353,6578],"class_list":["post-35600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-azure-atp","tag-cybersecurity","tag-holmium","tag-inside-microsoft-threat-protection","tag-microsoft-cloud-app-security","tag-microsoft-defender-atp","tag-microsoft-security-intelligence","tag-microsoft-threat-protection","tag-mtp","tag-office-365-atp","tag-threat-protection"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-06-18T16:00:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1431\" \/>\n\t<meta property=\"og:image:height\" content=\"629\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint\",\"datePublished\":\"2020-06-18T16:00:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/\"},\"wordCount\":1678,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png\",\"keywords\":[\"Azure ATP\",\"Cybersecurity\",\"HOLMIUM\",\"Inside Microsoft Threat Protection\",\"Microsoft Cloud App Security\",\"Microsoft Defender ATP\",\"Microsoft security intelligence\",\"Microsoft Threat Protection\",\"MTP\",\"Office 365 ATP\",\"Threat protection\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/\",\"name\":\"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png\",\"datePublished\":\"2020-06-18T16:00:03+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png\",\"width\":1431,\"height\":629},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Azure ATP\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/azure-atp\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/","og_locale":"en_US","og_type":"article","og_title":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-06-18T16:00:03+00:00","og_image":[{"width":1431,"height":629,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint","datePublished":"2020-06-18T16:00:03+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/"},"wordCount":1678,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png","keywords":["Azure ATP","Cybersecurity","HOLMIUM","Inside Microsoft Threat Protection","Microsoft Cloud App Security","Microsoft Defender ATP","Microsoft security intelligence","Microsoft Threat Protection","MTP","Office 365 ATP","Threat protection"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/","url":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/","name":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png","datePublished":"2020-06-18T16:00:03+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint.png","width":1431,"height":629},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Azure ATP","item":"https:\/\/www.threatshub.org\/blog\/tag\/azure-atp\/"},{"@type":"ListItem","position":3,"name":"Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=35600"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35600\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/35601"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=35600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=35600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=35600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}