Threat Hunting for Business Email Compromise Through User Agents

This article examines threat hunting for business email compromise (BEC) in Microsoft 365 by analyzing anomalous user agents in telemetry. It details how Huntress identified and validated malicious authentications linked to a rare AZURECLI/Azsdk-python user agent, and how findings were shared with the community to drive remediation and prevention. #AZURECLI #AzsdkPython #Impacket #AADInternals #Huntress #Microsoft365 #BEC

Keypoints

  • The threat hunt was framed around whether anomalous user agents in Microsoft 365 telemetry can signal business email compromise (BEC).
  • User agents themselves are not inherently malicious, and many tools default to their own agents, complicating detection.
  • Huntress focused on rare, contextually anomalous user agents and correlated them with login events to flag potential abuse.
  • The rare agent AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource was linked to suspicious activity, including four successful logins across June 2023.
  • Telemetry showed 85 hits for this agent, with the majority being login failures and only a few successful authentications, prompting deeper investigation.
  • The team found cross-territory patterns (e.g., a Belgium → Korea login pair; an Indonesian IP attempting many sign-ins) that supported malicious use of credentials.
  • The team issued true-positive BEC reports and remediation guidance to the Huntress community, demonstrating the value of human-assisted threat detection.
  • Detection logic emerged from the hunt: event.action: UserLoggedIn AND user_agent.original.text:"azsdk-python", which was then pushed to production.
  • Prevention emphasis centered on MFA and complex conditional access to curb early-stage compromise in cloud environments.
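
The detection rule and the rarity-based hunt described in the keypoints above, as an added example (not Huntress's code): the rule is applied to constructed Microsoft 365 sign-in records, and per-agent success/failure counts plus per-user country sets reproduce the pivots the page describes. Field names, event values and sample users are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Field names mirror the
# event.action / user agent fields quoted on the page; the rare user agent string
# is the one the page reports. Users and countries are placeholders.
RARE_UA = "AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/114.0"
SAMPLE_EVENTS = [
    {"event.action": "UserLoggedIn", "user": "alice@example.com", "user_agent": RARE_UA, "country": "KR"},
    {"event.action": "UserLoginFailed", "user": "bob@example.com", "user_agent": RARE_UA, "country": "ID"},
    {"event.action": "UserLoginFailed", "user": "carol@example.com", "user_agent": RARE_UA, "country": "ID"},
    {"event.action": "UserLoginFailed", "user": "dave@example.com", "user_agent": RARE_UA, "country": "ID"},
    {"event.action": "UserLoggedIn", "user": "erin@example.com", "user_agent": RARE_UA, "country": "FI"},
    {"event.action": "UserLoggedIn", "user": "alice@example.com", "user_agent": BROWSER_UA, "country": "BE"},
    {"event.action": "UserLoggedIn", "user": "bob@example.com", "user_agent": BROWSER_UA, "country": "BE"},
]


def matches_rule(event):
    """The page's production rule: a successful login whose user agent
    contains the substring 'azsdk-python' (matched case-insensitively here)."""
    return (event["event.action"] == "UserLoggedIn"
            and "azsdk-python" in event["user_agent"].lower())


def flag_logins(events):
    """Return (user, country) for every successful login that matches the rule."""
    return [(e["user"], e["country"]) for e in events if matches_rule(e)]


def agent_summary(events):
    """Per-user-agent success/failure counts. A rare agent with many failures
    and only a few successes is the shape that prompted the deeper look."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0})
    for e in events:
        key = "success" if e["event.action"] == "UserLoggedIn" else "failed"
        summary[e["user_agent"]][key] += 1
    return dict(summary)


def countries_per_flagged_user(events):
    """Cross-territory pivot: all countries each flagged user logged in from,
    across every user agent (e.g. the Belgium -> Korea pattern on the page)."""
    flagged = {user for user, _ in flag_logins(events)}
    seen = defaultdict(set)
    for e in events:
        if e["event.action"] == "UserLoggedIn" and e["user"] in flagged:
            seen[e["user"]].add(e["country"])
    return {user: sorted(countries) for user, countries in seen.items()}
```

Each flagged login is a lead, not a verdict; the summary and country pivot are what an analyst would review before calling it a true positive, as the page's team did.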

MITRE Techniques

  • [T1078.004] Valid Accounts – Initial access via rare or malicious credentials; 85 hits for the suspicious user agent with four successful authentications across June 2023, indicating potential credential abuse. ‘four successful authentications for four user accounts, in all of June 2023.’
  • [T1059.006] Python – Use of Python-based tooling (azsdk-python-azure-mgmt-resource) to authenticate and interact with Azure services. ‘AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource’

Indicators of Compromise

  • [IP Address] Malicious endpoints observed in IoCs – 213.154.80.21, 203.251.62.51, 91.158.221.9, 118.98.90.2
  • [User-Agent] Suspicious user-agent string associated with Azure CLI/Python tooling – AZURECLI/2.47.0 (DEB) azsdk-python-azure-mgmt-resource

Read more: https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents