Huntress

Computer and Network Security

Columbia, Maryland 90,464 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them, and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most under-resourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Industry
Computer and Network Security
Company size
501-1,000 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services


Updates

  • In a recent incident, the Huntress SOC observed high-confidence indicators of compromise, including an AitM login using "axios/1.8.2", followed by inbox rule manipulation and an OAuth app install that caught our eye: SigParser. Is SigParser malicious? No. Is it abused by threat actors? Constantly. Like a crowbar, a tool in the wrong hands is a problem. Matt Kiely breaks down the full incident, the growing problem of “Traitorware,” and why detection alone won’t cut it when it comes to rogue OAuth apps. 👉 https://bit.ly/4mOuGmC

  • Identity isn’t just an entry point. And attackers know it.
    🔐 67% of orgs say identity threats are climbing
    📬 51% got hit with BEC last year
    ⏱️ Most don’t catch it until the bad guys are already rooted in
    While teams double down on endpoints and MFA, attackers are quietly slipping through OAuth approvals, session tokens, and cloud misconfigs at scale. The Huntress 2025 Managed ITDR Report pulls back the curtain with real-world tradecraft from the front lines. Get the key takeaways on what’s changing, what’s breaking, and what defenders need to know: https://lnkd.in/evHS_Htq

  • A threat actor infiltrated a medical facility and threw everything they had at the network. Here’s a breakdown of what went down 👇
    ✅ Netscan used for enumeration
    ✅ Malicious drivers deployed to disable Windows Defender
    ✅ Lateral movement via PSExec
    ✅ Mimikatz to extract cleartext credentials
    ✅ User accounts created for persistence
    ✅ Registry modifications using NPPSPY (malicious DLL)
    Our 24/7 Human SOC isolated the network for the partner, stopping further damage and lateral movement. Tips to protect your network:
    ➡️ Block local admin rights for day-to-day accounts
    ➡️ Use the Windows Firewall to prevent lateral movement
    ➡️ Always keep Windows instances fully patched
    Want to know more about NPPSPY and how it works? Check out Cleartext Shenanigans on our blog: https://lnkd.in/e_B9G6g6

  • Big win in the news this week against one of the most active InfoStealers out there: Europol and Microsoft coordinated a takedown of Lumma Stealer, with Microsoft seizing or blocking over 2,300 malicious domains tied to its infrastructure. The DOJ also disrupted Lumma’s command servers and the marketplaces where it was sold. From our vantage point, Lumma Stealer has been no small threat. It’s been around since 2022, targeting browser creds, cookies, crypto wallets, you name it. In fact, it was the second most common InfoStealer our SOC encountered last year. This kind of coordinated takedown forces threat actors to retool, but let’s be clear: these are disruptions, not death blows. As we've seen with other malware takedowns in the past, the threat doesn't disappear. It evolves. According to our 2025 Cyber Threat Report, InfoStealers made up nearly 25% of all incidents Huntress investigated last year. It’s one of the most persistent threats businesses face today. We covered this in our May Tradecraft Tuesday, including how these takedowns impact the real-world threat landscape. Worth a watch https://lnkd.in/gNm3pujM

  • Got an email that looks like it came from Google? It might be a phish. Our Staff Product Researcher (and the evil genius behind Huntress' Managed Security Awareness Training simulated demos and phishing simulations), Truman Kain, is posting short, sweet, and easy-to-understand videos daily to help people spot scams fast. Give him a follow, learn how to read between the lines (and headers), and stay one step ahead of even the sneakiest phish.

  • “The attacker only accessed the VPN client and never made it into the network.” Here’s how Managed SIEM turns raw logs into clear wins for proactive defense. We recently stopped a threat actor that was targeting multiple partner environments. They racked up nearly 11,000 failed login attempts before landing a single hit. As seen below, this brute-force attack was captured through SIEM logs, quickly triggering an investigation and a business-saving response from our 24/7 security team. Our SOC experts blocked the malicious IP address across the network and immediately sent an actionable report to the partner, which included step-by-step remediation guidance. SIEMs shouldn’t just be about collecting data; they should be about making use of it.

  • Rogue apps. VPN misuse. Business email compromise. Identity-based threats are evolving fast, and many teams are struggling to keep up. According to our latest survey:
    📬 51% faced BEC
    ☁️ 45% dealt with malicious cloud apps
    🔐 43% saw VPN misuse

  • Hackers aren’t breaking in, they’re logging in. And rogue cloud apps are one of the stealthiest ways they do it. Here’s the problem:
    ➡️ Any Microsoft 365 user can install apps by default
    ➡️ Malicious OAuth apps can bypass MFA and lurk for months
    ➡️ Most orgs don’t even realize they’re exposed
    Rogue Apps, the latest addition to our Managed ITDR suite, solves this by:
    ✅ Detecting malicious OAuth apps before they cause damage
    ✅ Automatically removing risky apps hiding in your tenant
    ✅ Closing critical cloud visibility gaps to stop threats before they escalate
    Learn why identity-based threats are rising and how Rogue Apps flips the script on cloud-based compromise: https://bit.ly/3ZgyNxq

  • Deploying Managed EDR during an active intrusion? That’s the hard way to find out what it’s capable of. A metals manufacturer deployed the Huntress agent during an active intrusion. Here’s what our SOC uncovered 👇
    ✅ PSExec was used to tweak registry & firewall settings for RDP access.
    ✅ Mimikatz.exe was hiding in C:\PerfLogs dumping credentials.
    ✅ Legit tools (TNIWINAGEN) were abused to scan the network, then a malicious Atera agent was deployed.
    ✅ A scheduled task ("MSTR tsk") was beaconing to a malicious IP.
    Unfortunately, not all endpoints had the Huntress agent installed. The ones we were protecting? Isolated fast—safe from ransomware. The rest? Not so lucky. Keep your business secure:
    ➡️ Threat actors exploit blind spots. Fully deploying Managed EDR across all endpoints reduces exposure and turns meaningless alerts into action.
    ➡️ If your RMM tools aren’t in use, block them.
    ➡️ Always be ready for worst-case scenarios with a tested disaster recovery plan.

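
The Managed SIEM post above describes a brute-force login campaign (thousands of failures, then one successful hit) caught from log data. As an added illustration, not Huntress code and not the partner's real logs, here is the detection logic a SIEM rule would encode: a per-source sliding window over constructed VPN authentication lines, alerting both when failures cross a threshold and when a success follows a burst of failures from the same source. The log format, the 10-minute window and the threshold of 10 are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed generic line format: "<ISO8601 UTC> <src_ip> user=<name> result=FAIL|SUCCESS"
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(FAIL|SUCCESS)$")

# Constructed sample: 12 failures from one source in 12 seconds, then a success
# from that source, then an unrelated clean login from another address.
SAMPLE_LOG = [f"2025-05-20T02:00:{s:02d}Z 203.0.113.7 user=u{s} result=FAIL"
              for s in range(1, 13)]
SAMPLE_LOG += ["2025-05-20T02:01:00Z 203.0.113.7 user=svc-vpn result=SUCCESS",
               "2025-05-20T02:05:00Z 198.51.100.9 user=ops result=SUCCESS"]


def parse_line(line):
    """Return (timestamp, src_ip, user, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=10)):
    """Scan lines in time order; return alerts as (kind, src_ip, failures, timestamp).

    'brute_force' fires once per source when failures in the window reach the
    threshold; 'success_after_failures' fires on every success from a source
    that still has a threshold-sized burst of failures in its window.
    """
    recent = defaultdict(deque)  # src_ip -> failure timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the rule
        ts, ip, _user, result = parsed
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than the window
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, len(q), ts))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ip, len(q), ts))
    return alerts
```

The second alert kind is the one that matters most operationally: a success right after a failure burst is the "single hit" that turns a noisy scan into an account-compromise investigation.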
