Understanding the Dark Halo M365 Attack

How the Complexity of Cloud-Based Enterprise SaaS Systems Allows Attackers to Hide in Plain Sight

Late 2020 saw the emergence of Dark Halo, a series of sophisticated and extreme assaults on more than 18,000 companies and the first global Microsoft 365 (M365) incident. This is just one of the recent breaches that have shown that misconfigurations in M365 are fast becoming the favoured channel through which unauthorised use of identities and access to data occur without alerting security teams.

This breach analysis report looks at the anatomy of the Dark Halo attack and explores how attackers used M365’s complexity to hide in plain sight, and how reconnaissance and data exfiltration activities were accomplished using poorly documented M365 administrative interfaces.

Dark Halo & M365 Breach Analysis Report 2021

Protect Your M365 Investment With a Free Dark Halo Security Scan

Understand if your M365 tenant is vulnerable to attacks like Dark Halo with a free M365 Security Scan.

Developed with the team of international M365 security experts at Siriux, this scan highlights configurations that are known to be used by attackers after initial breach. Unlike other scans available, whose tools are primarily forensics-oriented, the Dark Halo Quick Scan helps you manage future risk by assessing more vulnerabilities within your SaaS product than any other.

The scan includes an assessment report that provides additional information on how to configure the controls to improve your M365 security posture and prevent reconnaissance and data exfiltration.


How Microsoft’s SaaS Configuration Helped Attackers Hide in Plain Sight

Join us on Wednesday, 21 April at 3PM as we explain what’s changed within the hacker community and why M365 is fast becoming the target.

The session will cover:

  • Recent breaches of M365 (including the Dark Halo breach) and their implications for Microsoft 365
  • How the attackers achieved their target undetected
  • The impact and probability of the risk occurring and what we need to do to detect and mitigate the risk

We are honoured to have Microsoft expert, multi-decade veteran of the InfoSec community and Siriux founder Aaron Turner presenting with us.

Aaron Turner, Founder and CEO, Siriux

Aaron started working at Microsoft in 1999, during the days before the company had formal security teams. He helped start many of Microsoft’s security initiatives and eventually was responsible for all interactions between Microsoft and its customers’ CISOs.


One of our expert partners, Siriux, has a unique perspective on the real-world threats and vulnerabilities that SaaS customers are currently dealing with. Using their experience of proactive consulting and incident response associated with Global Administrator Account Takeover attacks, Siriux developed a set of automated data gathering capabilities which rely on Microsoft 365 APIs to facilitate consistent and measurable analysis of M365 security settings.