Identity-First Intrusions Dominate: DFIR takeaways from Microsoft’s 2025 Digital Defense Report and the Oct 22 DFIR Round‑Up
Forensic Focus’ Oct 22, 2025 roundup spotlights Microsoft’s new Digital Defense Report (MDDR) and a wave of DFIR-relevant updates. Microsoft reports that more than half of attacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents targeting data theft for financial gain. Microsoft also processes ~100 trillion security signals daily, blocks ~4.5M new malware attempts, and analyzes 38M identity risk detections. Critically, over 97% of identity attacks are password attacks—and phishing‑resistant MFA can block >99% of them. (Forensic Focus roundup; Microsoft On the Issues article; MDDR 2025 overview). (forensicfocus.com)
The report period (July 2024–June 2025) underscores a reality many investigators already see: adversaries aren’t “breaking in,” they’re signing in—via password spray, infostealer-harvested cookies/tokens, and replayed sessions. (Microsoft On the Issues). (blogs.microsoft.com)
Practitioner’s snapshot of the threat landscape
- Extortion/ransomware is the leading motive among incidents with identified intent; espionage accounts for a much smaller slice. (Microsoft On the Issues; MDDR 2025 overview). (blogs.microsoft.com)
- Identity is the primary battleground: >97% of identity attacks are password-based; phishing‑resistant MFA is highly effective (>99% of identity attacks blocked). (Microsoft On the Issues). (blogs.microsoft.com)
- Infostealers feed identity abuse: Microsoft and partners disrupted “Lumma Stealer,” seizing ~2,300 domains; telemetry indicated >394k infected Windows hosts pre-disruption. (Microsoft DCU Lumma action). (blogs.microsoft.com)
What this means for the DFIR workflow: Start every suspected intrusion with identity-centric scoping, then pivot to endpoint/process evidence and data-access auditing.
Evidence and artefact collection guide
1) Cloud identity (Microsoft Entra ID)
Prioritize sign-in telemetry, risk signals, and conditional access outcomes.
Key locations and how to access:
- Microsoft Entra Sign‑in logs (interactive, non‑interactive, service principal, managed identity) via Entra admin center or Log Analytics/Graph. (Sign‑ins overview; Basic info fields; Access activity logs). (learn.microsoft.com)
- Risk detections (e.g., impossible travel, anonymized IP, anomalous tokens) in Entra ID Protection. (Risk detections reference). (learn.microsoft.com)
Hunting starting points (Microsoft Defender XDR Advanced Hunting tables):
// Password spray from a single IP across many users in last 24h
// Note: AADSignInEventsBeta exposes the failure code as ErrorCode and the UPN as AccountUpn
AADSignInEventsBeta
| where Timestamp > ago(24h)
| where ErrorCode != 0 // failed sign-ins
| summarize UsersTargeted=dcount(AccountUpn), Failures=count() by IPAddress
| where UsersTargeted >= 20 and Failures >= 200
| order by Failures desc
- Tune thresholds to your tenant’s baseline and combine with ISP / UserAgent patterns (see Microsoft’s Storm‑0940 guidance for additional hunting pivots). (Storm‑0940 blog and queries). (microsoft.com)
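The same aggregation carried one step further, as an added example that is not part of the Forensic Focus roundup or any Microsoft query: it runs over exported sign-in records in the shape of the Microsoft Graph signIns resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and, after finding spray source IPs, lists the accounts that later signed in successfully from those IPs, which is the eviction list for the response steps below. The records are constructed, not real telemetry.

```python
from collections import defaultdict

# Constructed sample, not real telemetry: 203.0.113.10 fails 10 times against each of
# 25 accounts (errorCode 50126 = invalid credentials) and then succeeds for user7;
# 198.51.100.5 is ordinary background activity.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-10-20T02:00:00Z",
     "userPrincipalName": f"user{u}@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
    for u in range(25) for _ in range(10)
] + [
    {"createdDateTime": "2025-10-20T02:30:00Z", "userPrincipalName": "user7@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-20T01:00:00Z", "userPrincipalName": "user2@contoso.example",
     "ipAddress": "198.51.100.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-20T09:00:00Z", "userPrincipalName": "user3@contoso.example",
     "ipAddress": "198.51.100.5", "status": {"errorCode": 50126}},
]

def find_spray_sources(signins, min_users=20, min_failures=200):
    """Same aggregation as the KQL above: IPs whose failed sign-ins touch many accounts.
    Returns {ip: {"users_targeted": n, "failures": n}}; tune thresholds to the tenant."""
    fails = defaultdict(lambda: {"users": set(), "failures": 0})
    for s in signins:
        if s["status"]["errorCode"] != 0:
            f = fails[s["ipAddress"]]
            f["users"].add(s["userPrincipalName"].lower())
            f["failures"] += 1
    return {ip: {"users_targeted": len(f["users"]), "failures": f["failures"]}
            for ip, f in fails.items()
            if len(f["users"]) >= min_users and f["failures"] >= min_failures}

def successes_after_spray(signins, spray_ips):
    """The triage pivot the KQL stops short of: accounts that signed in successfully from a
    spray source IP at or after that IP's first failure (candidates for session revocation).
    Timestamps are ISO-8601 UTC strings of equal format, so string comparison orders them."""
    first_fail = {}
    for s in signins:
        ip = s["ipAddress"]
        if ip in spray_ips and s["status"]["errorCode"] != 0:
            first_fail[ip] = min(first_fail.get(ip, s["createdDateTime"]), s["createdDateTime"])
    hits = set()
    for s in signins:
        ip = s["ipAddress"]
        if s["status"]["errorCode"] == 0 and ip in first_fail and s["createdDateTime"] >= first_fail[ip]:
            hits.add((s["userPrincipalName"].lower(), ip, s["createdDateTime"]))
    return sorted(hits)
```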
Detection content to (re)enable:
- Microsoft Sentinel analytics templates for password spray and identity anomalies; deploy from “Rule templates” and Content Hub. (Sentinel rule templates). (learn.microsoft.com)
2) Microsoft 365 data access (Unified Audit Log)
Use Purview Audit for scoping data theft, mailbox access, file exfil, OAuth app consent, and risky searches.
Key references and retention realities:
- “Search the audit log” (Purview portal) and PowerShell/API options. (Search the audit log; Audit solutions overview). (learn.microsoft.com)
- Retention: Audit (Standard) now defaults to 180 days; Audit (Premium) provides 1‑year default for Entra/Exchange/SharePoint/OneDrive with options up to 10 years via add‑on. (Security blog on retention change; Audit solutions overview). (microsoft.com)
Helpful audit pivots:
// MailItemsAccessed & anomalous downloads (requires Audit Premium for some events)
// Note: in CloudAppEvents these activities are attributed to the workload apps, not "Office 365",
// and the actor columns are AccountDisplayName / AccountId (there is no AccountUpn column)
CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft Exchange Online", "Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType in ("MailItemsAccessed", "FileDownloaded")
| summarize Events=count() by AccountDisplayName, AccountId, ActionType, IPAddress, bin(Timestamp, 1h)
| order by Events desc
- Ensure Unified Audit Logging is on and appropriate roles (Audit Reader/Manager) are assigned; export results for long‑term retention where licensing doesn’t cover your needs. (Search the audit log; Get started with auditing solutions). (learn.microsoft.com)
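Scoping mailbox access from an audit export, as an added example that is not from the roundup or from Microsoft: it reads the per-record AuditData JSON that Purview audit search and Search-UnifiedAuditLog return for MailItemsAccessed, totals item operations per mailbox and client IP, separates Bind (individual reads) from Sync (folder download), flags IPs outside an assumed per-mailbox baseline, and surfaces the IsThrottled property, because a throttled mailbox stops producing MailItemsAccessed records and the counts then understate what was read. The records and the baseline are constructed.

```python
import json
from collections import defaultdict

# Constructed sample, not a real export: AuditData JSON per record, trimmed to the fields used.
SAMPLE_AUDITDATA = [
    json.dumps({"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@contoso.example",
                "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.5",
                "OperationCount": 4,
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "False"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "Alice@contoso.example",
                "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
                "OperationCount": 120,
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                        {"Name": "IsThrottled", "Value": "True"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@contoso.example",
                "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
                "OperationCount": 30,
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}),
    json.dumps({"Operation": "FileDownloaded", "UserId": "alice@contoso.example",
                "ClientIP": "203.0.113.10"}),  # SharePoint/OneDrive workload, skipped here
]
# Assumed baseline of client IPs seen per mailbox before the incident window
# (in practice built from earlier sign-in logs).
KNOWN_IPS = {"alice@contoso.example": {"198.51.100.5"}}

def _props(rec):
    return {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}

def summarize_mail_access(audit_records, known_ips):
    """One row per (mailbox, client IP): total item operations, access types, whether the IP
    is outside the mailbox's baseline, and whether any record carried IsThrottled=True."""
    agg = defaultdict(lambda: {"items": 0, "types": set(), "throttled": False})
    for raw in audit_records:
        rec = json.loads(raw) if isinstance(raw, str) else raw
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = _props(rec)
        a = agg[(rec["MailboxOwnerUPN"].lower(), rec.get("ClientIPAddress", ""))]
        a["items"] += int(rec.get("OperationCount", 0))
        a["types"].add(props.get("MailAccessType", "Unknown"))
        a["throttled"] |= props.get("IsThrottled", "False").lower() == "true"
    return [{"mailbox": mbx, "ip": ip, "items": a["items"], "types": sorted(a["types"]),
             "outside_baseline": ip not in known_ips.get(mbx, set()), "throttled": a["throttled"]}
            for (mbx, ip), a in sorted(agg.items())]

def scope_mailbox_theft(audit_records, known_ips):
    """Rows worth escalating: access from outside the baseline, or throttled (undercounted)."""
    return [r for r in summarize_mail_access(audit_records, known_ips)
            if r["outside_baseline"] or r["throttled"]]
```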
3) Endpoint artefacts (Windows)
Focus on ransomware “pre‑stage” behaviors and evidence‑wiping attempts.
Log/event sources to capture:
- Security Event Log IDs: 4688 (new process), 4625 (failed logon), 1102 (audit log cleared). (4688; 4625; 1102). (learn.microsoft.com)
- Sysmon Event ID 1 (process creation) and related events for richer command‑line, hash, and parent-child context. (Sysmon). (learn.microsoft.com)
High‑signal pre‑encryption commands to watch (and alert on):
- vssadmin.exe Delete Shadows, wmic.exe shadowcopy delete, wbadmin.exe delete catalog, bcdedit.exe recoveryenabled no, wevtutil cl, cipher.exe /w, fsutil.exe behavior. (Microsoft ransomware hunting cheatsheet; CISA detection for shadow copy deletion). (learn.microsoft.com)
Sample hunting (Defender XDR):
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("vssadmin.exe","wmic.exe","wbadmin.exe","bcdedit.exe","wevtutil.exe","cipher.exe","fsutil.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
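Turning that process list into a scored detection, as an added example that is neither from the roundup nor from Microsoft's hunting guide: it matches on the full command line (so "vssadmin delete shadows" fires but an administrator's "vssadmin list shadows" does not), groups matches into behaviour families, and only flags a device when two or more distinct families occur within a short window, which is the pattern that precedes encryption. Rows follow the DeviceProcessEvents column names used above; the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-encryption behaviours from the list above, keyed by family. Matching the full command
# line separates "vssadmin delete shadows" from the benign "vssadmin list shadows".
PRESTAGE_PATTERNS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("free_space_wiped", re.compile(r"cipher(\.exe)?\s+/w:", re.I)),
    ("fs_behavior_changed", re.compile(r"fsutil(\.exe)?\s+behavior\s+set", re.I)),
]

# Constructed sample (not real telemetry) in the shape of DeviceProcessEvents rows.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-10-21T10:00:00", "DeviceName": "ws-a", "FileName": "vssadmin.exe",
     "ProcessCommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Timestamp": "2025-10-21T10:01:00", "DeviceName": "ws-a", "FileName": "wbadmin.exe",
     "ProcessCommandLine": "wbadmin delete catalog -quiet"},
    {"Timestamp": "2025-10-21T10:01:30", "DeviceName": "ws-a", "FileName": "bcdedit.exe",
     "ProcessCommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Timestamp": "2025-10-21T10:02:00", "DeviceName": "ws-a", "FileName": "wevtutil.exe",
     "ProcessCommandLine": "wevtutil.exe cl Security"},
    {"Timestamp": "2025-10-21T10:00:00", "DeviceName": "ws-b", "FileName": "vssadmin.exe",
     "ProcessCommandLine": "vssadmin list shadows"},        # admin inventory, benign
    {"Timestamp": "2025-10-21T11:00:00", "DeviceName": "ws-c", "FileName": "wevtutil.exe",
     "ProcessCommandLine": "wevtutil cl Application"},      # isolated event, lower confidence
]

def classify(cmdline):
    """Families a single command line belongs to (empty list if none)."""
    return [fam for fam, rx in PRESTAGE_PATTERNS if rx.search(cmdline)]

def score_devices(events, window=timedelta(minutes=15), min_families=2):
    """Flag devices where at least `min_families` distinct families fire within `window`.
    Returns {device: sorted families of the first qualifying cluster}."""
    per_device = defaultdict(list)
    for e in events:
        for fam in classify(e["ProcessCommandLine"]):
            per_device[e["DeviceName"]].append((datetime.fromisoformat(e["Timestamp"]), fam))
    flagged = {}
    for dev, hits in per_device.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            fams = {fam for t, fam in hits[i:] if t - t0 <= window}
            if len(fams) >= min_families:
                flagged[dev] = sorted(fams)
                break
    return flagged
```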
Responding to identity‑led intrusions
- Immediately revoke cloud sessions/tokens and force re‑authentication
  - Use Microsoft Graph revokeSignInSessions or AzureAD PowerShell to revoke refresh tokens; note that access tokens are short‑lived and can’t be revoked directly. (CISA eviction strategy CM0077; Microsoft Q&A on revocation). (cisa.gov)
- Contain affected identities and workloads
  - Reset passwords, invalidate persistent sessions, and review/disable suspicious app consents and service principals as needed. (CISA eviction CM0076). (cisa.gov)
- Raise the floor on auth strength
  - Require phishing‑resistant MFA (FIDO2/passkeys or Windows Hello for Business) for admins first, then high‑risk user populations. (Policy guidance; What is FIDO2; Windows Hello for Business). (learn.microsoft.com)
- Preserve and extend auditability
  - Verify Purview Audit is enabled, export or retain logs per investigation/regulatory needs (180‑day default; 1‑year for core services on Audit Premium; up to 10 years with add‑on). (Audit search; Audit solutions/retention; Security blog on retention change). (learn.microsoft.com)
Tooling updates you can use this week
- Amped FIVE adds JSON‑based filter presets, Project Snapshots (branch/rollback with auditability), and compression analysis overlays that can improve your chain‑of‑custody reproducibility and courtroom explainability on video evidence. (Forensic Focus news post with details). (forensicfocus.com)
- MSAB’s Q3 2025 release introduces BruteStorm Surge (GPU‑accelerated brute‑force add‑on for XRY Pro) plus XAMN and UNIFY enhancements, which can materially reduce device access delays and centralize mixed‑tool extractions. Validate any time‑to‑crack claims in your lab. (Forensic Focus summary). (forensicfocus.com)
Infostealers and session theft: where to look
MDDR emphasizes cookie/token theft fueling identity compromise. Microsoft has observed malvertising and phishing chains that drop infostealers (e.g., Lumma) to harvest credentials and browser tokens at scale. Investigate endpoints for browser credential store access and DPAPI usage; correlate with sudden sign‑in spikes and atypical locations. (Microsoft On the Issues; Microsoft TI malvertising → infostealers). (blogs.microsoft.com)
Quick checks and detections (copy/paste)
- Sentinel: enable “Password spray attempts” (template) and identity anomaly rules; confirm data connectors for Entra Sign‑in Logs are active. (Sentinel templates). (learn.microsoft.com)
- Defender XDR – find risky mass failures per ISP:
AADSignInEventsBeta
| where Timestamp > ago(7d) and ErrorCode != 0 // ErrorCode/AccountUpn are this table's column names
| summarize Fails=count(), Users=dcount(AccountUpn) by ISP, IPAddress
| where Users >= 10 and Fails >= 100
| order by Fails desc
- Defender XDR – ransomware pre‑stage on endpoints:
DeviceProcessEvents
| where Timestamp > ago(48h)
| where ProcessCommandLine has_any ("Delete Shadows","shadowcopy delete","bcdedit /set","wevtutil cl","cipher /w","wbadmin delete")
| project Timestamp, DeviceName, AccountSid, FileName, ProcessCommandLine
References for these behaviors: (Microsoft ransomware hunting guide; CISA CM0097 – shadow copy deletion detection). (learn.microsoft.com)
Takeaways
- Lead with identity: triage Entra sign‑ins, risky sign‑ins, and Conditional Access outcomes first. (Entra sign‑ins; Risk detections). (learn.microsoft.com)
- Hunt early ransomware stages: alert on vssadmin/wmic/bcdedit/wevtutil/wbadmin/cipher/fsutil to interrupt encryption timelines. (Microsoft ransomware hunting). (learn.microsoft.com)
- Evict sessions, then raise auth strength: revoke refresh tokens and require phishing‑resistant MFA for admins and high‑risk users. (CISA CM0077; Phishing‑resistant MFA policy). (cisa.gov)
- Preserve evidence: ensure Purview Audit is enabled and plan retention/export now; don’t discover a 180‑day ceiling mid‑investigation. (Audit search; Audit solutions/retention). (learn.microsoft.com)
- Apply tool updates that improve reproducibility and speed: Amped FIVE’s snapshots/presets for video workflows; MSAB’s XRY/XAMN features for mobile access/analysis. (Amped FIVE update; MSAB Q3 release). (forensicfocus.com)
Sources / References
- Forensic Focus — Digital Forensics Round‑Up, Oct 22, 2025: https://www.forensicfocus.com/news/digital-forensics-round-up-october-22-2025/
- Microsoft On the Issues — Extortion and ransomware drive over half of cyberattacks (MDDR 2025): https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/
- Microsoft — Digital Defense Report 2025 overview: https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/
- Microsoft DCU — Disrupting Lumma Stealer: https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
- Microsoft Learn — Sign‑in logs in Microsoft Entra ID: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
- Microsoft Learn — Sign‑in log basic info details: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-basic-info-sign-in-logs
- Microsoft Learn — Access activity logs in Entra ID: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-access-activity-logs
- Microsoft Learn — What are risk detections? (Entra ID Protection): https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- Microsoft Security Blog — Storm‑0940 password spray guidance: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
- Microsoft Learn — Microsoft Sentinel analytics rule templates: https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template
- Microsoft Learn — Purview Audit: Search the audit log: https://learn.microsoft.com/en-us/purview/audit-search
- Microsoft Learn — Purview auditing solutions (retention & 10‑year add‑on): https://learn.microsoft.com/en-us/purview/audit-solutions-overview
- Microsoft Security Blog — Purview Audit retention increase (180‑day default): https://www.microsoft.com/en-us/security/blog/2023/10/18/expanding-audit-logging-and-retention-within-microsoft-purview-for-increased-security-visibility/
- Microsoft Learn — Event ID 4688 (new process): https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688
- Microsoft Learn — Event ID 4625 (failed logon): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- Microsoft Learn — Event ID 1102 (audit log cleared): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
- Microsoft Learn — Sysmon (process creation and more): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Microsoft Learn — Advanced hunting: find ransomware: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-find-ransomware
- CISA Eviction Strategies — Detect shadow copy deletion (CM0097): https://www.cisa.gov/eviction-strategies-tool/info-countermeasures/CM0097
- CISA Eviction Strategies — Revoke M365 refresh tokens (CM0077): https://www.cisa.gov/eviction-strategies-tool/info-countermeasures/CM0077
- Microsoft Learn — Require phishing‑resistant MFA for admins: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa
- Microsoft Security — What is FIDO2?: https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2
- Microsoft Learn — Windows Hello for Business overview: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/
- Forensic Focus — Amped FIVE update details: https://www.forensicfocus.com/news/amped-software-deployed-the-latest-amped-five-update-with-new-addition-filter-presets-project-snapshots-and-many-more-improvements/
- Forensic Focus — MSAB Q3 2025 release highlights: https://www.forensicfocus.com/news/msab-q3-2025-release-brutestorm-surge-and-powerful-enhancements-on-msab-suite/
- Microsoft Security Blog — Malvertising to infostealers campaign: https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/