How Ransomware Groups Got In: @rapid7 MDR’s Top Initial Access Vectors from Q1 2025.

Top Initial Access Vectors
- Account Compromise (No MFA)
- Vuln Exploitation (all known, patchable)
- Brute Forcing
- Exposed RDP
- SEO Poisoning

What our #MDR team saw in real-world ransomware intrusions in Q1—and what you can do to reduce risk 🧵

1. Account Compromise (No MFA)
Over 50% of ransomware-related intrusions started with compromised credentials.

What we saw:
- Single-factor sign-ins (VPNs, email, portals)
- Accounts that should’ve had MFA, but didn’t—usually due to misconfigurations

✅ Action:
- MFA all of the things. All of them.
Go with phishing-resistant MFA (like FIDO2 or security keys) if you can.
- If you're using push-based MFA, make sure number matching and location-based checks are turned on to stop push fatigue abuse.
- Also, audit your IdP—misconfigured policies and exceptions are more common than you think.

2. Vulnerability Exploitation

These were all known vulnerabilities with patches available—but still got hit in the wild.

Targets included:
Fortinet (FortiOS / FortiProxy):
- CVE-2024-55591 – Auth bypass via WebSocket → super-admin
- CVE-2025-24472 – CSF proxy bypass → super-admin

SimpleHelp:
- CVE-2024-57726 to -28 – Privilege escalation, path traversal, and remote code execution via zip slip and config theft

✅ Action:
- Patch with purpose. Start with the CVEs actively exploited in the wild—use feeds like the CISA KEV catalog.
- If you can’t patch right away, apply virtual patching, segment affected services, or limit external access.
- Run authenticated vuln scans, and if you’ve got a BAS tool, simulate exploitation to test controls.
- For anything internet-facing, aim for a 24–48 hour patching SLA.

Top 3 #M365 Account Takeover (ATO) actions spotted by our SOC in Q1:

1. New-inbox rule creation to hide attacker emails
2. Register new MFA device for persistence
3. Create mailbox forwarding rules to monitor victim comms and intercept sensitive info

More details in 🧵...

50% of ATO activity in M365 we identified was for New-inbox rules created by an attacker to automatically delete certain emails from a compromised account. By deleting specific emails, an attacker can reduce the chance of the victim or email admins spotting unusual activity.

25% percent of ATO activity we identified was for the registration of a new MFA device in Azure. Registering a new MFA device allows an attacker to maintain persistence.

We're seeing more and more M365 session cookie theft for initial access....

BEC threat actors favorite #M365 Inbox-rule names:

'.'
'..'
'.;'
'l'
'r'

By deleting specific emails, an attacker can reduce the chance of the victim spotting unusual activity.

You can build high quality detections to spot this activity. A 🧵with real-world examples...

Account takeover (ATO) activity in M365 can involve various unauthorized actions performed by an attacker who has gained control over the account.

Of the ATO activity we identified in M365 in Q1 '23:

50% of all ATO in M365 we identified was for New-inbox rules created by the attacker to automatically delete or hide certain emails from the compromised account.

A #SOC analyst picks up an alert and decides not to work it.

In queuing theory, this is called “work rejection”–and it’s quite common in a SOC.

TL;DR - “Work rejection” is not always bad, but it can be measured and the data can help improve performance. More details in the 🧵..

A couple of work rejection plays out in the SOC. The most common:

An analyst picks up an alert that detects a *ton* of benign activity. Around the same time, an alert enters the queue that almost *always* finds evil. A decision is made...

The analyst rejects the alert that is likely benign for an alert that is more likely to find evil.

Let’s assume the analyst made the right call. They rejected an alert that was likely benign to work an alert that was evil. Work rejection resulted in effective #SOC performance.

A good detection includes:
- Clear aim (e.g, remote process exec on DC)
- Unlocks end-to-end workflow (not just alert)
- Automation to improve decision quality
- Response (hint: not always contain host)
- Volume/work time calcs
- Able to answer, “where does efficacy need to be?”

On detection efficacy:
⁃ As your True Positive Rate (TPR) moves higher, your False Negative Rate moves with it
⁃ Our over arching detection efficacy goal will never be 100% TPR (facts)
⁃ However, TPR targets are diff based on classes of detections and alert severities

Math tells us there is a sweet spot between combating alert fatigue and controlling false negatives. Ours kind of looks like a ROC curve.

This measure becomes the over arching target for detection efficacy.

“Detection efficacy is an algebra problem not calculus.” - Matt B.

There’s no more strategic thing than defining where you want to get to and measuring it.

Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if you’re there or not.

A 🧵 on #SOC strategy / metrics:

Before we hired our first #SOC analyst or triaged our first alert, we defined where we wanted to get to; what great looked like.

Here’s [some] of what we wrote:

We believe that a highly effective SOC:

1. leads with tech; doesn’t solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, “are we getting better, or worse?”