Huntress MDR for Microsoft 365

MSP | 0 comments

Edit: it’s definitely a SOC.

This post is from the live webinar put on by Huntress on August 30th, 2023. The style is half product, half attack stories, similar to the endpoint marketing.

About This Article

None of this is confidential, a point Huntress (Rich) made explicitly during the webinar. Quotes are best effort, I’m typing them up as they go, so they might not be exact. Some quotes have been cleaned up for grammar and spelling. Finally, the post isn’t chronological, I ordered things so that it fits into understandable narrative.

Panelists: Kyle Hanslovan, Nadya Duke Boone, Josh Lambert (Sr. Project Manager), Chris Bisnett (CTO and Founder), Kyle Hanslovan (CEO). 400+ attendees.

Early access pricing, good through end of September. Lock in price for 2 years.

An interesting tidbit, Huntress is a fully remote company. I assume that they bring this up to demonstrate why they are in a unique place to create MDR for 365.

“We’re providing real fucking value.”

Kyle Hanslovan

Kyle and Chris think that there is not another product that does something like this. Chris: I ” feel like we’re pretty big, but there has to be some other MSSPs consuming a lot of data.”


This is like Huntress for M365 instead of for endpoints: it is a “fully managed” MDR tool. It looks at events inside M365 and flags them for human review at the Huntress SOC. Remediations can be taken from there, either by the SOC or the MSP.

Those are the two primary selling points: it’s managed, and there is a human looking at it.

It is clearly a competitor to SaaS Alerts and probably RocketCyber as well. I don’t see why most MSPs would use more than one of three of these. (It isn’t clear where Augmentt fits in)

You can skip to the questions and get the jist of the rest of it.

“Why did we build this?”

“We’re gonna go where the hackers go.”

Kyle: “If you wait [to launch a product] until you [have everything perfect] you waited to long… this was our approach to endpoints.”

Is this an MVP? “This is a Huntress-ready product… remember that V in MVP… a product that will take care of your ass.”

Chris: When we [originally] started, Huntress noticed that everyone had antivirus but it wasn’t preventing attacks. Context helped solve that, files that weren’t clearly malicious in the temp directories, etc. [I.e., this is the same idea]

History of Huntress product development:

Kyle: “You can see what we built and released in 2015 isn’t anything like what we’re offering in 2023”

Kyle: [Even] Microsoft is experiencing their own issues. [See post/tweet to the right here]

Hacker tradecraft is changing, shift towards identity theft.

“The tradecraft is still really immature.”

[I think Kyle said that they started going after mid-market and enterprise? not sure]

Huntress even went to Blackhat — sounds like to go after enterprise customers.

Product Demo

Chris: “We really believe in building for the future.”

Use CSP to add tenants. A second account is required to implement. An Exchange license needed for a smooth implementation, to handle inbox rules and “a tighter integration.

The CSP account needs… basically permissions to everything.

“We require a bunch of roles. You can see the exact roles we need via our KB:

Huntress pulls all of your tenants in CSP and lets you map them to Huntress customers. You can only integrate a single CSP at a time.

You can MFA report across all users.

What is Huntress Seeing?

Kyle: “When you build an early product, you don’t always see what you were expecting.”

This is a fully managed MDR product.” The third incident would not have been captured without humans looking at it. “Managed teams and managed security can really be a win.”

Event Data

730,000 users monitored already, 486 incidents reported. [That seems really, really low to me]

Sample Incident — Huntress Says This Was Real

Attacker gets in

Chris says this was happening over ExpressVPN

Foothold established

Attacker able to regain access [until huntress kicks them out]

Second Incident Example – Weird Rules

RSS rules are created, but travel is all over the place, changed from Windows to macOS

Third Incident – Shadow Workflows

Huntress has even seen attackers create their own MFA inside M365.


Uses Microsoft Graph to pull in data. On a per-user basis, expects that to change this year [so per user licenses aren’t needed?]

Chris: Other products that came before us use polling and try to see what changed between polls, that has its own limitations, it doesn’t scale.

Chris: This is MDR today, but we’re going in a direction for Managed Microsoft 365. You’ll see us adding configuration among other things.

Kyle: The Three Best AVs

[Kyle takes a brief left turn here]

These change up, management is key: S1, Defender and high-end version of CrowdStrike. “I’d say Huntress managing Microsoft Defender will crush it all day… you’re not going to get a better offer. [A number of] our partners run huntress and S1 side-by-side [so you can do that].”

James: “…we definitely can be used in tandem with SentinelOne, however there is a lot of crossover with between us, we definitely should chat, I’d get in touch with your Channel Account Manager to help with that decision further”

M365 Licensing

No topic had more questions than what licensing is required. Currently, P1 is required per user. This is expected to change in September with a change in how Microsoft handles logging and licensing.

How does this compare to SaaS Alerts?

Huntress doesn’t hold any punches here, which is appreciated.

So, is a product like SaaS Alerts a competitor? If I am about to sign a multiyear contract with SA or Huntress, do I need or want both?

SaaS Alerts would be a competitor to MDR for Microsoft 365 – if you’d like some information on how we differ to help you decide which to use, please do reach out to your Channel Account Manager

Can Huntress MDR for 365 work with tools like SaaS Alerts?

We do not currently have an integration planned with SaaS Alerts. [There is no reason that they would, this is clearly a competing product at the core.]

Is there any other selling points as far as differences between you guys and SaaS Alerts?

Everybody is looking at the same data! We think the human element between you and those alerts is REALLY REALLY important!

Do you plan on having recommended conditional access policies, similar to SaaS Alerts? Also we’re finding DNS filtering being important does Huntress recommend any products on this or may have something in the pipeline?

“This is definitely on the roadmap. Stay tuned, we should get to talking about this soon.” [Unclear if this is about SaaS Alerts or DNS filtering]”

What Isn’t On The Roadmap

  • Email filtering
  • …other products… Chris Bisnett says that for other products, “you can expect a similar path,” but I didn’t hear him give us any specific answers.
  • Email analysis: “We do not analyze email content with this product”
  • DLP


Pricing & Billing Questions

Is Pax8 on the roadmap?

If we went through Pax8, it would be 20% more expensive than buying direct to make up for the margin they charge us to sell through Pax8. Even though we love the Pax8 team, our partners have given us the feedback that paying 20% more isn’t worth the benefit of consolidated billing Pax8 provides.

Kyle Hanslovan

How much?

No real answer: “[W]e currently have Early Adopter pricing available. If you have a Huntress account manager already, reach out to them for more details.”

Will the pricing information and documentation be sent to us after this meeting?

It won’t be sent as part of the webinar follow-up email, but it also isn’t a secret! Feel free to reach out to feedback, sales, or your account manager for more info.

is there an NFR program for internal use?


What is a billed user? a m365 with any m365 license or only licenses with email? Unlicensed users? Shared Mailboxes?

We do our very best to ONLY bill you for actual user identities. It’s a little more difficult to discern that with something on the order of 3000 different license types out there. If you see a license type listed as “billable” that you think shouldn’t be, you can always reach out to Support to get some clarification.”

Feature Questions

Can you push MFA and verify that it’s enforced?

“We do not currently make config changes to your Microsoft tenants.”

Is there a push button baseline config that automatically gets activated upon turning this on?

“Not yet! Stay tuned.” [But see the previous question]

If MDR has been connected after a breach, will this still show detection, etc. after the fact?

We will detect and report existing malicious inbox rules after you enable the integration.

I use MS365 without email, in other words email carrier is a different company. Would MDR work in this case?


MDR Response Questions

How far behind real-time does huntress detect and report an event?

We’re at the mercy of Microsoft here but generally a few minutes

Could you filter based on IP Adress registration? Example: If the IP used to login is from a known VPN host then it is blocked.

We do not block logins. If an analyst believes that a login is coming from a malicious actor (via a compromised IP), they can lock out the account

Does Huntress/can Huntress block accounts that are found to be compromised? / What are some remediation steps that Huntress can take in M365?

A Huntress analyst can disable and lock an account without partner intervention. We can also provide an assisted remediation to remove malicious inbox rules. We also provide manual remediation steps beyond that to kick out threat actors.

Can Huntress Geofence M365 logins?

Not at present

Kyle and Josh both pile on that geofencing provides limited value.

Will Huntress flag [not block] a suspicious login if it comes from a “legitimate” (Proto, etc.) VP service?

Potentially. If our SOC analysts deem that the legit VPN is being used maliciously, they will issue a report

I see that you guys are detecting events, does a ticket get generated for intervention with the MSP’s ticketing system or does this have automated responses?

We have integrations into some of the most common MSP ticketing tools out there, some of our remediation steps can/will have a ‘One Click’ button to remediate issues without the need of additional steps

Technical “How Does this Work” and Compliance Questions

Can we connect to GCC High tenant?

“..we currently don’t have GCC High tenant support…”

Is this GPDR compliant?

No, we do not have the ability to segment our data in that way. We do our best to comply with as much of GDPR as we can.

How long are logs kept?

2 weeks. [It sounds like they don’t want to be a SIEM. Not sure how they can export to partners without excessive egress bandwidth costs.]

Huntress Gets Push Notifications?

“Correct, we leverage a webhook so Microsoft pushes us data.”

Does this use CPV AppConsent API to configure CSP customer permissions on GDAP agreements, or is it a per-tenant permission acceptance?

“MDR for Microsoft 365 can do both :)”

Are you scraping/streaming Microsoft Defender for Office 365 and Microsoft Advisor recommendations as part of the MDR?

Not yet. We are ingesting events directly from the Azure logs

Other Questions

Are you guys seeing any weird reporting based on users using personal VPN services?

“We’re seeing a shit ton of personal VPN and odd nonsense when examining at scale.”

I currently use Datto for email protection and backup. Will Huntress play nice with that?

We shouldn’t interfere with any service you have for email filtering, backup, etc. We do not alter the contents of emails or look at email contents at all.


What's your $0.02?

This site uses Akismet to reduce spam. Learn how your comment data is processed.