Release Notes - November 2025 - #2

Detectors

New detectors

Possible AWS SES Enumeration

Amazon Simple Email Service (SES) is an email platform that provides an easy, cost-effective way for users to send and receive emails. 

Attackers have long targeted email systems to spread phishing campaigns and other malicious messages, extending their access by sending from what looks like a trusted entity.

Due to the potential for abuse, AWS SES has several built-in protections. For example, when SES is first spun up, the account is placed into a “sandbox” environment (which applies restrictions on the account’s sending rate, quota, and recipients).

If an adversary compromises a user, they cannot simply start sending emails, because of the restrictions mentioned above. Attackers are aware of these restrictions, so they first check the sending status of the account they compromised, using legitimate AWS APIs to do so. This discovery technique is referred to as AWS SES Enumeration.

The relevant APIs are: ListServiceQuotas, GetSendQuota, GetAccount, ListIdentities, GetIdentityVerificationAttributes, GetAccountSendingEnabled, and UpdateAccountSendingEnabled.
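The detection idea behind this detector can be illustrated on CloudTrail data: group the APIs listed above by calling principal and flag a principal that calls several distinct ones within a short window, which separates an enumeration burst from an administrator's isolated GetSendQuota. The script below is an added example and is not Hunters' detector logic; the CloudTrail records, the principal ARNs and the IP addresses are constructed, the window and threshold are assumptions, and note that ListServiceQuotas is a Service Quotas API (eventSource servicequotas.amazonaws.com), so a filter on the SES eventSource alone would miss it.

```python
from datetime import datetime, timedelta

# The SES discovery APIs named in the release note.
SES_ENUM_APIS = frozenset({
    "ListServiceQuotas",
    "GetSendQuota",
    "GetAccount",
    "ListIdentities",
    "GetIdentityVerificationAttributes",
    "GetAccountSendingEnabled",
    "UpdateAccountSendingEnabled",
})


def _ev(ts, source, name, arn, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}


# Hypothetical principals; the account id and IPs are constructed placeholders.
COMPROMISED = "arn:aws:iam::111122223333:user/compromised-user"
ADMIN = "arn:aws:iam::111122223333:user/mail-admin"

SAMPLE_EVENTS = [
    # A burst of distinct SES discovery calls from one principal within 30 seconds.
    _ev("2025-11-20T10:00:01Z", "ses.amazonaws.com", "GetSendQuota", COMPROMISED, "203.0.113.10"),
    _ev("2025-11-20T10:00:04Z", "ses.amazonaws.com", "ListIdentities", COMPROMISED, "203.0.113.10"),
    _ev("2025-11-20T10:00:09Z", "ses.amazonaws.com", "GetAccountSendingEnabled", COMPROMISED, "203.0.113.10"),
    # ListServiceQuotas is logged under the Service Quotas event source, not SES.
    _ev("2025-11-20T10:00:15Z", "servicequotas.amazonaws.com", "ListServiceQuotas", COMPROMISED, "203.0.113.10"),
    _ev("2025-11-20T10:00:30Z", "ses.amazonaws.com", "GetAccount", COMPROMISED, "203.0.113.10"),
    # An unrelated call in the same burst; ignored because it is not an SES discovery API.
    _ev("2025-11-20T10:00:12Z", "ec2.amazonaws.com", "DescribeInstances", COMPROMISED, "203.0.113.10"),
    # Routine, isolated calls by an administrator hours apart: should not be flagged.
    _ev("2025-11-20T11:30:00Z", "ses.amazonaws.com", "GetSendQuota", ADMIN, "198.51.100.7"),
    _ev("2025-11-20T16:45:00Z", "ses.amazonaws.com", "ListIdentities", ADMIN, "198.51.100.7"),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_ses_enumeration(events, window_minutes=15, min_distinct_apis=3):
    """Return {principal_arn: sorted distinct SES discovery APIs} for every
    principal that called at least `min_distinct_apis` distinct APIs from
    SES_ENUM_APIS inside any sliding window of `window_minutes`."""
    per_principal = {}
    for e in events:
        if e.get("eventName") not in SES_ENUM_APIS:
            continue
        arn = e.get("userIdentity", {}).get("arn", "<unknown>")
        per_principal.setdefault(arn, []).append((_parse_time(e["eventTime"]), e["eventName"]))

    window = timedelta(minutes=window_minutes)
    findings = {}
    for arn, calls in per_principal.items():
        calls.sort()  # chronological order per principal
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until calls[start..end] fit inside it.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            distinct = {name for _, name in calls[start:end + 1]}
            if len(distinct) >= min_distinct_apis:
                findings.setdefault(arn, set()).update(distinct)
    return {arn: sorted(apis) for arn, apis in findings.items()}


if __name__ == "__main__":
    for arn, apis in find_ses_enumeration(SAMPLE_EVENTS).items():
        print(f"{arn}: {', '.join(apis)}")
```

The threshold of three distinct APIs in 15 minutes is a starting point, not a tuned value: an administrator checking quotas will typically make one or two calls, whereas an enumeration pass walks most of the list in seconds. Pivoting the flagged principal on sourceIPAddress and on the credential's age (for example, a key first used minutes earlier) is the natural next investigation step.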

Deprecated detectors

The following detector will be deprecated:

Execution of WHOAMI as local system

As part of ongoing quality monitoring, this detector was found to be very noisy and inaccurate.

Many legitimate applications behave this way, which makes the detection logic ineffective.

The deprecation time is planned for Nov 27, 2025.


As mentioned in the previous release notes, the following two detectors have been deprecated recently:

Suspicious execution from %ProgramData% (deprecated)

The detector was very noisy, and execution from %ProgramData% does not by itself indicate suspicious activity unless there are other indications.

The detector was replaced by a scoring model that runs on the relevant EDR-based detectors and increases the score when the target process was executed from %ProgramData%.

Possible use of a stolen or forged user ticket (TGT) (deprecated)

The detector was very inaccurate and noisy.

The detector aimed to detect Golden Ticket attacks. However, it is becoming increasingly common for adversaries to use more advanced techniques such as Diamond and Sapphire Tickets, which this detector would not detect.

As of now, there are no effective ways to detect Diamond/Sapphire Ticket techniques. Hunters' Team Axon will keep evaluating possible detections for them and will develop a detector if one proves possible and accurate enough.

Enrichments

Potential download origin URL found

Identifies potential download origins by analyzing Mark-of-the-Web (MOTW) events generated when a file is tagged as originating from the Internet. 

The drilldown enriches the investigation with details about potential sources of the download, including Referrer and Host URLs, providing visibility into where the file may have been obtained from.

The drilldown is based on CrowdStrike's MotwWritten event and is therefore relevant only where CrowdStrike EDR logs exist.
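The Referrer and Host URLs this drilldown surfaces are the ReferrerUrl and HostUrl values that the downloading application writes into the file's Zone.Identifier alternate data stream alongside ZoneId. The parser below is an added example for analysts without CrowdStrike telemetry who want the same pivot from the stream itself; it is not the drilldown's implementation. The three stream contents and file names are constructed, and the handling of the "about:internet" placeholder (which some browsers write instead of the real host URL, leaving the referrer as the only origin hint) is the edge case a practitioner most often hits.

```python
from urllib.parse import urlparse

# URL security zone ids as written by Windows into the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed Zone.Identifier stream contents for hypothetical files.
SAMPLE_ADS = {
    "tool.exe": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.com/\r\n"
                 "HostUrl=https://cdn.example.net/files/tool.exe\r\n"),
    # Browser withheld the host URL; only the referrer identifies the origin.
    "invoice.pdf": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                    "ReferrerUrl=https://mail.example.org/attachment?id=42\r\n"
                    "HostUrl=about:internet\r\n"),
    # Minimal mark: tagged as Internet, but no origin URL recorded at all.
    "notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
}


def parse_zone_identifier(text):
    """Parse Zone.Identifier INI-style text into zone and origin fields.

    likely_origin prefers HostUrl (where the bytes were actually fetched from)
    over ReferrerUrl, but skips the "about:internet" placeholder."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()

    zone_raw = fields.get("zoneid")
    zone_id = int(zone_raw) if zone_raw is not None and zone_raw.isdigit() else None
    host = fields.get("hosturl")
    referrer = fields.get("referrerurl")
    candidates = [u for u in (host, referrer) if u and u.lower() != "about:internet"]
    origin = candidates[0] if candidates else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "host_url": host,
        "referrer_url": referrer,
        "likely_origin": origin,
        # Hostname alone is the usual pivot for proxy/DNS log searches.
        "origin_host": urlparse(origin).hostname if origin else None,
    }


def read_zone_identifier(path):
    """Read and parse the Zone.Identifier stream of a file on an NTFS volume
    (Windows only); returns None when the file carries no mark."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for name, ads in SAMPLE_ADS.items():
        info = parse_zone_identifier(ads)
        print(f"{name}: zone={info['zone_name']} origin={info['likely_origin']} host={info['origin_host']}")
```

A file whose mark records a ZoneId of 3 but no URL at all (the notes.txt case) still tells you the file crossed a trust boundary; the absence of URLs usually means the writing application, not the file, decided not to record them, so the remaining pivot is the process that created the file rather than the network origin.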

Microsoft 365 users who accessed mailbox owned by this user

Presents all users that accessed the mailbox owned by a given user.

This drilldown can be useful in understanding whether a given mailbox is a shared mailbox or not.

This drilldown is mainly useful for the detector "Microsoft 365 Abnormal Mail Access by Unusual ClientAppId": when multiple non-owner users have been accessing the mailbox, it is more likely to be a shared mailbox, which decreases the likelihood that the abnormal mail access is malicious.
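The reasoning above can be reproduced from Microsoft 365 unified audit log data by collecting, for a given mailbox owner, every distinct non-owner account that generated MailItemsAccessed records against that mailbox, together with the ClientAppIds each one used. The code below is an added example and is not the drilldown's implementation; the audit records, users and ClientAppId values are constructed, the field names (UserId for the accessing account, MailboxOwnerUPN for the owner, LogonType 0 for owner and 2 for delegate access) follow the Exchange mailbox audit schema as assumed here, and the "three or more non-owner users" threshold is an assumption.

```python
from collections import defaultdict

# Constructed unified audit log records for hypothetical users; ClientAppId
# values are placeholders, not real application ids.
SAMPLE_RECORDS = [
    {"Operation": "MailItemsAccessed", "UserId": "finance@example.com",
     "MailboxOwnerUPN": "finance@example.com", "ClientAppId": "app-outlook-desktop", "LogonType": 0},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "MailboxOwnerUPN": "finance@example.com", "ClientAppId": "app-outlook-desktop", "LogonType": 2},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com",
     "MailboxOwnerUPN": "finance@example.com", "ClientAppId": "app-outlook-web", "LogonType": 2},
    {"Operation": "MailItemsAccessed", "UserId": "carol@example.com",
     "MailboxOwnerUPN": "finance@example.com", "ClientAppId": "app-outlook-desktop", "LogonType": 2},
    # Same person as alice, different casing and an unusual client.
    {"Operation": "MailItemsAccessed", "UserId": "Alice@example.com",
     "MailboxOwnerUPN": "finance@example.com", "ClientAppId": "app-unusual-client", "LogonType": 2},
    # Alice reading her own mailbox: not a non-owner access.
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "MailboxOwnerUPN": "alice@example.com", "ClientAppId": "app-outlook-desktop", "LogonType": 0},
    # A single non-owner reading Dave's mailbox with an unusual client.
    {"Operation": "MailItemsAccessed", "UserId": "mallory@example.com",
     "MailboxOwnerUPN": "dave@example.com", "ClientAppId": "app-unusual-client", "LogonType": 2},
    # Other operations are out of scope for this drilldown.
    {"Operation": "Send", "UserId": "eve@example.com",
     "MailboxOwnerUPN": "dave@example.com", "ClientAppId": "app-outlook-web", "LogonType": 2},
]


def non_owner_accessors(records, mailbox_owner):
    """Map each non-owner account that accessed `mailbox_owner`'s mailbox to
    the sorted list of ClientAppIds it used. UPNs are compared case-insensitively."""
    owner = mailbox_owner.lower()
    apps_by_user = defaultdict(set)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        if r.get("MailboxOwnerUPN", "").lower() != owner:
            continue
        user = r.get("UserId", "").lower()
        if not user or user == owner:
            continue
        apps_by_user[user].add(r.get("ClientAppId", "<none>"))
    return {user: sorted(apps) for user, apps in apps_by_user.items()}


def assess_mailbox(records, mailbox_owner, shared_threshold=3):
    """Summarise non-owner access and judge whether the mailbox looks shared.

    A mailbox read by several distinct non-owner accounts is more plausibly a
    shared mailbox, which lowers the weight of an unusual ClientAppId alert."""
    accessors = non_owner_accessors(records, mailbox_owner)
    return {
        "mailbox": mailbox_owner,
        "non_owner_users": sorted(accessors),
        "client_apps_by_user": accessors,
        "likely_shared": len(accessors) >= shared_threshold,
    }


if __name__ == "__main__":
    for owner in ("finance@example.com", "dave@example.com"):
        a = assess_mailbox(SAMPLE_RECORDS, owner)
        print(f"{owner}: {len(a['non_owner_users'])} non-owner user(s), likely_shared={a['likely_shared']}")
```

In the sample, the finance mailbox has three distinct non-owner readers and is judged likely shared, so an unusual ClientAppId there is weaker evidence; Dave's mailbox has exactly one non-owner reader using an unusual client, which is the pattern that keeps the alert's weight. The per-user ClientAppId breakdown is kept in the result because a single non-owner account using a client none of the other readers use is itself worth a look, even in a shared mailbox.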

Integrations

New integration releases:

  1. DataDog - added webhook integration

  2. Delinea-audit-logs (Suite Cloud) - S3 integration

  3. Beyondtrust-remote-support-session - API integration

  4. FortiDLP-logs - API integration

  5. Genesys-audit-logs - API integration