Weekly Cyber Briefing 28.07.2025

Cyber Intelligence Briefing: 25 July 2025. Security breach at Swiss health care provider Ameos

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.

Security breach at Swiss health care provider Ameos

Ameos, a Zurich-based healthcare provider with over 100 facilities, has experienced a security breach. The breach could lead to the exposure of sensitive data such as patient, customer, employee and partner information. There are no signs at present that data have been published, and no major ransomware group has claimed responsibility.

[Researcher: Lena Krummeich, S-RM]

Assured’s CISO reacts:

A number of large data breaches have been in the news recently. For Philadelphia Insurance (US), the cause seems to be part of Scattered Spider's focus on the insurance industry. For Ameos, there are reports of unauthorised third-party access, while for Allianz (via a third-party, cloud-based CRM system, which is unnamed, but it's public knowledge Allianz use D365 among others), it's believed to be a social engineering attack, possibly by the group ShinyHunters, which Mandiant warned last month were targeting Salesforce customers.

Here are some protection measures, specific to their TTPs (they’re largely Intune focussed):

1. (M1018) Multi-Factor Authentication (to block credential reuse and phishing):

  • Intune conditional access rule: Enforce MFA for all Office 365 and Azure roles.
    powershell
      # AzureAD module: -Conditions and -GrantControls take the typed objects below, not hashtables,
      # and ClientApp is not a property (ClientAppTypes is). The module is retired; Microsoft Graph PowerShell replaces it.
      $c = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
      $c.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition; $c.Applications.IncludeApplications = "Office365"
      $c.Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition; $c.Users.IncludeUsers = "All"
      $c.ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
      $g = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls; $g._Operator = "OR"; $g.BuiltInControls = @("mfa")
      New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA for O365" -Conditions $c -GrantControls $g -State "enabled"
  • Intune device compliance policy: Block sign-ins from unmanaged devices.
    • Set requireDeviceCompliance=true in Azure AD sign-in risk conditional access, ensuring only managed and compliant endpoints can log in.

2. (M1026) Credential Exposure Monitoring (detect exposed OAuth/access keys):

  • Intune compliance script, deployed to endpoints, scanning code repos for exposed AWS access keys/OAuth tokens:
    powershell
      New-Item -ItemType Directory -Path C:\Intune -Force | Out-Null   # Out-File does not create the folder
      Get-ChildItem -Path "C:\repos","C:\Users\*" -Recurse -Include *.env,*.json,*.yaml -File -ErrorAction SilentlyContinue |
        Select-String -Pattern "AKIA[0-9A-Z]{16}" | Select-Object Path, LineNumber |   # log where the key is, not the key itself
        Out-File C:\Intune\exposed_keys.log
  • Custom detection rule in Microsoft Defender for Cloud Apps:
    • Create alert on upload events containing AWS access key patterns or GitHub OAuth tokens and auto-block sharing.

3. (M1042) Cloud Logging and Monitoring (detect misuse of S3 Browser, WinSCP tools):

  • Enable AWS CloudTrail and S3 access logging via Intune-managed AWS CLI runs:
    powershell
      aws cloudtrail update-trail --name primaryTrail --s3-bucket my-trail-bucket --is-multi-region-trail
      # Management events alone do not record object reads; S3 data events are needed before GetObject from these tools is logged
      '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::sensitive-bucket/"]}]}]' | Set-Content selectors.json
      aws cloudtrail put-event-selectors --trail-name primaryTrail --event-selectors file://selectors.json
      # JSON goes through file:// because PowerShell rewrites embedded quotes in arguments to native commands
      '{"LoggingEnabled":{"TargetBucket":"log-bucket","TargetPrefix":"s3/"}}' | Set-Content logging.json
      aws s3api put-bucket-logging --bucket sensitive-bucket --bucket-logging-status file://logging.json
  • Deploy fixed analytics rules within AWS Security Hub via AWS CloudFormation (triggered by Intune-run CloudFormation):
    yaml
      # Security Hub insights filter findings, not raw CloudTrail events, so AwsCloudTrail.EventName cannot be used there;
      # an EventBridge rule on "AWS API Call via CloudTrail" is the resource that matches event names. EventBridge only
      # receives management events: GetObject (GetBucketObject is not an event name) is a data event, so hunt for it in the
      # CloudTrail data events and S3 access logs enabled above. Attach an SNS or Lambda target to the rule.
      Resources:
        S3BrowserUseAlert:
          Type: AWS::Events::Rule
          Properties:
            Name: s3browser-or-winscp-usage
            Description: "S3Browser or WinSCP usage"
            State: ENABLED
            EventPattern:
              source: ["aws.s3"]
              detail-type: ["AWS API Call via CloudTrail"]
              detail:
                eventSource: ["s3.amazonaws.com"]
                eventName: ["ListBuckets", "GetBucketLocation"]

4. (M1033) Repository Hardening & IaC Secrets Scanning:

  • Intune-delivered installation of a local pre-commit hook on DevOps workstations.
  • Enforce blocking of commits via Azure DevOps policy:
    • Add a branch policy that disallows pushes where the detect-secrets scan returns results, using an Intune-installed hook with a pre-receive hook script that runs detect-secrets.

5. (M1050) Username/Password Spray and Brute-Force Protection:

  • Configure Azure AD Smart Lockout via Intune (Intune-managed AD settings):
    powershell
      # Set-AzureADPolicy has no Smart Lockout policy type and -Id takes a policy object ID, so the call below does not
      # configure lockout. The values are set in the Entra admin center under Protection > Authentication methods >
      # Password protection (Lockout threshold, Lockout duration in seconds). Kept here to show the intended values.
      # Set-AzureADPolicy -Id "SmartLockoutPolicy" `
      #  -Definition @('{"LockoutThreshold":5,"duration":"00:15:00","observationWindow":"00:15:00"}')
    • Set LockoutThreshold=5, LockoutDuration=900 seconds, ObservationWindow=900 seconds in tenant settings.
  • Deploy an Intune custom firewall rule to restrict outgoing access to known mass-credential-stuffing services (e.g., block Tor exit node IP lists via a regularly updated IP set).

6. (M1017) Least-Privilege and Permission Boundaries in Cloud:

  • Intune-triggered automation to ensure all IAM roles have scoped policies:
    • Run a script that fetches aws iam list-policies and flags any roles with AmazonS3FullAccess, automatically replacing it with granular S3-only read access:
      powershell
        # Swaps the managed policy on one role. AmazonS3ReadOnlyAccess still reads every bucket in the account,
        # so a customer-managed policy scoped to the role's own buckets is the real least-privilege target.
        aws iam detach-role-policy --role-name DevOps --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
        aws iam attach-role-policy --role-name DevOps --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  • Deploy permission boundary enforcement via Organizations SCP:
    json
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Deny",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalTag/role": "third-party"
            }
          }
        }]
      }
    • Use the JSON SCP template applied via Intune push.
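
The endpoint scan in measure 2 and the pre-commit hook in measure 4 come down to the same check: find credential-shaped strings before they leave a workstation. The script below is an added example written for this briefing, not part of the CISO's measures or of any vendor tool; it is in Python so the same file runs as a Git pre-commit hook on any platform. The .env contents it scans are constructed (the AKIA key, hex API key and ghp_ token are made up; the wJalr... value is the AWS documentation placeholder), the token formats are the public AWS and GitHub ones, and the entropy cut-off and allowlist are assumptions to tune per repository.

```python
"""Secret scanning for a Git pre-commit hook, covering the endpoint scan in
measure 2 and the repository hook in measure 4.

Fixed-shape credentials (AWS access key IDs, GitHub personal access tokens) are
matched by pattern; values assigned to secret-looking variable names are judged
by Shannon entropy so that opaque strings are caught and placeholders are not.
Run with no arguments it scans the added lines of the staged diff (git assumed
on PATH); given paths it scans those files. The .env sample is constructed.
"""
import math
import re
import subprocess
import sys
from collections import Counter

SHAPE_PATTERNS = {                       # public token formats
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# password = "...", SECRET_KEY: '...', AWS_SECRET_ACCESS_KEY=...; the value is judged by entropy
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key|aws_secret_access_key)\b\s*[=:]\s*['\"]?([^'\"\s]{8,})")
ENTROPY_THRESHOLD = 3.5                  # bits per character; assumed cut-off, tune on your repositories
ALLOWLIST = ("EXAMPLE", "changeme", "<", "${", "xxxx")   # documentation placeholders, never real secrets


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-char string spread evenly over 16 hex symbols comes out at exactly 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return findings as (path, line_no, rule, matched_value) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in SHAPE_PATTERNS.items():
            for m in pat.finditer(line):
                if not any(a in m.group(0) for a in ALLOWLIST):
                    findings.append((path, no, rule, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if any(a.lower() in value.lower() for a in ALLOWLIST):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, no, "high_entropy_" + name, value))
    return findings


def scan_staged_diff() -> list:
    """Scan only the added lines of the staged diff (line_no is relative to the hunk line, not the file)."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings, path = [], "?"
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+") and not line.startswith("+++"):
            findings += scan_text(path, line[1:])
    return findings


# Constructed sample: the AKIA key, hex API key and ghp_ token are made up; the wJalr... value is the AWS docs placeholder.
SAMPLE_ENV = """\
# .env checked in by mistake
AWS_ACCESS_KEY_ID=AKIA2ZQXY7T4NPLM8WVB
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_KEY=9f8e7d6c5b4a39281706f5e4d3c2b1a0
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
password = "changeme"
"""

if __name__ == "__main__":
    found = scan_staged_diff() if len(sys.argv) == 1 else [
        f for p in sys.argv[1:] for f in scan_text(p, open(p, encoding="utf-8", errors="replace").read())]
    for path, no, rule, value in found:
        print(f"{path}:{no}: {rule}: {value[:6]}...")   # never echo the whole secret into hook or CI output
    sys.exit(1 if found else 0)
```

Installed as .git/hooks/pre-commit (or wired into the detect-secrets pre-commit configuration the text mentions) the non-zero exit blocks the commit; the same scan_text function run over a directory tree is the endpoint-side check from measure 2, and reporting only the first six characters keeps the finding useful without copying the secret into another log.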
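
Smart Lockout in measure 5 counts failures per account, so a spray that tries one password against many accounts never reaches LockoutThreshold on any of them. The detector below is an added example, not code from the briefing or from Microsoft; it applies the same 15-minute observation window to failures per source IP across distinct accounts, and flags a later success from a spraying IP as the event to act on. The sign-in records are constructed; the field names follow the Entra ID sign-in log export, 50126 is the invalid-username-or-password error code, and the distinct-account threshold is an assumed value.

```python
"""Password-spray and brute-force detection over Entra ID sign-in records.

Smart Lockout counts failures per account, so one password tried against many
accounts stays below LockoutThreshold on every one of them. This detector keeps
the same observation window but also counts, per source IP, how many distinct
accounts failed inside it, and flags a later success from that IP. The sign-in
records are constructed for the example; field names follow the Entra ID
sign-in log export.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # same value as the Smart Lockout setting
OBSERVATION_WINDOW = timedelta(minutes=15)
SPRAY_MIN_DISTINCT_USERS = 5             # assumed value; tune to tenant size
WRONG_PASSWORD = 50126                   # Entra error code: invalid username or password


def parse_signin(line: str) -> dict:
    """One JSON sign-in record -> the four fields the detector needs."""
    rec = json.loads(line)
    return {
        "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        "user": rec["userPrincipalName"].lower(),
        "ip": rec["ipAddress"],
        "failed": rec["status"]["errorCode"] == WRONG_PASSWORD,
    }


def _expire(window: deque, now: datetime) -> None:
    """Drop entries older than the observation window; entries are (time, ...) tuples."""
    while window and now - window[0][0] > OBSERVATION_WINDOW:
        window.popleft()


def detect(lines) -> dict:
    """Return {(kind, key): alert}. An alert is created when its threshold is first
    crossed and its counters keep growing while the activity continues."""
    per_user = defaultdict(deque)   # account -> (time,) of failures inside the window
    per_ip = defaultdict(deque)     # source IP -> (time, account) of failures inside the window
    tried = defaultdict(set)        # source IP -> every account it has failed against
    alerts = {}
    for rec in sorted((parse_signin(l) for l in lines), key=lambda r: r["time"]):
        now, user, ip = rec["time"], rec["user"], rec["ip"]
        if not rec["failed"]:
            # A success from a spraying IP against an account it sprayed is the one to act on.
            if ("spray", ip) in alerts and user in tried[ip]:
                alerts[("spray_success", ip)] = {"kind": "spray_success", "key": ip, "user": user}
            continue
        u = per_user[user]
        u.append((now,))
        _expire(u, now)
        if len(u) >= LOCKOUT_THRESHOLD:          # what Smart Lockout itself would catch
            a = alerts.setdefault(("bruteforce", user),
                                  {"kind": "bruteforce", "key": user, "ip": ip, "failures": 0})
            a["failures"] = max(a["failures"], len(u))
        p = per_ip[ip]
        p.append((now, user))
        _expire(p, now)
        tried[ip].add(user)
        distinct = {x for _, x in p}
        if len(distinct) >= SPRAY_MIN_DISTINCT_USERS:   # what Smart Lockout misses
            a = alerts.setdefault(("spray", ip),
                                  {"kind": "spray", "key": ip, "distinct_users": 0, "failures": 0})
            a["distinct_users"] = max(a["distinct_users"], len(distinct))
            a["failures"] = max(a["failures"], len(p))
    return alerts


def _line(ts, user, ip, code):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample: a spray over eight accounts (one attempt each), a brute force on one account, benign noise.
SAMPLE_LOG = (
    [_line(f"2025-07-25T08:{i:02d}:00Z", f"user{i}@example.com", "203.0.113.10", WRONG_PASSWORD) for i in range(8)]
    + [_line("2025-07-25T08:20:00Z", "user3@example.com", "203.0.113.10", 0)]          # the spray found a password
    + [_line(f"2025-07-25T09:{i:02d}:30Z", "finance@example.com", "198.51.100.7", WRONG_PASSWORD) for i in range(6)]
    + [_line("2025-07-25T10:00:00Z", "alice@example.com", "192.0.2.4", WRONG_PASSWORD),  # one typo, then success
       _line("2025-07-25T10:00:20Z", "alice@example.com", "192.0.2.4", 0)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG).values():
        print(alert)
```

On the sample the spraying IP never pushes any single account past one failure, so the per-account rule (the logic Smart Lockout applies) fires only for the finance account, while the per-IP rule catches the spray at its fifth distinct account and the later success against user3 is reported separately. In production the same logic runs over the sign-in log export from Entra ID (or the SigninLogs table in Sentinel); the per-IP key is weaker against sprays distributed over many source addresses, so pair it with the user-agent and the AuthenticationRequirement fields when those are available.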
