TH0.2 The Dwell Time Gap

3-4 hours · Module 0 · Free
What you already know

Section 0.1 measured your detection coverage ratio — the percentage of ATT&CK techniques your rules actually cover. The gap tells you where attackers can operate without triggering an alert. Dwell time tells you what happens in that gap: how long attackers remain undetected and what they accomplish at each stage. The coverage gap creates the opportunity. Dwell time measures the cost.

Scenario

Rachel Okafor reviews an incident that Northgate's managed SOC escalated. The investigation reveals the attacker was in the environment for 23 days before the compromised account triggered a high-severity Defender XDR alert. During those 23 days, the attacker registered a secondary MFA method, created mailbox forwarding rules, consented to two OAuth applications, and downloaded 4,200 files from three SharePoint document libraries. Every one of those actions was logged. None of them generated an alert. Rachel asks: what would have happened if someone had looked at those logs on day three instead of day 23?

Fourteen days — and rising

Mandiant's M-Trends 2026 report, drawn from over 500,000 hours of incident response investigations conducted in 2025, found that global median dwell time rose to 14 days — up from 11 days the year before and 10 days the year before that. After a decade of improvement, the trend reversed.

The headline number tells a partial story. Internal detection (where the organization discovered the breach itself) actually improved to a median of 9 days. The overall increase was driven by external notification cases, where dwell time jumped to 25 days, pulled up by two specific categories: cyber espionage campaigns and North Korean IT worker operations, both of which achieved median dwell times of 122 days. Some espionage intrusions persisted undetected for over a year — far beyond standard 90-day log retention policies.

The Microsoft Digital Defense Report 2025 adds context specific to M365 environments. Average dwell time across Microsoft incident response engagements was 12 days, with an average "threat actor activity length" of 58 days, meaning some actors return intermittently over extended periods. Data collection or staging activity was observed in 80% of reactive engagements. In 46% of cases, the organization detected the threat actor within 48 hours, but the gap between detection and decisive response is where damage accumulates.

These numbers represent investigated incidents. The intrusions that were never detected at all — the BEC operator who intercepted one wire transfer and vanished, the data theft operator who exfiltrated a customer database without leaving obvious traces — never appear in any dwell time statistic. The actual median dwell time, including undetected compromise, is unknowable and certainly higher.

Figure TH0.2 (text recovered from the diagram):
DWELL TIME — WHAT THE ATTACKER ACCOMPLISHES
Day 1 — PERSISTENCE: register MFA method, create inbox rules, consent OAuth app, enumerate directory. HUNTABLE ✓
Day 2–5 — RECONNAISSANCE: read targeted email, explore SharePoint, map sensitive data, probe cloud-to-prem. HUNTABLE ✓
Day 5–14 — EXECUTION: BEC wire fraud, data exfiltration, ransomware staging, privilege escalation. HARDER TO REVERSE
Day 14+ — CATASTROPHE: domain compromise, backup destruction, full data loss, external IR required. ORGANIZATIONAL CRISIS
HUNTING WINDOW — every day earlier changes the outcome. DAMAGE ACCELERATION — cost compounds daily.
Hunting compresses dwell time. Each day of compression reduces the scope of compromise, the cost of remediation, and the regulatory exposure.

Figure TH0.2 — Dwell time progression in an M365 compromise. The first five days establish persistence and reconnaissance. Days 5–14 execute the attacker's objective. After day 14, the compromise escalates to organizational crisis. Hunting intervenes in the left half of this timeline — where the attacker is still preparing and containment is still possible.

Hours 0–24: the persistence window

The attacker has a valid session obtained through AiTM phishing, credential stuffing, an access broker purchase, or a compromised partner account. Their first priority is not data theft. It is survival. They need to ensure that when someone resets the compromised password or revokes the session, they can return.

In the first 24 hours, a competent M365 attacker typically does four things. They register a new MFA method (an authenticator app, a phone number, or a FIDO key) on the compromised account. Entra ID logs this in AuditLogs as "User registered security info." It generates no alert because users register MFA methods every day: new employees, device replacements, app reinstalls. The attacker's registration is invisible in that noise.

They create inbox rules that redirect emails containing "password reset," "security alert," "suspicious," "unauthorized," or "verify your identity" to Deleted Items or a hidden folder. When the security team sends a verification email or Entra ID sends a sign-in notification, the legitimate user never sees it.

They consent to an OAuth application with Mail.ReadWrite and Files.ReadWrite.All permissions that accesses data through the Graph API without requiring the user's password. This access path survives password resets, session revocation, and MFA re-enrollment. The application authenticates with its own credentials.

They enumerate the directory. Who has Global Admin? What groups control access to sensitive resources? What conditional access policies are enforced? Where are the gaps? This enumeration uses standard Graph API calls — the same calls legitimate applications make thousands of times daily.

None of this generates a high-confidence alert. Every action is a legitimate M365 operation. The attacker is now persistent, informed, and invisible.
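Two of the four persistence actions above, inbox rules that hide security mail and OAuth consents granting mailbox or file scopes, can be surfaced from the audit data that already exists. The query below is an added example, not the course's own; it assumes Exchange audit records in OfficeActivity and Entra ID AuditLogs are ingested into Sentinel, and the keyword list and scope list are assumptions to tune.

```kql
// Added example (not from the course): hunt for inbox rules that hide
// security-related mail and for OAuth consents granting Mail/Files scopes,
// then group both by user so a single account doing both stands out.
let lookback = 7d;
// Assumed keyword list; extend with the phrases your own notifications use
let hideKeywords = dynamic(["password", "security alert", "suspicious", "unauthorized", "verify", "sign-in", "mfa"]);
let hidingRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    // Parameters is a JSON array of {Name, Value}; fold it into one property bag
    | mv-apply p = parse_json(Parameters) on (
        summarize Bag = make_bag(bag_pack(tostring(p.Name), tostring(p.Value))))
    | extend Keywords = tolower(strcat(Bag.SubjectContainsWords, " ",
        Bag.BodyContainsWords, " ", Bag.SubjectOrBodyContainsWords))
    // Rule hides mail if it moves, deletes, marks read, forwards or redirects it
    | extend Hides = isnotempty(Bag.MoveToFolder) or tobool(Bag.DeleteMessage)
        or tobool(Bag.MarkAsRead) or isnotempty(Bag.ForwardTo) or isnotempty(Bag.RedirectTo)
    | where Hides and Keywords has_any (hideKeywords)
    | project Time = TimeGenerated, User = tolower(UserId), Action = "InboxRule",
        Detail = strcat(Operation, ": [", Keywords, "] -> ",
            coalesce(tostring(Bag.MoveToFolder), tostring(Bag.ForwardTo),
                     tostring(Bag.RedirectTo), "delete"));
let riskyConsents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Consent to application"
    | extend User = tolower(tostring(InitiatedBy.user.userPrincipalName))
    // Granted scopes live in the ConsentAction.Permissions modified property
    | mv-expand mp = TargetResources[0].modifiedProperties
    | where tostring(mp.displayName) == "ConsentAction.Permissions"
    | extend Scopes = tostring(mp.newValue)
    | where Scopes has_any ("Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All", "offline_access")
    | project Time = TimeGenerated, User, Action = "OAuthConsent",
        Detail = strcat(tostring(TargetResources[0].displayName), ": ", Scopes);
hidingRules
| union riskyConsents
| summarize Actions = make_set(Action), Details = make_list(Detail),
            First = min(Time), Last = max(Time) by User
| order by array_length(Actions) desc, First asc
```

Accounts that appear with both actions within a short span are the ones to pivot into SigninLogs first; a single hiding rule on its own is often a user tidying notifications.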

Days 2–5: the reconnaissance phase

With persistence established, the attacker maps the environment's value. They read targeted email — financial conversations, executive communications, vendor contracts, customer lists. In a BEC operation, they search for an active financial transaction they can intercept. In a data theft operation, they build a target list. In an espionage operation, they read everything from specific executives.

They explore SharePoint and OneDrive document libraries. Engineering specifications, customer databases, HR files, financial reports. The exploration uses normal file access APIs. A detection rule that alerts on "user accessed SharePoint" would fire thousands of times per hour. The attacker's access is statistically identical to legitimate access unless you analyze the pattern: a single user accessing dozens of document libraries across multiple sites within a few hours is behavioral deviation that no static rule encodes.
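The breadth pattern described above (one user touching many sites and libraries in a few hours) can be expressed as a comparison against the user's own history rather than a static threshold. This is an added example, not the course's own query; it assumes the Office 365 connector populates OfficeActivity in Sentinel, and the window size, percentile and minimum counts are assumptions to tune.

```kql
// Added example (not from the course): breadth of SharePoint/OneDrive access
// per user per 4-hour window, compared with that user's own 30-day baseline.
let window = 4h;
let lookback = 30d;
let recent = 1d;
// Distinct sites, libraries and files each user touched in each window
let access = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload in ("SharePoint", "OneDrive")
    | where Operation in ("FileAccessed", "FileDownloaded", "FileSyncDownloadedFull")
    // First path segment under the site is the document library
    | extend Library = strcat(Site_Url, tostring(split(SourceRelativeUrl, "/")[0]))
    | summarize Sites = dcount(Site_Url), Libraries = dcount(Library),
                Files = dcount(OfficeObjectId), ClientIPs = make_set(ClientIP, 5)
      by UserId, Window = bin(TimeGenerated, window);
// Per-user 95th percentile of breadth over the baseline period (assumed choice)
let baseline = access
    | where Window < ago(recent)
    | summarize BaselineSites = percentile(Sites, 95),
                BaselineLibraries = percentile(Libraries, 95) by UserId;
access
| where Window >= ago(recent)
| join kind=leftouter baseline on UserId
// Users with no history get a baseline of 1 so any breadth is a deviation
| extend BaselineSites = coalesce(BaselineSites, 1),
         BaselineLibraries = coalesce(BaselineLibraries, 1)
// Flag breadth, not volume: 3x the user's own p95 and above an absolute floor
| where (Sites >= 5 and Sites >= 3 * BaselineSites)
     or (Libraries >= 20 and Libraries >= 3 * BaselineLibraries)
| project UserId, Window, Sites, BaselineSites, Libraries, BaselineLibraries, Files, ClientIPs
| order by Sites desc, Libraries desc
```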

In hybrid environments, they probe the boundary between cloud and on-premises. Can the compromised cloud credentials access the VPN? Is Azure AD Connect synchronizing passwords bidirectionally? The pivot from cloud to on-premises crosses a monitoring boundary that many SOCs have not bridged.

M-Trends 2026 reported that the median time from initial access to handoff inside compromised networks has dropped to 22 seconds — meaning access brokers are transferring entry within seconds of obtaining it. The reconnaissance and objective execution phases are where the actual operational actors spend their dwell time.

Days 5–14: objective execution

By day five, the attacker has persistent access, a map of the environment, and a target list. Now they execute.

For BEC operators, this is when they insert themselves into financial conversations. They have read invoice threads for days. They know vendor names, payment amounts, approval chains. They send an email with updated bank details or create a forwarding rule that copies incoming invoices to an external address, modifies the bank details, and forwards the modified version to finance. The FBI's IC3 has consistently reported BEC losses exceeding $2.7 billion annually. Every dollar required dwell time — the attacker needed days inside the mailbox to understand the organization's financial processes well enough to execute convincingly.

For data theft operators, this is the exfiltration window. They download SharePoint document libraries using sync or bulk download, export mailbox contents, or use OneDrive sync to copy files. The exfiltration uses Microsoft's own services — SharePoint APIs, OneDrive sync, email forwarding. Network monitoring sees traffic to Microsoft-owned domains on standard ports. There is nothing to block at the network level because the destination is legitimate. The use of the destination is not. M-Trends 2026 found data collection or access activity in 80% of reactive engagements — even when full exfiltration was not confirmed.

For ransomware affiliates, days 5–14 are staging. They have already escalated privileges, mapped Active Directory, identified backup systems, and begun disabling or corrupting backup processes. The encryption event is the last step, not the first. By the time the ransom note appears, every domain-joined system may be compromised and backups may already be destroyed.

Measuring your own dwell time

Your Sentinel incident data contains dwell time information. The query below calculates the gap between the earliest activity recorded on each closed incident and the time the incident was created. Because the earliest activity comes from the alerts attached to the incident, this is a floor on true dwell time: activity that never produced an alert is not in this data.

KQL
// Calculate dwell time from Sentinel incident data
// First evidence to first detection — your actual detection lag
SecurityIncident
| where TimeGenerated > ago(180d)
// SecurityIncident stores one row per update; keep the latest state of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed"
// Incidents closed as false positives have no meaningful dwell time
| where Classification != "FalsePositive"
// FirstActivityTime is the earliest evidence on the attached alerts; CreatedTime is when the incident opened
| extend FirstActivity = FirstActivityTime
| extend FirstDetection = CreatedTime
| where isnotempty(FirstActivity)
| extend DwellDays = datetime_diff('day', FirstDetection, FirstActivity)
| where DwellDays >= 0
| summarize
    Median = percentile(DwellDays, 50),
    P75 = percentile(DwellDays, 75),
    P90 = percentile(DwellDays, 90),
    IncidentCount = count()

The P90 is the number that should concern you most. It represents the long tail — the intrusions where the attacker had extended undetected access. If your P90 exceeds 30 days, your detection layer has a significant responsiveness gap that hunting directly addresses. Compare your median to the M-Trends 2026 benchmark (14 days global median). If yours is higher, your detections are slower than the industry average. If yours is lower, your detection engineering is effective for the threats it covers — but the undetected intrusions, the ones not in this dataset, may have dwell times far longer.

Hunting Hypothesis

Hypothesis: Attackers who achieved initial access via AiTM phishing in the past 30 days established persistence mechanisms (MFA registration, inbox rules, OAuth consent) within the first 24 hours that our detection rules did not flag.

Data sources: AuditLogs (MFA registration events), CloudAppEvents (inbox rule creation via Graph API), SigninLogs (anomalous sign-in patterns preceding persistence activity).

Expected finding: Users who registered new MFA methods within 24 hours of a sign-in from a new location or new device, where the sign-in used a token-based authentication method consistent with AiTM session hijacking.

Success criteria: If the hunt produces MFA registrations that correlate with anomalous sign-in patterns, the finding indicates active compromise in the persistence window. Each finding generates a detection rule that catches future persistence establishment automatically.

This is the shape of a hunting hypothesis. You form it before running a single query. It specifies what you expect to find, where you will look, and what the result means. The hypothesis above is exactly the kind of hunt TH4 (Hunting Identity Compromise) teaches you to execute. The dwell time data tells you why it matters: every day between when the persistence was established and when you discover it is a day the attacker has unmonitored access. Compressing that window from 14 days to 3 days does not just find one compromise. It changes the scope of damage, the cost of remediation, and the regulatory exposure for every future incident.
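The hypothesis above, and the MFA registration step described in the persistence window earlier, translate into one correlation: a "User registered security info" event within 24 hours of a successful sign-in from a country the user had never signed in from before. The query is an added example, not the course's or TH4's own; it assumes Entra ID SigninLogs and AuditLogs are ingested into Sentinel, and the 30-day hunting window and 90-day baseline are assumptions.

```kql
// Added example (not from the course): MFA method registration shortly after a
// sign-in from a location outside the user's established baseline.
let huntWindow = 30d;
let baselineWindow = 90d;
// Countries each user successfully signed in from before the hunting window
let knownLocations = SigninLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(huntWindow))
    | where ResultType == 0
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | summarize KnownCountries = make_set(Country) by User = tolower(UserPrincipalName);
// Successful sign-ins in the hunting window from a country not in that set
let newLocationSignins = SigninLogs
    | where TimeGenerated > ago(huntWindow)
    | where ResultType == 0
    | extend Country = tostring(LocationDetails.countryOrRegion), User = tolower(UserPrincipalName)
    | join kind=leftouter knownLocations on User
    | where isempty(KnownCountries) or not(set_has_element(KnownCountries, Country))
    | project SigninTime = TimeGenerated, User, Country, IPAddress, AppDisplayName,
              AuthenticationRequirement, ConditionalAccessStatus;
// MFA registrations, keyed by the target user; ResultDescription names the method
AuditLogs
| where TimeGenerated > ago(huntWindow)
| where OperationName == "User registered security info"
| extend User = tolower(tostring(TargetResources[0].userPrincipalName))
| extend Method = tostring(ResultDescription)
| project RegTime = TimeGenerated, User, Method
| join kind=inner newLocationSignins on User
// Registration must follow the anomalous sign-in by no more than 24 hours
| where RegTime between (SigninTime .. (SigninTime + 24h))
| extend HoursToPersistence = datetime_diff('minute', RegTime, SigninTime) / 60.0
// Keep the closest preceding anomalous sign-in for each registration
| summarize arg_min(HoursToPersistence, *) by User, RegTime
| project User, SigninTime, Country, IPAddress, AppDisplayName, AuthenticationRequirement,
          ConditionalAccessStatus, RegTime, Method, HoursToPersistence
| order by HoursToPersistence asc
```

Each row is a candidate for the persistence window, not a confirmed compromise; a new hire registering Authenticator from their home country will match, so the follow-up is to check the sign-in's device, app and Conditional Access result before treating the registration as attacker activity.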

The intrusions you will never measure

There is a category of compromise that never appears in any dwell time statistic: the ones where the attacker achieved their objective and left without being detected. The BEC operator who intercepted one wire transfer and disappeared. The data theft operator who exfiltrated a customer database and sold it on a dark web marketplace months later. The competitor who read executive emails about an upcoming acquisition.

These intrusions are discovered months or years later through downstream consequences — the customer data appears in a breach notification from another source, the wire transfer is flagged during an audit, the competitor's suspiciously well-timed market move triggers an investigation. By then, forensic evidence may be beyond your log retention window. M-Trends 2026 found that some espionage-linked intrusions achieved dwell times approaching 400 days. At that duration, standard 90-day log retention policies leave the organization completely blind to the initial access vector and the full scope of the intrusion.

Hunting does not guarantee you will find these intrusions. But it is the only operational activity that proactively looks for them. Detection rules wait for a pattern. Hunting goes looking.

Measuring response speed while ignoring detection lag

The SOC reports a mean time to respond (MTTR) of under 4 hours. Leadership concludes detection capability is strong. But MTTR measures how fast you respond after an alert fires. It says nothing about how long the attacker was present before the alert existed. A SOC with a 2-hour MTTR and a 30-day median dwell time responds quickly to incidents it eventually detects — but the attacker had 30 days of unmonitored access before that response began. The metric that matters is mean time to detect (MTTD), measured from the earliest attacker activity to first detection. Hunting is the mechanism that compresses MTTD for threats that live in the detection gap.

Threat Hunting Principle

Dwell time is the cost of the detection gap measured in days. Each day of undetected access expands the attacker's foothold, increases remediation complexity, and compounds regulatory exposure. Hunting compresses dwell time by finding compromise in the persistence and reconnaissance window — before the attacker executes their objective.

Next

Section 0.3 — The Detection Pyramid. You know the size of the detection gap and the cost of dwell time. Now you need a framework for understanding why some detections are more durable than others. David Bianco's Pyramid of Pain, reframed for hunting, explains why indicator-based detection is brittle, why behavioral detection is durable, and where hunting sits in the hierarchy.