Microsoft 365 accounts are hacked
According to researchers at Mandiant, the Russian state-backed hacking group APT29, also known as Cozy Bear or Nobelium, has been actively spying on U.S. and NATO-affiliated organizations through their Microsoft 365 accounts to steal sensitive information.
Mandiant, which has tracked APT29 since 2014, notes that the group is using new tactics and aggressively targeting Microsoft 365 in attacks that demonstrate exceptional operational security and evasion.
In a report published on Thursday, the company highlighted some of APT29’s new advanced tactics, techniques, and procedures.
One of the most troublesome security features in the Microsoft 365 suite for threat actors is Purview Audit. E5 licenses and certain add-ons enable the MailItemsAccessed audit event. Each time a mail item is accessed, the MailItemsAccessed event records the user-agent string, timestamp, IP address, and user.
In order to target the inbox for email collection, Mandiant observed that APT29 was able to disable Purview Audit on targeted accounts in a compromised tenant.
Once auditing is disabled, they begin collecting emails from the inbox. At that point, the organization cannot confirm which accounts the threat actor targeted for email collection, or when. “Mandiant believes that email collection is the most likely activity following the disablement of Purview Audit, based on APT29’s targeting and TTPs,” the report states.
“We have updated our whitepaper Remediation and hardening strategies for Microsoft 365 with more details on this technique, as well as detection and remediation advice. A new module has also been added to the Azure AD Investigator to report on users with advanced auditing disabled.”
The researchers also found another new tactic being used by APT29, which abuses the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).
By default, Azure AD does not enforce strict rules on new MFA enrollments, so anyone with a valid username and password can enroll MFA from any location and on any device, as long as they are the first person to do so. APT29 abused this gap.
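The two techniques above (the gap in MailItemsAccessed logging after advanced auditing is removed, and first-time MFA registration by someone who merely holds a password) both leave traces that a defender can hunt for in the unified audit log. The script below is an added example and is not code from the article, from Mandiant, or from the Azure AD Investigator tool. It runs three checks over a constructed set of simplified audit records: the operation names MailItemsAccessed, MailboxLogin, "Change user license." and "User registered security info" are real Microsoft 365 / Azure AD audit operations, but the flat record shape, the `RemovedPlans` field and the `M365_ADVANCED_AUDITING` plan name are assumptions made for the example, so map them to your own export before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified unified-audit-log style.
# The field layout (and RemovedPlans in particular) is an assumption for
# this example, not the schema of a real Search-UnifiedAuditLog export.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-08-01T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2022-08-02T09:10:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    # Admin-side change: advanced auditing plan removed from alice's license.
    {"CreationTime": "2022-08-03T10:00:00", "Operation": "Change user license.",
     "UserId": "admin@example.com", "Target": "alice@example.com",
     "RemovedPlans": ["M365_ADVANCED_AUDITING"]},
    # Mailbox activity for alice continues, but MailItemsAccessed never returns.
    {"CreationTime": "2022-08-04T08:00:00", "Operation": "MailboxLogin",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2022-08-05T08:00:00", "Operation": "MailboxLogin",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7"},
    # bob: normal pattern, access events and logins interleave.
    {"CreationTime": "2022-08-05T08:30:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.11"},
    {"CreationTime": "2022-08-05T09:00:00", "Operation": "MailboxLogin",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.11"},
    # carol registers security info with no prior activity at all.
    {"CreationTime": "2022-08-06T03:00:00", "Operation": "User registered security info",
     "UserId": "carol@example.com", "ClientIP": "192.0.2.44"},
    # bob re-registers from an IP already associated with his account.
    {"CreationTime": "2022-08-06T11:00:00", "Operation": "User registered security info",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.11"},
]

# Exchange mailbox-audit operations that keep logging without the E5 plan.
MAILBOX_OPS = {"MailboxLogin", "Send", "Update", "MoveToDeletedItems"}


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def find_audit_gaps(records, max_gap=timedelta(hours=24)):
    """Accounts whose MailItemsAccessed events stop while other mailbox
    activity continues for longer than max_gap. Returns
    {user: (last_access_time, last_other_activity_time)}."""
    last_access, last_other = {}, {}
    for r in sorted(records, key=_ts):
        u = r["UserId"]
        if r["Operation"] == "MailItemsAccessed":
            last_access[u] = _ts(r)
        elif r["Operation"] in MAILBOX_OPS:
            last_other[u] = _ts(r)
    flagged = {}
    for u, t_access in last_access.items():
        t_other = last_other.get(u)
        if t_other is not None and t_other - t_access > max_gap:
            flagged[u] = (t_access, t_other)
    return flagged


def find_audit_plan_removals(records, plan="M365_ADVANCED_AUDITING"):
    """License changes that removed the advanced-auditing plan from a user.
    Returns [(time, actor, target)]."""
    return [(r["CreationTime"], r["UserId"], r["Target"])
            for r in records
            if r["Operation"] == "Change user license."
            and plan in r.get("RemovedPlans", [])]


def find_first_seen_mfa_registrations(records):
    """Security-info registrations by an account with no earlier activity in
    the data, or from an IP never seen for that account before."""
    seen_ips = defaultdict(set)
    hits = []
    for r in sorted(records, key=_ts):
        u, ip = r["UserId"], r.get("ClientIP")
        if r["Operation"] == "User registered security info":
            if not seen_ips[u]:
                hits.append((u, ip, "no prior activity"))
            elif ip not in seen_ips[u]:
                hits.append((u, ip, "new IP"))
        if ip:
            seen_ips[u].add(ip)
    return hits


if __name__ == "__main__":
    print("audit gaps:", find_audit_gaps(SAMPLE_RECORDS))
    print("plan removals:", find_audit_plan_removals(SAMPLE_RECORDS))
    print("suspicious MFA registrations:", find_first_seen_mfa_registrations(SAMPLE_RECORDS))
```

The gap check needs a baseline, so it only considers accounts that logged at least one MailItemsAccessed event; an account that never had the E5 plan is not flagged. Tune `max_gap` to the normal access cadence of your users, and treat the license-change check as the higher-confidence signal of the two, since it names the actor who made the change.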
Mandiant also observed APT29 using Azure Virtual Machines (VMs), which are assumed to reside in Azure subscriptions outside the victim organization. These subscriptions may have been compromised or purchased by the threat actor group.