August 27, 2022

Hackers have found a new way into your Microsoft 365 account

Attackers brute-force Azure AD accounts that have not yet enrolled in MFA

The Russian state-sponsored threat actor Cozy Bear (also known as APT29 or Nobelium) is using new tactics to get into Microsoft 365 accounts in an effort to steal sensitive foreign-policy intelligence.

This is according to a new report from cybersecurity firm Mandiant, which describes three techniques Cozy Bear uses to carry out the attacks and to hide them:

  1. Disabling Purview Audit on a compromised mailbox before reading its email
  2. Brute-forcing the passwords of Microsoft 365 accounts that have not yet enrolled in multi-factor authentication (MFA), then completing the enrollment with an attacker-controlled device
  3. Covering its tracks by operating from Azure Virtual Machines, either in compromised subscriptions or in ones it has purchased

New Microsoft 365 attack

Purview Audit, the researchers remind, is a feature of the higher Microsoft 365 license tiers that records each time a mailbox item is accessed, whether through the browser, the Graph API or Outlook. For security teams this log is what shows whether a mailbox was accessed without authorization and which items were read, so it is essential for scoping a compromise.

APT29 is well aware of this, and it disables the feature on the targeted account before touching the mailbox, so the subsequent email access leaves no access record behind.
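Because disabling auditing is itself an administrative action, it is recorded in the Unified Audit Log even when the mailbox access that follows is not. The following script is an added example, not code from the article, Mandiant or Microsoft: it scans exported AuditData records and flags the ones that switch mailbox auditing off. The sample records are constructed here, and the two operations it looks for (`Set-Mailbox` with `AuditEnabled` false and `Set-MailboxAuditBypassAssociation` with `AuditBypassEnabled` true) are an assumption about the mechanism, since the page does not say how APT29 disabled Purview Audit.

```python
"""Flag Unified Audit Log records that turn mailbox auditing off.

Added example for this page; not code from Mandiant, Microsoft or the article.
Input records are constructed here and shaped like the AuditData JSON column
that Search-UnifiedAuditLog or a Purview portal export produces.
"""
import json

# Constructed sample AuditData records (not real tenant data). The first and
# third turn auditing off for a mailbox; the second is a harmless mailbox
# change; the fourth is the MailItemsAccessed evidence auditing normally yields.
SAMPLE_AUDITDATA = [
    json.dumps({
        "CreationTime": "2022-08-03T03:00:00", "Operation": "Set-Mailbox",
        "UserId": "admin@contoso.example", "ClientIP": "198.51.100.7",
        "ObjectId": "target@contoso.example",
        "Parameters": [{"Name": "Identity", "Value": "target@contoso.example"},
                       {"Name": "AuditEnabled", "Value": "False"}],
    }),
    json.dumps({
        "CreationTime": "2022-08-03T03:05:00", "Operation": "Set-Mailbox",
        "UserId": "admin@contoso.example", "ClientIP": "203.0.113.20",
        "ObjectId": "bob@contoso.example",
        "Parameters": [{"Name": "Identity", "Value": "bob@contoso.example"},
                       {"Name": "RetentionPolicy", "Value": "Default MRM Policy"}],
    }),
    json.dumps({
        "CreationTime": "2022-08-03T03:07:00",
        "Operation": "Set-MailboxAuditBypassAssociation",
        "UserId": "admin@contoso.example", "ClientIP": "198.51.100.7",
        "ObjectId": "svc-old@contoso.example",
        "Parameters": [{"Name": "Identity", "Value": "svc-old@contoso.example"},
                       {"Name": "AuditBypassEnabled", "Value": "True"}],
    }),
    json.dumps({
        "CreationTime": "2022-08-03T03:10:00", "Operation": "MailItemsAccessed",
        "UserId": "bob@contoso.example", "ClientIP": "203.0.113.20",
        "MailboxOwnerUPN": "bob@contoso.example",
    }),
]

# Assumed signatures: the page does not say which mechanism APT29 used. These
# are the two Exchange Online cmdlet settings that stop a mailbox's access from
# being recorded, and the parameter value that is the dangerous one.
AUDIT_OFF_SIGNATURES = {
    "Set-Mailbox": ("AuditEnabled", "false"),
    "Set-MailboxAuditBypassAssociation": ("AuditBypassEnabled", "true"),
}


def parse_parameters(record):
    """Turn the Parameters list of {Name, Value} pairs into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def find_audit_tampering(auditdata_lines):
    """Return one finding per record that disables or bypasses mailbox auditing."""
    findings = []
    for line in auditdata_lines:
        rec = json.loads(line)
        signature = AUDIT_OFF_SIGNATURES.get(rec.get("Operation"))
        if signature is None:
            continue
        name, bad_value = signature
        params = parse_parameters(rec)
        if params.get(name, "").lower() != bad_value:
            continue
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "ip": rec.get("ClientIP"),
            "mailbox": rec.get("ObjectId") or params.get("Identity"),
            "method": rec["Operation"],
        })
    return findings


if __name__ == "__main__":
    for f in find_audit_tampering(SAMPLE_AUDITDATA):
        print(f"{f['time']} {f['actor']} from {f['ip']} disabled auditing on "
              f"{f['mailbox']} via {f['method']}")
```

To run it on real data, export the AuditData column of `Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations Set-Mailbox,Set-MailboxAuditBypassAssociation` and feed the lines in. Auditing can also be switched off for the whole tenant with `Set-OrganizationConfig -AuditDisabled $true`, so `Get-OrganizationConfig | Select-Object AuditDisabled` belongs in the same check.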

The researchers also found Cozy Bear abusing the MFA self-enrollment process in Azure Active Directory (AD). When MFA is enforced through self-enrollment, a user who signs in for the first time is prompted to register a second factor at that moment; until someone does, the account is protected by its password alone.

The attackers exploit this by brute-forcing the passwords of accounts that have never enrolled, typically dormant but still-enabled ones, and then completing the enrollment themselves with a device they control. In the case Mandiant observed, the victim organization used Azure AD to authenticate to its VPN, so the newly enrolled account gave the attackers VPN access and, from there, a foothold on the internal network and its endpoints.
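The sign-in and audit logs of the tenant carry the whole sequence: a burst of failed password attempts, a first-ever success from the same address, and a security-info registration minutes later. The script below is an added example, not code from the article or Mandiant, that hunts for exactly that pattern. Its records are constructed and flattened; the field meanings follow the Azure AD sign-in log (`errorCode` 0 is success, 50126 is an invalid username or password) and the audit log activity "User registered security info", but the record shape, the thresholds and the `contoso.example` accounts are assumptions.

```python
"""Hunt for brute-force followed by attacker MFA self-enrollment in Azure AD logs.

Added example for this page; not code from the article, Mandiant or Microsoft.
Records are constructed and flattened by hand; the field meanings follow the
Azure AD sign-in and audit logs, but the shape is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    """Parse the UTC timestamp format the Azure AD logs use ("2022-08-03T02:00:00Z")."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in records (not real tenant data). alice signs in normally;
# svc-old has never signed in, then takes six bad passwords and one success
# from the same address within ten minutes.
SIGNINS = [
    {"user": "alice@contoso.example", "time": "2022-08-01T09:00:00Z",
     "ip": "203.0.113.5", "errorCode": 0},
    {"user": "alice@contoso.example", "time": "2022-08-02T08:55:00Z",
     "ip": "203.0.113.5", "errorCode": 0},
] + [
    {"user": "svc-old@contoso.example", "time": f"2022-08-03T02:0{i}:00Z",
     "ip": "198.51.100.7", "errorCode": 50126}
    for i in range(6)
] + [
    {"user": "svc-old@contoso.example", "time": "2022-08-03T02:09:00Z",
     "ip": "198.51.100.7", "errorCode": 0},
]

# Constructed audit-log records for MFA self-enrollment. alice enrolls after her
# own first login; svc-old "enrolls" two minutes after the brute-forced success.
AUDITS = [
    {"activity": "User registered security info", "user": "alice@contoso.example",
     "time": "2022-08-01T09:04:00Z", "ip": "203.0.113.5"},
    {"activity": "User registered security info", "user": "svc-old@contoso.example",
     "time": "2022-08-03T02:11:00Z", "ip": "198.51.100.7"},
]

ENROLLMENT_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}


def find_suspicious_enrollments(signins, audits, min_failures=5,
                                window=timedelta(hours=1)):
    """Return one alert per MFA enrollment preceded, within `window`, by at
    least `min_failures` bad-password sign-ins and a success for that user.
    `dormant_before` is True when the account had no earlier success at all."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)

    alerts = []
    for a in audits:
        if a["activity"] not in ENROLLMENT_ACTIVITIES:
            continue
        t = _ts(a["time"])
        start = t - window
        history = by_user[a["user"]]
        recent = [e for e in history if start <= _ts(e["time"]) <= t]
        failures = [e for e in recent if e["errorCode"] == 50126]
        successes = [e for e in recent if e["errorCode"] == 0]
        if len(failures) < min_failures or not successes:
            continue
        earlier_success = any(e["errorCode"] == 0 and _ts(e["time"]) < start
                              for e in history)
        alerts.append({
            "user": a["user"],
            "failed_attempts": len(failures),
            "success_ip": successes[-1]["ip"],
            "enrollment_ip": a["ip"],
            "dormant_before": not earlier_success,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SIGNINS, AUDITS):
        print(alert)
```

The `dormant_before` flag is the part worth acting on first: a registration by an account that has never successfully signed in before, right after a run of bad passwords, is the exact footprint of the technique described above. Pull the real records from the Azure AD sign-in and audit logs (via Log Analytics or the Graph API `signIns` and `directoryAudits` resources) and map them onto the fields used here.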

Finally, Azure virtual machines come with Microsoft-owned IP addresses, and because Microsoft 365 itself runs on Azure, IT teams struggle to tell legitimate Microsoft traffic from an attacker operating out of an Azure VM. Cozy Bear blends in further by interleaving its malicious Azure AD changes with routine administrative activity, such as updates to application address URLs, so that the malicious entries do not stand out in the audit log.

Ordinary users are unlikely to be targeted by this group, but large organizations should watch for this attack path, which can be used against senior executives and others with access to sensitive information. The mitigations follow from the three techniques: restrict MFA registration to trusted locations or a Temporary Access Pass rather than leaving it to first sign-in, disable or remove dormant accounts, and alert on any change to mailbox auditing.

Source: TechRadar
