Skip to main content
close search
site logo
Dive Brief

APT actors target Microsoft 365 using novel techniques

Published Aug. 6, 2021
David Jones's headshot
Reporter
A lit Microsoft log seen above a group of people in shadow.
Jeenah Moon via Getty Images

Dive Brief: 

  • Advanced persistent threat (APT) actors are using novel techniques to target Microsoft 365 users in the enterprise space, which nation-state actors see as a valuable target for espionage campaigns because of the confidential emails, SharePoint data and other information it contains, according to Mandiant researchers who presented a panel on these techniques at Black Hat 2021. 
  • To target Microsoft 365, threat actors are disabling mailbox audit logs, using older techniques like abusing mailbox folder permissions and new techniques like abusing enterprise applications, said Josh Madeley, manager of professional services at Mandiant.
  • "If you're an espionage-motivated threat actor, Microsoft 365 is the holy grail," Madeley said.

Dive Insight:

Microsoft 365 has increasingly become the focus of nation-state actors because the application is a highly sought repository of valuable data. The switch from traditional office work to collaborative work-from-home has changed the way many companies use and store company data. 

To execute the campaign, attackers identify an existing service principal inside of a tenant that they want to hijack. They add the MS Graph Application Permissions, specifically the file.read and mail.read permissions that allow them to read mail and read files within the tenants. 

In order to authenticate, attackers then add new credentials, which can be either secrets or certificates, according to the Mandiant researchers. They add the credentials to act as their API keys. Once they have done this they have remote access to make API calls to the MS Graph. Every day an attacker would login and access the last 24 hours of emails from a set group of mailboxes. 

Some organizations have what are called conditional access policies, which limit how people access a particular environment. Madeley warns that those policies don't apply to applications, which means a threat actor can authenticate to the Graph from anywhere in the world.

Service Principal sign-in logs weren't even available until mid-2020, Madeley said.

Despite all these concerns, Microsoft is paying attention to where applications are authenticating from on the back end, which makes access a little more difficult, Madeley said.

Attackers are also targeting Active Directory Federation Services token sign-in keys to gain access to SAML tokens, according to Doug Bienstock, manager professional services at Mandiant. 

Mandiant previously documented that the threat actor behind the SolarWinds campaign had gained access to Microsoft 365 by modifying permission using the Golden SAML technique. This involved stealing the AD FS sign-in certificate and using it to forge tokens for arbitrary users. 

Filed Under: Threats

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Threats
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell