Skip to main content
close search
site logo
Dive Brief

SolarWinds threat actors accessing Microsoft 365 by altering permissions

Published March 22, 2021
David Jones's headshot
Reporter

Dive Brief:

  • Security researchers have observed a threat actor linked to the SolarWinds campaign accessing targeted emails in Microsoft 365 by modifying individual mailbox permissions, according to an white paper from FireEye’s Mandiant unit. 
  • The method allows the attacker to assign read-only permissions to any authenticated users in the targeted M365 tenant. The threat actor can then use any compromised account to sign into M365 and read the email of targeted user mailboxes, according to Mandiant officials. The technique often goes unnoticed because security organizations do not typically monitor folder permission modifications, according to Mandiant.
  • "This technique allows the threat actor to access the email messages contained in the mailbox folders they modify," Douglas Bienstock, manager, incident response at Mandiant, said via email. "This aligns with what FireEye has observed, in some cases, as the threat actor’s goal is to persistently access email of targeted individuals in an organization."

Dive Insight:

Mandiant in December disclosed a campaign by the threat group, which it calls UNC 2452, to gain access to on-premise networks and move laterally into Microsoft 365 cloud environments. Mandiant linked the threat actor to the Sunburst malware used during the SolarWinds campaign.

The techniques included stealing the Active Directory Federation Services token signing certificate and using it to forge tokens for arbitrary users, according to Mandiant, a technique often called the Golden SAML. The technique allows a user to authenticate Microsoft 365 without the need for a password or multifactor authentication. 

Another technique through an Azure AD backdoor allows an attacker to add or modify trusted domains in Azure AD, which allows the attacker to add a federated identity provider that he or she controls. 

Among the more recently seen techniques, Mandiant observed the modification of mailbox folder permissions. Other threat actors have used the technique and security researchers have discussed the technique since 2017, Bienstock said. 

This particular threat actor has targeted a variety of organizations, including government, non-government organizations, software, security, telecommunications, higher education and business and IT services companies, he said.

Microsoft, when asked about the new Mandiant findings, said the "technique requires accounts to already have been compromised in order to function as described."

The whitepaper outlines a few steps that organizations can use to prevent the attack and Bienstock said Mailbox Auditing should be enabled on mailboxes. Security information and event management (SIEM) or other log analytics platforms should also have signatures to monitor for this activity. 

Mandiant released a tool on its GitHub repository that can be used to check for compromise.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell