The most dangerous (and interesting) Microsoft 365 attacks

Government-sponsored hackers, who carry out cyberespionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organizations of all sizes.

From an intelligence collector’s perspective, it makes sense to target it. “Microsoft 365 is a gold mine,” Doug Bienstock, incident response manager at Mandiant, tells CSO. “The vast majority of [an organization’s] data is probably going to be in Microsoft 365, whether it’s in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages.”

Companies that rely heavily on Microsoft 365 tend to adopt it in almost every aspect of their work, from document writing to project planning, task automation, or data analytics. Some also use Azure Active Directory as the authentication provider for their employees, and attackers know that. “Getting access to [Active Directory] can, by extension, grant you access to other cloud properties,” Josh Madeley, incident response manager at Mandiant, tells CSO.

During their recent talk at Black Hat USA 2021, Madeley and Bienstock presented some of the novel techniques used by nation-state hackers in campaigns targeting data stored within Microsoft 365. The researchers showed how APT groups have evolved to evade detection and extract hundreds of gigabytes of data from their victims.

“These attackers are investing a lot of time and effort into learning about Microsoft 365,” Bienstock says. “They know way more about Microsoft 365 than your admin does. They know more about it than probably some employees at Microsoft.”

Avoiding detection

In the past year, APT groups have become better at avoiding detection, employing a few techniques that were never seen before. “One of those is downgrading user licenses from a Microsoft 365 E5 license to an E3 license,” Madeley says. It typically appears early in an attack.
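Because the downgrade is a tenant-administration event rather than a mailbox event, it is easy to miss unless license changes are reviewed explicitly. The following Python script is an added example, not code from the article or from Mandiant: it runs over license-change records (the record shape and the sample entries are constructed for this example) and flags any user whose highest-tier Microsoft 365 license was removed without an equal or higher tier being added. The SKU part numbers are assumed to map to the E5 and E3 tiers as shown; the tier table is the one thing to adjust for a real tenant, and a second function compares two license snapshots so the check also works without audit data.

```python
"""Flag Microsoft 365 license downgrades (e.g. E5 -> E3) in license-change records.

Added example; the record format below is constructed for illustration and
does not claim to match any particular export format.
"""
from dataclasses import dataclass
import json

# Assumed SKU part numbers grouped by tier (higher number = richer logging).
# Unknown SKUs get tier 0, so removing a known tier with no replacement is
# still reported as a downgrade.
SKU_TIER = {
    "SPE_E5": 5,             # assumed: Microsoft 365 E5
    "ENTERPRISEPREMIUM": 5,  # assumed: Office 365 E5
    "SPE_E3": 3,             # assumed: Microsoft 365 E3
    "ENTERPRISEPACK": 3,     # assumed: Office 365 E3
}


@dataclass(frozen=True)
class Downgrade:
    user: str
    actor: str
    timestamp: str
    removed: tuple
    added: tuple


def highest_tier(skus):
    """Return the best tier among a list of SKU names (0 if none are known)."""
    return max((SKU_TIER.get(s, 0) for s in skus), default=0)


def find_downgrades(records):
    """Return a Downgrade for every record where the target lost its top tier.

    Each record is a dict with keys: timestamp, actor, target, removed, added
    (constructed shape). A change is a downgrade when the best tier removed is
    strictly higher than the best tier added in the same change.
    """
    hits = []
    for rec in records:
        lost = highest_tier(rec.get("removed", []))
        gained = highest_tier(rec.get("added", []))
        if lost > 0 and lost > gained:
            hits.append(Downgrade(
                user=rec["target"],
                actor=rec["actor"],
                timestamp=rec["timestamp"],
                removed=tuple(rec.get("removed", [])),
                added=tuple(rec.get("added", [])),
            ))
    return hits


def parse_jsonl(text):
    """Parse one JSON object per line into the record list find_downgrades expects."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def snapshot_downgrades(before, after):
    """Compare two {user: [skus]} snapshots; return users whose best tier dropped.

    Useful when audit records are unavailable: take a baseline of assignments
    and diff it against the current state.
    """
    return sorted(
        user for user, skus in before.items()
        if highest_tier(skus) > highest_tier(after.get(user, []))
    )


# Constructed sample records (not real audit data).
SAMPLE_JSONL = "\n".join([
    '{"timestamp": "2021-06-01T02:14:09Z", "actor": "admin@example.test", "target": "cfo@example.test", "removed": ["SPE_E5"], "added": ["SPE_E3"]}',
    '{"timestamp": "2021-06-01T09:30:00Z", "actor": "helpdesk@example.test", "target": "newhire@example.test", "removed": [], "added": ["SPE_E3"]}',
    '{"timestamp": "2021-06-02T11:00:00Z", "actor": "helpdesk@example.test", "target": "analyst@example.test", "removed": ["SPE_E3"], "added": ["SPE_E5"]}',
    '{"timestamp": "2021-06-03T03:05:40Z", "actor": "admin@example.test", "target": "legal@example.test", "removed": ["ENTERPRISEPREMIUM"], "added": []}',
])


def run_sample():
    """Run the detector over the constructed sample and return the hits."""
    return find_downgrades(parse_jsonl(SAMPLE_JSONL))


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit.timestamp} {hit.actor} downgraded {hit.user}: "
              f"removed {list(hit.removed)}, added {list(hit.added)}")
```

The analyst upgrade (E3 to E5) and the fresh E3 assignment are ignored; only the two changes that lower a user's top tier are reported, with the acting account and time so they can be reviewed against a change ticket. Running the same logic over a nightly snapshot diff catches downgrades even if the change records themselves have been tampered with or aged out.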