The Russian state-sponsored threat actor Cozy Bear (also tracked as APT29 or Nobelium) is using new techniques to breach Microsoft 365 accounts in pursuit of foreign policy intelligence.
According to a recent analysis from cybersecurity company Mandiant, Cozy Bear employs three methods to carry out (and mask) the attacks:
1. Disabling Purview Audit on a target mailbox before reading any of its email.
2. Brute-forcing the passwords of Microsoft 365 accounts that have not yet enrolled in multi-factor authentication (MFA), then completing the enrollment themselves.
3. Operating from Azure Virtual Machines, either reached through already-compromised accounts or paid for outright, so that their traffic originates from Microsoft IP space.
New Microsoft 365 attack
The researchers explain that Purview Audit is a premium logging feature that records each time a mailbox is accessed, whichever client is used (browser, Graph API, or Outlook). With it enabled, security teams can see which mailboxes were accessed and from where, and confirm that nobody is reading mail who should not be.
According to Mandiant, “this is a vital log source to assess if a threat actor is accessing a specific mailbox, as well as to assess the breadth of exposure.” When a threat actor employs methods like application impersonation or the Graph API, it is the only way to accurately verify access to a specific mailbox.
APT29 is aware of this function, though, and always turns it off before viewing any email.
Additionally, the researchers found Cozy Bear abusing the MFA self-enrollment process in Azure Active Directory (Azure AD). When an account signs in for the first time, Azure AD prompts the user to enroll in MFA before the login completes.
The attackers turn this around by brute-forcing the passwords of accounts that have been created but never signed in, and therefore never enrolled. They then complete the MFA enrollment in place of the legitimate user, which in the case Mandiant describes gave them access to the target company's VPN infrastructure and, from there, the internal network and its endpoints.
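The two behaviours described above (the audit licence being stripped before a mailbox is read, and a brute-forced account enrolling its own MFA) both leave traces that can be hunted for. The following is an added example, not code from the article or from Mandiant: a small Python hunt over a handful of constructed audit records. The record shape, the service-plan name `M365_ADVANCED_AUDITING`, the failure threshold and the enrolment window are all assumptions for the example, not a schema guaranteed by Microsoft.

```python
"""Hunt over constructed Microsoft 365 / Azure AD audit records for the two
patterns described above: the Purview Audit licence being removed from a user
shortly before their mailbox is used, and a brute-forced account completing MFA
self-enrolment on its first successful sign-in."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not taken from the article): the service-plan name behind
# Purview Audit (Premium), how many failures from one IP we call brute force,
# and how soon after first logon an MFA registration counts as self-enrolment.
AUDIT_PLAN = "M365_ADVANCED_AUDITING"
FAILED_LOGON_THRESHOLD = 5
SELF_ENROL_WINDOW = timedelta(minutes=30)


def ev(time, op, user, ip=None, **extra):
    """Build one constructed audit record; the field names mimic the unified
    audit log export (CreationTime, Operation, UserId, ClientIP) but the exact
    shape is assumed for this example."""
    return {"CreationTime": time, "Operation": op, "UserId": user, "ClientIP": ip, **extra}


EVENTS = (
    # jdoe: six password failures from one IP, then success, then MFA registration
    [ev(f"2022-08-18T09:0{i}:00", "UserLoginFailed", "jdoe@example.test", "203.0.113.9")
     for i in range(6)]
    + [
        ev("2022-08-18T09:10:00", "UserLoggedIn", "jdoe@example.test", "203.0.113.9"),
        ev("2022-08-18T09:12:00", "User registered security info", "jdoe@example.test", "203.0.113.9"),
        # an admin strips the audit plan from the CEO's licence, then the CEO "signs in"
        ev("2022-08-18T10:00:00", "Change user license.", "admin@example.test", "203.0.113.9",
           Target="ceo@example.test", RemovedPlans=[AUDIT_PLAN]),
        ev("2022-08-18T10:05:00", "UserLoggedIn", "ceo@example.test", "203.0.113.9"),
        # asmith: normal user, registers MFA hours after a clean first logon (benign)
        ev("2022-08-18T11:00:00", "UserLoggedIn", "asmith@example.test", "198.51.100.20"),
        ev("2022-08-18T15:00:00", "User registered security info", "asmith@example.test", "198.51.100.20"),
    ]
)


def _ts(e):
    return datetime.fromisoformat(e["CreationTime"])


def find_audit_license_removals(events):
    """Licence changes that strip the audit plan: (target user, time of removal).
    The change itself is still logged even though mailbox auditing stops."""
    return [(e["Target"], _ts(e)) for e in events
            if e["Operation"] == "Change user license." and AUDIT_PLAN in e.get("RemovedPlans", [])]


def logons_after_audit_removal(events):
    """Every sign-in to a mailbox after its audit plan was removed. MailItemsAccessed
    records for these sessions will be missing, so the logon is the only trace left."""
    findings = []
    for user, removed_at in find_audit_license_removals(events):
        for e in events:
            if e["Operation"] == "UserLoggedIn" and e["UserId"] == user and _ts(e) > removed_at:
                findings.append({"user": user, "audit_removed_at": removed_at.isoformat(),
                                 "logon_at": e["CreationTime"], "ip": e["ClientIP"]})
    return findings


def brute_forced_self_enrolment(events):
    """Accounts whose first-ever successful sign-in came from an IP that had already
    failed FAILED_LOGON_THRESHOLD times against them, and that registered MFA from
    the same IP within SELF_ENROL_WINDOW of that first logon."""
    failures = defaultdict(int)   # (user, ip) -> failed attempts seen so far
    first_logon = {}              # user -> first successful sign-in record
    findings = []
    for e in sorted(events, key=_ts):
        op, user, ip = e["Operation"], e["UserId"], e["ClientIP"]
        if op == "UserLoginFailed":
            failures[(user, ip)] += 1
        elif op == "UserLoggedIn":
            first_logon.setdefault(user, e)
        elif op == "User registered security info" and user in first_logon:
            first = first_logon[user]
            if (first["ClientIP"] == ip
                    and _ts(e) - _ts(first) <= SELF_ENROL_WINDOW
                    and failures[(user, ip)] >= FAILED_LOGON_THRESHOLD):
                findings.append({"user": user, "ip": ip, "failed_attempts": failures[(user, ip)],
                                 "first_logon": first["CreationTime"],
                                 "mfa_registered": e["CreationTime"]})
    return findings


if __name__ == "__main__":
    for f in logons_after_audit_removal(EVENTS) + brute_forced_self_enrolment(EVENTS):
        print(f)
```

Run against the sample it reports one post-removal logon for the CEO's mailbox and one self-enrolment for jdoe, while asmith's ordinary registration hours after a clean first sign-in is not flagged. The pivot both hunts rely on is that the licence change and the sign-in events are still written even after mailbox-level auditing has been switched off; in a real tenant the same logic would be fed from a unified audit log export rather than the constructed records here.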
Finally, because Microsoft 365 itself runs on Azure and Azure virtual machines already come from Microsoft IP address ranges, defenders find it hard to separate legitimate Microsoft 365 traffic from attacker traffic originating on an Azure VM. Cozy Bear muddies the picture further by mixing benign administrative actions, such as configuring Application Address URLs, in with its malicious Azure AD activity.
Regular users are probably not among the threat group’s primary targets, but major corporations nonetheless need to be aware of the attack vector in case it is used to target prominent executives or other individuals with access to important data.