logo
allArticlesConferencesPresentations

My Cloud is APT's Cloud: Investigating and Defending Office 365

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation discusses the increasing threat of targeted attacks on Microsoft Office 365 and the need for organizations to understand and defend against these attacks.
  • Office 365 is becoming a popular target for threat actors due to the large volume of data stored in it
  • Attackers use both unsophisticated and sophisticated techniques to gain access to Office 365
  • Forensic artifacts and best practices can help defend against these attacks
  • Organizations need to invest time and effort into understanding and defending against Office 365 attacks
The presenters shared a case study of an attacker who used the Graph API to read mailbox content for a user they were interested in. The attacker made repeated API requests for almost 90 days before being detected.

Abstract

As organizations increase their adoption of cloud services, we see attackers following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world and it is also becoming an increasingly interesting target for threat actors. Office 365 encompasses not only Exchange, but also Teams, SharePoint, OneDrive, and more. The sheer volume of data stored in Office 365 means that in many cases an attacker need not compromise the on-premise network to complete their mission.In this talk, we walk through a number of case studies taken from real APT intrusions that we've been a part of. We will begin with relatively unsophisticated techniques that are used by small-time actors and have been widely discussed. From there, we work our way up to the most sophisticated and stealthy techniques that we have only observed in the wild on a few occasions. These techniques utilize parts of Office 365 that are often poorly understood and not closely monitored.Along the way, we will provide insight into the various forensic artifacts available to an investigator and their many nuances. We will discuss some important gotchas that can trip up inexperienced analysts. Lastly, we will also discuss important best practices for administrators to defend their tenants against these increasingly sophisticated threats.
Materials:
Slides
Tags:

Post a comment

Related work

Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild

Conference:  BlackHat USA 2021
Authors:
2021-08-04

From Feature to Weapon: Breaking Microsoft Teams and SharePoint Integrity

Conference:  Defcon 31
Authors: Dr Nestori Syynimaa Senior Principal Security Researcher, Secureworks
2023-08-01

New Phishing Attacks Exploiting OAuth Authentication Flows

Conference:  Defcon 29
Authors:
2021-08-01

Don't Dare to Exploit - An Attack Surface Tour of SharePoint Server

Conference:  Defcon 29
Authors:
2021-08-01

It's not FINished: The Evolving Maturity in Ransomware Operations

Conference:  BlackHat EU 2020
Authors:
2020-12-09

Abusing Azure Active Directory: From MFA Bypass to Listing Global Administrators

Conference:  Black Hat Asia 2023
Authors: Nestori Syynimaa, Sravan Akkaram
2023-05-12