My Cloud is APT's Cloud: Investigating and Defending Office 365

Conference: BlackHat USA 2020



The presentation discusses the increasing threat of targeted attacks on Microsoft Office 365 and the need for organizations to understand and defend against these attacks.
  • Office 365 is becoming a popular target for threat actors due to the large volume of data stored in it
  • Attackers use both unsophisticated and sophisticated techniques to gain access to Office 365
  • Forensic artifacts and best practices can help defend against these attacks
  • Organizations need to invest time and effort into understanding and defending against Office 365 attacks
The presenters shared a case study of an attacker who used the Graph API to read mailbox content for a user they were interested in. The attacker made repeated API requests for almost 90 days before being detected.
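The case study above is exactly the kind of pattern that is invisible in a single log line and obvious in aggregate: one application identity touching one mailbox, day after day. The script below is an added example (not code from the talk or from Microsoft) of the aggregation an investigator would run over an export of mailbox-access audit records. It assumes records carrying the fields `Operation`, `UserId`, `ClientAppId` and `CreationTime` (the `MailItemsAccessed` operation exists in Exchange mailbox auditing, but the export shape and the sample records here are constructed for the example) and flags any user/app pair whose mailbox reads span an unusually large number of distinct days.

```python
"""Flag sustained, long-running mailbox access by a single app identity.

Added example: aggregates constructed audit records resembling Office 365
unified-audit-log exports. Field names and sample values are assumptions.
"""
from collections import defaultdict
from datetime import datetime


def build_sample_records():
    """Constructed sample audit records (not real tenant data)."""
    records = []
    # Baseline: the user's normal mail client touching the mailbox on a few days.
    for day in (1, 2, 3):
        records.append({
            "CreationTime": f"2020-03-{day:02d}T08:15:00",
            "Operation": "MailItemsAccessed",
            "UserId": "alice@example.com",
            "ClientAppId": "legit-mail-client-app-id",  # constructed value
        })
    # Sustained pattern: a third-party app id polling the mailbox twice a day
    # for 30 days, mirroring the repeated Graph API reads in the case study.
    for day in range(1, 31):
        for hour in (2, 14):
            records.append({
                "CreationTime": f"2020-03-{day:02d}T{hour:02d}:00:00",
                "Operation": "MailItemsAccessed",
                "UserId": "alice@example.com",
                "ClientAppId": "00000000-0000-0000-0000-00000000beef",  # constructed
            })
    return records


def find_sustained_mailbox_access(records, min_distinct_days=14):
    """Return user/app pairs whose mailbox reads occur on >= min_distinct_days days.

    Grouping on (UserId, ClientAppId) separates a user's own client from an
    application identity reading the same mailbox, which is the distinction
    an investigator needs when the reads are made through an API.
    """
    seen = defaultdict(lambda: {"days": set(), "events": 0})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        key = (rec["UserId"], rec["ClientAppId"])
        day = datetime.fromisoformat(rec["CreationTime"]).date()
        seen[key]["days"].add(day)
        seen[key]["events"] += 1

    hits = []
    for (user, app), info in seen.items():
        if len(info["days"]) >= min_distinct_days:
            first, last = min(info["days"]), max(info["days"])
            hits.append({
                "user": user,
                "app": app,
                "distinct_days": len(info["days"]),
                "events": info["events"],
                "span_days": (last - first).days + 1,
            })
    # Longest-running access first: that is where a 90-day campaign surfaces.
    return sorted(hits, key=lambda h: h["distinct_days"], reverse=True)


if __name__ == "__main__":
    for hit in find_sustained_mailbox_access(build_sample_records()):
        print(f"{hit['user']} read by {hit['app']}: "
              f"{hit['events']} events on {hit['distinct_days']} days "
              f"(span {hit['span_days']} days)")
```

The threshold of 14 distinct days is an assumption chosen for the sample; in practice the baseline of legitimate client app IDs for a tenant decides where the line sits, and any app ID outside that baseline with multi-week access to a mailbox deserves a closer look regardless of volume.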


As organizations increase their adoption of cloud services, we see attackers following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world, and it is also becoming an increasingly interesting target for threat actors. Office 365 encompasses not only Exchange, but also Teams, SharePoint, OneDrive, and more. The sheer volume of data stored in Office 365 means that in many cases an attacker need not compromise the on-premises network to complete their mission.

In this talk, we walk through a number of case studies taken from real APT intrusions that we've been a part of. We will begin with relatively unsophisticated techniques that are used by small-time actors and have been widely discussed. From there, we work our way up to the most sophisticated and stealthy techniques that we have only observed in the wild on a few occasions. These techniques utilize parts of Office 365 that are often poorly understood and not closely monitored.

Along the way, we will provide insight into the various forensic artifacts available to an investigator and their many nuances. We will discuss some important gotchas that can trip up inexperienced analysts. Lastly, we will also discuss important best practices for administrators to defend their tenants against these increasingly sophisticated threats.


