Advanced nation-state-backed threat actors are increasingly investing time and money in developing novel ways to access Microsoft 365 and extract data. In this talk, the speaker breaks down a number of novel techniques that have been observed being used in the past year by APT groups to persistently access Microsoft 365 and extract data.
- Attackers are targeting Microsoft 365 to steal data, especially for threat groups with intelligence collection requirements
- Attackers are disabling security features like auditing and logging to avoid detection
- Abusing mailbox folder permissions is an older technique that attackers still use to access folder contents
- Threat actors are automating data theft through old techniques like mailbox folder permissions and some newer techniques like abusing enterprise applications
- Maintaining persistent access by abusing SAML and ADFS is another technique used by threat actors
Threat actors have been observed using the Set-MailboxAuditBypassAssociation cmdlet to prevent any and all mailbox actions for specific users from being logged. This allows attackers to access a particular mailbox without generating a MailItemsAccessed audit record. Another technique used by threat actors is to downgrade critical users from an E5 to an E3 license, which disables mail item access (MailItemsAccessed) logging without degrading any of the features that the majority of users take advantage of on a daily basis.
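The following detection routine is an added example, not code from the talk or from Microsoft: it walks unified-audit-log style records and flags the three defender-visible traces of the techniques above (audit bypass being enabled on a mailbox, folder permissions granted to the Default or Anonymous principal, and an E5 licence being removed from a user). The record layout, field names, SKU strings (ENTERPRISEPREMIUM for E5, ENTERPRISEPACK for E3) and all sample values are assumptions constructed for the example; real exports differ in detail and the `ModifiedProperties` encoding in particular is simplified.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample records, shaped roughly like Office 365 Management Activity
# API / unified audit log entries. Every value here is made up for the example.
SAMPLE_AUDIT_RECORDS: List[Dict[str, Any]] = [
    {"CreationTime": "2024-01-10T08:02:11", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Set-MailboxAuditBypassAssociation", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"CreationTime": "2024-01-10T08:05:40", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Add-MailboxFolderPermission", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example:\\Inbox"},
                    {"Name": "User", "Value": "Default"},
                    {"Name": "AccessRights", "Value": "Reviewer"}]},
    # Benign delegation between two named users: should not be flagged.
    {"CreationTime": "2024-01-10T09:00:00", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Add-MailboxFolderPermission", "UserId": "helpdesk@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "alice@contoso.example:\\Calendar"},
                    {"Name": "User", "Value": "bob@contoso.example"},
                    {"Name": "AccessRights", "Value": "Reviewer"}]},
    # Assumed shape of an Entra ID licence change (simplified): old/new SKU lists as JSON strings.
    {"CreationTime": "2024-01-10T10:15:00", "Workload": "AzureActiveDirectory", "RecordType": 8,
     "Operation": "Change user license.", "UserId": "admin@contoso.example",
     "ObjectId": "ceo@contoso.example",
     "ModifiedProperties": [{"Name": "AssignedLicense",
                             "OldValue": "[\"ENTERPRISEPREMIUM\"]",
                             "NewValue": "[\"ENTERPRISEPACK\"]"}]},
    # Unrelated admin activity: should not be flagged.
    {"CreationTime": "2024-01-10T11:00:00", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "alice@contoso.example"},
                    {"Name": "ProhibitSendQuota", "Value": "49 GB"}]},
]

E5_SKU = "ENTERPRISEPREMIUM"  # assumed SKU part number for Office 365 E5
FOLDER_PERM_OPS = ("Add-MailboxFolderPermission", "Set-MailboxFolderPermission")
SHARED_PRINCIPALS = ("default", "anonymous")


def _params(record: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the Exchange cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def classify(record: Dict[str, Any]) -> Optional[str]:
    """Return a finding label for an audit-evasion / persistence record, else None."""
    op = record.get("Operation", "")
    if op == "Set-MailboxAuditBypassAssociation":
        # Bypass being turned ON is the interesting event; turning it off is remediation.
        if _params(record).get("AuditBypassEnabled", "").lower() == "true":
            return "audit-bypass-enabled"
    elif op in FOLDER_PERM_OPS:
        # Granting a folder to Default/Anonymous exposes it to every user / unauthenticated access.
        if _params(record).get("User", "").lower() in SHARED_PRINCIPALS:
            return "folder-permission-to-default-or-anonymous"
    elif op == "Change user license.":
        for prop in record.get("ModifiedProperties", []):
            if prop.get("Name") != "AssignedLicense":
                continue
            old = json.loads(prop.get("OldValue") or "[]")
            new = json.loads(prop.get("NewValue") or "[]")
            if E5_SKU in old and E5_SKU not in new:
                return "e5-license-removed"
    return None


def _target(record: Dict[str, Any]) -> str:
    """Mailbox or account the change was applied to (Identity for Exchange, ObjectId for Entra)."""
    if record.get("Workload") == "Exchange":
        # Folder identities look like "user@domain:\Folder"; keep only the mailbox part.
        return _params(record).get("Identity", "").split(":")[0]
    return str(record.get("ObjectId", ""))


def find_audit_evasion(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of records and return structured findings."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        findings.append({"time": rec.get("CreationTime", ""), "actor": rec.get("UserId", ""),
                         "target": _target(rec), "finding": label})
    return findings


if __name__ == "__main__":
    for f in find_audit_evasion(SAMPLE_AUDIT_RECORDS):
        print(f"{f['time']} {f['finding']:45} actor={f['actor']} target={f['target']}")
```

Because the audit-bypass record and the licence change are themselves logged in the admin audit trail even though the victim mailbox's own activity is not, these administrative events are the place to look; a complementary point-in-time check is to enumerate mailboxes whose bypass association is currently enabled with Exchange Online PowerShell and compare the result against the change history this routine produces.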