Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild

Conference: BlackHat USA 2021

2021-08-04

Summary

Advanced nation-state backed threat actors are increasingly investing their time and money to develop novel ways to access Microsoft 365 and extract data. In this talk, the speaker breaks down a number of novel techniques that have been observed used in the past year by APT groups to persistently access Microsoft 365 and extract data.
  • Attackers are targeting Microsoft 365 to steal data, especially for threat groups with intelligence collection requirements
  • Attackers are disabling security features like auditing and logging to avoid detection
  • Abusing mailbox folder permissions is an older technique that attackers still use to access folder contents
  • Threat actors are automating data theft through old techniques like mailbox folder permissions and some newer techniques like abusing enterprise applications
  • Maintaining persistent access by abusing SAML and ADFS is another technique used by threat actors

Threat actors have been observed using the Set-MailboxAuditBypassAssociation cmdlet to prevent any and all mailbox actions for specific users from being logged. This allows attackers to access a particular mailbox without generating a mail item access log entry. Another technique used by threat actors is to downgrade critical users from an E5 to an E3 license, which disables mail item access logging without degrading any of the features that the majority of users rely on day to day.
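A defender-side check for the audit-bypass technique described above, added here as an example and not part of the talk's materials: it lists mailboxes whose auditing is bypassed or switched off, then recovers who invoked the cmdlet from the unified audit log. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) with an account holding an audit-log reader role; the 90-day lookback is an assumed default.

```powershell
# Added example (not from the talk). Assumes Connect-ExchangeOnline has
# already been run and the account can read the unified audit log.
param(
    [int]$LookbackDays = 90   # assumption: search window for the audit log
)

# 1. A mailbox with AuditBypassEnabled = $true produces no mailbox audit
#    records at all, which is the logging gap the talk describes.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled -eq $true } |
    Select-Object Name, AuditBypassEnabled

# 2. Mailboxes where auditing itself has been disabled are a related gap.
$auditOff = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled -eq $false } |
    Select-Object UserPrincipalName, AuditEnabled

# 3. Setting the bypass is an admin action and is itself recorded, so the
#    actor, target and parameters can be recovered for the lookback window.
$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date
$changes = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin `
        -Operations 'Set-MailboxAuditBypassAssociation' `
        -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            Actor      = $d.UserId
            Target     = $d.ObjectId
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    }

Write-Output "Mailboxes with audit bypass enabled: $($bypassed.Count)"
$bypassed | Format-Table -AutoSize
Write-Output "Mailboxes with auditing disabled: $($auditOff.Count)"
$auditOff | Format-Table -AutoSize
Write-Output "Set-MailboxAuditBypassAssociation invocations in the last $LookbackDays days: $($changes.Count)"
$changes | Sort-Object When | Format-Table -AutoSize
```

Any non-empty result in the first or third table deserves a review, since there is rarely a legitimate reason to exempt a user mailbox from auditing.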

Abstract

This past year has proved the point that advanced nation-state backed threat actors are increasingly investing their time and money to develop novel ways to access the cloud. These actors are especially interested in Microsoft 365, where more and more organizations are collaborating and storing some of their most confidential data. Especially for threat groups with intelligence collection requirements, Microsoft 365 can be their holy grail.

In this talk, we will break down a number of novel techniques that we've observed used in the past year by APT groups to persistently access Microsoft 365 and extract data. This talk will detail the technical underpinnings that are key to understanding and realizing these techniques. We will also cover new extensions or facets of these techniques that have not yet been observed or discussed but are natural extensions of the techniques that organizations should be prepared for.
