Russian Hackers Hijack Microsoft 365 Accounts by Abusing Azure Active Directory

Mandiant researchers have spotted a new campaign from APT29, the Russian state-backed group that persistently targets victims' Microsoft 365 accounts for reconnaissance and data theft.

In this campaign the threat actors abuse Microsoft Azure Active Directory (Azure AD) to gain access to the target's environment, and then use several further techniques to hide their activity.

Taking Over Azure AD Accounts

Microsoft 365 is Microsoft's cloud productivity suite for enterprises, running on Azure and backed by dedicated security and auditing controls for the accounts and data it holds, so attackers targeting it need considerable skill.

APT29 (also known as Cozy Bear or Nobelium) is exactly that. As the Mandiant researchers note, the group is using Azure AD to get into target environments and is pairing the intrusion with several anti-detection methods, a new way of going after Microsoft 365 accounts.

In the latest campaign, the threat actors brute-force the passwords of Microsoft 365 accounts that were provisioned in Azure AD but never used: the legitimate owner has never signed in.

And since Azure asks self-enrolling users to set up an MFA alongside the first-time access – they will be formed as a part of the trusted accounts to be allowed later on. And users satisfying this basic security prerequisite are allowed to access the company’s VPN infrastructure.

An attacker who gets this far can move around the breached environment without raising suspicion. Next, they disable Purview Audit on targeted mailboxes. Purview Audit (formerly Advanced Audit) is the Microsoft 365 feature whose MailItemsAccessed event records the user agent, IP address, timestamp and username each time mail data is read, whether through Outlook or through a separate client or program.

Those records are what analysts rely on later to establish which messages were read, so disabling the feature lets the intruders operate silently. Further, they run their operations from Azure virtual machines, so the sign-in and audit logs are "contaminated" with Microsoft-owned IP addresses that look legitimate and are hard for defenders and detection rules to distinguish from normal Microsoft 365 service traffic.
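The three behaviours above (first-sign-in MFA enrollment on dormant accounts, Purview Audit being switched off, and mailbox reads from Microsoft cloud IP space) each leave a trace that can be hunted for. The following is an added example, not Mandiant's or Microsoft's code: it runs simple detection logic over a handful of constructed, simplified audit records. The field names, the `M365_ADVANCED_AUDITING` service-plan string and the `AZURE_RANGES` prefix are assumptions for illustration; real Azure AD sign-in logs and Unified Audit Log records differ by workload, and the real Azure prefixes come from Microsoft's published "Azure IP Ranges and Service Tags" list.

```python
"""Detection checks for the three behaviours described above.

Added example, not Mandiant's or Microsoft's code. The events below are
constructed, simplified versions of Azure AD sign-in/audit events and
Microsoft 365 Unified Audit Log records (real field names differ by
workload), and AZURE_RANGES is a placeholder, not the published list.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (flattened; documentation IPs stand in for the attacker).
SAMPLE_EVENTS = [
    # Dormant account: first-ever sign-in, then MFA registered 90 s later.
    {"time": "2022-08-01T03:12:00Z", "user": "svc-backup@corp.example",
     "op": "UserLoggedIn", "ip": "198.51.100.23", "result": "Success"},
    {"time": "2022-08-01T03:13:30Z", "user": "svc-backup@corp.example",
     "op": "User registered security info", "ip": "198.51.100.23", "result": "Success"},
    # Established employee with months of history and no fresh registration.
    {"time": "2022-03-01T09:00:00Z", "user": "alice@corp.example",
     "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"},
    {"time": "2022-08-01T09:00:00Z", "user": "alice@corp.example",
     "op": "UserLoggedIn", "ip": "203.0.113.10", "result": "Success"},
    # Audit trail switched off two ways: license removal and Set-Mailbox.
    {"time": "2022-08-01T03:20:00Z", "user": "admin@corp.example",
     "op": "Change user license", "ip": "198.51.100.23", "result": "Success",
     "target": "bob@corp.example", "removed": ["M365_ADVANCED_AUDITING"]},  # assumed SKU name
    {"time": "2022-08-01T03:21:00Z", "user": "admin@corp.example",
     "op": "Set-Mailbox", "ip": "198.51.100.23", "result": "Success",
     "target": "carol@corp.example", "params": {"AuditEnabled": "False"}},
    # Mailbox reads: one from a Microsoft cloud range, one from the office.
    {"time": "2022-08-01T04:00:00Z", "user": "bob@corp.example",
     "op": "MailItemsAccessed", "ip": "20.42.65.90", "result": "Success"},
    {"time": "2022-08-01T04:05:00Z", "user": "alice@corp.example",
     "op": "MailItemsAccessed", "ip": "203.0.113.10", "result": "Success"},
]

# Placeholder prefix standing in for the Azure "IP Ranges and Service Tags" list.
AZURE_RANGES = [ipaddress.ip_network("20.42.0.0/16")]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def first_login_mfa_enrollments(events, window=timedelta(hours=1)):
    """Users whose first successful sign-in ever is followed within `window`
    by MFA (security info) registration: the dormant-account takeover pattern."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        logins = [e for e in evs if e["op"] == "UserLoggedIn" and e["result"] == "Success"]
        if not logins:
            continue
        first = parse_time(logins[0]["time"])
        for e in evs:
            reg_time = parse_time(e["time"])
            if e["op"] == "User registered security info" and first <= reg_time <= first + window:
                flagged.append((user, e["ip"]))
                break
    return flagged


def audit_disable_events(events):
    """Actor/target pairs where Purview Audit was removed from a mailbox, either by
    stripping the auditing license or by running Set-Mailbox -AuditEnabled $false."""
    hits = []
    for ev in events:
        if ev["op"] == "Change user license" and any(
                "AUDIT" in sku.upper() for sku in ev.get("removed", [])):
            hits.append((ev["user"], ev["target"]))
        elif ev["op"] == "Set-Mailbox" and ev.get("params", {}).get("AuditEnabled") == "False":
            hits.append((ev["user"], ev["target"]))
    return hits


def mail_access_from_cloud_ranges(events, ranges=AZURE_RANGES):
    """MailItemsAccessed events whose client IP falls inside a Microsoft cloud range.
    Worth a second look rather than an alert on its own, because genuine Microsoft
    service traffic also originates there."""
    addr_hits = []
    for ev in events:
        if ev["op"] != "MailItemsAccessed":
            continue
        ip = ipaddress.ip_address(ev["ip"])
        if any(ip in net for net in ranges):
            addr_hits.append((ev["user"], ev["ip"]))
    return addr_hits


if __name__ == "__main__":
    print("dormant-account MFA enrollment:", first_login_mfa_enrollments(SAMPLE_EVENTS))
    print("audit disabled:", audit_disable_events(SAMPLE_EVENTS))
    print("mail access from cloud ranges:", mail_access_from_cloud_ranges(SAMPLE_EVENTS))
```

The first check is the high-signal one: a first-ever sign-in followed almost immediately by security-info registration on an account nobody has used is exactly the enrollment race described above. The second is cheap to run over the admin audit trail and should page someone, since removing auditing has no routine business reason. The third only narrows the field: because Microsoft service traffic also comes from Azure ranges, pair it with the user's normal client locations and user agents before acting on it.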
