2022-08-24

APT29's TTPs Against Microsoft 365

Level: Strategic | Source: Mandiant | Government

Mandiant's research into the Russian espionage group APT29 found the group operating against Microsoft 365 with notable competence, as seen in its recent TTPs. To evade detection and keep defenders from reconstructing its activity, APT29 disabled Purview Audit for the accounts it targeted. When Purview Audit is enabled, the Mail Items Accessed audit records which mail items are read; as Mandiant notes, "This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure. Further, it is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API." With that audit removed, defenders cannot trace which accounts the attackers targeted and accessed.

A second area APT29 attacks is the MFA enrollment process, specifically the self-service rollout in which users are prompted at their next login to register an MFA device. Holding valid usernames and passwords, the attackers complete that enrollment themselves, because nothing beyond the password protects the enrollment step. Accounts that were provisioned but never used are a ready target: a password-guessing attack that lands on one yields an account whose MFA was never set up, which the attacker then registers to a device under their control.

APT29 also demonstrated stealth through residential proxies and Azure Virtual Machines. Sign-ins that originate from Microsoft IP address space help the attackers evade detection: "Sourcing their last-mile access from trusted Microsoft IP addresses reduces the likelihood of detection. Because Microsoft 365 itself runs on Azure, the Azure AD Sign-In and Unified Audit Logs already contain many Microsoft IP addresses and it can be hard to quickly determine if an IP address belongs to a malicious VM or a backend M365 service."

Mandiant's tracking of APT29 in 2022 found the group focused on "organizations responsible for influencing and crafting the foreign policy of NATO countries."
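As an added illustration (not code from Anvilogic or Mandiant), the following Python runs two simple detections over constructed Azure AD-style audit and sign-in events: it flags MFA security-info registrations by accounts with no sign-in history older than a short grace window before the enrollment (the dormant-account enrollment hijack described above), and it flags license changes that strip the Advanced Audit service plan (the Purview Audit disablement). The event field names, the `M365_ADVANCED_AUDITING` plan name, and every event are assumptions constructed for this example; map them to the fields of your own log export.

```python
"""Constructed Azure AD-style events plus two detections for the APT29
behaviours discussed above. Example code, not from the original page.
Field names are modelled loosely on the Azure AD audit/sign-in schema but
are assumptions for this illustration."""
from datetime import datetime, timedelta, timezone

# Assumption: service plan that carries Purview (Advanced) Audit entitlement.
ADVANCED_AUDIT_PLAN = "M365_ADVANCED_AUDITING"

# Constructed sign-in log (not real data). alice has months of history;
# svc-dormant's first-ever sign-in is the one that precedes its MFA enrollment.
SIGNINS = [
    {"user": "alice@example.test", "time": "2022-06-01T08:00:00Z",
     "ip": "203.0.113.10", "result": "success"},
    {"user": "alice@example.test", "time": "2022-07-15T09:12:00Z",
     "ip": "203.0.113.10", "result": "success"},
    {"user": "svc-dormant@example.test", "time": "2022-08-02T02:40:00Z",
     "ip": "198.51.100.77", "result": "success"},
]

# Constructed audit log (not real data).
AUDIT = [
    {"activity": "User registered security info", "user": "alice@example.test",
     "time": "2022-07-15T09:13:00Z", "ip": "203.0.113.10"},
    {"activity": "User registered security info", "user": "svc-dormant@example.test",
     "time": "2022-08-02T02:41:00Z", "ip": "198.51.100.77"},
    {"activity": "Change user license", "user": "bob@example.test",
     "time": "2022-08-02T03:05:00Z", "initiated_by": "admin@example.test",
     "old_plans": ["EXCHANGE_S_ENTERPRISE", ADVANCED_AUDIT_PLAN],
     "new_plans": ["EXCHANGE_S_ENTERPRISE"]},
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_mfa_enrollments(signins, audit, grace=timedelta(days=1)):
    """Flag MFA registrations whose account has no successful sign-in older
    than `grace` before the registration. A legitimate rollout user has a
    sign-in history; an account whose first successful sign-in lands inside
    the grace window of its enrollment was dormant until someone with its
    password showed up and enrolled a device."""
    flagged = []
    for ev in audit:
        if ev["activity"] != "User registered security info":
            continue
        t = parse_ts(ev["time"])
        prior = [parse_ts(s["time"]) for s in signins
                 if s["user"] == ev["user"] and s["result"] == "success"
                 and parse_ts(s["time"]) < t]
        if not prior or t - min(prior) <= grace:
            flagged.append((ev["user"], ev["ip"], ev["time"]))
    return flagged


def audit_license_removals(audit, plan=ADVANCED_AUDIT_PLAN):
    """Flag license changes that remove the Advanced Audit plan from a user.
    Returns (target user, initiating actor, time) so the actor can be reviewed."""
    return [(ev["user"], ev["initiated_by"], ev["time"]) for ev in audit
            if ev["activity"] == "Change user license"
            and plan in ev.get("old_plans", [])
            and plan not in ev.get("new_plans", [])]


if __name__ == "__main__":
    for hit in dormant_mfa_enrollments(SIGNINS, AUDIT):
        print("dormant-account MFA enrollment:", hit)
    for hit in audit_license_removals(AUDIT):
        print("Advanced Audit plan removed:", hit)
```

The grace window is the tunable part: during a tenant-wide MFA rollout every user registers once, so the signal is not the registration itself but a registration by an account with no prior history. The license check pairs with the audit point above, since the actor who removes the plan is also the account to investigate.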
