APT29’s new Microsoft 365 hacking techniques examined

Russian state-sponsored hacking group APT29, also known as Cozy Bear and Nobelium, has been using new tactics, techniques, and procedures in cyberespionage operations aimed at compromising Microsoft 365 accounts, BleepingComputer reports. Mandiant researchers found that APT29 has been deactivating the Purview Audit feature, available to Microsoft 365 users with the E5 license, so that access to compromised accounts is not audited. "[Purview Audit] is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure. It is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API," said Mandiant. APT29 has also been abusing Azure Active Directory's self-enrollment process for multi-factor authentication, which has enabled brute-force attacks on the usernames and passwords of accounts that had not yet logged in to the domain, according to researchers. The report also showed that APT29 has used compromised accounts to conceal its operations.
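The defensive counterpart to the audit-disabling technique described above is to alert when audit coverage is reduced. The following is an added detection example, not code from the article or from Mandiant; it flags license changes that remove the Purview Audit service plan from a user and Exchange admin actions that switch per-mailbox auditing off. The record shapes, the "Change user license" activity name, the "AssignedLicense" property and the plan name M365_ADVANCED_AUDITING are assumptions modelled on Azure AD and Exchange admin audit data, and the sample records are constructed.

```python
# Added example, not from the article or Mandiant: flag Microsoft 365 audit
# records that reduce mailbox audit coverage. Record shapes and the service-plan
# name are assumptions chosen to mirror Azure AD and Exchange admin audit data.
AUDIT_PLAN = "M365_ADVANCED_AUDITING"  # assumed plan name for Purview Audit (Premium)

def license_plan_removed(event, plan=AUDIT_PLAN):
    """True if a 'Change user license' event removed `plan` from its target user."""
    if event.get("activityDisplayName") != "Change user license":
        return False
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "AssignedLicense":
                old, new = prop.get("oldValue") or "", prop.get("newValue") or ""
                if plan in old and plan not in new:
                    return True
    return False

def mailbox_audit_disabled(event):
    """True if a Set-Mailbox admin action switched per-mailbox auditing off."""
    if event.get("Operation") != "Set-Mailbox":
        return False
    return any(p.get("Name") == "AuditEnabled" and str(p.get("Value")).lower() == "false"
               for p in event.get("Parameters", []))

def find_audit_tampering(events):
    """Return (finding, target, actor) for every event that weakens auditing."""
    findings = []
    for ev in events:
        if license_plan_removed(ev):
            target = ev["targetResources"][0].get("userPrincipalName", "?")
            findings.append(("purview_audit_license_removed", target, ev.get("initiatedBy")))
        elif mailbox_audit_disabled(ev):
            findings.append(("mailbox_audit_disabled", ev.get("ObjectId"), ev.get("UserId")))
    return findings

# Constructed sample records: plan removal, plan grant (benign), audit switch-off, routine change (benign).
SAMPLE_EVENTS = [
    {"activityDisplayName": "Change user license", "initiatedBy": "admin@example.test",
     "targetResources": [{"userPrincipalName": "alice@example.test", "modifiedProperties": [
         {"displayName": "AssignedLicense", "oldValue": "[M365_ADVANCED_AUDITING, EXCHANGE_S_ENTERPRISE]",
          "newValue": "[EXCHANGE_S_ENTERPRISE]"}]}]},
    {"activityDisplayName": "Change user license", "initiatedBy": "admin@example.test",
     "targetResources": [{"userPrincipalName": "bob@example.test", "modifiedProperties": [
         {"displayName": "AssignedLicense", "oldValue": "[]", "newValue": "[M365_ADVANCED_AUDITING]"}]}]},
    {"Operation": "Set-Mailbox", "UserId": "svc@example.test", "ObjectId": "carol@example.test",
     "Parameters": [{"Name": "Identity", "Value": "carol"}, {"Name": "AuditEnabled", "Value": "False"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.test", "ObjectId": "dave@example.test",
     "Parameters": [{"Name": "Identity", "Value": "dave"}, {"Name": "RetainDeletedItemsFor", "Value": "30"}]},
]
```

Running `find_audit_tampering(SAMPLE_EVENTS)` on the constructed records yields one finding for alice's plan removal and one for carol's mailbox, while the benign grant and the retention change are ignored.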
