Micrsosoft 365 continues to be a target for the Russian-based threat group known as Cozy Bear, according to researchers at Mandiant.
Also known as APT29 by some analysts and believed to be supported by Russia’s foreign intelligence service, the group continues to show “exceptional operational security and advanced tactics targeting Microsoft 365,” Mandiant said in a background blog.
That includes getting around multifactor authentication (MFA). Threat actors — including APT29 –take advantage of the self-enrollment process for MFA in Microsoft’s Azure Active Directory and other platforms, the report says.
“When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login. This is often the workflow chosen by organizations to roll out MFA. In Azure AD and other platforms’ default configurations, there are no additional enforcements on the MFA enrollment process,” Mandiant says. “In other words, anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first person to do it.”
In one incident, the report says, APT29 conducted a password guessing attack against a list of mailboxes they had somehow obtained. They successfully guessed the password to an account that had been setup, but never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA. Once enrolled, the attacker was able to use the account to access the organization’s’ VPN infrastructure, which was using Azure AD for authentication and MFA.
Mandiant recommends that organizations ensure all active accounts have at least one MFA device enrolled, and work with their platform vendor to add additional verifications to the MFA enrollment process.
Microsoft Azure AD recently rolled out a feature to allow organizations to enforce controls around specific actions such as MFA device enrollment, the report says. Using conditional access, IT administrators can restrict the registration of MFA devices to only trusted locations, such as the internal network, or to trusted devices.
Admins can also choose to require MFA to enroll MFA. To avoid the chicken-and-egg situation this creates, help desk employees can issue Temporary Access Passes to employees when they first join or if they lose their MFA device, the report says. The pass can be used for a limited time to login, bypass MFA, and register a new MFA device.
APT29 also tries to take advantage of Microsoft 365’s multiple licencing plans, including disabling its Purview Audit, formerly Advanced Audit. This feature, available with E5 licenses and certain add-ons, enables the Mail Items Accessed audit. Mail Items Accessed records the user-agent string, timestamp, IP address, and user each time a mail item is accessed. The audit, says Mandiant, records any type of mail access, whether it is using the Graph API, Outlook, a browser, or other methodology. “This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure. Further, it is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API,” the report says.
APT29 has been found disabling Purview Audit on targeted accounts in a compromised tenant. Once it is disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when. “Given APT29’s targeting and TTPs (tactics, techniques and procedures), Mandiant believes that email collection is the most likely activity following disablement of Purview Audit.”
Mandian has updated its white paper, Remediation and Hardening Strategies for Microsoft 365, to include more details on this technique as well as detection and remediation advice. It has also updated the Azure AD Investigator with a new module to report on users with advanced auditing disabled.