- Advanced persistent threat (APT) actors are using novel techniques to target Microsoft 365 users in the enterprise space, which nation-state actors see as a valuable target for espionage campaigns because of the confidential emails, SharePoint data and other information it contains, according to Mandiant researchers who presented a panel on these techniques at Black Hat 2021.
- To target Microsoft 365, threat actors are disabling mailbox audit logs, using older techniques like abusing mailbox folder permissions and new techniques like abusing enterprise applications, said Josh Madeley, manager of professional services at Mandiant.
- "If you're an espionage-motivated threat actor, Microsoft 365 is the holy grail," Madeley said.
Microsoft 365 has increasingly become the focus of nation-state actors because the application is a highly sought repository of valuable data. The switch from traditional office work to collaborative work-from-home has changed the way many companies use and store company data.
To execute the campaign, attackers identify an existing service principal inside a tenant that they want to hijack. They add MS Graph application permissions, specifically the file.read and mail.read permissions, which allow them to read mail and files within the tenant.
In order to authenticate, attackers then add new credentials, which can be either secrets or certificates, according to the Mandiant researchers. They add the credentials to act as their API keys. Once they have done this, they have remote access to make API calls to the MS Graph. Every day an attacker would log in and access the last 24 hours of emails from a set group of mailboxes.
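The two steps above (a sensitive Graph application permission granted to a service principal, then a new credential added to the same principal) are both written to the Azure AD audit log, so they can be correlated. The following is an added example, not code from the Mandiant talk or the article: the records are constructed, and the activity names and field paths follow the Azure AD audit log schema as I know it (treat the exact property names as assumptions to check against your tenant's logs).

```python
"""Flag service principals that received a sensitive Graph application permission
and a new credential within a short window of each other, from Azure AD audit events."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
# Graph application permissions whose addition to a service principal deserves review.
SENSITIVE_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}
PERMISSION_EVENT = "Add app role assignment to service principal"
CREDENTIAL_EVENT = "Add service principal credentials"

# Constructed sample records shaped like Azure AD audit log entries (not real tenant data).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2021-08-01T02:10:00Z", "activityDisplayName": PERMISSION_EVENT,
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
     "targetResources": [{"displayName": "legacy-sync-app", "modifiedProperties": [
         {"displayName": "AppRole.Value", "newValue": "\"Mail.Read\""}]}]},
    {"activityDateTime": "2021-08-01T02:12:00Z", "activityDisplayName": CREDENTIAL_EVENT,
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
     "targetResources": [{"displayName": "legacy-sync-app", "modifiedProperties": [
         {"displayName": "KeyDescription", "newValue": "\"[KeyType=Password,Usage=Verify]\""}]}]},
    {"activityDateTime": "2021-08-01T09:00:00Z", "activityDisplayName": CREDENTIAL_EVENT,
     "initiatedBy": {"user": {"userPrincipalName": "devops@example.onmicrosoft.com"}},
     "targetResources": [{"displayName": "ci-pipeline", "modifiedProperties": []}]},
])

def _sp_name(event):
    return event["targetResources"][0]["displayName"]

def _new_values(event, prop):
    """Collect newValue entries for one property; newValue is a JSON-encoded string in real logs."""
    return {(p.get("newValue") or "").strip('"')
            for p in event["targetResources"][0]["modifiedProperties"] if p["displayName"] == prop}

def find_hijack_candidates(raw_json, window=WINDOW):
    """Return {service principal: [permissions]} for principals that gained a sensitive
    application permission and a new credential within `window` of each other."""
    events = json.loads(raw_json)
    ts = lambda e: datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
    grants = [(ts(e), _sp_name(e), _new_values(e, "AppRole.Value") & SENSITIVE_PERMISSIONS)
              for e in events if e["activityDisplayName"] == PERMISSION_EVENT]
    creds = [(ts(e), _sp_name(e)) for e in events if e["activityDisplayName"] == CREDENTIAL_EVENT]
    hits = {}
    for g_time, sp, perms in grants:
        if perms and any(c_sp == sp and abs(c_time - g_time) <= window for c_time, c_sp in creds):
            hits.setdefault(sp, set()).update(perms)
    return {sp: sorted(p) for sp, p in hits.items()}

if __name__ == "__main__":
    print(find_hijack_candidates(SAMPLE_AUDIT_LOG))  # {'legacy-sync-app': ['Mail.Read']}
```

The lone credential added to ci-pipeline is not flagged on its own; the signal is the pairing with a new mail or file permission on the same principal, which is the sequence the researchers describe.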
Some organizations have what are called conditional access policies, which limit how people access a particular environment. Madeley warns that those policies don't apply to applications, which means a threat actor can authenticate to the Graph from anywhere in the world.
Service Principal sign-in logs weren't even available until mid-2020, Madeley said.
Despite all these concerns, Microsoft is paying attention to where applications are authenticating from on the back end, which makes access a little more difficult, Madeley said.
Attackers are also targeting Active Directory Federation Services token-signing keys to gain access to SAML tokens, according to Doug Bienstock, manager of professional services at Mandiant.
Mandiant previously documented that the threat actor behind the SolarWinds campaign had gained access to Microsoft 365 by modifying permissions using the Golden SAML technique. This involved stealing the AD FS token-signing certificate and using it to forge tokens for arbitrary users.