- Security researchers have observed a threat actor linked to the SolarWinds campaign accessing targeted emails in Microsoft 365 by modifying individual mailbox permissions, according to an white paper from FireEye’s Mandiant unit.
- The method allows the attacker to assign read-only permissions to any authenticated users in the targeted M365 tenant. The threat actor can then use any compromised account to sign into M365 and read the email of targeted user mailboxes, according to Mandiant officials. The technique often goes unnoticed because security organizations do not typically monitor folder permission modifications, according to Mandiant.
- "This technique allows the threat actor to access the email messages contained in the mailbox folders they modify," Douglas Bienstock, manager, incident response at Mandiant, said via email. "This aligns with what FireEye has observed, in some cases, as the threat actor’s goal is to persistently access email of targeted individuals in an organization."
Mandiant in December disclosed a campaign by the threat group, which it calls UNC 2452, to gain access to on-premise networks and move laterally into Microsoft 365 cloud environments. Mandiant linked the threat actor to the Sunburst malware used during the SolarWinds campaign.
The techniques included stealing the Active Directory Federation Services token signing certificate and using it to forge tokens for arbitrary users, according to Mandiant, a technique often called the Golden SAML. The technique allows a user to authenticate Microsoft 365 without the need for a password or multifactor authentication.
Another technique through an Azure AD backdoor allows an attacker to add or modify trusted domains in Azure AD, which allows the attacker to add a federated identity provider that he or she controls.
Among the more recently seen techniques, Mandiant observed the modification of mailbox folder permissions. Other threat actors have used the technique and security researchers have discussed the technique since 2017, Bienstock said.
This particular threat actor has targeted a variety of organizations, including government, non-government organizations, software, security, telecommunications, higher education and business and IT services companies, he said.
Microsoft, when asked about the new Mandiant findings, said the "technique requires accounts to already have been compromised in order to function as described."
The whitepaper outlines a few steps that organizations can use to prevent the attack and Bienstock said Mailbox Auditing should be enabled on mailboxes. Security information and event management (SIEM) or other log analytics platforms should also have signatures to monitor for this activity.
Mandiant released a tool on its GitHub repository that can be used to check for compromise.