Russian state-sponsored threat actor Cozy Bear (also known as APT29 or Nobelium) is deploying new tactics to sneak into Microsoft 365 accounts, in an attempt to steal sensitive foreign policy intelligence.
This is according to a new report from cybersecurity firm Mandiant, which claims Cozy Bear is using three techniques to execute (and disguise) the attacks:
- Disabling Purview Audit before engaging with a compromised email account
- Brute-forcing Microsoft 365 passwords that are yet to enroll in multi-factor authentication (MFA)
- Covering their tracks by using Azure Virtual Machines via compromised accounts, or by purchasing the service
New Microsoft 365 attack
Purview Audit, the researchers remind, is a high-level security feature that logs if a person accesses an email account outside the program (either via the browser, Graph API, or through Outlook). That way, IT departments can manage all accounts and make sure there’s no unauthorized access.
“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” Mandiant wrote. “It is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API.”
However, APT29 is well aware of this feature, and makes sure to disable it before accessing any email.
The researchers also found Cozy Bear abusing the self-enrollment process for MFA in Azure Active Directory (AD). When a user tries to log in for the first time, they’ll first need to enable MFA on the account.
The threat actors are looking to work around this feature by brute-forcing accounts that are yet to enroll in the advanced cybersecurity feature. Then, they complete the process in the victim’s stead, granting unabated access to the target organization’s VPN infrastructure, and thus, the entire network and its endpoints.
Finally, Azure’s virtual machines already hold Microsoft IP addresses, and due to the fact that Microsoft 365 runs on Azure, IT teams struggle to differentiate regular and malicious traffic. Cozy Bear can further hide its Azure AD activity by blending regular Application Address URLs with malicious activity.
The likelihood of regular users being targeted by the threat group is presumably relatively small, but large businesses will need to be alert to the attack vector, which might be used to target high-profile executives and others with access to sensitive information.
