Credit: Dreamstime
Government-sponsored hackers, who carry out cyberespionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organisations of all sizes.
From an intelligence collector's perspective, it makes sense to target it. "Microsoft 365 is a gold mine," Doug Bienstock, incident response manager at Mandiant, tells CSO. "The vast majority of [an organisation's] data is probably going to be in Microsoft 365, whether it's in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages."
Companies that rely heavily on Microsoft 365 tend to adopt it in almost every aspect of their work, from document writing to project planning, task automation, or data analytics.
Some also use Azure Active Directory as the authentication provider for their employees, and attackers know that. "Getting access to [Active Directory] can, by extension, grant you access to other cloud properties," Josh Madeley, incident response manager at Mandiant, tells CSO.
During their recent talk at Black Hat USA 2021, Madeley and Bienstock presented some of the novel techniques used by nation-state hackers in campaigns targeting data stored within Microsoft 365. The researchers showed how APT groups have evolved to evade detection and extract hundreds of gigabytes of data from their victims.
"These attackers are investing a lot of time and effort into learning about Microsoft 365," Bienstock says. "They know way more about Microsoft 365 than your admin does. They know more about it than probably some employees at Microsoft."
Avoiding detection
In the past year, APT groups have become better at avoiding detection, employing a few techniques that were never seen before. "One of those is downgrading user licenses from a Microsoft 365 E5 license to an E3 license," Madeley says. It typically appears early in an attack.
The E5 licence offers identity and app management, information protection, as well as threat protections. This helps organisations detect and investigate threats and notice malicious activity both on-premises and in the cloud environment, features the E3 license lacks.
"A lot of the advanced telemetry that more mature organisations rely on for detection comes with that E5 license," Madeley says. "So, while the threat actor may be saving the victim organisations money, they're actually really easily disabling the most effective detection mechanisms that organisations have."
Mailbox folder permission abuse
The two researchers saw APT groups use licence downgrading together with an older technique that has been around since 2017, mailbox folder permission abuse, first described by Beau Bullock at Black Hills Information Security in the context of red teaming.
"There's an analogy between folder permissions on your desktop and folder permissions in a mailbox," Madeley says. "You can assign permissions to users for specific mailboxes or specific folders within your mailbox."
A person can, for instance, have read access to another person's special projects mailbox folder if the two are working on those projects together. Or, someone could give their colleagues read access to their calendar folder to schedule meetings more efficiently.
Mailbox folder permissions can be assigned as individual permissions or as roles, which are essentially collections of folder permissions. The threat actors will be after roles that have read permission, such as author, editor, owner, publishing author, or reviewer. They will try to apply them to users they control.
One threat actor leveraged the concept of the default user. If the default permission level is set to anything other than "none," then every user in that organisation can potentially access that folder or mailbox. The same goes for another special user, anonymous, which is designed for external, unauthenticated users.
Madeley saw a threat actor assigning the default user reviewer role, which has read permission. Once this modification is made, any authenticated user can access that mailbox folder. This technique, while not new, is still leveraged by at least one APT group because it's difficult to detect. It can be effective in the context of license downgrading.
"If you don't have that mailbox auditing that comes with your Microsoft 365 E5 license, you're not going to see the corresponding mailbox access of these random users on the network," Madeley says.
"To detect that, you have to enumerate the mailbox folder permissions on every mailbox in the environment, which sounds great if you have 50 people in a company, but if you have a tenant of 210,000 users, that can take weeks of running scripts."
A few other methods can detect this. For example, admins could look for EWS sign-ins that are used to access the modified folders. "In Azure Active Directory, these are going to be coded as non-interactive sign-ins," Madeley says. Alternatively, if MailItemsAccessed auditing is enabled, admins can look for any patterns on non-owner access to their high-value mailboxes.
Hijacking enterprise applications and app registrations
Another technique recently adopted by APT groups is the abuse of applications. Both app registrations (initial instance of an application -- apps local to the organisation) and enterprise applications (a "copy" of the app registration that lives in the consuming tenant -- global apps that can be used within an organisation) are called applications.
"Microsoft gives you this idea of registering an application that can then make API calls to the Graph API," Madeley says. "That can be simple things like create a new user, read a message. Say you want to build a third-party mail application that you can read and write messages with. All the API calls are there for you to interact with a mailbox."
When threat actors attempt to hijack enterprise applications, they would first look for an existing application that was legitimately configured. "Then, they would add credentials; they would add their own API keys to these applications that they could then use to authenticate to Microsoft 365," Madeley says.
Next, they would ensure that that application has the permissions to access the resources they wanted, such as reading mail. "If they didn't find an application that satisfied that requirement, they would then go ahead and add the permissions," Madeley says.
Once they did that, they were in. "We would see them authenticate every single day, Monday to Friday, read the last 24 hours of a particular user's mailbox," the researcher says. "Then log into the next user, read the last 24 hours of mailbox and then ship it off to their own servers where they can then review the contents and see what's interesting to them."
Read more on the next page...
