The most dangerous (and interesting) Microsoft 365 attacks

Government-sponsored hackers, who carry out cyberespionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organisations of all sizes.

From an intelligence collector's perspective, it makes sense to target it. "Microsoft 365 is a gold mine," Doug Bienstock, incident response manager at Mandiant, tells CSO. "The vast majority of [an organisation's] data is probably going to be in Microsoft 365, whether it's in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages."

Companies that rely heavily on Microsoft 365 tend to adopt it in almost every aspect of their work, from document writing to project planning, task automation, or data analytics.

Some also use Azure Active Directory as the authentication provider for their employees, and attackers know that. "Getting access to [Active Directory] can, by extension, grant you access to other cloud properties," Josh Madeley, incident response manager at Mandiant, tells CSO.

During their recent talk at Black Hat USA 2021, Madeley and Bienstock presented some of the novel techniques used by nation-state hackers in campaigns targeting data stored within Microsoft 365. The researchers showed how APT groups have evolved to evade detection and extract hundreds of gigabytes of data from their victims.

"These attackers are investing a lot of time and effort into learning about Microsoft 365," Bienstock says. "They know way more about Microsoft 365 than your admin does. They know more about it than probably some employees at Microsoft."

Avoiding detection

In the past year, APT groups have become better at avoiding detection, employing a few techniques that were never seen before. "One of those is downgrading user licenses from a Microsoft 365 E5 license to an E3 license," Madeley says. It typically appears early in an attack.

The E5 licence offers identity and app management, information protection, as well as threat protections. This helps organisations detect and investigate threats and notice malicious activity both on-premises and in the cloud environment, features the E3 license lacks.

"A lot of the advanced telemetry that more mature organisations rely on for detection comes with that E5 license," Madeley says. "So, while the threat actor may be saving the victim organisations money, they're actually really easily disabling the most effective detection mechanisms that organisations have."

Mailbox folder permission abuse

The two researchers saw APT groups use licence downgrading together with an older technique that has been around since 2017, mailbox folder permission abuse, first described by Beau Bullock at Black Hills Information Security in the context of red teaming.

"There's an analogy between folder permissions on your desktop and folder permissions in a mailbox," Madeley says. "You can assign permissions to users for specific mailboxes or specific folders within your mailbox."

A person can, for instance, have read access to another person's special projects mailbox folder if the two are working on those projects together. Or, someone could give their colleagues read access to their calendar folder to schedule meetings more efficiently.

Mailbox folder permissions can be assigned as individual permissions or as roles, which are essentially collections of folder permissions. The threat actors will be after roles that have read permission, such as author, editor, owner, publishing author, or reviewer. They will try to apply them to users they control.

One threat actor leveraged the concept of the default user. If the default permission level is set to anything other than "none," then every user in that organisation can potentially access that folder or mailbox. The same goes for another special user, anonymous, which is designed for external, unauthenticated users.

Madeley saw a threat actor assigning the default user reviewer role, which has read permission. Once this modification is made, any authenticated user can access that mailbox folder. This technique, while not new, is still leveraged by at least one APT group because it's difficult to detect. It can be effective in the context of license downgrading.

"If you don't have that mailbox auditing that comes with your Microsoft 365 E5 license, you're not going to see the corresponding mailbox access of these random users on the network," Madeley says.

"To detect that, you have to enumerate the mailbox folder permissions on every mailbox in the environment, which sounds great if you have 50 people in a company, but if you have a tenant of 210,000 users, that can take weeks of running scripts."

A few other methods can detect this. For example, admins could look for EWS sign-ins that are used to access the modified folders. "In Azure Active Directory, these are going to be coded as non-interactive sign-ins," Madeley says. Alternatively, if MailItemsAccessed auditing is enabled, admins can look for any patterns on non-owner access to their high-value mailboxes.

Hijacking enterprise applications and app registrations

Another technique recently adopted by APT groups is the abuse of applications. Both app registrations (initial instance of an application -- apps local to the organisation) and enterprise applications (a "copy" of the app registration that lives in the consuming tenant -- global apps that can be used within an organisation) are called applications.

"Microsoft gives you this idea of registering an application that can then make API calls to the Graph API," Madeley says. "That can be simple things like create a new user, read a message. Say you want to build a third-party mail application that you can read and write messages with. All the API calls are there for you to interact with a mailbox."

When threat actors attempt to hijack enterprise applications, they would first look for an existing application that was legitimately configured. "Then, they would add credentials; they would add their own API keys to these applications that they could then use to authenticate to Microsoft 365," Madeley says.

Next, they would ensure that that application has the permissions to access the resources they wanted, such as reading mail. "If they didn't find an application that satisfied that requirement, they would then go ahead and add the permissions," Madeley says.

Once they did that, they were in. "We would see them authenticate every single day, Monday to Friday, read the last 24 hours of a particular user's mailbox," the researcher says. "Then log into the next user, read the last 24 hours of mailbox and then ship it off to their own servers where they can then review the contents and see what's interesting to them."

Read more on the next page...

Page Break

The APT groups the Mandiant researchers followed only targeted a handful of relevant users, not all of them. In most cases, there were between six to ten highly valuable people that were monitored. The largest number of targeted mailboxes the researchers saw in an organisation was 93.

Madeley says, putting things into context, that this technique can have a broad impact.

"If I develop an enterprise application that I share with you, or I create a blueprint of that application that other companies can use and might buy, and that application gets compromised, it also means that the threat actor can access your tenant," he says. "So, it's not just protecting your own data. You also have to worry about the source of the enterprise applications that you're getting, making sure that your vendors' security is on par."

Golden SAML

Advanced nation-state actors who carry out cyber-espionage campaigns are not just interested in getting into an environment. They also want to do it stealthily and maintain access for as long as possible.

Here's where the technique called Golden SAML comes in. It was used by several APT groups, including UNC2452/DarkHalo, which was responsible for the supply chain attack that Trojanised the SolarWinds Orion software updated to distribute the SUNBURST malware. The attack, of which FireEye was one of the many victims, was disclosed in December 2020.

SAML stands for Security Assertion Markup Language and is an open standard used for exchanging authentication and authorisation between parties. It was designed to simplify the authentication process, enabling single sign-on (SSO), allowing access to multiple web applications with just one set of login credentials.

"Golden SAML is basically a way for the threat actor to be able to log into Microsoft 365 as any user that they want," Bienstock says. "They can bypass any additional security requirements that the organisation might have."

To explain how powerful this technique is, he used an analogy. "If you want to make a passport, you need something very specific that is locked down by the government in some office," he says.

"But once you get your passport machine, there's nothing stopping you from making a passport for anyone that you want. The Golden SAML is very similar to that. The threat actors are going after a particular system on the network; they're stealing a private key. Then once they have that private key, they can create authentication tokens for any user that they want."

In the Golden SAML technique, attackers steal the Active Directory Federation Services (AD FS) token-signing key. (AD FS is a feature for Windows Servers that enables federated identity and access management.) The technique is handy for an attacker when they are after specific users, and they want to access things that only those users may have, like specific files on their SharePoint or OneDrive.

Traditionally, to do the Golden SAML technique, hackers need to compromise the AD FS server in the environment where this private key is, which could be difficult because that server should be well protected, but Bienstock and Madeley says there's a way to steal it remotely.

Attackers still need to be on the company's private network, but with the right level of privilege, they don't necessarily need to compromise that specific server. Instead, they can carry out their attack from anywhere.

To keep the analogy, it's "like using magic to teleport the passport machine out of the office," Bienstock says.

"You can now do it without actually needing to step inside the passport office or needing to run code on the AD FS server," he added. "[This technique] is potentially valuable because it lowers the barrier for success by a bit, and it's a good deal more stealthy to carry out."

This type of attack, which allows an attacker to steal the key remotely, has not been seen in the wild yet, but the two researchers says it's a "natural extension" of the current technique, and organisations should prepare to defend against it.

Active Directory Federation Services replication

Large organisations that are geographically dispersed can have more than one AD FS server. They might have two, three or four in a farm configuration. By default, all the farm nodes use the same configurations and the same token signing certificate.

"Each server is going to have a private key -- the passport machine -- but they need a way of keeping that in sync," Bienstock says. "To do that, there's a replication service. That service operates over the network. Different servers can talk to each other."

The attackers could pretend to be the AD FS server that is performing replication, which is the primary AD FS server. "In some ways, [this technique is] very similar to a DCSync attack," Bienstock says.

"[In a DCSync attack], you are pretending to be a domain controller to get authentication information on the domain. In this technique, we are pretending to be another AD FS server to obtain sensitive information from the legitimate servers on the network."

Madeley says that he and his colleague have focused on AD FS because it's one of the more common SAML providers used by organisations targeted by APT threat actors.

Yet, they've seen other SAML providers being targeted, too. "It's important to note that the principle of the Golden SAML attack is not limited to AD FS," Madeley says. "If you compromise the signing certificates for any of the SAML providers, you're going to have the same issue."

Big data exfiltration

In the past, ATP groups that targeted Microsoft 365/Office 365 mostly searched for specific keywords and then downloaded files and emails that matched their request. Now, the researchers noticed that they tend to exfiltrate hundreds of gigabytes of data.

"Threat actors are, for the most part, just downloading everything in that person's mailbox," Bienstock says. "The speculation that I have personally is: This, maybe, speaks to a big data approach. Rather than performing the searches where the data lives, why not just download as much data as possible, and then they'll do the searches later, because maybe their collection requirements change, they need new keywords."

This approach would allow them to make the most of a collection of data. They won't need to compromise an organisation again if they have to get new information related to another keyword or another secret project.

An APT group the researchers followed was able to download an impressive amount of data. "Over the course of a month, there were over 350 gigabytes stolen, and the threat actor had access for at least 12 months," Madeley says. "It kind of implies that there is some level of big data analysis on the back end. There's not a single human scrolling through emails."

This big data approach wouldn't be surprising, the two researchers says. They've noticed that advanced threat actors are increasingly relying on automation, building tools that perform many tasks for them. "The fact that they went through the effort of making these automated collection tools suggests that there is automation throughout the lifecycle."

Mitigating Microsoft 365 threats

Bienstock and Madeley expect APT groups to continue to update their skills in the years to come. They also says that some of these popular techniques would likely start to be used by financially motivated gangs.

Madeley recommends admins learn and understand the nuances of third-party cloud integrations. They should know what auditing is available to them and what types of detection capabilities they have depending on the Microsoft 365 licence model, he says. The researcher recommends that they establish good change control processes in the cloud, so when a threat actor makes a change to the organisation's infrastructure, an admin can detect it.

"It really starts with understanding your environment, understanding what applications you have registered, knowing what mailbox permissions look like on a normal basis, and what your authentication providers look like, and how they're being used within your environment," Madeley says, "and then monitoring changes."

Both researchers says that constant education is a must-have, as things move so much faster in the cloud. Microsoft is putting effort into making its cloud infrastructure resilient, secure, and more auditable, Madeley says, but organisations should also do their part when it comes to security. "It's important that enterprises understand where their blind spots are," the researcher added.