Mandiant security researchers have observed UNC2452, the group they're tracking in association with the SolarWinds attacks, using a new tactic targeting Microsoft 365 mailboxes.
Mandiant began tracking UNC2452 in December 2020 when it discovered the global cyberattack that infected SolarWinds Orion software updates to infect some 18,000 organizations around the world. In some, but not all, of the intrusions they observed, researchers noticed attackers were using on-premise network access to enter a victim's Microsoft 365 environment unauthorized.
This week, the research team reported attackers, in some instances, are modifying the mailbox folder permissions of individual Microsoft 365 mailboxes to maintain persistent access to the target users' emails.
"This stealthy technique is not usually monitored by defenders and provides threat actors a way to access the desired email messages using any compromised credentials," Mandiant researchers wrote in an updated blog post.
They have also updated their Azure AD Investigator tool, as well as their whitepaper on UNC2452, to include this new technique.