Researchers observe attackers altering mailbox folders to assign read-only permissions to any authenticated user on a target machine.

Dark Reading Staff, Dark Reading

March 19, 2021

1 Min Read

Mandiant security researchers have observed UNC2452, the group they're tracking in association with the SolarWinds attacks, using a new tactic targeting Microsoft 365 mailboxes. 

Mandiant began tracking UNC2452 in December 2020 when it discovered the global cyberattack that infected SolarWinds Orion software updates to infect some 18,000 organizations around the world. In some, but not all, of the intrusions they observed, researchers noticed attackers were using on-premise network access to enter a victim's Microsoft 365 environment unauthorized.

This week, the research team reported attackers, in some instances, are modifying the mailbox folder permissions of individual Microsoft 365 mailboxes to maintain persistent access to the target users' emails.

"This stealthy technique is not usually monitored by defenders and provides threat actors a way to access the desired email messages using any compromised credentials," Mandiant researchers wrote in an updated blog post.

They have also updated their Azure AD Investigator tool, as well as their whitepaper on UNC2452, to include this new technique.

Read more details here and the full whitepaper with remediation strategies here.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights