Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

End of Bibblio RCM includes -->
06:15 PM
Connect Directly

Incident Responders Explore Microsoft 365 Attacks in the Wild

Mandiant experts discuss the novel techniques used to evade detection, automate data theft, and achieve persistent access.

BLACK HAT 2021 – Microsoft 365 is a hot target for cybercriminals, who constantly seek new ways to bypass its safeguards to access corporate data. And as defenders step up their game, attackers do the same.

"This past year has proved the point that nation-state-backed threat actors are increasingly investing time and money to develop novel ways to access data in Microsoft 365," said Josh Madeley, manager of professional services at Mandiant, in a briefing entitled "Cloud with a Chance of APT: Novel Microsoft 365 Attacks in the Wild" during this year's Black Hat USA.

These attackers are especially interested in Microsoft 365 because it's where more and more organizations store their data and collaborate, Madeley continued. Applications such as email, SharePoint, OneDrive, and Power BI can hold a wealth of information invaluable to attackers.

"If you're an espionage-motivated threat actor, Microsoft 365 is the holy grail," he said.

In the talk, Madeley and co-presenter Doug Bienstock, incident response manager at Mandiant, walked through lessons learned from large-scale espionage campaigns they've observed over the past year. Techniques they saw helped attackers disable security features like auditing and logging, automate data theft with old tactics, and abuse enterprise applications with new ones. They also maintained their access by abusing SAML and Active Directory Federation Services.

Madeley kicked off the talk with methods for evading detection. Attackers aren't interested in modifying data, he said. They want to steal the data, review it, and understand it. There are stealthy ways to do this, but attackers want to improve on their tactics and make it harder for defenders to catch them – "especially if they want to perpetrate data theft over years," he said.

One way they do this is by disabling security features. All domain admins have access to the audit logs in Microsoft 365, though organizations that pay for an E5 subscription have access to advanced auditing. This comes with MailItemsAccessed, a feature that records any interactions with mail item objects within a 24-hour period, after which it's throttled.

It's a problematic feature for attackers looking to steal from corporate mailboxes, Madeley noted. They needed to find a way around it.

"Fortunately, Microsoft handed it to them in the Set-MailboxAuditBypassAssociation cmdlet," he continued. This prevents the logging of mailbox actions for specific users. When configured, any mailbox owner actions made by specified users who have the bypass configuration aren't going to be logged. Delegate actions performed by specified users on other target mailboxes are not logged, and certain admin actions are also not going to be logged, Madeley explained.

"You'd be well-served to monitor for the execution of this cmdlet in your tenant," he said of Set-MailboxAuditBypassAssociation. If an organization is monitoring for data theft, it may miss malicious activity if an attacker's target inbox isn't being logged.

A more efficient way to bypass logging is to downgrade critical users' licenses from E5 to E3, Madeley said. This disables MailItemsAccessed logging without affecting any of the features most people will use on a daily basis.

"These are really simple techniques, once you give admin access to a tenant, to make these changes to enable long term data theft," he added.

Mailbox Folder Permission Abuse
Another technique discussed was the abuse of mailbox folder permissions, which act as an alternative to mailbox delegations. Within a mailbox, an owner, admin, or account with full access permissions can grant permissions to other users that allow them to access specific folders within a mailbox. There are many legitimate use cases for this: sharing calendars, having team mailboxes, or allowing admin assistants to access particular folders.

"Just like administrators, attackers who have acquired sufficient permissions to a mailbox or a tenant can modify these permissions to allow them to access the folder contents," Madeley said. It's an older technique first documented by Black Hills Security in 2017 but is still effective.

The incident response team recently saw an APT actor lose access to multiple environments using a sophisticated means of targeting mailboxes, only to fall back on this method of abusing mailbox folder permissions.

"What was even more fascinating is, when they fell back on this method, there were no modifications made to the environment to enable it during the time of our investigation, which meant that those changes had been made a long time before," he noted.

Attackers will ultimately be after roles with ReadItems permissions, as this grants access to read mail items in a specific folder. There are several roles with this permission: Author, Editor, NonEditingAuthor, Owner, PublishingEditor, PublishingAuthor, and Reviewer. Madeley said that Reviewer, specifically, is the one his team has seen attackers use.

In addition to users within the tenant, there are two special users: an anonymous user, or any external unauthenticated user, and the default, or "everyone" user. The latter includes any internal and authenticated users. By default the access for both user types is set to None.

However, an attacker can take advantage. Madeley has seen attackers assign a default user to the Reviewer role, which would allow any authenticated user access to the mailbox folder. Permissions don't cascade down from "child" to "parent" for existing folders, but newly created folders will inherit the permission. This can be "trivially done" using the Set-MailboxFolderPermission cmdlet, he noted.

The attacker will still need to maintain some level of access through a valid account; however, with this modification, they don't need to maintain access to a specific account they want to target on a daily or weekly basis. Instead, they can use one compromised account to access 10 mailboxes with modified folder permissions.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file