Hackers have found a new way to access your Microsoft 365 account

Russian threat actor Cozy Bear (also known as APT29 or Nobelium) is deploying new tactics to infiltrate Microsoft 365 accounts, with the goal of stealing sensitive foreign policy information.

That's according to a new report from cybersecurity firm Mandiant, which claims that Cozy Bear uses three techniques to execute (and disguise) attacks:

  • Disabling Purview Audit before interacting with a compromised email account
  • Brute-forcing the passwords of Microsoft 365 accounts that are not yet enrolled in multi-factor authentication (MFA)
  • Covering their tracks by using Azure virtual machines, either through compromised accounts or by purchasing the service

New Microsoft 365 attack

Purview Audit, the researchers note, is a high-level security feature that logs each time a mailbox is accessed, whichever client is used (the browser, the Graph API, or Outlook). This lets IT departments keep track of all accounts and confirm that no unauthorized access has taken place.

"This is a critical log source to determine if a malicious actor is accessing a particular mailbox, as well as to determine the extent of the exposure," Mandiant wrote. "It's the only way to effectively determine access to a particular mailbox when the threat actor uses techniques like application spoofing or the Graph API."

However, APT29 is well aware of this feature and makes sure to disable it before accessing any email.

The researchers also discovered that Cozy Bear abused the self-registration process for MFA in Azure Active Directory (AD). When a user signs in for the first time, they must first enroll the account in MFA.

The threat actors get around this by brute-forcing the passwords of accounts that have not yet been enrolled in MFA. They then complete the enrollment themselves, in the victim's place, which grants them unrestricted access to the target organization's VPN infrastructure and, through it, the entire network and its endpoints.

Lastly, Azure virtual machines come with Microsoft-owned IP addresses, and since Microsoft 365 itself runs on Azure, IT teams struggle to tell normal traffic from malicious traffic. Cozy Bear further disguises its Azure AD activity by mixing legitimate application URLs in with its malicious requests.
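As an added illustration (not code from the Mandiant report or from this article), the Python script below shows how a defender could pick out the two warning signs described above from Microsoft 365 audit data: a mailbox's auditing being switched off, and an MFA self-registration that follows a burst of failed sign-ins for the same account. The event records and their field and operation names are constructed assumptions modelled on the Unified Audit Log, not a verified schema.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified Microsoft 365 audit-log shape.
# Field names and operation names are assumptions modelled on the real
# Unified Audit Log; the IPs and users are documentation/example values.
def _ev(ts, op, user, ip, params=None):
    return {"Timestamp": ts, "Operation": op, "UserId": user,
            "ClientIP": ip, "Parameters": params or {}}

SAMPLE_EVENTS = [
    _ev(f"2022-08-18T09:0{i}:00", "UserLoginFailed", "cfo@example.com", "203.0.113.7")
    for i in range(6)                       # six failed sign-ins in six minutes
] + [
    _ev("2022-08-18T09:06:00", "UserLoggedIn", "cfo@example.com", "203.0.113.7"),
    _ev("2022-08-18T09:07:00", "User registered security info", "cfo@example.com", "203.0.113.7"),
    _ev("2022-08-18T09:20:00", "Set-Mailbox", "admin@example.com", "203.0.113.7",
        {"Identity": "cfo@example.com", "AuditEnabled": "False"}),
    # benign enrollment with no preceding failures: must not be flagged
    _ev("2022-08-18T10:00:00", "User registered security info", "hr@example.com", "198.51.100.9"),
]

def _t(ev):
    return datetime.fromisoformat(ev["Timestamp"])

def find_audit_disables(events):
    """Return (timestamp, actor, target) for operations that switch mailbox or tenant auditing off."""
    hits = []
    for ev in events:
        p = ev["Parameters"]
        if ev["Operation"] == "Set-Mailbox" and str(p.get("AuditEnabled", "")).lower() == "false":
            hits.append((ev["Timestamp"], ev["UserId"], p.get("Identity")))
        if (ev["Operation"] == "Set-AdminAuditLogConfig"
                and str(p.get("UnifiedAuditLogIngestionEnabled", "")).lower() == "false"):
            hits.append((ev["Timestamp"], ev["UserId"], "tenant"))
    return hits

def find_suspicious_mfa_enrollments(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag MFA self-registrations preceded by a burst of failed sign-ins for the same account."""
    flagged = []
    for ev in events:
        if ev["Operation"] != "User registered security info":
            continue
        start = _t(ev) - window
        failures = [f for f in events
                    if f["Operation"] == "UserLoginFailed" and f["UserId"] == ev["UserId"]
                    and start <= _t(f) <= _t(ev)]
        if len(failures) >= min_failures:
            flagged.append((ev["Timestamp"], ev["UserId"], len(failures), ev["ClientIP"]))
    return flagged

if __name__ == "__main__":
    print("audit disabled:", find_audit_disables(SAMPLE_EVENTS))
    print("MFA enrollment after brute force:", find_suspicious_mfa_enrollments(SAMPLE_EVENTS))
```

In a real deployment the same checks would run over exported Unified Audit Log and Azure AD sign-in records, and the thresholds would be tuned to the tenant's normal failure rate.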

The probability of regular users being targeted by the threat group is relatively low, but large enterprises will need to be aware of the attack vector, which could be used to target high-level executives and others with access to sensitive information.