Security News > 2022 > August > Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.
Mandiant, who has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit".
The Russian hackers performed brute force attacks on usernames and passwords of accounts that had never logged into the domain and enrolled their devices in MFA. Activating MFA fulfills the relevant security prerequisite for using the compromised organization's VPN infrastructure, so APT29 is free to roam on the breached network.
Azure VMs "Contaminate" logs with Microsoft IP addresses, and since Microsoft 365 runs on Azure, it is tough for defenders to discern regular traffic from malicious actions.
APT29 further obfuscates its Azure AD admin activity by mixing malicious actions like backdooring services to collect emails with the addition of benign Application Address URLs.
News URL
Related news
- Azure, Microsoft 365 MFA outage locks out users across regions (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- New Rockstar 2FA phishing service targets Microsoft 365 accounts (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Microsoft dangles $10K for hackers to hijack LLM email service (source)
- Microsoft: “Hack” this LLM-powered service and get paid (source)