Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (Security News, August 2022)

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.
Mandiant, which has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit".
The Russian hackers brute-forced the usernames and passwords of accounts that had never logged into the domain and then enrolled their own devices in MFA. Activating MFA satisfies the security prerequisite for using the compromised organization's VPN infrastructure, so APT29 is free to roam the breached network.
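The detection a defender would derive from that pattern, as an added example that is not from the article or from Mandiant: over constructed sign-in and audit events, flag an MFA registration that follows an account's first-ever successful sign-in when that sign-in was preceded by a run of failures. The event field names, thresholds and sample data are assumptions, not Microsoft's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); "type"/"result" field names are assumed.
SAMPLE_EVENTS = [
    # Legitimate new hire: first sign-in, then MFA setup, no failure trail.
    {"ts": "2022-08-01T09:00:00", "user": "newhire@example.com", "type": "SignIn", "result": "Success"},
    {"ts": "2022-08-01T09:05:00", "user": "newhire@example.com", "type": "MfaRegistered", "result": "Success"},
    # Dormant account: password guessing, first-ever success, then MFA enrolment.
    {"ts": "2022-08-02T01:00:00", "user": "dormant@example.com", "type": "SignIn", "result": "Failure"},
    {"ts": "2022-08-02T01:01:00", "user": "dormant@example.com", "type": "SignIn", "result": "Failure"},
    {"ts": "2022-08-02T01:02:00", "user": "dormant@example.com", "type": "SignIn", "result": "Failure"},
    {"ts": "2022-08-02T01:03:00", "user": "dormant@example.com", "type": "SignIn", "result": "Success"},
    {"ts": "2022-08-02T01:10:00", "user": "dormant@example.com", "type": "MfaRegistered", "result": "Success"},
    # Long-standing user re-registering MFA months after first use: benign.
    {"ts": "2022-03-10T08:00:00", "user": "veteran@example.com", "type": "SignIn", "result": "Success"},
    {"ts": "2022-08-02T10:00:00", "user": "veteran@example.com", "type": "MfaRegistered", "result": "Success"},
]

def find_suspicious_enrollments(events, window=timedelta(hours=24), min_failures=3):
    """Return users whose MFA registration happened within `window` of their
    first successful sign-in, when at least `min_failures` failed sign-ins
    preceded that first success (the dormant-account takeover pattern)."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[ev["user"]].append(ev)

    flagged = []
    for user, evs in by_user.items():
        successes = [e for e in evs if e["type"] == "SignIn" and e["result"] == "Success"]
        if not successes:
            continue  # never logged in: no MFA enrolment possible yet
        first_ok = datetime.fromisoformat(successes[0]["ts"])
        failures_before = sum(
            1 for e in evs
            if e["type"] == "SignIn" and e["result"] == "Failure"
            and datetime.fromisoformat(e["ts"]) < first_ok
        )
        for e in evs:
            if e["type"] != "MfaRegistered":
                continue
            t = datetime.fromisoformat(e["ts"])
            if first_ok <= t <= first_ok + window and failures_before >= min_failures:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    print(find_suspicious_enrollments(SAMPLE_EVENTS))  # ['dormant@example.com']
```

The failure-count threshold is what separates a brute-forced dormant account from a new hire completing normal onboarding, so tune it against the tenant's own sign-in baseline.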
Azure VMs "contaminate" logs with Microsoft IP addresses, and because Microsoft 365 itself runs on Azure, defenders find it hard to distinguish regular traffic from malicious activity.
APT29 further obfuscates its Azure AD admin activity by interleaving malicious actions, such as backdooring services to collect email, with benign changes like adding Application Address URLs.