
Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
2022-08-19 15:10

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.

Mandiant, which has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit".

The Russian hackers brute-forced the usernames and passwords of accounts that had never logged into the domain, then enrolled their own devices in MFA for those accounts. Because MFA enrollment satisfies the security prerequisite for using the compromised organization's VPN infrastructure, APT29 was free to roam the breached network.
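A defender-side detection sketch, added here as an example and not part of the article or of Mandiant's reporting: it scans a constructed, simplified event feed for MFA registrations on accounts whose only successful sign-in is the one immediately before the enrolment, and raises severity when a burst of failed sign-ins precedes it. The event schema, sample users and thresholds are assumptions, not Microsoft's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema; Microsoft's real sign-in and
# audit log formats differ, so map their fields onto this shape before use.
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T09:00:00", "user": "alice@example.test", "event": "signin_success"},
    {"ts": "2022-08-02T09:00:00", "user": "alice@example.test", "event": "signin_success"},
    {"ts": "2022-08-02T09:05:00", "user": "alice@example.test", "event": "mfa_registered"},
    # Dormant account: six failed sign-ins, first-ever success, immediate MFA registration.
    *[{"ts": f"2022-08-03T01:{m:02d}:00", "user": "dormant@example.test", "event": "signin_failure"}
      for m in range(0, 18, 3)],
    {"ts": "2022-08-03T01:30:00", "user": "dormant@example.test", "event": "signin_success"},
    {"ts": "2022-08-03T01:31:00", "user": "dormant@example.test", "event": "mfa_registered"},
    # Never-used account registering MFA on its first sign-in without a failure burst.
    {"ts": "2022-08-04T08:00:00", "user": "newhire@example.test", "event": "signin_success"},
    {"ts": "2022-08-04T08:02:00", "user": "newhire@example.test", "event": "mfa_registered"},
]


def find_dormant_mfa_enrollments(events, window=timedelta(hours=1), min_failures=5):
    """Return one finding per MFA registration on an account whose only
    successful sign-in so far is the one that preceded the registration.

    A preceding burst of failed sign-ins inside `window` raises severity,
    since that is the brute-force-then-enrol pattern described above.
    """
    successes = defaultdict(int)      # user -> successful sign-ins seen so far
    failures = defaultdict(list)      # user -> timestamps of failed sign-ins
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["event"]
        if kind == "signin_failure":
            failures[user].append(ts)
        elif kind == "signin_success":
            successes[user] += 1
        elif kind == "mfa_registered" and successes[user] <= 1:
            # <= 1 because the sign-in that led to the enrolment itself counts.
            recent = [t for t in failures[user] if ts - t <= window]
            findings.append({
                "user": user,
                "registered_at": e["ts"],
                "recent_failures": len(recent),
                "severity": "high" if len(recent) >= min_failures else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_dormant_mfa_enrollments(SAMPLE_EVENTS):
        print(f)
```

Accounts with an established sign-in history (alice) are ignored; a first-ever sign-in followed by MFA registration is reported, with severity "high" only when the failure burst is present.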

Azure VMs "contaminate" logs with Microsoft IP addresses, and since Microsoft 365 itself runs on Azure, it is hard for defenders to distinguish legitimate traffic from malicious activity.

APT29 further obfuscates its Azure AD admin activity by interleaving malicious actions, such as backdooring services to collect email, with benign changes like adding Application Address URLs.

News URL

https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-abuse-azure-services-to-hack-microsoft-365-users/
