Security News > 2022 > August > Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.
Mandiant, who has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit".
The Russian hackers performed brute force attacks on usernames and passwords of accounts that had never logged into the domain and enrolled their devices in MFA. Activating MFA fulfills the relevant security prerequisite for using the compromised organization's VPN infrastructure, so APT29 is free to roam on the breached network.
Azure VMs "Contaminate" logs with Microsoft IP addresses, and since Microsoft 365 runs on Azure, it is tough for defenders to discern regular traffic from malicious actions.
APT29 further obfuscates its Azure AD admin activity by mixing malicious actions like backdooring services to collect emails with the addition of benign Application Address URLs.
News URL
Related news
- Azure, Microsoft 365 MFA outage locks out users across regions (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- HPE notifies employees of data breach after Russian Office 365 hack (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API (source)
- Russian ISP confirms Ukrainian hackers "destroyed" its network (source)
- US Treasury hack linked to Silk Typhoon Chinese state hackers (source)
- Microsoft Sues Hacking Group Exploiting Azure AI for Harmful Content Creation (source)
- Microsoft MFA outage blocking access to Microsoft 365 apps (source)
- Microsoft: macOS bug lets hackers install malicious kernel drivers (source)