
Mandiant: Microsoft 365 the 'Holy Grail' for nation-state hackers

Mandiant researchers discussed mailbox compromises, app registration abuse and new extensions of the Golden SAML attack technique against Microsoft 365 at Black Hat 2021.

Mandiant called Microsoft 365 the "Holy Grail" for espionage-motivated threat actors during a Wednesday Black Hat 2021 session that detailed new attack techniques against the popular cloud service.

The session, titled "Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild," was presented by Mandiant professional services managers Doug Bienstock and Josh Madeley. The session offered a technical overview of advanced persistent threats (APTs) observed against Microsoft 365, a suite many organizations rely on for cloud-based services that includes Outlook, OneDrive, SharePoint and more.

The appeal of the cloud to threat actors, Madeley told SearchSecurity, is due to more and more organizations moving to the cloud and the large amounts of data being stored in services like Microsoft 365 as a result. Attackers are aware of this, he said, and are dedicating significant resources to figuring out how to extract said data. The accessibility of the cloud is also a factor.

"I think attackers really focus on the cloud because they can access it from anywhere in the world," Madeley said. "It's designed to be globally accessible via the internet. So, once you circumvent the authentication mechanisms, as an attacker, you can access data from anywhere in the world. You don't need to have advanced backdoors that are bypassing EDRs [endpoint detection and response tools] that are continually improving and getting better and better at detecting things."

Recent attack techniques Mandiant has observed include tactics for evading detection, automating data theft and gaining persistent access by means beyond credential theft. More specifically, the duo described techniques such as disabling important security features, including auditing and logging, to stay hidden longer, as well as abusing mailbox permissions.


Mailbox auditing is problematic for attackers trying to exfiltrate data, and if it's enabled by default in the cloud tenant, it cannot be disabled for individual mailboxes. Unfortunately, Madeley said, Microsoft introduced a cmdlet called Set-MailboxAuditBypassAssociation, which exempts specific accounts from having their activity logged.

"I'm not entirely sure why this feature exists," Madeley said during the presentation, "but there is some reference to administrators trying to limit noise in their logs so they bypass a couple different users."

Nevertheless, he said, the cmdlet can be abused by nation-state threat actors trying to conceal their activity, so organizations should monitor for its execution within their tenant.
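The monitoring Madeley recommends can be done from an Exchange Online PowerShell session. The script below is an added example, not code from the Mandiant talk or from this article: it first lists every account whose audit bypass is currently switched on, then searches the unified audit log for executions of the cmdlet itself so the actor, source IP and target of each change are visible. It assumes an existing Connect-ExchangeOnline session with permission to read the audit log; the $LookbackDays value is an assumption chosen for illustration.

```powershell
# Added example (not from the article): defender-side check for mailbox audit bypass
# in Exchange Online. Assumes an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to read the unified audit log.
param(
    [int]$LookbackDays = 30   # assumption: how far back to search for cmdlet runs
)

# 1. Current state: which accounts are exempt from mailbox audit logging right now?
#    AuditBypassEnabled = $true means that account's mailbox activity is not logged,
#    which is the condition an attacker wants and a defender wants to know about.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled -eq $true } |
    Select-Object Name, AuditBypassEnabled, WhenChanged

if ($bypassed) {
    Write-Warning "Accounts currently exempt from mailbox auditing:"
    $bypassed | Format-Table -AutoSize
} else {
    Write-Output "No mailbox audit bypass associations are enabled."
}

# 2. History: who ran Set-MailboxAuditBypassAssociation, from where, and against whom?
#    Admin cmdlet executions land in the unified audit log as ExchangeAdmin records.
$start  = (Get-Date).AddDays(-$LookbackDays)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations 'Set-MailboxAuditBypassAssociation' `
    -ResultSize 5000

$history = foreach ($e in $events) {
    # AuditData is a JSON document; Parameters is an array of {Name, Value} pairs
    # holding the arguments that were passed to the cmdlet.
    $data   = $e.AuditData | ConvertFrom-Json
    $target = ($data.Parameters | Where-Object Name -eq 'Identity').Value
    $flag   = ($data.Parameters | Where-Object Name -eq 'AuditBypassEnabled').Value
    [pscustomobject]@{
        When      = $e.CreationDate
        Actor     = $e.UserIds
        ClientIP  = $data.ClientIP
        Target    = $target
        BypassSet = $flag
    }
}

if ($history) {
    Write-Warning "Audit bypass changes in the last $LookbackDays days:"
    $history | Sort-Object When | Format-Table -AutoSize
} else {
    Write-Output "No Set-MailboxAuditBypassAssociation executions found in the last $LookbackDays days."
}
```

Any row in the second table that was not raised through a change ticket deserves an investigation, and the first table should normally be empty; an entry there for a service or admin account with no documented reason is exactly the "limit noise in the logs" rationale being used as cover.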

Mail permissions abuse is an older technique in which a threat actor who has the proper access level to one user in an organization can grant mailbox folder privileges to others. Madeley told a story during the session about an APT threat actor who lost access to multiple environments in the midst of using a sophisticated means of targeting mailboxes. The actor then pivoted to "this old-school method of abusing mailbox folder permissions."

"I think what was even more fascinating is that when they fell back on this method, there were no modifications made to the environment to enable it during the time of our investigation, which meant that those changes had been made a long time before," Madeley said.
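Because the folder permissions in that case had been granted long before the investigation, a point-in-time review of current permissions is the check that would have surfaced them. The script below is an added example, not code from the talk or the article: it walks every user mailbox and reports folder-level entries that differ from what Exchange creates on its own, including the built-in Default and Anonymous entries when their rights have been raised above their defaults. It assumes an Exchange Online PowerShell session; the folder list and the baseline of default rights are assumptions for illustration.

```powershell
# Added example (not from the article): enumerate mailbox folder permissions across
# the tenant and flag delegations that a person (or an attacker) had to add.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# Folders to inspect (assumption; extend as needed).
$folders = @('\Inbox', '\Sent Items', '\Calendar')

# Rights the built-in entries carry on a fresh mailbox (assumption used as baseline).
# Calendar's Default entry is AvailabilityOnly by default; everything else is None.
$baseline = @{
    'Default'   = @('None', 'AvailabilityOnly')
    'Anonymous' = @('None')
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($folder in $folders) {
        $id    = "$($mbx.PrimarySmtpAddress):$folder"
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            # The User field is an object in newer cmdlet versions; take its display name.
            $user = if ($p.User.DisplayName) { $p.User.DisplayName } else { "$($p.User)" }

            if ($baseline.ContainsKey($user)) {
                # Built-in entry: only interesting if it has been raised above its default
                # (e.g. Default given Reviewer on the Inbox lets any tenant user read it).
                $elevated = $p.AccessRights | Where-Object { $baseline[$user] -notcontains $_ }
                if (-not $elevated) { continue }
            }

            # Anything else is an explicit delegation; report it with its rights.
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Folder  = $p.FolderName
                Grantee = $user
                Rights  = ($p.AccessRights -join ',')
            }
        }
    }
}

$findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
```

Large tenants will want to run this per-batch and keep the output as a baseline; the useful signal on the next run is the difference between snapshots, and in particular any Default or Anonymous entry that has moved away from None.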

The consequences of mailbox compromises can be devastating. Madeley said Mandiant observed a case where threat actors in a cyberespionage campaign had gained discreet access to a couple hundred mailboxes inside a target organization.

"Every day, an attacker would log in and extract the last 24 hours of emails from a set group of mailboxes," he said during the presentation.

Golden SAML and app registration abuse

One of the more notable techniques discussed during the session is Golden SAML, which was developed by CyberArk in 2017 and is now used by threat actors to bypass SAML authentication and gain long-term persistent access over an organization's cloud systems. While not new, its most recent claim to fame was the SolarWinds supply chain attack disclosed in December.

Bienstock told SearchSecurity that the technique creates a situation where "it's almost as if the threat actor stole a passport machine from the State Department." While this technique has come into prominence in recent months, Bienstock said certain Microsoft 365 features could allow a threat actor to change the secret key for authentication tokens and gain an even longer period of persistent access.

Another attack technique discussed was a theoretical multi-tenant attack in which a threat actor compromises a Microsoft 365 customer's app registration, which Madeley called the "master copy" of an app linked to all tenants underneath an enterprise. Once compromised, attackers could use this to gain access to any tenant that has a copy and conduct a mass export of data from a Microsoft 365 environment without setting off any alerts.

[Image: Mandiant's Josh Madeley spoke at Black Hat 2021 about how nation-state threat actors could abuse app registrations for Microsoft 365.]

Madeley said app registration abuse is more suited for nation-state threat actors than those attempting to extort money from enterprises, but there's opportunity for the technique to branch out. While multi-tenant attacks against Microsoft 365 using this technique haven't been observed in the wild yet, "that's one of those extensions that we think we're going to start seeing," he said.

"Once you have administrative credentials to Microsoft 365, it's trivial to take advantage of," Madeley said. "And it's trivial largely because these app registrations for enterprise applications are designed to be used this way. They're designed for keys to be added. They're designed for API calls to be made. And these types of application changes tend to be outside the purview of what infosec thinks they should be looking at [or] what red or blue team should be looking at, so they get largely ignored by defenders."
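Since the abuse Madeley describes consists of adding keys to an existing app registration, the corresponding defensive check is to review which registrations have recently acquired credentials, with multi-tenant registrations getting the closest look. The script below is an added example, not code from the talk or the article: it uses the Microsoft Graph PowerShell module to list every application credential (client secret or certificate) whose validity started within a lookback window. It assumes the Microsoft.Graph.Applications module and an existing Connect-MgGraph session with the Application.Read.All permission; $LookbackDays is an assumption.

```powershell
# Added example (not from the article): report app registrations that gained a
# client secret or certificate recently, flagging multi-tenant registrations.
# Assumes Microsoft.Graph.Applications and an existing Connect-MgGraph session
# that was granted Application.Read.All.
param(
    [int]$LookbackDays = 14   # assumption: window in which a new credential counts as "recent"
)
$since = (Get-Date).AddDays(-$LookbackDays)

$findings = foreach ($app in Get-MgApplication -All) {
    # Tag each credential with its kind so secrets and certificates are told apart.
    $creds = @()
    $creds += $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }
    $creds += $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } }

    foreach ($c in $creds) {
        # StartDateTime is when the credential became valid, which for a secret or
        # certificate added through the portal or API is the moment it was added.
        if (-not $c.Cred.StartDateTime -or $c.Cred.StartDateTime -lt $since) { continue }

        [pscustomobject]@{
            App         = $app.DisplayName
            AppId       = $app.AppId
            # AzureADMultipleOrgs / AzureADandPersonalMicrosoftAccount registrations are
            # the "master copy" kind: one credential reaches every consenting tenant.
            MultiTenant = $app.SignInAudience -ne 'AzureADMyOrg'
            Kind        = $c.Kind
            KeyId       = $c.Cred.KeyId
            Added       = $c.Cred.StartDateTime
            Expires     = $c.Cred.EndDateTime
            TotalCreds  = $creds.Count
        }
    }
}

if ($findings) {
    Write-Warning "Application credentials added in the last $LookbackDays days:"
    $findings | Sort-Object MultiTenant -Descending | Format-Table -AutoSize
} else {
    Write-Output "No application credentials added in the last $LookbackDays days."
}
```

Every row should map to a known change; a multi-tenant application with a credential nobody on the team added, or with more credentials than the application needs, is the case this check exists to catch. The script reports current state only, so pair it with the tenant's directory audit log, which records who performed each credential change.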

Madeley said Microsoft is monitoring for the attack on the back end. And overall, he said, Microsoft has "put in a considerable amount of effort" to make these kinds of attacks harder to carry out and to detect abuse across their cloud infrastructure; he specifically praised the tech giant's monitoring and logging capabilities, as well as its efforts in providing defenders with detection tools.

"I think Microsoft's doing a great job, and they're continually improving," he said. "There's always going to be nitpicks here and there, but as a whole, I'm pretty impressed with what they've done."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
