Russia-linked Cozy Bear uses evasive techniques to target Microsoft 365 users

Pierluigi Paganini August 19, 2022

Russia-linked APT group Cozy Bear continues to target Microsoft 365 accounts in NATO countries for cyberespionage purposes.

Mandiant researchers reported that the Russia-linked Cozy Bear cyberespionage group (aka APT29, CozyDuke, and Nobelium), has targeted Microsoft 365 accounts in espionage campaigns.

The experts pointed out that APT29 devised new advanced tactics, techniques, and procedures to evade detection.

Microsoft 365 users on a higher-grade E5 license could use a security feature named “Purview Audit” (formerly Advanced Audit), enabling the Mail Items Access audit. Mail Items Accessed records the user-agent string, timestamp, IP address, and username each time a mail item is accessed.

Mandiant confirmed that APT29 was able to disable the Purview Audit feature on targeted accounts in a compromised tenant.

“Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when. Given APT29’s targeting and TTPs Mandiant believes that email collection is the most likely activity following disablement of Purview Audit.” reads the report published by Mandiant.

The researchers also reported another trend where multiple threat actors, including the APT29 group, are taking advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.

“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” warns Mandiant in an APT 29 whitepaper.

When an organization first enforces MFA, platforms like Azure Active Directory allow users to enroll their first MFA device at the next login. Anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first user to do it.

The APT29 group was spotted brute forcing usernames and passwords of accounts that had never logged into the domain and enrolled their devices in MFA.

“In one instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been setup, but never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA.” continues the report. “Once enrolled, APT29 was able to use the account to access the organization’s’ VPN infrastructure that was using Azure AD for authentication and MFA.”

The researchers highlighted the exceptional operational security and evasion tactics adopted by APT29. Mandiant has observed APT29 using Azure Virtual Machines, the experts pointed out that the virtual machines used by the APT group exist in Azure subscriptions outside of the victim organization. It is unclear if the nation-state actors have compromised or purchased these subscriptions.

The researchers explained that Microsoft 365 runs on Azure, for this reason, the Azure AD Sign-In and Unified Audit Logs already contain many Microsoft IP addresses and it can be hard for administrators to quickly inspect the logs and understand if an IP address belongs to a malicious VM or a backend M365 service

Mandiant has also observed threat actors mixing benign administrative actions with their malicious ones.

“For example, in a recent investigation APT29 gained access to a global administrator account in Azure AD. They used the account to backdoor a service principal with ApplicationImpersonation rights and start collecting email from targeted mailboxes in the tenant.” continues the report.

Experts believe that APT29 will continue to develop stealthy techniques and tactics to access Microsoft 365.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cozy Bear)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment