Updated on 2022-11-10
Researchers found that the Russia-linked APT29 cyberespionage gang abused Credential Roaming, a Windows feature, to phish a European diplomatic entity earlier this year. Read more: They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
Updated on 2022-11-09: APT29
Mandiant has a technical report out on how the Russian state-sponsored group APT29 has abused a feature called Windows Credential Roaming in a recent attack against a European diplomatic entity. Read more:
- They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
- Certs On Wheels: Understanding Credential Roaming
Overview: Mandiant: Russian Hackers are Targeting Microsoft 365 Accounts
In a blog post, Mandiant highlights some tactics, techniques, and procedures (TTPs) the APT29 espionage group is using to target Microsoft 365 accounts. The hackers, who have ties to Russia’s government, have been observed disabling licenses, taking over dormant accounts, and focusing on operational security.
- Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must, and accounts as well as account configurations need to be carefully audited, even if you are not in the crosshairs of nation-state attackers.
- They are disabling logging, such as Purview Audit (formerly Advanced Audit), which is required to enable the Mail Items Accessed audit, a very effective tool for determining specific accesses to mail items. Make sure that you’ve enabled MFA for _ALL_ accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access to ensure an adversary who guesses credentials isn’t able to self-enroll before the legitimate user can. When considering MS 365 security, don’t underestimate the skills of possible attackers.
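
As an added illustration of the audit advice above (not code from Mandiant or from the original page): a Python check over exported account records that flags accounts with no MFA registered, marking dormant or disabled ones, and accounts whose Purview Audit service plan is not active. The merged record shape (Microsoft Graph property names combined into one dict per user), the 90-day dormancy threshold and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

AUDIT_PLAN = "M365_ADVANCED_AUDITING"   # service plan carrying Purview Audit (Premium)
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z', as Graph emits it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_accounts(users, now):
    """Return {userPrincipalName: [findings]} for accounts that need attention."""
    report = {}
    for u in users:
        findings = []
        last = u.get("lastSignInDateTime")
        dormant = last is None or now - parse_ts(last) > DORMANT_AFTER
        state = "disabled" if not u["accountEnabled"] else "dormant" if dormant else "active"
        if not u["isMfaRegistered"]:
            # An unenrolled account lets whoever holds the password enroll first.
            findings.append(f"no MFA registered ({state} account)")
        plans = {p["servicePlanName"]: p["provisioningStatus"] for p in u["servicePlans"]}
        if plans.get(AUDIT_PLAN) != "Success":
            # Per the text above, this plan is what enables Mail Items Accessed auditing.
            findings.append("Purview Audit plan missing or disabled")
        if findings:
            report[u["userPrincipalName"]] = findings
    return report

def sample_user(upn, enabled, mfa, last_sign_in, audit_status):
    """Build one constructed record; audit_status None means the plan is absent."""
    plans = [] if audit_status is None else [
        {"servicePlanName": AUDIT_PLAN, "provisioningStatus": audit_status}]
    return {"userPrincipalName": upn, "accountEnabled": enabled, "isMfaRegistered": mfa,
            "lastSignInDateTime": last_sign_in, "servicePlans": plans}

# Constructed sample records (not real tenant data).
SAMPLE_USERS = [
    sample_user("alice@example.com", True, True, "2022-11-01T08:00:00Z", "Success"),
    sample_user("bob@example.com", True, False, None, "Success"),
    sample_user("carol@example.com", True, True, "2022-11-08T09:30:00Z", "Disabled"),
    sample_user("dave@example.com", False, False, "2021-01-01T00:00:00Z", None),
]
NOW = datetime(2022, 11, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for upn, findings in audit_accounts(SAMPLE_USERS, NOW).items():
        print(upn, "->", "; ".join(findings))
```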