Hackers are compromising Microsoft 365 accounts with new methods.
Cozy Bear (also tracked as APT29 or Nobelium), a state-sponsored threat actor operating out of Russia, is using new strategies to access Microsoft 365 accounts.
A recent analysis from the cybersecurity company Mandiant indicates that Cozy Bear is employing three approaches:
1. Disabling Purview Audit before communicating with a hijacked email account.
2. Brute-forcing the passwords of Microsoft 365 accounts that have not yet enrolled in multi-factor authentication (MFA).
3. Running its activity from Azure virtual machines, obtained either through hacked accounts or by paying for the service, to conceal that activity.
Purview Audit, the researchers point out, is a premium security feature that records every access to a mailbox, including access made from outside the mail application.
Mandiant stated: "This is a vital log source to ascertain if a threat actor is accessing a certain mailbox."
APT29 is aware of this feature, however, and always turns it off before viewing any email.
Threat actors are also trying to get around MFA by brute-forcing accounts that have not yet enrolled in it.
Finally, because Microsoft 365 itself runs on Azure, traffic from Azure virtual machines already comes from Microsoft IP addresses.
By mixing legitimate Application Address URLs in with its malicious activity, Cozy Bear can further conceal what it does in Azure AD.
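As an added defender's example (not code from the article or from Mandiant), the following Python script looks for the first technique in sample audit data: a license change that switches off a user's advanced-auditing service plan, followed by a login by that same user within a short window. The record layout, the field names, the service plan name M365_ADVANCED_AUDITING and the login operation name are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumed service plan name for Microsoft 365 Advanced Auditing (Purview Audit Premium).
ADVANCED_AUDIT_PLAN = "M365_ADVANCED_AUDITING"

# Constructed sample records in a simplified unified-audit-log shape (field names assumed).
SAMPLE_LOG = """\
{"time":"2022-08-18T09:00:00Z","op":"Change user license","actor":"svc-ops@contoso.example","target":"alice@contoso.example","disabledPlans":["M365_ADVANCED_AUDITING"]}
{"time":"2022-08-18T09:02:10Z","op":"UserLoggedIn","actor":"alice@contoso.example","target":"alice@contoso.example","clientIp":"203.0.113.7"}
{"time":"2022-08-18T11:30:00Z","op":"Change user license","actor":"admin@contoso.example","target":"bob@contoso.example","disabledPlans":["SOME_OTHER_PLAN"]}
{"time":"2022-08-18T12:00:00Z","op":"UserLoggedIn","actor":"bob@contoso.example","target":"bob@contoso.example","clientIp":"198.51.100.9"}
{"time":"2022-08-19T15:00:00Z","op":"UserLoggedIn","actor":"alice@contoso.example","target":"alice@contoso.example","clientIp":"203.0.113.7"}
"""

def parse_records(text):
    """Parse one JSON record per line and convert the timestamp; return sorted by time."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
        recs.append(r)
    return sorted(recs, key=lambda r: r["time"])

def audit_disables(records, plan=ADVANCED_AUDIT_PLAN):
    """License changes that switch off the advanced-auditing service plan for a user."""
    return [r for r in records
            if r["op"] == "Change user license" and plan in r.get("disabledPlans", [])]

def alerts(records, window_minutes=60, plan=ADVANCED_AUDIT_PLAN):
    """Pair each audit disable with logins by the affected user inside the window."""
    found = []
    for d in audit_disables(records, plan):
        deadline = d["time"] + timedelta(minutes=window_minutes)
        for r in records:
            if (r["op"] == "UserLoggedIn" and r["actor"] == d["target"]
                    and d["time"] <= r["time"] <= deadline):
                found.append((d["target"], d["actor"], r["clientIp"]))
    return found

if __name__ == "__main__":
    for user, by, ip in alerts(parse_records(SAMPLE_LOG)):
        print(f"ALERT: advanced auditing disabled for {user} by {by}; login from {ip} soon after")
```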
Regular users are probably not very likely to be targeted by the threat group.
Large companies, however, will need to be on guard against this attack vector.