
Demystifying Advanced Microsoft Cloud Attacks

By Aaron Turner | March 1, 2022

Cyberwarfare weapons are being deployed in conjunction with kinetic weapons as Ukrainian and Russian tensions have boiled over into open conflict. A key takeaway is that organizations that historically saw themselves as targets only for opportunistic criminals may now find themselves facing a motivated nation-state actor.

At Vectra, our organizational mission is to make the world a safer and fairer place, and we have experience protecting organizations against nation-state actors. If your organization comes under attack because of this conflict, we will help, at no cost.

As a down payment on that pledge, we’d like to share a bit of what we’ve learned. 

Lessons learned from 2 years of protecting Azure AD and Microsoft 365 services from nation-state actors

In December 2020, the National Security Agency published one of the most important cybersecurity advisories of the last decade. In it, they outlined how nation-state actors had discovered ways to abuse federated identities to gain privileged access to sensitive information, and also how they manipulated standard user identities to their benefit. In February 2022, the Department of Homeland Security alerted the world that compromised identities were being used against US defense contractors in support of a nation-state actor's global operations.

For security teams within organizations that rely on Microsoft's cloud services for identity, messaging and collaboration through M365 SaaS infrastructure, here are some quick tips to protect your organization from sophisticated attacks.

  1. Monitor the integrity of service principals within your M365 tenant - Many organizations rely on service principals for hybrid workloads that operate between on-premises systems and the Microsoft cloud. A service principal with a freshly added secret or certificate is a ready-made backdoor, so it is critical that compensating controls be used to harden those accounts and reduce the likelihood of their abuse, and that auditing and logging capture every last bit of activity involving them, including every credential added to them.
  2. Monitor the integrity of Multi-Factor Authentication for elevated-privilege users - Conditional access policies are generally deployed to control the use of privileged identities within the Microsoft cloud. Unfortunately, an attacker with enough access can change configuration options to reduce the effectiveness of MFA, for example by excluding an account from a policy. Legacy (basic) authentication protocols cannot carry a second factor at all, so if a privileged account is permitted to use them (for example, basic authentication for PowerShell access to Exchange Online), MFA is essentially bypassed.
  3. Monitor the integrity of mobile devices used for Authenticator approvals - In a recent assessment of an organization that perceived itself as having an excellent security posture, over 60% of the iPhones associated with Microsoft Authenticator were vulnerable to remote exploitation and cloning of the Microsoft Authenticator by an attacker. Mobile device hygiene is critical when you are relying on the device for a second factor of authentication.
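The following is an added example, not code from the original post or from Vectra, showing how tips 1 and 2 translate into detection logic over exported Azure AD logs. It assumes the records are shaped like the Microsoft Graph `signIn` and `directoryAudit` resources (field names such as `clientAppUsed`, `authenticationRequirement` and `activityDisplayName`, and the legacy-protocol and activity labels, are assumptions about that schema), and it uses a hypothetical privileged-account list and constructed sample records rather than real tenant data.

```python
"""Flag MFA-less privileged sign-ins and risky credential/policy changes.

Sample records below are constructed for illustration, shaped like the
Microsoft Graph signIn and directoryAudit resources (schema assumed).
"""
from __future__ import annotations

# Assumption: signIn.clientAppUsed values that denote legacy (basic-auth)
# protocols. These cannot present a second factor, so a *successful*
# privileged sign-in through one of them is an MFA bypass by construction.
LEGACY_CLIENT_APPS = {
    "Exchange Online PowerShell", "Exchange ActiveSync", "IMAP4", "POP3",
    "SMTP", "Authenticated SMTP", "Other clients",
}

# Assumption: directoryAudit.activityDisplayName values for the two changes
# that matter here: new secrets/certificates on a service principal, and
# edits to the conditional access policies that are supposed to enforce MFA.
SP_CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
CA_POLICY_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}

# Hypothetical privileged accounts; in practice derive this from the members
# of the tenant's Global Administrator and other privileged roles.
PRIVILEGED = {"globaladmin@contoso.example", "breakglass@contoso.example"}

# Constructed sample sign-ins (not real data).
SIGNINS = [
    {"userPrincipalName": "globaladmin@contoso.example",
     "clientAppUsed": "Exchange Online PowerShell",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.7",
     "createdDateTime": "2022-02-20T03:14:00Z"},
    {"userPrincipalName": "globaladmin@contoso.example",
     "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.4",
     "createdDateTime": "2022-02-20T09:02:00Z"},
    {"userPrincipalName": "jdoe@contoso.example",  # not privileged
     "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.9",
     "createdDateTime": "2022-02-20T09:05:00Z"},
    {"userPrincipalName": "globaladmin@contoso.example",  # failed attempt
     "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}, "ipAddress": "203.0.113.7",
     "createdDateTime": "2022-02-20T11:40:00Z"},
    {"userPrincipalName": "breakglass@contoso.example",  # modern client, no MFA
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.7",
     "createdDateTime": "2022-02-21T01:12:00Z"},
]

# Constructed sample audit events (not real data).
AUDITS = [
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2022-02-20T03:20:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": "hybrid-sync-connector",
                          "type": "ServicePrincipal"}]},
    {"activityDisplayName": "Add user",
     "activityDateTime": "2022-02-20T08:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@contoso.example"}},
     "targetResources": [{"displayName": "new.hire@contoso.example"}]},
    {"activityDisplayName": "Update conditional access policy",
     "activityDateTime": "2022-02-21T01:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for admins"}]},
]


def weak_privileged_signins(signins, privileged):
    """Successful privileged sign-ins that were completed without MFA."""
    privileged = {p.lower() for p in privileged}
    findings = []
    for s in signins:
        upn = s.get("userPrincipalName", "").lower()
        if upn not in privileged or s.get("status", {}).get("errorCode", 1) != 0:
            continue  # only successful sign-ins by privileged users matter here
        if s.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            rule = "legacy-auth"      # protocol cannot carry a second factor
        elif s.get("authenticationRequirement") == "singleFactorAuthentication":
            rule = "single-factor"    # modern client, but CA did not demand MFA
        else:
            continue
        findings.append({"rule": rule, "user": upn, "client": s.get("clientAppUsed"),
                         "ip": s.get("ipAddress"), "time": s.get("createdDateTime")})
    return findings


def credential_and_policy_changes(audits):
    """Audit events that add service-principal credentials or alter CA policy."""
    findings = []
    for a in audits:
        activity = a.get("activityDisplayName", "")
        if activity in SP_CREDENTIAL_ACTIVITIES:
            rule = "sp-credential-added"
        elif activity in CA_POLICY_ACTIVITIES:
            rule = "ca-policy-changed"
        else:
            continue
        actor = a.get("initiatedBy", {})  # may be a user or an application
        actor_name = ((actor.get("user") or {}).get("userPrincipalName")
                      or (actor.get("app") or {}).get("displayName") or "unknown")
        targets = [t.get("displayName") for t in a.get("targetResources", [])]
        findings.append({"rule": rule, "actor": actor_name, "targets": targets,
                         "time": a.get("activityDateTime")})
    return findings


def triage(signins=SIGNINS, audits=AUDITS, privileged=PRIVILEGED):
    """Combined findings for both attack paths, oldest record order preserved."""
    return weak_privileged_signins(signins, privileged) + credential_and_policy_changes(audits)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run as-is it flags the admin's PowerShell sign-in over a legacy protocol, the break-glass account's single-factor sign-in through a modern client, the new secret on the hybrid sync service principal, and the edit to the admin MFA policy, while ignoring the failed attempt and the non-privileged IMAP user. In a real tenant, feed it the sign-in and audit exports and correlate by time and source IP: a policy edit followed minutes later by a single-factor privileged sign-in from the same address is exactly the pattern the second tip warns about.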

Key Takeaways regarding Microsoft Cloud Attacks

The above checks are by no means exhaustive. Effective password policies, verifying users against leaked-credential lists, and managing the risks created by users' ability to consent to third-party apps are all valuable steps for organizations to take to limit their exposure.

But these three attack paths constitute major highways that both sophisticated and opportunistic cyber-attack actors will follow to gain unauthorized access to identities, sensitive data, and systems. By managing and monitoring them, network defenders not only have an opportunity to increase the difficulty of an attack but also uncover indicators that an attack is underway.

If your organization is struggling on these fronts, contact us – we can help. Our Siriux team has extensive experience with threat hunting in M365 tenants and our hardening guidance has been developed based upon scanning some of the most-attacked tenants in the world.

Join Aaron on Thursday, March 03, at 16:00 GMT on the Vectra Webinar: Protecting Microsoft 365 from Advanced Threats.
