Mandiant: Russian Hackers are Targeting Microsoft 365 Accounts
In a blog post, Mandiant highlights some tactics, techniques, and procedures (TTPs) the APT29 espionage group is using to target Microsoft 365 accounts. The hackers, who have ties to Russia’s government, have been observed disabling licenses, taking over dormant accounts, and focusing on operational security.
Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must, and accounts as well as account configurations need to be carefully audited, even if you are not in the crosshairs of nation-state attackers.
They are disabling logging, such as Purview Audit (formerly Advanced Audit), which is required for the MailItemsAccessed audit event, a very effective tool for determining specific accesses to mail items. Make sure that you've enabled MFA for _ALL_ accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access to ensure an adversary who guesses credentials isn't able to self-enroll before the legitimate user can. When considering Microsoft 365 security, don't underestimate the skills of possible attackers.
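The two checks the paragraph above calls for, inventorying which mailboxes actually have MailItemsAccessed auditing in place and hunting the unified audit log for license or audit-configuration changes, can be scripted from Exchange Online PowerShell. The script below is an added example written for this post; it is not code from Mandiant or from any of the linked articles. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds an Exchange admin role with audit-log read access, and that the lookback window and report path are local choices (both are marked as assumptions in the code).

```powershell
# Added example (not from the post or Mandiant): inventory mailbox audit coverage
# and hunt for the license/audit changes described above.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role with
# audit-log read permission. Lookback window and report path are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

$LookbackDays = 30                           # assumption: how far back to search the unified audit log
$ReportPath   = ".\m365-audit-coverage.csv"  # assumption: where to write the coverage report

# 1. Tenant-wide switch: if mailbox auditing is disabled here, per-mailbox settings do not matter.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is DISABLED at the organization level (AuditDisabled = True)."
}

# 2. Per-mailbox check: MailItemsAccessed only shows up in the owner/delegate/admin audit sets
#    when the mailbox carries a Purview Audit (Premium) entitlement and the sets were not trimmed.
$coverage = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    ForEach-Object {
        $hasMIA = ($_.AuditOwner    -contains 'MailItemsAccessed') -and
                  ($_.AuditDelegate -contains 'MailItemsAccessed') -and
                  ($_.AuditAdmin    -contains 'MailItemsAccessed')
        [pscustomobject]@{
            Mailbox           = $_.UserPrincipalName
            AuditEnabled      = $_.AuditEnabled
            MailItemsAccessed = $hasMIA
            AuditLogAgeLimit  = $_.AuditLogAgeLimit
        }
    }

$coverage | Export-Csv -Path $ReportPath -NoTypeInformation
$gaps = @($coverage | Where-Object { -not $_.AuditEnabled -or -not $_.MailItemsAccessed })
Write-Host ("{0} of {1} mailboxes lack full MailItemsAccessed coverage; details in {2}" -f `
    $gaps.Count, @($coverage).Count, $ReportPath)

# 3. Hunt the unified audit log for the changes an intruder makes to blind the audit trail:
#    license changes (removing the entitlement that enables Purview Audit) and
#    mailbox/organization audit configuration changes.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)

$licenseChanges = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory -Operations 'Change user license.' -ResultSize 5000

$auditConfigChanges = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeAdmin -Operations 'Set-Mailbox','Set-OrganizationConfig' -ResultSize 5000 |
    Where-Object { $_.AuditData -match '"Name":\s*"Audit' }   # Audit* parameters: AuditEnabled, AuditOwner, AuditDisabled...

# Flatten both result sets into one timeline: who changed what, and when.
$timeline = foreach ($evt in @($licenseChanges) + @($auditConfigChanges)) {
    $d = $evt.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $evt.CreationDate
        Operation = $evt.Operations
        Actor     = $d.UserId
        Target    = $d.ObjectId
    }
}
$timeline | Sort-Object When | Format-Table -AutoSize
```

The coverage report is the baseline to keep: re-run it on a schedule and diff it, because a mailbox that silently drops MailItemsAccessed from its audit sets is exactly the signal that a license was pulled. Search-UnifiedAuditLog returns at most 5000 records per call, so for a large tenant or a long window page through the results with -SessionCommand ReturnLargeSet and -SessionId.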
Read more in:
Mandiant: You Can’t Audit Me: APT29 Continues Targeting Microsoft 365
Bleeping Computer: Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
ZDNet: Hackers are using this sneaky exploit to bypass Microsoft's multi-factor authentication
Gov Infosecurity: Russia's APT29 targeting Microsoft 365 Users