The most dangerous (and interesting) Microsoft 365 attacks

APT groups are developing new techniques that allow them to avoid detection and exfiltrate hundreds of gigabytes of data from emails, SharePoint, OneDrive, and other applications.

Page 2 of 2

An APT group the researchers followed was able to download an impressive amount of data. "Over the course of a month, there were over 350 gigabytes stolen, and the threat actor had access for at least 12 months," Madeley says. "It kind of implies that there is some level of big data analysis on the back end. There's not a single human scrolling through emails."

This big data approach wouldn't be surprising, the two researchers say. They've noticed that advanced threat actors are increasingly relying on automation, building tools that perform many tasks for them. "The fact that they went through the effort of making these automated collection tools suggests that there is automation throughout the lifecycle."

Mitigating Microsoft 365 threats

Bienstock and Madeley expect APT groups to continue to update their skills in the years to come. They also say that some of these popular techniques would likely start to be used by financially motivated gangs.

Madeley recommends admins learn and understand the nuances of third-party cloud integrations. They should know what auditing is available to them and what types of detection capabilities they have depending on the Microsoft 365 license model, he says. The researcher recommends that they establish good change control processes in the cloud, so when a threat actor makes a change to the organization's infrastructure, an admin can detect it.

"It really starts with understanding your environment, understanding what applications you have registered, knowing what mailbox permissions look like on a normal basis, and what your authentication providers look like, and how they're being used within your environment," Madeley says, "and then monitoring changes."
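The baseline-and-monitor approach Madeley describes, as an added example that is not part of the original article: a known-good baseline of registered applications, mailbox delegations and domain authentication settings is compared against incoming audit records, and anything outside the baseline is reported. The baseline, the records and the field names are constructed for illustration and only approximate the general shape of unified audit log entries.

```python
"""Flag Microsoft 365 changes that drift from a known-good baseline (added example)."""
from typing import List

# Constructed baseline: what the tenant looks like on a normal day.
BASELINE = {
    "app_registrations": {"HR-Sync-Connector", "Backup-Service"},
    "mailbox_delegations": {("ceo@example.com", "assistant@example.com")},
    "domain_auth": {"example.com": "Managed"},
}

# Constructed audit records in a simplified shape (Operation, ObjectId, Parameters).
SAMPLE_EVENTS = [
    {"Operation": "Add service principal.", "ObjectId": "Backup-Service"},
    {"Operation": "Add service principal.", "ObjectId": "Mail-Export-Tool"},
    {"Operation": "Add-MailboxPermission", "ObjectId": "ceo@example.com",
     "Parameters": {"User": "svc-collector@example.com", "AccessRights": "FullAccess"}},
    {"Operation": "Add-MailboxPermission", "ObjectId": "ceo@example.com",
     "Parameters": {"User": "assistant@example.com", "AccessRights": "FullAccess"}},
    {"Operation": "Set domain authentication.", "ObjectId": "example.com",
     "Parameters": {"Authentication": "Federated"}},
]


def detect_drift(events: List[dict], baseline: dict) -> List[str]:
    """Return one finding per event that changes something not present in the baseline."""
    findings: List[str] = []
    for ev in events:
        op = ev.get("Operation")
        obj = ev.get("ObjectId", "")
        params = ev.get("Parameters", {})
        if op == "Add service principal." and obj not in baseline["app_registrations"]:
            # An application the organisation never registered.
            findings.append(f"new app registration: {obj}")
        elif op == "Add-MailboxPermission":
            # A delegation pair (mailbox, grantee) that was not on the baseline.
            user = params.get("User")
            if (obj, user) not in baseline["mailbox_delegations"]:
                findings.append(f"new mailbox delegation: {user} -> {obj} ({params.get('AccessRights')})")
        elif op == "Set domain authentication.":
            # Authentication provider for a domain changed from the expected value.
            if baseline["domain_auth"].get(obj) != params.get("Authentication"):
                findings.append(f"authentication provider changed for {obj}: {params.get('Authentication')}")
    return findings


if __name__ == "__main__":
    for finding in detect_drift(SAMPLE_EVENTS, BASELINE):
        print("ALERT:", finding)
```

Events that match the baseline (the existing service principal and the assistant's delegation) produce no finding, so only the three unexpected changes are reported.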

Both researchers say that constant education is a must-have, as things move so much faster in the cloud. Microsoft is putting effort into making its cloud infrastructure resilient, secure, and more auditable, Madeley says, but organizations should also do their part when it comes to security. "It's important that enterprises understand where their blind spots are," the researcher added.

Copyright © 2021 IDG Communications, Inc.
