Cybersecurity firm Mandiant has warned that the Russian hacking group APT29, also known as Cozy Bear or Nobelium, has targeted several Microsoft 365 accounts in the US and NATO countries.
The firm says that it has been tracking the cyberespionage group since at least 2014.
Microsoft 365 uses a variety of licensing models to control a user’s access to the suite of products. The licenses also govern security and compliance settings such as log retention and Mail Items Accessed logging in Purview Audit. The most common licenses are E1, E3 and E5.
Users on the E5 license can use Purview Audit to enable the Mail Items Accessed audit. Mail Items Accessed records the user-agent string, timestamp, IP address, and username each time a mail item is accessed.
In its report, Mandiant said, “Once (Purview Audit) is disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organisation to confirm which accounts the threat actor targeted for email collection and when. Given APT29’s targeting and TTPs, Mandiant believes that email collection is the most likely activity following the disablement of Purview Audit.”
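The report's point is that the logging gap itself is the signal: a licence change on an account followed by silence from its Mail Items Accessed stream is worth verifying. The script below is an added illustration of that check and is not code from Mandiant or Microsoft; the records are constructed samples shaped like Unified Audit Log entries, and the assumption that a "Change user license." record names the affected account in "ObjectId" is ours.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft 365 Unified Audit Log
# entries. "MailItemsAccessed" is the Exchange mailbox-access operation the
# article describes; "Change user license." is the Azure AD licence-change
# operation, with the affected account ASSUMED to be carried in "ObjectId".
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2024-05-01T08:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Mozilla/5.0"},
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.11",
     "ClientInfoString": "Client=Outlook"},
    {"CreationTime": "2024-05-01T09:30:00", "Operation": "Change user license.",
     "UserId": "admin@example.com", "ObjectId": "alice@example.com"},
    {"CreationTime": "2024-05-02T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.11",
     "ClientInfoString": "Client=Outlook"},
]

def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])

def last_mail_access(records):
    """Most recent MailItemsAccessed timestamp (ISO string) per mailbox."""
    last = {}
    for r in records:
        if r["Operation"] == "MailItemsAccessed":
            user = r["UserId"].lower()
            if user not in last or _ts(r) > last[user]:
                last[user] = _ts(r)
    return {u: t.isoformat() for u, t in last.items()}

def license_changes(records):
    """(time, target account) for every licence-change event."""
    return [(_ts(r), r["ObjectId"].lower()) for r in records
            if r["Operation"] == "Change user license."]

def find_silenced_mailboxes(records, now_iso, min_quiet=timedelta(hours=12)):
    """Accounts whose licence changed and whose MailItemsAccessed stream has
    produced nothing since, for at least min_quiet. Each hit is a cue to
    confirm the licence change was authorised, not proof of compromise."""
    now = datetime.fromisoformat(now_iso)
    last = last_mail_access(records)
    hits = []
    for changed_at, target in license_changes(records):
        if now - changed_at < min_quiet:
            continue  # too soon to call the stream silent
        seen = last.get(target)
        if seen is None or datetime.fromisoformat(seen) <= changed_at:
            hits.append((target, changed_at.isoformat()))
    return hits

if __name__ == "__main__":
    print(find_silenced_mailboxes(SAMPLE_AUDIT_LOG, "2024-05-02T12:00:00"))
```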
The report also said that multi-factor authentication (MFA) is a crucial tool that organizations can deploy to thwart account takeover attacks by threat actors. By requiring users to provide both something they know and something they have, organizations can significantly reduce the risk of account compromise.
Mandiant expects APT29 to keep developing techniques and tactics for accessing Microsoft 365 in novel and stealthy ways.