Hackers have found a new way into your Microsoft 365 account

News
By published

Cybercriminals are brute-forcing into Azure AD accounts with no MFA

Microsoft 365
(Image credit: Microsoft)

Russian state-sponsored threat actor Cozy Bear (also known as APT29 or Nobelium) is deploying new tactics to sneak into Microsoft 365 accounts, in an attempt to steal sensitive foreign policy intelligence.

This is according to a new report from cybersecurity firm Mandiant, which claims Cozy Bear is using three techniques to execute (and disguise) the attacks:

  1. Disabling Purview Audit before engaging with a compromised email account
  2. Brute-forcing Microsoft 365 passwords that are yet to enroll in multi-factor authentication (MFA)
  3. Covering their tracks by using Azure Virtual Machines via compromised accounts, or by purchasing the service

New Microsoft 365 attack

Purview Audit, the researchers remind, is a high-level security feature that logs if a person accesses an email account outside the program (either via the browser, Graph API, or through Outlook). That way, IT departments can manage all accounts and make sure there’s no unauthorized access.

"This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure," Mandiant wrote. "It is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API."

However, APT29 is well aware of this feature, and makes sure to disable it before accessing any email.

Read more

> Office users are really going to hate this annoying new Microsoft 365 intrusion

> Microsoft 365 may finally make Outlook actually pleasant to use

> Our list of the best antivirus services

The researchers also found Cozy Bear abusing the self-enrollment process for MFA in Azure Active Directory (AD). When a user tries to log in for the first time, they’ll first need to enable MFA on the account. 

The threat actors are looking to work around this feature by brute-forcing accounts that are yet to enroll in the advanced cybersecurity feature. Then, they complete the process in the victim’s stead, granting unabated access to the target organization’s VPN infrastructure, and thus, the entire network and its endpoints.

Finally, Azure’s virtual machines already hold Microsoft IP addresses, and due to the fact that Microsoft 365 runs on Azure, IT teams struggle to differentiate regular and malicious traffic. Cozy Bear can further hide its Azure AD activity by blending regular Application Address URLs with malicious activity.

The likelihood of regular users being targeted by the threat group is presumably relatively small, but large businesses will need to be alert to the attack vector, which might be used to target high-profile executives and others with access to sensitive information.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A padlock resting on a keyboard.
Massive botnet is targeting Microsoft 365 accounts across the world
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Russia
Major Russian hacking group shifts focus to US and UK targets
Latest in Security
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
Latest in News
Frank Grimes confronts Homer Simpson in The Simpsons' Homer's Enemy episode
Disney+ adds a new continuous Simpsons stream, so you no longer have to spend ages choosing an episode
Helly and Mark standing on an artificial hill surrounded by goats in Severance season 2 episode 3
New Apple teaser for Severance season 2 finale suggests we might finally find out what Lumon is doing with those goats, and I don't think it's anything good
Foldable iPhone
Apple’s first foldable iPhone could beat the Samsung Galaxy Z Fold 7 in one key way
Marvel Rivals
Marvel Rivals' next update will add two new hero skins for Iron Man and Spider-Man mains this week
Nvidia Isaac GROOT N1
“The age of generalist robotics is here" - Nvidia's latest GROOT AI model just took us another step closer to fully humanoid robots
Lego Pokemon
Pokemon and Lego announce the most electrifying collaboration of all time and I’m going to be first in line
More about security
Robotic hand clicking on captcha 'I am not a robot'.

Fake CAPTCHAs are being used to spread malware - and we only have ourselves to blame
Close up of a person touching an email icon.

Criminals are using CSS to get around filters and track email usage
Frank Grimes confronts Homer Simpson in The Simpsons' Homer's Enemy episode

Disney+ adds a new continuous Simpsons stream, so you no longer have to spend ages choosing an episode
See more latest
Most Popular
Frank Grimes confronts Homer Simpson in The Simpsons' Homer's Enemy episode
Disney+ adds a new continuous Simpsons stream, so you no longer have to spend ages choosing an episode
Foldable iPhone
Apple’s first foldable iPhone could beat the Samsung Galaxy Z Fold 7 in one key way
Robotic hand clicking on captcha 'I am not a robot'.
Fake CAPTCHAs are being used to spread malware - and we only have ourselves to blame
Nvidia DGX Station
Nvidia’s DGX Station brings 800Gbps LAN, the most powerful chip ever launched in a desktop workstation PC
NVIDIA RTX PRO 6000 Blackwell Server Edition
Nvidia launches its fastest GPU ever: Nvidia RTX Pro 6000 Blackwell Workstation Edition is an enhanced version of the RTX 5090 with more of everything
A still from the movie She Will
Everything leaving Hulu in April 2025
Nvidia Blackwell Ultra
Nvidia GTC 2025: New Blackwell Ultra GPU series is the most powerful AI hardware yet
Nvidia Isaac GROOT N1
“The age of generalist robotics is here" - Nvidia's latest GROOT AI model just took us another step closer to fully humanoid robots
TeamGroup D500R ISD WORM SD card
This SD card is the spiritual child of the CD-ROM (and the DVD-ROM) as it can only be written on once
Steve Martin and John Mulaney during the “50th Monologue” sketch on February 16, 2025
Forget Netflix, I tuned into Peacock to watch the SNL 50 special and it went off without a hitch – here’s why it’s built for live-streaming