BOOK THIS SPACE FOR AD
ARTICLE ADRead the original article: Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant
Managed Defense Investigates
With Business Email Compromises (BECs) showing no signs of
slowing down, it is becoming increasingly important for security
analysts to understand Office 365 (O365) breaches and how to properly
investigate them. This blog post is for those who have yet to dip
their toes into the waters of an O365 BEC, providing a crash course on
Microsoft’s cloud productivity suite and its assortment of logs and
data sources useful to investigators. We’ll also go over common
attacker tactics we’ve observed while responding to BECs and provide
insight into how Mandiant Managed Defense analysts approach these
investigations at our customers using PowerShell and the FireEye Helix platform.
Office 365
Office 365 is Microsoft’s cloud-based subscription service for the
Microsoft Office suite. It is built from dozens of applications
tightly embedded into the lives of today’s workforce, including:
portals and document sharing Teams and Skype for Business,
for instant messaging OneDrive, for file sharing Microsoft Stream, for recorded meetings and presentations
As more and more organizations decide to adopt Microsoft’s
cloud-based offering to meet their needs, unauthorized access to these
O365 environments, or tenants in Microsoft’s parlance, has
become increasingly lucrative to motivated attackers. The current high
adoption rate of O365 means that attackers are getting plenty of hands
on experience with using and abusing the platform. While many tactics
have remained largely unchanged in the years since we’ve first
observed them, we’ve also witnessed the evolution of techniques that
are effective against even security-conscious users.
In general, the O365 compromises we’ve responded to have fallen into
two categories:
state-sponsored intrusions
Based on our experience, BECs are a common threat to any
organization’s O365 tenant. The term “BEC” typically refers to a type
of fraud committed by financially motivated attackers. BEC actors
heavily rely on social engineering to carry out their schemes,
ultimately defrauding organizations and even personnel.
One common BEC scheme involves compromising a C-suite executive’s
account via phishing. Once the victim unwittingly enters their
credentials into a web form masquerading as the legitimate Office 365
login portal, attackers log in and instruct others in the organization
to conduct a wire transfer, perhaps under the guise of an upcoming
acquisition that has yet to be publicly announced. However, we’ve also
observed more effective schemes where attackers compromise those in
financial positions and patiently wait until an email correspondence
has begun about a due payment. Attackers seize this opportunity by
sending a doctored invoice (sometimes based on a legitimate invoice
that had been stolen earlier) on behalf of the compromised user to
another victim responsible for making payments. These emails are
typically hidden from the compromised user due to attacker-created
Outlook mailbox rules. Often times, by the time the scheme is
inevitably discovered and understood days or weeks later, the money is
unrecoverable—highlighting the importance of contacting law
enforcement immediately if you’ve fallen victim to a fraud.
The personal finances of staff aren’t off limits to attackers
either. We’ve observed several cases of W-2 scams, in which attackers
send a request to HR for W-2 information from the victim’s account.
Once obtained, this personally identifiable information is later used
to conduct tax fraud.
Conversely, APT intrusions are typically more sophisticated and are
conducted by state-sponsored threat actors. Rather than for financial
gain, APT actors are usually tasked to compromise O365 tenants for
purposes of espionage, data theft, or destruction. Given the wealth of
sensitive information housed in any given organization’s O365 tenant,
APT actors may not even need to touch a single endpoint to complete
their mission, sidestepping the many security controls organizations
have implemented and invested in.
O365 Logs and Data Sources
In this section, we’ll touch on the multitude of logs and portals
containing forensic data relevant to an O365 investigation.
Before we can begin investigating an O365 case, we’ll work with our
clients to get an “Investigator” account provisioned with the roles
required to obtain the forensic data we need. For the purposes of this
blog post, we’ll quickly list the roles needed for an Investigator
account, but during an active Managed Defense investigation, a
designated Managed Defense consultant will provide further guidance on
account provisioning.
At a minimum, the Investigator account should have the following roles:
Exchange Admin Roles
View-only audit logs View-only configuration View-only recipients Mailbox Search MessageTracking
eDiscovery Rights
eDiscovery Manager roleAzure Active Directory Roles
Global ReaderUnified Audit Log (UAL)
The Unified Audit Log records activity from various applications
within the Office 365 suite, and can be considered O365’s main log
source. Entries in the UAL are stored in JSON format. We recommend
using the PowerShell cmdlet Search-UnifiedAuditLog to query the
UAL as it allows for greater flexibility, though it can also be
acquired from the Office 365 Security & Compliance Center located
at protection.office.com.
In order to leverage this log source (and the Admin Audit Log), ensure
that the Audit Log Search feature is enabled.
The UAL has a few nuances that are important to consider. While it
provides a good high-level summary of activity across various O365
applications, it won’t log comprehensive mailbox activity (for that,
acquire the Mailbox Audit Log). Furthermore, the UAL has a few
limitations, namely:
up to 24 hours before they are searchable
Mailbox Audit Log (MAL)
The Mailbox Audit Log, part of Exchange Online, will capture
additional actions performed against objects within a mailbox. As
such, it’s a good idea acquire and analyze the MAL for each affected
user account with the PowerShell cmdlet Search-MailboxAuditLog.
Note that entries in the MAL will be retained for 90 days (by default)
and timestamps will be based on the user’s local time zone. The MAL’s
retention time can always be increased with the PowerShell cmdlet
Set-Mailbox along with the AuditLogAgeLimit parameter.
At the time of writing this post, Microsoft has recently released
information about enhanced auditing functionality that gives
investigators insight into which emails were accessed by attackers.
This level of logging for regular user accounts is only available for
organizations with an Office 365 E5 subscription. Once Advanced
Auditing is enabled, mail access activity will be logged under the
MailItemsAccessed operation in both the UAL and MAL.
Administrator Audit Log
If the Audit Log Search feature is enabled, this supplemental
data source logs all PowerShell administrative cmdlets (including
command-line arguments) executed by administrators. If you suspect
that an administrator account was compromised, don’t overlook this
log! The PowerShell cmdlet
Search-AdminAuditLog is used to query these logs, but
note that the Audit Log Search feature must be enabled and the
same 90 day retention limit will be in place.
Azure AD Logs
Azure AD logs can be accessed from the Azure portal (portal.azure.com) under the Azure
Active Directory service. Azure AD Sign-in logs contain detailed
information about how authentications occur and O365 application
usage. Azure AD audit logs are also a valuable source of information,
containing records of password resets, account creations, role
modifications, OAuth grants, and more that could be indicative of
suspicious activity. Note that Azure AD logs are only available for 30 days.
Cloud App Security Portal
For cases where OAuth abuse has been observed, information about
cloud applications can be found in Microsoft’s Cloud App Security
portal (portal.cloudappsecurity.com).
Access to this portal requires an E5 license or a standalone Cloud App
license. For more background on OAuth abuse, be sure to check out our
blog post:
Shining
a Light on OAuth Abuse with PwnAuth.
Message Traces
Message traces record the emails sent and received by a user. During
an investigation, run reports on any email addresses of interest. The
message trace report will contain detailed mail flow information as
well as subject lines, original client IP addresses, and message
sizes. Message traces are useful for identifying emails sent by
attackers from compromised accounts, and can also aid in identifying
initial phishing emails if phishing was used for initial access. To
obtain the actual emails, use the Content Search tool.
Only the past 10 days of activity is available with the
Get-MessageTrace PowerShell cmdlet. Historical searches for
older messages can be run with the Get-HistoricalSearch cmdlet
(up to 90 days by default), but historical searches typically take
hours for the report to be available. Historical reports can also be
generated within the Security and Compliance Center.
eDiscovery Content Searches
The Content Search tool allows investigators to query for emails,
documents, and instant message conversations stored in an Office 365
tenant. We frequently run Content Search queries to find and acquire
copies of emails sent by attackers. Content searches are limited to
what has been indexed by Microsoft, so recent activity may not
immediately appear. Additionally, only the most recent 1000 items will
be shown in the preview pane.
Anatomy of an O365 BEC
As mentioned earlier, BECs are one of the more prevalent threats to
O365 tenants seen by Managed Defense today. Sometimes, Mandiant
analysts respond to several BEC cases at our customers within the same
week. With this frontline experience, we’ve compiled a list of
commonly observed tactics and techniques to advise our readers about
the types of activities one should anticipate. Please note that this
is by no means a comprehensive list of O365 attacks, rather a focus on
the usual routes we’ve seen BEC actors take to accomplish their objective.
Phase 1: Initial Compromise
Phishing: Emails with links to credential harvesting formssent to victims, sometimes from the account of a compromised
business partner. Brute force: A large dictionary of passwords attempted
against an account of interest. Password spray: A dictionary of commonly used passwords
attempted against a list of known user accounts. Access to credential dump: Valid credentials used from a
previous compromise of the user. MFA bypasses: Use of mail clients leveraging legacy
authentication protocols (e.g. IMAP/POP), which bypass MFA policies.
Attackers may also spam push notifications to the victim by
repeatedly attempting to log in, eventually leading to the victim
mistakenly accepting the prompt.
Phase 2: Establish Foothold
More phishing: Additional phishing lures sent tointernal/external contacts from Outlook’s global address list. More credible lures: New phishing lures uploaded to the
compromised user’s OneDrive or SharePoint account and shared with
the victim’s coworkers. SMTP forwarding: SMTP forwarding enabled in the victim’s
mailbox to forward all email to an external address. Forwarding mailbox rules: Mailbox rules created to forward
all or certain mail to an external address. Mail client usage: Outlook or third-party mail clients used
by attackers. Mail will continue to sync for a short while after a
password reset occurs.
Phase 3: Evasion
Evasive mailbox rules: Mailbox rules created to delete mailor move some or all incoming mail to uncommonly used folders in
Outlook, such as “RSS Subscriptions”. Manual evasion: Manual deletion of incoming and sent mail.
Attackers may forego mailbox rules entirely. Mail forwarding: Attackers accessing emails without logging
in if a mechanism to forward mail to an external address was set up
earlier. Mail client usage: Outlook or third-party mail clients used
by attackers. Mail can be synced locally to the attacker’s machine
and accessed later. VPN usage: VPN servers, sometimes with similar geolocations
to their victims, used in an attempt to avoid detection and evade
conditional access policies.
Phase 4: Internal Reconnaissance
Outlook searching: The victim’s mailbox queried by attackersfor emails of interest. While not recorded in audit logs, it may be
available to export
if it was not deleted by attackers. O365 searching: Searches conducted within SharePoint and
other O365 applications for content of interest. While not recorded
in audit logs, SharePoint and OneDrive file interactions are
recorded in the UAL. Mail client usage: Outlook or third-party mail clients used
by attackers. Mail can be synced locally to the attacker’s machine
and accessed later.
Phase 5: Complete Mission
Direct deposit update: A request sent to the HR department toupdate the victim’s direct deposit information, redirecting payment
to the BEC actor. W-2 scam: A request sent to the HR department for W-2 forms,
used to harvest PII for tax fraud. Wire transfer: A wire transfer requested for an unpaid
invoice, upcoming M&A, charities, etc. Third-party account abuse: Abuse of the compromised user’s
privileged access to third-party accounts and services, such as
access to a corporate rewards site.
How Managed Defense Responds to O365 BECs
In this section, we’re going to walk through how Managed Defense
investigates a typical O365 BEC case.
Many of the steps in our investigation rely on querying for logs
with PowerShell. To do this, first establish
[…]