You can’t audit me: Russian hacker group Cozy Bear continues targeting Microsoft 365 accounts


Researchers at the cybersecurity firm Mandiant have warned that the Russian hacking group APT29, also known as Cozy Bear or Nobelium, is actively targeting Microsoft 365 accounts at US and NATO-affiliated organizations in espionage campaigns aimed at stealing sensitive data. For those unaware, APT29 is a suspected Russian espionage group that Mandiant says it has tracked since at least 2014 and assesses is likely sponsored by Russia's Foreign Intelligence Service (SVR). Despite public disclosure of multiple APT29 operations, the group remains extremely prolific.
Mandiant has observed APT29 continuing to demonstrate exceptional operational security and advanced tradecraft against Microsoft 365, and has highlighted several newer TTPs the group used in recent operations.

Disabling licenses
Microsoft 365 uses a variety of licensing models to control an individual user's access to services in the Microsoft 365 suite of products. Licenses also dictate security and compliance settings, such as audit log retention and whether Mail Items Accessed logging within Purview Audit is available. The most common licenses are E1, E3, and E5; however, a variety of other license plans and granular add-ons make licensing in M365 complex.
For an attacker, one of the most troublesome logging features is Purview Audit, formerly Advanced Audit. This feature, available with E5 licenses and certain add-ons, enables the MailItemsAccessed audit event. MailItemsAccessed records the user-agent string, timestamp, IP address, and user each time a mail item is accessed, regardless of the access path: the Graph API, Outlook, a browser, or any other method. It is a critical log source for determining whether an attacker is reading a particular mailbox and for scoping the exposure. It is also the only way to effectively determine access to a particular mailbox when the threat actor uses techniques such as Application Impersonation or the Graph API.
Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant and then targeting those inboxes for email collection. Once the audit is disabled, no logging is available to confirm which accounts were targeted for email collection, or when. Given APT29's targeting and TTPs, the researchers assess that email collection is the most likely activity following the disablement of Purview Audit.
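The two detections a defender wants from the description above are (a) a license change that strips the premium audit SKU from a user who was previously generating MailItemsAccessed events, leaving a blind spot, and (b) MailItemsAccessed events where the reader is not the mailbox owner (application impersonation or delegate access). The following is an added example written for this page, not code from Mandiant or Microsoft. It runs over a constructed Unified Audit Log export; the field names follow the MailItemsAccessed and Azure AD audit record schemas, but every value, the SKU part numbers in `PREMIUM_AUDIT_SKUS`, and the operation names matched in `find_license_downgrades` are assumptions to adapt to your tenant.

```python
"""Added example: hunting Purview Audit blind spots and non-owner mailbox reads in a
Unified Audit Log export. Sample records are constructed; SKU names are assumptions."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: the AuditData JSON of five Search-UnifiedAuditLog results, one per line.
SAMPLE_LOG = r"""
{"CreationTime":"2022-08-10T08:05:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@example.com","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Mozilla/5.0","LogonType":0,"MailAccessType":"Bind"}
{"CreationTime":"2022-08-10T08:40:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.com","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"203.0.113.11","ClientInfoString":"Client=Microsoft Office;Outlook","LogonType":0,"MailAccessType":"Sync"}
{"CreationTime":"2022-08-10T09:15:00","Operation":"Change user license.","Workload":"AzureActiveDirectory","UserId":"admin@example.com","ObjectId":"alice@example.com","ModifiedProperties":[{"Name":"AssignedLicense","OldValue":"[SkuName=ENTERPRISEPREMIUM]","NewValue":"[SkuName=ENTERPRISEPACK]"}]}
{"CreationTime":"2022-08-10T11:30:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"svc-mailapp@example.com","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=REST;;","LogonType":2,"MailAccessType":"Bind"}
{"CreationTime":"2022-08-11T08:02:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.com","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"203.0.113.11","ClientInfoString":"Client=Microsoft Office;Outlook","LogonType":0,"MailAccessType":"Sync"}
"""

# Assumed SKU part numbers that carry Purview Audit (Premium): Office 365 E5 and Microsoft 365 E5.
PREMIUM_AUDIT_SKUS = ("ENTERPRISEPREMIUM", "SPE_E5")
# Assumed Azure AD operation names under which a license change is recorded.
LICENSE_CHANGE_OPS = ("Change user license.", "Update user.")


def parse_audit_lines(text):
    """Parse one AuditData JSON object per line; returns records sorted by CreationTime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def find_license_downgrades(records, premium_skus=PREMIUM_AUDIT_SKUS):
    """License changes whose AssignedLicense went from a premium-audit SKU to none."""
    hits = []
    for r in records:
        if r.get("Operation") not in LICENSE_CHANGE_OPS:
            continue
        for prop in r.get("ModifiedProperties", []):
            if prop.get("Name") != "AssignedLicense":
                continue
            old, new = prop.get("OldValue", ""), prop.get("NewValue", "")
            had = any(s in old for s in premium_skus)
            has = any(s in new for s in premium_skus)
            if had and not has:
                hits.append({"when": r["_ts"], "user": r["ObjectId"],
                             "actor": r["UserId"], "old": old, "new": new})
    return hits


def audit_blind_spots(records):
    """Mailboxes that produced MailItemsAccessed before a downgrade and nothing after it."""
    access = defaultdict(list)
    for r in records:
        if r.get("Operation") == "MailItemsAccessed":
            access[r["MailboxOwnerUPN"].lower()].append(r["_ts"])
    spots = []
    for d in find_license_downgrades(records):
        times = access[d["user"].lower()]
        before = sum(1 for t in times if t < d["when"])
        after = sum(1 for t in times if t >= d["when"])
        if before and not after:
            spots.append({"user": d["user"], "downgraded_by": d["actor"],
                          "downgraded_at": d["when"].isoformat(),
                          "events_before": before, "events_after": after})
    return spots


def non_owner_mail_access(records):
    """MailItemsAccessed where the actor is not the owner or LogonType is admin(1)/delegate(2)."""
    hits = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        actor, owner = r["UserId"].lower(), r["MailboxOwnerUPN"].lower()
        if actor != owner or r.get("LogonType", 0) != 0:
            hits.append({"when": r["_ts"].isoformat(), "actor": actor, "mailbox": owner,
                         "ip": r.get("ClientIPAddress"), "client": r.get("ClientInfoString"),
                         "logon_type": r.get("LogonType")})
    return hits


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG)
    for s in audit_blind_spots(recs):
        print("AUDIT BLIND SPOT:", s)
    for h in non_owner_mail_access(recs):
        print("NON-OWNER MAILBOX READ:", h)
```

The blind-spot check is deliberately phrased as "events before, none after" rather than "license changed": a user who never generated MailItemsAccessed in the lookback window is not evidence of anything, while a stream that stops exactly at a downgrade is. In a real export, run it over the full retention window and feed the `downgraded_by` actor into your identity investigation.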
MFA takeover of dormant accounts
Multi-factor authentication (MFA) is a crucial tool that companies can deploy to thwart account takeover attacks by threat actors. By requiring users to provide both something they know and something they have, organizations can significantly reduce the risk of account compromise. MFA itself, however, is not a silver bullet.
In one instance, APT29 conducted a password guessing attack against a list of mailboxes it had obtained through unknown means. The threat actor successfully guessed the password of an account that had been set up but never used. Because the account was dormant and had never enrolled in MFA, Azure AD prompted APT29 to enroll an MFA method at login. Once enrolled, APT29 was able to use the account to access the organization's VPN infrastructure, which relied on Azure AD for authentication and MFA.
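Two things make this case detectable: the account had never signed in before, and the MFA registration happened minutes after its first successful password login, following a run of failures from the same source. The following is an added example written for this page, not code from Mandiant or Microsoft. It lists accounts that are old enough to be "set up but never used" (where self-service MFA enrollment is still open to whoever logs in first), and it correlates first-ever successful sign-ins with a nearby "User registered security info" audit event. All records are constructed; the field names loosely follow the Microsoft Graph signIn, directoryAudit and user signInActivity shapes, and the error code, time window and failure threshold are assumptions.

```python
"""Added example: finding dormant accounts and first-login MFA enrollments in Azure AD data.
Records below are constructed; thresholds and field shapes are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_USERS = [  # constructed directory snapshot (user.signInActivity.lastSignInDateTime)
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-02-01T00:00:00", "lastSignInDateTime": None},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2021-06-15T00:00:00", "lastSignInDateTime": "2022-08-01T07:30:00"},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2022-08-08T00:00:00", "lastSignInDateTime": None},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2021-01-10T00:00:00", "lastSignInDateTime": "2022-08-05T09:00:00"},
]

SAMPLE_SIGNINS = [  # constructed sign-in log; errorCode 0 = success, 50126 = invalid credentials
    {"createdDateTime": "2022-08-09T09:50:00", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-08-09T09:52:00", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-08-09T09:55:00", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-08-09T10:00:00", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-07-01T08:00:00", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-08-05T09:00:00", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
]

SAMPLE_AUDIT = [  # constructed audit log; activity name as Azure AD records MFA method registration
    {"activityDateTime": "2022-08-09T10:03:00", "activityDisplayName": "User registered security info", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7"},
    {"activityDateTime": "2022-08-05T09:05:00", "activityDisplayName": "User registered security info", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.20"},
]

MFA_REGISTRATION_ACTIVITY = "User registered security info"


def never_used_accounts(users, now, min_age_days=30):
    """Accounts older than min_age_days that have never signed in: MFA enrollment is still
    open to whoever logs in first, so these should be disabled or pre-registered."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted(
        u["userPrincipalName"] for u in users
        if u["lastSignInDateTime"] is None
        and datetime.fromisoformat(u["createdDateTime"]) <= cutoff
    )


def first_login_mfa_enrollments(signins, audit_events, window_minutes=30, failure_threshold=3):
    """Flag MFA registrations that follow an account's first-ever successful sign-in within
    window_minutes, and count the failed attempts that preceded that success."""
    history = defaultdict(list)  # upn -> [(time, ip, errorCode)]
    for s in signins:
        history[s["userPrincipalName"].lower()].append(
            (datetime.fromisoformat(s["createdDateTime"]), s["ipAddress"], s["status"]["errorCode"])
        )
    window = timedelta(minutes=window_minutes)
    flagged = []
    for ev in audit_events:
        if ev["activityDisplayName"] != MFA_REGISTRATION_ACTIVITY:
            continue
        upn = ev["userPrincipalName"].lower()
        reg_ts = datetime.fromisoformat(ev["activityDateTime"])
        prior = sorted(h for h in history[upn] if h[0] <= reg_ts)
        successes = [h for h in prior if h[2] == 0]
        if not successes:
            continue  # nothing to correlate with
        first = successes[0]
        if len(successes) > 1 or reg_ts - first[0] > window:
            continue  # account has a real history, or enrollment is not tied to first login
        failures = [h for h in prior if h[2] != 0 and h[0] < first[0]]
        flagged.append({
            "user": upn,
            "first_success": first[0].isoformat(),
            "enrolled_at": reg_ts.isoformat(),
            "ip": first[1],
            "ip_matches_enrollment": first[1] == ev.get("ipAddress"),
            "failed_attempts_before": len(failures),
            "likely_password_guessing": len(failures) >= failure_threshold,
        })
    return flagged


if __name__ == "__main__":
    print("never used:", never_used_accounts(SAMPLE_USERS, datetime(2022, 8, 10)))
    for f in first_login_mfa_enrollments(SAMPLE_SIGNINS, SAMPLE_AUDIT):
        print("FIRST-LOGIN MFA ENROLLMENT:", f)
```

The preventive fix is the same as the detection's premise: accounts that have never signed in should be disabled until their owner is onboarded, and MFA should be registered during provisioning (or enrollment restricted to trusted locations) rather than left for the first successful login to complete.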

Read original article here

Denial of responsibility! TechnoCodex is an automatic aggregator of all the world's media. In each item, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.