Hackers Find New Ways To Access Your Microsoft 365 Account

Sep 13, 2022 | News

Hackers are constantly finding new ways to get into your data. A Russian state-sponsored threat actor, Cozy Bear, has created new tactics to slide into your Microsoft 365 accounts. 

Cozy Bear is using three techniques to execute and disguise these attacks:

  1. Disabling Purview Audit before engaging with a compromised email account
  2. Brute-forcing the passwords of Microsoft 365 accounts that have not yet enrolled in multi-factor authentication
  3. Covering their tracks by using Azure Virtual Machines, either via compromised accounts or by purchasing the server.

Purview Audit is a high-level security feature that logs when a person accesses an email account outside of the programme, so IT departments can monitor all accounts and make sure there is no unauthorised access.

However, Cozy Bear makes sure to disable these features before accessing any of your emails. Separately, they are also abusing the self-enrolment process for multi-factor authentication in Azure Active Directory: when users log in for the first time, they are asked to enrol in MFA on the account.

Threat actors have found a way to work around this component by brute-forcing the passwords of accounts that have not yet enrolled in this advanced cybersecurity feature. They are then able to complete the enrolment in the victim's place, which grants them persistent access to the target organisation's VPN infrastructure and, from there, exposes the entire network and its endpoints.
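As an added example (not from the original post), the script below shows how a defender could hunt for the two behaviours described above in exported sign-in and audit records: a burst of failed logins followed by a success and a fresh MFA security-info registration for the same user, and operations that change mailbox audit configuration. The log lines are constructed, the field names (`CreationDate`, `Operation`, `UserId`, `ClientIP`) are a simplified assumption of the Unified Audit Log shape, and the thresholds are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in a simplified Unified Audit Log
# shape; the field names CreationDate/Operation/UserId/ClientIP are assumptions.
SAMPLE_LOG = """\
{"CreationDate": "2022-09-01T10:00:00", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationDate": "2022-09-01T10:00:02", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationDate": "2022-09-01T10:00:04", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationDate": "2022-09-01T10:00:06", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationDate": "2022-09-01T10:01:00", "Operation": "User registered security info", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationDate": "2022-09-01T11:00:00", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "198.51.100.7"}
{"CreationDate": "2022-09-01T11:00:30", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "198.51.100.7"}
{"CreationDate": "2022-09-01T12:00:00", "Operation": "Set-MailboxAuditBypassAssociation", "UserId": "admin@example.com", "ClientIP": "203.0.113.5"}
"""

# Exchange Online operations that weaken or bypass mailbox/unified auditing.
AUDIT_TAMPER_OPS = {"Set-MailboxAuditBypassAssociation", "Set-AdminAuditLogConfig"}

def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_tampering(records):
    """Records whose operation changes audit configuration (review every one)."""
    return [r for r in records if r["Operation"] in AUDIT_TAMPER_OPS]

def suspicious_enrolments(records, threshold=3, window=timedelta(minutes=30)):
    """Users where >= threshold failed logins are followed, within `window`,
    by a successful login and then an MFA security-info registration."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["CreationDate"]):
        by_user[r["UserId"]].append(r)
    hits = []
    for user, events in by_user.items():
        fails, success_at = [], None
        for e in events:
            ts = datetime.fromisoformat(e["CreationDate"])
            fails = [t for t in fails if ts - t <= window]  # keep only failures inside the window
            op = e["Operation"]
            if op == "UserLoginFailed":
                fails.append(ts)
            elif op == "UserLoggedIn" and len(fails) >= threshold:
                success_at = ts  # password likely guessed after a burst of failures
            elif op == "User registered security info" and success_at and ts - success_at <= window:
                hits.append({"user": user, "failures": len(fails), "ip": e["ClientIP"]})
                success_at = None
    return hits

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(suspicious_enrolments(recs))
    print([r["Operation"] for r in audit_tampering(recs)])
```

A hit on the first check means the MFA enrolment itself should be treated as untrusted and reset, not accepted as proof the account is protected.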

Azure virtual machines already use Microsoft-owned IP addresses, and because Microsoft 365 itself runs on Azure, Cozy Bear can further hide its Azure AD activity by blending regular application address URLs with malicious activity. Luckily for you, the team at VMhosts is here to help you before this happens.

At VMhosts we can manage your BackUp Services, IT management and Recovery, so you don’t have to. If you want to have a conversation about how to improve your IT security, get in touch today.