The Most Dangerous (and interesting) Microsoft 365 Attacks.

Every organization using Microsoft 365 (Formerly Office 365) should read this post and take the recommendation therewith. The summary of the post is this – DO NOT depend on Microsoft EOP /ATP solution alone to secure your Office 365 environment! Consider Cloud Email Security Supplements (CESS) platforms that covers all Office 365 ecosystems such as Email, SharePoint, OneDrive and Teams ( all offered via a SINGLE unified platform).

APT groups are developing new techniques that allow them to avoid detection and exfiltrate hundreds of gigabytes of data from emails, SharePoint, OneDrive, and other applications.

Government-sponsored hackers, who carry out cyber espionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organizations of all sizes.

From an intelligence collector’s perspective, it makes sense to target it. “Microsoft 365 is a gold mine,” Doug Bienstock, incident response manager at Mandiant, tells CSO. “The vast majority of [an organization’s] data is probably going to be in Microsoft 365, whether it’s in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages.”

Companies that rely heavily on Microsoft 365 tend to adopt it in almost every aspect of their work, from document writing to project planning, task automation, or data analytics. Some also use Azure Active Directory as the authentication provider for their employees, and attackers know that. “Getting access to [Active Directory] can, by extension, grant you access to other cloud properties,” Josh Madeley, incident response manager at Mandiant, tells CSO.

During their recent talk at Black Hat USA 2021, Madeley and Bienstock presented some of the novel techniques used by nation-state hackers in campaigns targeting data stored within Microsoft 365. The researchers showed how APT groups have evolved to evade detection and extract hundreds of gigabytes of data from their victims.

“These attackers are investing a lot of time and effort into learning about Microsoft 365,” Bienstock says. “They know way more about Microsoft 365 than your admin does. They know more about it than probably some employees at Microsoft.”

Avoiding detection

In the past year, APT groups have become better at avoiding detection, employing a few techniques that were never seen before. “One of those is downgrading user licenses from a Microsoft 365 E5 license to an E3 license,” Madeley says. It typically appears early in an attack.

The E5 license offers identity and app management, information protection, as well as threat protections. This helps organizations detect and investigate threats and notice malicious activity both on-premises and in the cloud environment, features the E3 license lacks. “A lot of the advanced telemetry that more mature organizations rely on for detection comes with that E5 license,” Madeley says. “So, while the threat actor may be saving the victim organizations money, they’re actually really easily disabling the most effective detection mechanisms that organizations have.”

Mailbox folder permission abuse

The two researchers saw APT groups use license downgrading together with an older technique that has been around since 2017, mailbox folder permission abuse, first described by Beau Bullock at Black Hills Information Security in the context of red teaming.

“There’s an analogy between folder permissions on your desktop and folder permissions in a mailbox,” Madeley says. “You can assign permissions to users for specific mailboxes or specific folders within your mailbox.” A person can, for instance, have read access to another person’s special projects mailbox folder if the two are working on those projects together. Or, someone could give their colleagues read access to their calendar folder to schedule meetings more efficiently.

For the complete post, visit