Last updated on: January 7, 2022
In this blog we review five attack techniques used to compromise MS 365 tenants. Qualys SaaS Detection & Response can be used by both IT and security teams to assess these threats and then fix the common misconfigurations behind them, hardening defenses against this kind of supply chain attack.
Last October, news that Microsoft 365 (MS 365) tenants were being compromised shook the cyber security world. The alleged perpetrators are the threat group APT29 (aka Nobelium, Cozy Bear, UNC2452), the same group that compromised SolarWinds’ Orion IT monitoring software in 2020. This time their objective was MS 365 tenants: they targeted the trust relationships between organizations worldwide and the service providers and IT resellers that administer MS 365 on their behalf. Microsoft reported that between July and October 2021 it had notified 609 organizations of 22,868 attacks. The purpose of the attacks was to piggyback on any direct access that resellers hold to their customers’ IT systems.
Importantly, these attacks did not exploit any vulnerability in MS 365. Instead, they gained access to MS 365 tenants by exploiting security misconfigurations. According to a detailed report published by Mandiant, the attackers used multiple techniques, each with a different impact on the accessibility and security of the tenant. Depending on the technique, they could read crucial mailboxes, forward email to other accounts, alter email folder contents and permissions, send phishing mail from legitimate addresses, and so on.
Protecting Your MS 365 Tenants with SaaSDR
Qualys SaaS Detection and Response (SaaSDR) exists to mitigate such attacks. We have used Qualys SaaSDR to perform a detailed assessment of the security configuration of MS 365 tenants. For each attack technique below, we compare the configurations it depends on with the posture recommended by the security guidelines, and show how SaaSDR finds and fixes the misconfiguration. Remediating within the same SaaSDR console lets IT and security teams take corrective action immediately.
Here are five types of attack that exploit MS 365 misconfiguration:
Attack Technique #1: Golden SAML Attack to Access MS 365 through a Forged Identity
In a Golden SAML attack the adversary steals the token-signing certificate from an Active Directory Federation Services (AD FS) server and uses it to forge SAML tokens for arbitrary users. Because Azure AD trusts any token signed by the federated identity provider, the forged tokens let the attacker sign in to Microsoft 365 as any federated user without knowing a password or satisfying MFA.
Protection from this attack requires the verification of two configurations on the MS 365 tenant:
- Check that the ImmutableID property is set correctly (it should not be present on cloud-only accounts)
- Ensure that roles and accounts with privileged access are strictly cloud-only accounts
If a privileged account that manages Azure AD is an on-premises (synced) account with an ImmutableID property set, a threat actor holding the signing certificate can forge a SAML token for that account. Such a token facilitates lateral movement from the on-premises environment into the cloud.
Qualys SaaSDR Assessment
Qualys SaaSDR audits whether any cloud-only administrator account has an ‘ImmutableID’ property set (it should not). All privileged cloud-only accounts should also be required to use MFA, through conditional access policies or security defaults. SaaSDR lists every cloud-only administrator account together with its ImmutableID value, so IT teams can correct the accounts that fail the check.
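The following PowerShell is an added illustration of the same check, not Qualys SaaSDR or Mandiant code. It uses the Microsoft Graph PowerShell SDK to enumerate the members of a set of privileged directory roles and flag any that are directory-synced or carry an OnPremisesImmutableId (the Graph name for the ImmutableID property), i.e. that are not strictly cloud-only. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to Directory.Read.All; the list of role names treated as privileged is a choice made for this example.

```powershell
# Added example: find privileged Azure AD accounts that are not strictly cloud-only.
# Assumes the Microsoft.Graph PowerShell SDK and a caller who can consent to Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Roles this example treats as privileged (assumption; adjust to your tenant's definition).
$privilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$findings = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects are examined; groups and service principals are listed by type for review.
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            [pscustomobject]@{ Role = $role.DisplayName; Member = $member.Id; Type = $type; CloudOnly = $null; ImmutableId = $null }
            continue
        }
        $user = Get-MgUser -UserId $member.Id -Property 'UserPrincipalName','OnPremisesSyncEnabled','OnPremisesImmutableId'
        [pscustomobject]@{
            Role        = $role.DisplayName
            Member      = $user.UserPrincipalName
            Type        = 'user'
            # A cloud-only account is neither synced from AD nor carries an ImmutableID that a forged SAML token could name.
            CloudOnly   = (-not $user.OnPremisesSyncEnabled) -and [string]::IsNullOrEmpty($user.OnPremisesImmutableId)
            ImmutableId = $user.OnPremisesImmutableId
        }
    }
}

# Every row with CloudOnly = False is an account a Golden SAML token could impersonate.
$findings | Sort-Object CloudOnly, Role | Format-Table -AutoSize
```

Rows with CloudOnly = False should be replaced by dedicated cloud-only administrator accounts; an account that must keep its role cannot simply have the ImmutableID cleared while it remains in the synchronization scope, because the next sync cycle would write it back.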
Attack Technique #2: Abusing Azure AD Privileged Roles and Hijacking Azure AD Apps
Attackers can compromise the credentials of on-premises user accounts synced to Microsoft 365 and, using whatever privileges those accounts already hold, assign highly privileged directory roles (such as Global Administrator or Application Administrator) to accounts they control. With such privileges they can access user mailboxes, change mailbox settings, and may gain complete control over the Microsoft 365 environment.
Attackers can also hijack an existing Microsoft 365 application by adding a rogue credential (a client secret or certificate) to it. They then authenticate as the application and use the legitimate permissions already granted to it, such as reading email, sending email as an arbitrary user, or accessing user calendars, all while bypassing MFA, which applies to users rather than to applications.
Qualys SaaSDR Assessment
Qualys SaaSDR checks that the passwords of cloud-only administrator accounts are rotated periodically: changing an admin password after a set interval narrows the window in which a compromised password remains useful to an attacker. SaaSDR also checks that the number of global administrators is between two and four, as the CIS benchmark recommends. Similarly, SaaSDR checks whether accounts holding the Global Administrator role have any licenses assigned. Many Microsoft 365 services require a license, and a licensed global administrator has a mailbox and applications exposed to phishing and token theft, which greatly increases the attack surface of MS 365.
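As an added example (not SaaSDR's own logic), the PowerShell below runs three of the checks from this section against a tenant with the Microsoft Graph PowerShell SDK: the Global Administrator head count, licenses held by global administrators, and credentials added to application registrations within a look-back window. It assumes the Microsoft.Graph module and a caller who can consent to Directory.Read.All and Application.Read.All; the 30-day window is an arbitrary choice for the example.

```powershell
# Added example: Global Administrator hygiene and rogue app credentials via Microsoft Graph.
Connect-MgGraph -Scopes 'Directory.Read.All','Application.Read.All' | Out-Null

# 1. Global Administrator head count (CIS Microsoft 365 benchmark: between two and four).
$gaRole    = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
               Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
$countStatus = if ($gaMembers.Count -ge 2 -and $gaMembers.Count -le 4) { 'OK' } else { 'FAIL' }
"Global Administrators: $($gaMembers.Count) [$countStatus]"

# 2. Global Administrators holding licenses. A licensed admin has a mailbox and Office apps,
#    which gives phishing and token theft a direct path to a Global Administrator.
foreach ($ga in $gaMembers) {
    $upn  = (Get-MgUser -UserId $ga.Id).UserPrincipalName
    $skus = @(Get-MgUserLicenseDetail -UserId $ga.Id | Select-Object -ExpandProperty SkuPartNumber)
    if ($skus.Count -gt 0) { "Licensed Global Administrator: $upn -> $($skus -join ', ')" }
}

# 3. Credentials recently added to app registrations. The rogue-credential hijack leaves a new
#    secret or certificate on an existing app; a short window keeps the review list manageable.
$since = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
$newCreds = foreach ($app in Get-MgApplication -All) {
    foreach ($c in $app.PasswordCredentials) {
        if ($c.StartDateTime -ge $since) {
            [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = 'secret'
                               Added = $c.StartDateTime; Expires = $c.EndDateTime; Name = $c.DisplayName }
        }
    }
    foreach ($c in $app.KeyCredentials) {
        if ($c.StartDateTime -ge $since) {
            [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = "certificate/$($c.Usage)"
                               Added = $c.StartDateTime; Expires = $c.EndDateTime; Name = $c.DisplayName }
        }
    }
}
$newCreds | Sort-Object Added -Descending | Format-Table -AutoSize
```

Credentials can be attached to the service principal (the enterprise app) as well as to the application object, so the same loop should be repeated over Get-MgServicePrincipal -All, which also has PasswordCredentials and KeyCredentials; that is where a hijack of a multi-tenant application lands in your tenant.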
Attack Technique #3: Compromise CSP Permissions to Access Customer Tenants
Microsoft partners, resellers, and Cloud Solution Providers (CSPs) can be granted a partner relationship with a customer tenant. The delegated administrative privileges that come with it allow the partner to manage the tenant, including all accounts, subscriptions, and resources on it. APT29 exploited these relationships, compromising the partner side to gain illegitimate privileged access to its customers’ Azure AD tenants.
Qualys SaaSDR Assessment
SaaSDR continuously or periodically assesses the ‘Delegated admin privileges assigned in partner relationships’ configuration. When delegated admin privileges are assigned to a partner, the partner’s agents effectively hold administrative roles on your tenant, so a compromise of the partner is a compromise of your tenant. It is therefore recommended to remove delegated admin privileges that are not strictly required and to review the remaining partner relationships regularly.
Attack Technique #4: Modification to Mailbox Folder Permissions
The attacker modifies the permissions on a victim’s mailbox folders so that the built-in ‘Default’ entry, which applies to every authenticated user in the tenant, is granted read access to the Inbox and other folders. After that, the attacker can sign in as any user in the same MS 365 tenant and read the contents of those folders, without being a delegate or an administrator of the mailbox.
Qualys SaaSDR Assessment
Enabling mailbox auditing provides visibility into potentially suspicious activity: mailbox logon events and the specific actions performed by the mailbox owner, a delegate, or an administrator. Qualys SaaSDR audits configurations such as mailbox auditing and the permissions granted to the Default and Anonymous entries on the Inbox and the root folder of each mailbox. Without audit logging, monitoring and detection of this technique in Microsoft 365 is not possible.
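Added example, not SaaSDR code: the Exchange Online PowerShell below walks every user mailbox, reads the folder permissions of the root folder, Inbox and Sent Items, and reports any grant to the Default or Anonymous entries that is more than None, alongside the mailbox's audit setting. It assumes the ExchangeOnlineManagement module and an account with Exchange administrator rights; the folder list is a choice for the example.

```powershell
# Added example: find mailbox folders readable by 'Default' or 'Anonymous', and check auditing.
# Assumes the ExchangeOnlineManagement module and an account that can run Get-MailboxFolderPermission.
Connect-ExchangeOnline -ShowBanner:$false

# Org-wide switch: mailbox auditing is on by default unless AuditDisabled has been set to True.
$org = Get-OrganizationConfig
"Org-wide mailbox auditing disabled: $($org.AuditDisabled)"

$folders = @('\', '\Inbox', '\Sent Items')   # assumption: folders worth checking in this example

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties AuditEnabled) {
    foreach ($folder in $folders) {
        # Folder identity format is <mailbox>:<folder path>; the root folder is '\'.
        $identity = "$($mbx.PrimarySmtpAddress):$folder"
        foreach ($p in Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue) {
            $who    = $p.User.DisplayName           # 'Default' and 'Anonymous' are the built-in entries
            $rights = $p.AccessRights -join ','
            if ($who -in @('Default', 'Anonymous') -and $rights -ne 'None') {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $folder
                    Grantee      = $who
                    AccessRights = $rights
                    AuditEnabled = $mbx.AuditEnabled
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Remediation, once a grant is confirmed to be unintended (replace the address):
# Set-MailboxFolderPermission -Identity 'alice@contoso.com:\Inbox' -User Default -AccessRights None
# Set-Mailbox -Identity 'alice@contoso.com' -AuditEnabled $true
```

The Calendar folder legitimately grants AvailabilityOnly to Default in most tenants, which is why it is not in the list above; if you add it, treat AvailabilityOnly as acceptable and anything broader as a finding.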
Attack Technique #5: Modifying Trusted Domains to Get Access to MS 365 as Any User
If attackers can modify trusted domains in Azure AD, they can add a new domain, or convert an existing one, to federated authentication with an identity provider (IdP) they control, complete with their own token-signing certificate. Azure AD then accepts the tokens that IdP signs, which yields the same result as a Golden SAML attack without the need to steal the AD FS certificate.
Qualys SaaSDR Assessment
Qualys SaaSDR lists all federated domains and any unverified domains in the tenant. Frequent audits of these domains allow an attacker-added or attacker-modified federation to be spotted and removed before it is used to forge tokens for arbitrary users, closing a path into Microsoft 365 that needs neither a password nor MFA.
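As an added example (not SaaSDR code), the PowerShell below uses the Microsoft Graph PowerShell SDK to list every domain in the tenant, flag unverified ones, dump the issuer URI and the thumbprints of the current and next token-signing certificates for each federated domain so they can be compared with the certificate on your AD FS servers, and then pull the Azure AD audit events that record federation changes. It assumes the Microsoft.Graph module and a caller who can consent to Domain.Read.All and AuditLog.Read.All; the 30-day window is a choice for the example.

```powershell
# Added example: audit federated domains, their signing certificates, and recent federation changes.
Connect-MgGraph -Scopes 'Domain.Read.All','AuditLog.Read.All' | Out-Null

# Helper: thumbprint of a base64 DER certificate as returned by Graph (null if absent).
function Get-CertThumbprint([string]$Base64) {
    if ([string]::IsNullOrEmpty($Base64)) { return $null }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
    return $cert.Thumbprint
}

foreach ($domain in Get-MgDomain -All) {
    if (-not $domain.IsVerified) { "UNVERIFIED domain: $($domain.Id)" }
    if ($domain.AuthenticationType -ne 'Federated') { continue }

    # One federation configuration per federated domain: compare these values with what you deployed.
    foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
        [pscustomobject]@{
            Domain            = $domain.Id
            IssuerUri         = $fed.IssuerUri
            PassiveSignInUri  = $fed.PassiveSignInUri
            SigningThumbprint = Get-CertThumbprint $fed.SigningCertificate
            NextThumbprint    = Get-CertThumbprint $fed.NextSigningCertificate
        } | Format-List
    }
}

# Who changed federation settings recently? These are the Azure AD audit activity names written
# when a domain is converted between managed and federated or its federation settings are updated.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')   # assumption: 30 days
foreach ($activity in @('Set domain authentication', 'Set federation settings on domain')) {
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and activityDisplayName eq '$activity'" |
        Select-Object ActivityDateTime, ActivityDisplayName,
                      @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
                      @{ n = 'Target'; e = { $_.TargetResources[0].DisplayName } } |
        Format-Table -AutoSize
}
```

A federated domain whose signing thumbprint does not match the certificate on your AD FS farm, or whose issuer URI points somewhere you do not recognize, is the artifact this technique leaves behind; converting the domain back to managed authentication immediately invalidates tokens from the rogue IdP.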
Qualys: a Certified Vendor for MS 365 CIS Benchmarks
Qualys is a certified vendor for assessing compliance according to CIS Benchmarks. Qualys offers an out-of-the-box policy for assessing compliance according to the latest release of CIS Benchmarks for MS 365, v1.3. On top of the suggestions offered by Mandiant in its report, we strongly recommend that organizations using MS 365 abide by the baseline security configurations advised in CIS Benchmarks.
4 Security Configurations to Protect MS 365
Here are some security configurations that can protect you from such attacks.
Use of Conditional Access Policies
Smaller organizations should enable “Security defaults” on Azure AD as an easy fix; it is a single tenant-wide setting. Qualys SaaSDR can check adherence to what security defaults enforce, such as MFA enablement and the blocking of legacy authentication protocols. Organizations with more stringent requirements for hardening MS 365 should use conditional access policies instead; the two are mutually exclusive, so security defaults must be turned off before conditional access policies can be used. SaaSDR assesses the MS 365 security posture against your specific ‘conditional access policies’ or ‘access policies’, and then evaluates the controls with respect to those policies.
Multi-factor Authentication (MFA) for Admin Accounts
Enforce multi-factor authentication on all accounts with access to Microsoft 365 tenants. At a minimum, enable MFA for every account that holds any administrative role on the tenant. Qualys SaaSDR lists all such accounts on which MFA is not enforced.
Replacing Legacy Authentication with Modern Authentication
Legacy (basic) authentication is enabled by default on MS 365 for Exchange Online, SharePoint, and some other Microsoft 365 services. Because legacy protocols send a username and password with every request, they cannot enforce MFA, and they are the usual target of password spraying. Legacy authentication should be replaced by modern authentication (OAuth 2.0 tokens) when establishing sessions between email clients and Exchange Online or SharePoint.
Qualys SaaSDR assesses whether legacy authentication is blocked and modern authentication is enabled. Blocking legacy authentication prevents connections from older versions of Office and older ActiveSync clients, and from clients using basic authentication over protocols such as IMAP, POP, or SMTP. Note that this may require upgrading older Office installations and using mobile mail clients that support modern authentication.
Blocking User Consent to Apps while Accessing Data
By default, users can consent to applications that request permission to access organizational data on the tenant on their behalf. That is reasonable for an app that needs the user’s own mailbox or MS Teams conversations, but the same consent mechanism can grant an app delegated permission to read and write every SharePoint site the user can reach. Attackers commonly register custom applications and trick users into granting them access to company data in exactly this way. SaaSDR monitors this critical configuration for MS 365 tenants.
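The PowerShell below, added here as an example rather than SaaSDR's own checks, reads the four settings discussed in this section through the Microsoft Graph PowerShell SDK: whether security defaults are on, whether an enabled conditional access policy requires MFA for directory roles, whether an enabled policy blocks the legacy client types, and which permission-grant policy governs user consent. It assumes the Microsoft.Graph module and a caller who can consent to Policy.Read.All; the policy shapes it looks for are the common ones and may not match a tenant that expresses the same intent differently.

```powershell
# Added example: check security defaults, admin MFA, legacy auth blocking and user consent via Graph.
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

# 1. Security defaults: the tenant-wide switch. It cannot coexist with Conditional Access policies,
#    so when it is on, checks 2 and 3 are expected to come back empty.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# Only enabled policies count; report-only ('enabledForReportingButNotEnforced') policies enforce nothing.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled')

# 2. MFA for admins: an enabled policy scoped to directory roles whose grant control includes MFA.
$adminMfa = @($policies | Where-Object {
    @($_.Conditions.Users.IncludeRoles).Count -gt 0 -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
})
"Admin MFA policy: $(if ($adminMfa.Count) { $adminMfa.DisplayName -join '; ' } else { 'MISSING' })"

# 3. Legacy authentication: an enabled policy that targets the legacy client app types with a Block grant.
#    'exchangeActiveSync' and 'other' are the client app types Azure AD uses for legacy protocols.
$legacyBlock = @($policies | Where-Object {
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or $_.Conditions.ClientAppTypes -contains 'other') -and
    $_.GrantControls.BuiltInControls -contains 'block'
})
"Legacy auth block policy: $(if ($legacyBlock.Count) { $legacyBlock.DisplayName -join '; ' } else { 'MISSING' })"

# 4. User consent to applications. The assigned permission-grant policy decides what users may consent to:
#    an empty list disables user consent, '...microsoft-user-default-low' allows low-impact permissions
#    for verified publishers only, and '...microsoft-user-default-legacy' lets any user consent to any app.
$auth          = Get-MgPolicyAuthorizationPolicy
$grantPolicies = @($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
"User consent policies: $(if ($grantPolicies.Count) { $grantPolicies -join ', ' } else { 'none (user consent disabled)' })"
```

A tenant passes this script when security defaults are on, or when both policy checks report a policy name and the consent line shows either no policy or the low-impact one; 'microsoft-user-default-legacy' is the setting the illicit consent grant technique relies on.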
Qualys SaaSDR: the Right Response to Security Misconfigurations in MS 365
IT teams may not always know the implications of default settings in MS 365, leading to security blind spots. Security teams can focus on reducing the threat surface of MS 365 tenants by hardening the security configurations. Qualys SaaSDR supports the requirements of both IT and security through a single console.
When the security posture of MS 365 tenants is assessed according to CIS Benchmarks, Qualys SaaSDR reveals any deviations from the required security baselines. SaaSDR helps fix any misconfigurations without the need to log in to the MS admin center. Simply provide the required permissions to the underlying connector linking MS 365 tenants with Qualys SaaSDR, and the misconfigurations are fixed via remediation jobs. After remediation, you can download a detailed report of the actions taken for further audits.
When attackers like APT29 move laterally from on-premises networks into the cloud, securing SaaS estates becomes imperative. Recent reports show attackers focusing on SaaS such as Microsoft 365 and piggybacking on its trusted relationships with IT resellers and partners. They keep crafting new ways to reach business-critical SaaS applications through supply chain attacks, so organizations need to stay one step ahead by proactively hardening these applications.
This is where the continuous assessment of MS 365 by Qualys SaaS Detection and Response can help. The assessment of access and secure configurations also helps organizations move forward toward Zero Trust.
Please contact your Technical Account Manager or sign up here to quickly get started with your Qualys SaaSDR subscription trial.