TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Business Email Compromise via Azure Administrative Privileges | Huntress

2023-07-27

ATT&CK techniques detected

9 predictions
T1078.004 Cloud Accounts
75%
“: Lagos, Nigeria. Our SOC squad immediately reported the action to our partner, who went in to ensure the offending account had its password reset, multi-factor authentication (MFA) was added as a requirement and the inbox rules were removed. But of course, our investigation …”
T1098 Account Manipulation
72%
“account that was not utilized often, reset the credentials, then granted that account full admin privileges in Azure too. In other words, the attacker now had two accounts with full administrative privileges they could use to wreak havoc. As the attacker found out when testing th…”
T1078.004 Cloud Accounts
72%
“actors in the wild west of Microsoft 365. If ever you decide you need someone to provide some managed detection and response for Microsoft 365, you know who to call. Continue to Part Five: Legitimate Apps as Traitorware for Persistent Microsoft 365 Compromise. Special thanks to @…”
T1556.006 Multi-Factor Authentication
59%
“But our attacker was quite persistent and continued to try to maintain and regain access. Remember that second account they had compromised and made into an admin? Within minutes, they popped back on via the second compromised account (Account 2) using the persistent access tha…”
T1098.002 Additional Email Delegate Permissions
54%
“Business Email Compromise via Azure Administrative Privileges | Huntress. Most of the time when you hear about business email compromise (BEC), you hear a single user account was compromised, leading to large amounts of financial damage. But in this instance, we found that an at…”
T1078.004 Cloud Accounts
44%
“, which would move emails from a specific legitimate-looking domain to the Conversation History folder and mark them as read. This would allow the attacker to browse the contents of these emails unnoticed while having persistent access. Then things got even more interesting. Th…”
T1556.006 Multi-Factor Authentication
41%
“to halt an attack like this where the attacker has access to multiple accounts? - Any user with any kind of administrative privileges should be required to use multi-factor authentication (MFA). Not enforcing MFA is like locking a door and then taping the keys to the outside …”
T1098.002 Additional Email Delegate Permissions
37%
“, which would move emails from a specific legitimate-looking domain to the Conversation History folder and mark them as read. This would allow the attacker to browse the contents of these emails unnoticed while having persistent access. Then things got even more interesting. Th…”
T1098 Account Manipulation
31%
“But our attacker was quite persistent and continued to try to maintain and regain access. Remember that second account they had compromised and made into an admin? Within minutes, they popped back on via the second compromised account (Account 2) using the persistent access tha…”
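As an added example (not code from the Huntress article or from TTPwire), the Exchange Online PowerShell below hunts every user mailbox for the inbox-rule pattern quoted in the T1078.004 and T1098.002 excerpts above: an enabled rule that filters on a sender, moves the matching mail to Conversation History (or another folder people rarely open) and marks it as read. It assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already established; the list of "parking" folders and the sender-filter heuristic are this example's assumptions, not anything the article specifies.

```powershell
# Added example, not from the Huntress post or TTPwire.
# Prerequisite: Import-Module ExchangeOnlineManagement; Connect-ExchangeOnline
# Folders an attacker can park mail in without the user noticing (assumption, extend as needed).
$parkingFolders = @('Conversation History', 'RSS Feeds', 'RSS Subscriptions', 'Archive', 'Junk Email', 'Deleted Items')

function Get-SuspiciousInboxRules {
    param(
        # Mailboxes to inspect; defaults to every user mailbox in the tenant.
        [string[]]$Identity = (Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited).UserPrincipalName
    )

    foreach ($mbx in $Identity) {
        # -IncludeHidden also returns rules that Outlook does not show in the rules dialog.
        $rules = Get-InboxRule -Mailbox $mbx -IncludeHidden -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            if (-not $rule.Enabled) { continue }

            # MoveToFolder renders as "<mailbox>:\<folder path>"; match on the folder name only.
            $target   = [string]$rule.MoveToFolder
            $parksIt  = [bool]($parkingFolders | Where-Object { $target -like "*\$_*" })

            # The article's rule keyed on a specific sender domain; either sender predicate counts.
            $senders  = @($rule.FromAddressContainsWords) + @($rule.From)
            $hasSender = $senders.Count -gt 0

            if ($parksIt -and $rule.MarkAsRead -and $hasSender) {
                [pscustomobject]@{
                    Mailbox      = $mbx
                    Rule         = $rule.Name
                    Priority     = $rule.Priority
                    MoveToFolder = $target
                    MarkAsRead   = $rule.MarkAsRead
                    SenderFilter = ($senders -join '; ')
                    Description  = $rule.Description
                }
            }
        }
    }
}

# Usage: list hits across the tenant, then review each before removing with Remove-InboxRule.
Get-SuspiciousInboxRules | Sort-Object Mailbox | Format-Table -AutoSize
```

The same creation events are also recorded in the unified audit log as New-InboxRule and Set-InboxRule operations (Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule), which is the better place to look when the attacker has already deleted the rule after reading what they wanted.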

Summary

How Huntress detected and stopped a business email compromise (BEC) attack in which the attacker controlled multiple accounts in a single organization, including two with full Azure administrative privileges, and used inbox rules to read mail unnoticed.