October 18, 2024 | 8 min read
Ivan Fioravanti
Ivan Fioravanti, Co-founder and CTO for CoreView, uses his system engineer and .NET development skills to lead CoreView’s technology team. He’s passionate about AI, automation and all things Microsoft 365.

Contributors: Vasil Michev, Sharon Breeze, Terence Jackson, Rob Edmondson

The Anatomy of a Microsoft 365 Attack, Part 3: Persistence and Evasion

How do you secure your Microsoft 365 environment if you can’t detect attacks even as they happen? Here’s one of many examples of how attackers take advantage of built-in flaws to camouflage themselves in Microsoft 365:

In April 2024, security researchers at Varonis Threat Labs discovered that when a user opens a file using SharePoint's "Open in App" feature, it does not generate a "FileDownloaded" event that would typically alert administrators in the SharePoint audit logs. Instead, it creates a less suspicious "Access" event that may be overlooked by Microsoft admins, allowing attackers to trigger downloads without detection.

In this three-part series, CoreView will break down the tools, techniques, and tactics cybercriminals use in an attack on a Microsoft 365 tenant and share clear practical guidance on how best to secure your organization.

For the final part in this series, we’ll focus on Persistence and Evasion. Once an attacker has breached your Microsoft 365 tenant with the necessary privileges, they use a range of sophisticated techniques to ensure that you can’t take away their ability to operate within your cloud environment. We’ll break down each of them here, along with strategies to prevent and detect them.

How Attackers Resist Detection and Removal in Microsoft 365

Once an attacker has successfully infiltrated a Microsoft 365 environment, the next crucial step is to maintain their foothold while evading detection. Attackers employ a variety of methods to ensure their malicious activities remain undetected by security solutions and to resist attempts by administrators to remove them from the compromised system.  

Evasion techniques are designed to bypass or deceive security measures, allowing the attacker to operate unnoticed within the M365 environment. These techniques often involve altering the characteristics of malware, manipulating legitimate processes, or exploiting gaps in detection capabilities.  

Persistence mechanisms, on the other hand, enable the attacker to maintain access to the compromised system even if their initial entry point is discovered and remediated. By establishing multiple backdoors and creating redundant access methods, attackers can ensure they can regain control of the environment if one of their access points is removed.

The combination of persistence and evasion techniques allows attackers to maximize the impact of their attack while minimizing the chances of being caught. As these techniques continue to evolve and become more sophisticated, organizations must stay vigilant and adopt a multi-layered approach to security to effectively defend against advanced threats.

Changing Security Settings

Microsoft 365 environments can be incredibly complex, with over 5,000 different configurations available across various services like Entra ID, Defender, Intune, and Purview. For large organizations, this can translate to hundreds of thousands or even millions of specific configurations within their tenant. Monitoring these settings to ensure they don't "drift" from their intended state is a daunting task at scale, making it relatively easy for cybercriminals with the right privileges to manipulate the environment and open windows for further attacks.

By modifying key security settings such as conditional access policies, external identity management, cross-tenant access, authentication, data loss prevention (DLP), and Defender (formerly Advanced Threat Protection, ATP) threat-management configurations, attackers can create backdoors into the environment that persist even if their initial point of entry is detected and remediated. This allows them to maintain a foothold and continue their malicious activities.

Prevention

  • Use tenant configuration management capabilities to define your ideal security settings and automatically deploy them consistently across all your Microsoft 365 tenants.
  • Leverage configuration management tools to detect when settings drift from the approved baseline and automatically roll them back to the proper state.

Detection

  • Continuously monitor your actual settings against your approved templates to identify drift in near real-time.
  • Automatically remediate unauthorized changes by reverting configurations back to your defined baseline.
  • Generate alerts for the security team to investigate whenever a suspicious modification is made to a sensitive configuration area.
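As an added illustration of the drift check the Prevention and Detection bullets describe (example code written for this article, not CoreView's product), the block below diffs a tenant settings snapshot against an approved baseline, separates drift in the sensitive areas named above (which should raise an alert) from cosmetic drift (which can simply be rolled back), and produces the rollback patch. The setting names, baseline and snapshot are constructed and simplified; real Microsoft 365 settings are spread across Entra ID, Exchange, Defender, Intune and Purview.

```python
"""Drift check of a tenant settings snapshot against an approved baseline.
Setting names are constructed placeholders, not real Microsoft 365 keys."""

BASELINE = {  # assumption: the approved template for every tenant
    "entra": {
        "conditionalAccess": {"requireMfaForAdmins": "enabled",
                              "blockLegacyAuth": "enabled"},
        "externalCollaboration": {"guestInvite": "adminsOnly"},
    },
    "exchange": {"autoForwardToExternal": "off", "mailboxAuditing": "on"},
    "purview": {"dlpPolicy": "enforced"},
    "branding": {"theme": "blue"},
}

TENANT = {  # constructed snapshot: four values differ from the baseline
    "entra": {
        "conditionalAccess": {"requireMfaForAdmins": "reportOnly",
                              "blockLegacyAuth": "enabled"},
        "externalCollaboration": {"guestInvite": "everyone"},
    },
    "exchange": {"autoForwardToExternal": "on", "mailboxAuditing": "on"},
    "purview": {"dlpPolicy": "enforced"},
    "branding": {"theme": "green"},
}

# Areas the article names as attacker targets: drift here warrants an alert.
SENSITIVE_AREAS = {"conditionalAccess", "externalCollaboration",
                   "autoForwardToExternal", "mailboxAuditing", "dlpPolicy"}

def find_drift(baseline, actual, path=()):
    """Return [(path, expected, actual)] for every leaf that differs;
    a setting missing from the snapshot is reported as drifted to None."""
    drift = []
    for key, expected in baseline.items():
        current = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(expected, dict):
            drift += find_drift(expected, current or {}, path + (key,))
        elif current != expected:
            drift.append((path + (key,), expected, current))
    return drift

def alerts_for(drift):
    """Drift entries touching a sensitive area, for the security team."""
    return [d for d in drift if SENSITIVE_AREAS.intersection(d[0])]

def rollback_patch(drift):
    """Dotted path -> baseline value: what automatic remediation re-applies."""
    return {".".join(path): expected for path, expected, _ in drift}
```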

Creating New Apps and Accounts

Another tactic, employed by Midnight Blizzard, was to create new OAuth applications and accounts within the compromised Microsoft 365 tenant. After discovering and exploiting a highly privileged OAuth app, they immediately registered additional malicious apps. This ensured that even if the initial application was decommissioned, the attackers could maintain persistent access to the elevated privileges they required to further their objectives.

By creating redundant backdoors in the form of new OAuth apps and accounts, Midnight Blizzard made it significantly more difficult for defenders to completely remove them from the environment. This highlights the importance of closely monitoring and controlling the creation of new applications and accounts within Microsoft 365.

Prevention

  • Implement strict controls around application registration to prevent the creation of potentially dangerous OAuth apps.
  • Apply policy enforcement to automatically detect and remediate high-risk Entra ID registrations that could be used for malicious purposes.

Detection

  • Continuously monitor your Microsoft 365 tenants for any configuration changes, including the creation of new OAuth applications and accounts.
  • Regularly report on all Entra ID application registrations to identify any unauthorized or suspicious apps.
  • Analyze the permissions assigned to newly registered Entra ID applications to spot any excessive or unnecessary privileges.

Deleting Logs and Hiding Artifacts

To evade detection and maintain their foothold within the compromised Microsoft 365 environment, attackers may take steps to disrupt audit logging and conceal malicious artifacts. This can involve tampering with critical security solutions like Microsoft Purview's unified audit logging and Defender for Cloud Apps' User and Entity Behavior Analytics (UEBA).

By disrupting these auditing and monitoring capabilities, attackers aim to blind the organization to their ongoing malicious activities. They may delete or modify audit logs to remove evidence of their actions, making it harder for security teams to piece together the timeline of the attack and scope of compromise. Attackers may also try to hide privileged accounts and applications they've created to facilitate their objectives.

Prevention

  • Continuously monitor your Microsoft 365 tenants for any suspicious configuration changes made to Microsoft Purview and Defender for Cloud Apps settings.
  • Implement robust configuration change management processes to ensure that misconfigurations and unauthorized changes don't make it into production environments.

Detection

  • Regularly review Microsoft 365 tenant configurations against your approved baselines to identify any unauthorized modifications made to Microsoft Purview and Defender for Cloud Apps.
  • Leverage Microsoft Sentinel or other SIEM platforms to centrally collect and analyze audit logs from across the Microsoft 365 ecosystem, watching for anomalous gaps in logging or suspicious configuration changes.
  • Investigate any audit log entries indicating that logging was paused, modified, or deleted to determine if the actions were legitimate or signs of attacker activity.
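To make the last two Detection bullets concrete, here is an added example (not CoreView's code) that runs two checks over unified audit log records: cmdlet calls whose parameters pause or bypass auditing, and silent gaps in a workload's event stream. The records are constructed and simplified from the AuditData JSON of ExchangeAdmin entries; the cmdlet and parameter names (Set-AdminAuditLogConfig, Set-Mailbox -AuditEnabled, Set-MailboxAuditBypassAssociation) are real Exchange Online cmdlets, the tenant, users and timestamps are made up.

```python
"""Audit-tampering and logging-gap checks over constructed, simplified
unified audit log records (AuditData JSON of ExchangeAdmin entries)."""
import json
from datetime import datetime, timedelta

SAMPLE = [  # constructed: ingestion switched off for ~9 h, plus two bypasses
    '{"CreationTime":"2024-10-01T08:00:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"AuditEnabled","Value":"False"}]}',
    '{"CreationTime":"2024-10-01T08:05:00","Workload":"Exchange","Operation":"Set-AdminAuditLogConfig","UserId":"admin@contoso.example","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"False"}]}',
    '{"CreationTime":"2024-10-01T17:10:00","Workload":"Exchange","Operation":"Set-AdminAuditLogConfig","UserId":"admin@contoso.example","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"True"}]}',
    '{"CreationTime":"2024-10-01T17:15:00","Workload":"Exchange","Operation":"Set-MailboxAuditBypassAssociation","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"True"}]}',
    '{"CreationTime":"2024-10-01T09:00:00","Workload":"SharePoint","Operation":"FileAccessed","UserId":"alice@contoso.example"}',
]

# (Operation, parameter, value) combinations that pause or bypass auditing.
TAMPER_SIGNATURES = {
    ("Set-AdminAuditLogConfig", "UnifiedAuditLogIngestionEnabled", "False"),
    ("Set-Mailbox", "AuditEnabled", "False"),
    ("Set-MailboxAuditBypassAssociation", "AuditBypassEnabled", "True"),
}

def parse(lines):
    return [json.loads(line) for line in lines]

def params(rec):
    """Flatten the cmdlet Parameters array into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def tamper_events(records):
    """(time, actor, operation, parameter) for every audit-weakening call."""
    hits = []
    for rec in records:
        for name, value in params(rec).items():
            if (rec["Operation"], name, value) in TAMPER_SIGNATURES:
                hits.append((rec["CreationTime"], rec["UserId"],
                             rec["Operation"], name))
    return hits

def logging_gaps(records, max_silence=timedelta(hours=4)):
    """Per workload, consecutive records further apart than max_silence.
    A gap starting right after an ingestion-off call is the one to chase."""
    by_workload = {}
    for rec in records:
        stamp = datetime.fromisoformat(rec["CreationTime"])
        by_workload.setdefault(rec["Workload"], []).append(stamp)
    gaps = []
    for workload, stamps in by_workload.items():
        stamps.sort()
        for prev, nxt in zip(stamps, stamps[1:]):
            if nxt - prev > max_silence:
                gaps.append((workload, prev.isoformat(), nxt.isoformat()))
    return gaps
```

In a real tenant the silence threshold has to be tuned per workload and time of day, since a quiet weekend would otherwise trip it; the tamper signatures, by contrast, are worth alerting on unconditionally.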

Compromising Microsoft Exchange Mailboxes

Once attackers have established a foothold within a Microsoft 365 environment, they often seek to compromise and exploit Exchange mailboxes to maintain a long-term presence and further their objectives. By gaining control over mailboxes, cybercriminals can access sensitive communications, impersonate legitimate users, and cover their tracks to evade detection. Some common tactics employed by attackers after compromising a mailbox include:

  • Setting up inbox rules to automatically hide or delete emails related to their malicious activities, making it harder for the real user or security teams to spot the compromise.
  • Disabling audit logging and litigation hold features to limit the organization's ability to investigate and gather evidence of the attacker's actions.
  • Configuring auto-forwarding rules to send copies of incoming emails to an external account controlled by the attacker, allowing them to silently monitor communications and harvest valuable information.

Prevention

  • Regularly report on and alert for any mailboxes that have audit logging or litigation hold disabled, as these features are critical for detecting and investigating suspicious activity.
  • Monitor for mailboxes with auto-forwarding rules configured to send emails to external domains, as this is a common data exfiltration technique used by attackers.
  • Leverage built-in reporting and alerting capabilities in Exchange to detect anomalous activity, such as an unusual volume of emails being deleted or forwarded, or access from suspicious IP addresses.

Detection

  • Review audit logs for unusual mailbox activities, such as inbox rules being created or modified, audit settings being changed, or email forwarding being enabled.
  • Monitor for anomalous increases in Exchange Web Services (EWS) API calls, which can indicate an attacker is using an application to enumerate and collect email data.
  • Analyze message traces for suspicious mail flow patterns, such as a high volume of emails being sent to external recipients or messages being deleted shortly after delivery.
  • Investigate any alerts generated by Microsoft Defender for Office 365 for signs of malicious activity, such as phishing attempts or malware attachments.
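The first Detection bullet, turned into code as an added example (written for this article, not CoreView's product): the block flags inbox rules that hide or delete mail, rules that forward or redirect outside the tenant, and mailbox-level SMTP forwarding to an external address, over Exchange admin audit records. The records are constructed and simplified from AuditData JSON; the cmdlet and parameter names (New-InboxRule, Set-InboxRule, Set-Mailbox -ForwardingSmtpAddress) are real, while the tenant domain, mailboxes and the list of hiding folders are assumptions.

```python
"""Flag inbox rules and mailbox forwarding used to hide or siphon mail, over
constructed, simplified Exchange admin audit records (AuditData JSON)."""
import json

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own domains
# Folders where redirected mail tends to go unnoticed by the mailbox owner.
HIDE_FOLDERS = ("RSS Subscriptions", "RSS Feeds", "Archive", "Deleted Items",
                "Junk Email", "Conversation History")

SAMPLE = [  # constructed: delete rule, external rule forward, mailbox forward, RSS rule, benign rule
    '{"CreationTime":"2024-10-02T07:40:00","Operation":"New-InboxRule","UserId":"cfo@contoso.example","Parameters":[{"Name":"Name","Value":"Clean up"},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2024-10-02T07:41:00","Operation":"Set-InboxRule","UserId":"cfo@contoso.example","Parameters":[{"Name":"Identity","Value":"Clean up"},{"Name":"ForwardTo","Value":"ops@mail-relay.example"}]}',
    '{"CreationTime":"2024-10-02T07:45:00","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:cfo.backup@mail-relay.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    r'{"CreationTime":"2024-10-02T08:10:00","Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"From","Value":"helpdesk@contoso.example"},{"Name":"MoveToFolder","Value":"alice:\\RSS Subscriptions"}]}',
    r'{"CreationTime":"2024-10-02T09:00:00","Operation":"New-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@contoso.example"},{"Name":"MoveToFolder","Value":"bob:\\Newsletters"}]}',
]

def params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def is_external(address):
    """True for an SMTP address outside INTERNAL_DOMAINS ('smtp:' prefix ok)."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def mailbox_findings(lines):
    """(time, actor, reason, detail) for each rule or setting worth review."""
    out = []
    for rec in (json.loads(line) for line in lines):
        p, when, who = params(rec), rec["CreationTime"], rec["UserId"]
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            folder = p.get("MoveToFolder", "")
            if p.get("DeleteMessage") == "True" or folder.endswith(HIDE_FOLDERS):
                out.append((when, who, "rule hides or deletes mail",
                            p.get("Name") or p.get("Identity")))
            for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
                if is_external(p.get(key, "")):
                    out.append((when, who, "rule forwards externally", p[key]))
        elif rec["Operation"] == "Set-Mailbox":
            target = p.get("ForwardingSmtpAddress", "")
            if is_external(target):
                out.append((when, who, "mailbox forwards externally", target))
    return out
```

Rules created from Outlook clients surface under the UpdateInboxRules mailbox audit operation rather than the cmdlet names above, so a production detector should cover that record shape as well.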

CoreView's Premium Solutions for Microsoft 365 Security

With cybercrime getting more and more sophisticated by the day, how can you thwart attempts to fool your security infrastructure during an attack on your Microsoft 365 environment? In 2023 alone, CoreView helped a Canadian natural gas company respond within minutes to a breach in their system in the wake of the Suncor attack.

With the real-time monitoring and advanced auditing features from CoreView, you can make sure that your IT team is apprised of each and every change to your Microsoft 365 cloud configurations. That way, you can flag evasion attempts early, catching attackers before they have a chance to mask their patterns.  

With a proven track record of success, CoreView has helped customers across different industries, including Mateco, Save the Children, and Middleby, improve their Microsoft 365 security posture. Ready to see it for yourself? Explore our flexible pricing options to begin your journey today.
