Contributors: Vasil Michev, Sharon Breeze, Terence Jackson, Rob Edmondson
Once an attacker has gained entry into your M365 tenant, they use a variety of tactics to elevate their privileges and permissions so they can more easily execute their objectives.
This article covers:
Gaining entry to Microsoft 365 is one thing. But, without the right privileges, attackers can’t cause much damage to your cloud environment. That’s why cybercriminals are coming up with increasingly sophisticated methods to elevate their access permissions during an attack.
For example, Semperis researchers recently discovered an attack that allowed a Microsoft 365 Application Administrator or Cloud Application Administrator to elevate their privileges to Global Administrator by abusing the "Device Registration Service" application in Entra. Microsoft has since fixed the issue, but left unchecked this vulnerability could have opened the door to a great many attacks.
In this three-part series, we break down the tools, techniques, and tactics cybercriminals use in an attack on a Microsoft 365 tenant and share clear practical guidance on how best to secure your organization.
For the second part in this series, we’ll focus on Privilege Elevation. Once an attacker has gained entry into your M365 tenant, they use a variety of tactics to elevate their privileges and permissions so they can more easily execute their objectives. We’ll break down each such tactic here, along with steps you can take to prevent and detect such actions.
For the other parts in this series, check out:
Privilege elevation is the act of exploiting bugs, design flaws, or configuration oversights in an operating system or application to gain elevated access to resources that are normally protected from an application or user. The result is that an attacker with limited access can increase their privileges to become an administrator.
In a Microsoft 365 environment, privilege elevation often involves compromising accounts with privileged roles like Global Administrator, Application Administrator, or Exchange Administrator. With these elevated privileges, an attacker can perform malicious actions like:
There are several common techniques attackers use to elevate privileges in Microsoft 365. We’ll break down each of them below.
If an attacker compromises a standard user account with a Copilot license, they may be able to use it to quickly find valuable information. As Copilot is rolled out across Microsoft 365, many organizations are discovering that they have relied on "security by obscurity" in their cloud environments: some files and pages have organization-wide sharing settings, so any user with Copilot could stumble on them thanks to the enhanced discoverability that generative AI provides.
The same capability becomes a risk in an attacker's hands. Anyone who gains access to a user account with a Copilot license can quickly find the information needed to plan the next stage of their attack. Because Copilot searches across email, documents, and collaboration spaces, natural language queries can rapidly surface sensitive data, privileged accounts, and key systems.
For example, an attacker could ask Copilot questions like:
By using Copilot's powerful search and summarization capabilities, attackers can significantly reduce the time needed for reconnaissance compared to manually sifting through documents and emails. This allows them to more quickly identify high-value targets and plan their next steps.
When a user creates an application in Entra, it can easily be granted excessive permissions, such as reading information about users in the directory, erasing messages from mailboxes, or sending email. Finding or creating an application with these privileges gives an attacker an easy pathway to elevate their own access. This is the method that was used in the Midnight Blizzard attack.
Attackers look for applications with overly broad permissions that they can abuse. For example, an app with delegated permissions like Mail.ReadWrite, Mail.Send, User.Read.All, and Directory.Read.All would allow an attacker to read and send email on behalf of users and access sensitive directory data.
If an attacker compromises an account with the Application Administrator or Cloud Application Administrator role, they could create a new application and grant it highly privileged permissions. These roles can assign credentials to applications, even though they can't directly elevate their own privileges.
Attackers can also take over existing applications by adding their own credentials. If an application already has dangerous permissions granted, this provides an easy way to gain privileged access without creating suspicious new apps.
Many third-party applications require Entra permissions for single sign-on and other identity/productivity enhancements. When they request these permissions, users rarely get clear information on what is being requested and why.
For example, research from Adaptive Shield has shown that 67% of third-party apps request permissions that have medium to high levels of associated risk. 15% have privileges to read, create, update, and delete all the files you can access.
Large organizations can sometimes have over 1000 third-party apps connecting to Entra, making this a highly effective target for cybercriminals. Attackers look for third-party apps with excessive permissions that they can abuse to gain unauthorized access to sensitive data and systems.
For example, an app with the Mail.ReadWrite, Files.ReadWrite.All, or Directory.ReadWrite.All permissions could allow an attacker to access and manipulate email, files, and directory objects for the entire organization. Even seemingly benign apps like event management or travel booking tools can request broad permissions during the setup process.
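As an added example (not code from the article or from CoreView), the following Microsoft Graph PowerShell audit serves both the application-permission and third-party-app passages above: it lists every service principal in the tenant that holds one of the high-risk permissions named in those paragraphs, and counts credentials added to it in the last 30 days, which is the takeover pattern described. It assumes the Microsoft.Graph SDK is installed and the signed-in account has Application.Read.All; the permission list and the 30-day window are assumptions to adjust.

```powershell
# Added example: audit Entra service principals for high-risk Microsoft Graph permissions
# and for recently added credentials. Requires the Microsoft.Graph PowerShell SDK and
# an account that can read applications (Application.Read.All is sufficient).
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Permissions the article flags as dangerous when over-granted (assumed list; extend as needed).
$riskyPermissions = @(
    'Mail.ReadWrite', 'Mail.Send', 'User.Read.All', 'Directory.Read.All',
    'Directory.ReadWrite.All', 'Files.ReadWrite.All'
)
$recentCredentialWindow = (Get-Date).AddDays(-30)   # assumed window for "recently added"

# Cache each resource's app roles so application-permission GUIDs are resolved to names once.
$appRoleCache = @{}
function Resolve-AppRole([string]$ResourceId, [string]$AppRoleId) {
    if (-not $appRoleCache.ContainsKey($ResourceId)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
        $appRoleCache[$ResourceId] = @{}
        foreach ($role in $resource.AppRoles) { $appRoleCache[$ResourceId][$role.Id] = $role.Value }
    }
    return $appRoleCache[$ResourceId][$AppRoleId]
}

$findings = foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials) {
    # Delegated permissions: Scope is a space-separated list of permission names.
    $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
        ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ }
    # Application permissions: each assignment carries only the role GUID, so resolve it.
    $application = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRole $_.ResourceId $_.AppRoleId }
    $risky = @($delegated + $application | Where-Object { $_ -in $riskyPermissions } | Sort-Object -Unique)

    # Secrets or certificates added recently to an app that already holds broad permissions
    # are the signal to review first.
    $newCreds = @($sp.PasswordCredentials + $sp.KeyCredentials |
        Where-Object { $_.StartDateTime -gt $recentCredentialWindow })

    if ($risky.Count -gt 0) {
        [pscustomobject]@{
            DisplayName      = $sp.DisplayName
            AppId            = $sp.AppId
            RiskyPermissions = $risky -join ', '
            CredentialsAdded = $newCreds.Count
        }
    }
}
$findings | Sort-Object CredentialsAdded -Descending | Format-Table -AutoSize
```

Multi-tenant third-party apps and PowerApps connectors appear in this output as service principals too, so the same report covers all three sources of permission sprawl discussed in this section.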
Similar to the issues mentioned above, many organizations have taken advantage of the PowerApps capabilities included in their Microsoft ELA, only to later realize there has been little governance over the creation and management of these apps.
This has led to many teams struggling with PowerApps sprawl, which has also led to permission sprawl.
Often, PowerApps aren't developed according to the principle of least privilege, meaning they sit in the tenant with permissions that could be exploited. Attackers look for PowerApps with excessive permissions that grant access to sensitive data or allow performing high-risk actions.
For example, a PowerApp with the User.Read.All, Mail.ReadWrite, or Files.ReadWrite.All permissions could allow an attacker to access directory data, read and send emails, or modify files across the organization. Even PowerApps intended for a specific business process may request broad permissions that go beyond what is actually needed.
Microsoft 365 has arguably the most powerful privileged account role in an organization: Global Admin. The privileges associated with these accounts are so powerful that they can practically destroy a business under the right circumstances. Microsoft does provide 80 different admin roles that are less privileged, but they are still far too powerful in many circumstances.
Despite the options that Microsoft provides, CoreView research has found that as many as 36% of Microsoft admins have used Global Admin privileges just to stay productive.
This is because administrative teams are forced to choose between security and productivity when working within Microsoft's native capabilities. Plus, in mature organizations, there can be as many as 50 manual steps for onboarding a new user account and another 50 for offboarding.
But compliance mandates such as NIST, SOX, NIS, and ASD all require organizations to enforce least privilege, which is especially important for Microsoft 365. Without it, an attacker who gains access to an account with sufficient permissions, such as Global Administrator or Privileged Role Administrator, can also create new privileged user accounts to further increase the damage they can do.
Securing Microsoft 365 starts with configuration management. See CoreView’s Configuration Management solution in action.
Scripting unlocks huge productivity for administrators, but it also gives attackers a fast way to make progress in your environment.
Adversaries could abuse PowerShell for information gathering and to launch remote scripts on your machines. They may also use it to discover how permissions are configured and where best to focus their attack for privilege elevation.
PowerShell is an extremely versatile tool that can be used by attackers to perform a variety of malicious activities in a Microsoft 365 environment. These include:
If you want to limit an attacker’s control over your M365 cloud environment during an unforeseen breach, the best way is to start with a foundation of good governance that enforces least privilege principles from the beginning.
For example, with the Functional Access Control (FAC) feature in CoreView, you can implement granular access permissions that go beyond the level of precision possible with Microsoft’s built-in Role-Based Access Control (RBAC). This is just one of many ways that CoreView helps implement better security controls within your Microsoft 365 environment.
Trusted by enterprises like Talan, Mateco, Save the Children, and CUNY, CoreView has a proven track record of securing and governing Microsoft 365 effortlessly. Ready to take control of your Microsoft 365 environment?