Day16-CloudId-Exfiltration-AttackReport-Part1.md


Cloud-Based Identity to Exfiltration Attack

Identity attacks are increasing every day. Over the past few years, attackers have been observed pivoting from on-premises to cloud environments for further exploitation. Today, I would like to share some detection insights for this kind of attack, starting from cloud-based identity attacks and extending to a compromised Office 365 environment.

Here is the complete attack scenario that I simulated manually, step by step.

"Assuming the attacker has obtained the email address information and requires a password to log in to Office 365/Outlook, they begin by attempting to access it with various easily guessable passwords at random. After a few attempts, they manage to guess the password, but their access is blocked by MFA (Multi-Factor Authentication). Subsequently, they resort to repeatedly requesting MFA approval to exhaust the targeted user, a technique known as MFA fatigue. Eventually, after 10-15 attempts, the user approves access due to exhaustion."

[Image: Cloud-Based Identity to Exfiltration : Attack flow]

Attack Simulation : Part 1

I've divided this blog into two parts. Part 1 examines the cloud-based identity attack, from the initial attempts through the successful login and the attacker's activities in Outlook.


Firstly, I'd like to highlight how Microsoft Defender XDR is excellent for visualizing all suspicious activities and correlating them into one incident. After simulating the entire attack, a series of alerts were gradually generated over time.

Here are all the alerts generated in Microsoft Defender XDR.

Product : Alert title                                         : MITRE ATT&CK Techniques 
------- : --------------------------------------------------- : -----------------------------------------------------------------------------------------------------------------
MDA     : Investigation priority score increase               : 
XDR     : Suspicious behavior: Impossible travel activity     : T1078.004: Cloud Accounts
XDR     : Impossible travel activity                          : T1078: Valid Accounts, T1078.004: Cloud Accounts
XDR     : Multiple Failed Sign-Ins                            : T1110: Brute Force
XDR     : Suspicious behavior: Multiple failed login attempts : T1110: Brute Force, T1212: Exploitation for Credential Access
MDA     : Multiple failed login attempts                      : T1110: Brute Force, T1110.001: Password Guessing
MDA     : Activity from a Tor IP address                      : T1078: Valid Accounts, T1078.004: Cloud Accounts
Entra   : Anonymous IP address                                : 
MDA     : Logon from a risky IP address                       : 
XDR     : Suspicious email forwarding rule                    : T1114.003: Email Forwarding Rule
MDA     : Suspicious inbox forwarding rule                    : T1114: Email Collection, T1114.003: Email Forwarding Rule
Entra   : Anomalous Token                                     : 
XDR     : Suspicious behavior: Mass delete                    : T1485: Data Destruction
MDA     : Mass delete                                         : T1485: Data Destruction
XDR     : Suspicious behavior: Mass download                  : T1213: Data from Information Repositories, T1530: Data from Cloud Storage, T1039: Data from Network Shared Drive
MDA     : Mass download                                       : T1074: Data Staged
XDR     : Suspicious massive data read                        : T1119: Automated Collection, T1213.002: Sharepoint

[Image: Attack simulation & Incident in Microsoft Defender XDR]

The simulation begins with an identity-based attack. Chronologically, the first things we observe are two "Impossible travel activity" alerts generated by Microsoft Defender for Cloud Apps. Interestingly, these two alerts and the "Anonymous IP address" alert generated by Microsoft Entra ID Protection relate to the same activity. That is why Microsoft Defender XDR correlated these events and alerts and generated the "Suspicious behavior: Impossible travel activity" alert.

[Image: Impossible travel activity & XDR alert]

We observed two "Impossible travel activity" alerts, so let's investigate why two alerts with the same title were generated. The first one involves travel between Japan and Germany within a 15-minute timeframe. In the same activity, we can also confirm that the attacker used a Tor browser.

[Image: Impossible Travel activity : Japan - Germany]

The second one involves travel between Japan and the Netherlands within an 18-minute timeframe. As with the first one, we can confirm that the attacker used a Tor browser.

[Image: Impossible Travel activity : Japan - Netherlands]

Important

From these first attempts, we understand that the targeted user usually accesses Office 365 from Japan. The attacker, however, uses a Tor browser and attempts to access the Office 365 environment anomalously, and was detected from two locations: Germany and the Netherlands.

The next detected activities were multiple failed sign-ins and login attempts. These were identified through Microsoft Defender for Cloud Apps, which revealed that the failures stemmed from incorrect passwords and from MFA requests that the target user did not approve. The attacker persisted, trying various commonly used passwords in the hope of success. Despite eventually discovering the correct password, the attacker was prevented from accessing the account by MFA, which was enabled for the target user in this tenant. As the attacker continuously requested MFA and the requests were consistently denied, numerous failed login attempts were logged in Microsoft Defender XDR. Ultimately, these events were correlated into a single alert: "Suspicious behavior: Multiple failed login attempts".


Despite the multiple failed attempts and denied MFA prompts, the attacker kept requesting MFA approval. Eventually, the target user approved the access out of tiredness, a technique known as MFA fatigue. Reviewing the "Activity from a Tor IP address" alert, we can confirm that the attacker successfully accessed Outlook/Microsoft Exchange Online using a Tor browser. Following the successful login, the attacker created forwarding rules to collect data from the user's daily email activity.
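To make the two detection ideas above concrete (the impossible-travel logic behind the Japan/Germany and Japan/Netherlands alerts, and the MFA-fatigue pattern of repeated denials followed by an approval), here is an added example that is not part of the original post and not the logic of any Microsoft product. The sign-in records, field layout and thresholds (60-minute travel window, 5 denials in 30 minutes) are constructed assumptions for illustration.

```python
"""Detection sketch for impossible travel and MFA fatigue over constructed
sign-in records. Layout and thresholds are assumptions, not a product schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: (UTC timestamp, user, country, result).
# "mfa_denied" means the password was correct but the MFA prompt was rejected.
SIGNINS = [
    ("2024-03-01T09:00:00", "user@example.com", "JP", "success"),     # real user in Japan
    ("2024-03-01T09:15:00", "user@example.com", "DE", "mfa_denied"),  # attacker via Tor, Germany
    ("2024-03-01T09:18:00", "user@example.com", "NL", "mfa_denied"),  # attacker via Tor, Netherlands
    ("2024-03-01T09:20:00", "user@example.com", "NL", "mfa_denied"),
    ("2024-03-01T09:22:00", "user@example.com", "NL", "mfa_denied"),
    ("2024-03-01T09:24:00", "user@example.com", "NL", "mfa_denied"),
    ("2024-03-01T09:26:00", "user@example.com", "NL", "mfa_denied"),
    ("2024-03-01T09:30:00", "user@example.com", "NL", "success"),     # user gives in: MFA fatigue
]

def _parsed(records):
    """Parse timestamps and order events chronologically."""
    return sorted((datetime.fromisoformat(t), u, c, r) for t, u, c, r in records)

def impossible_travel(records, window=timedelta(minutes=60)):
    """Return (user, from_country, to_country, minutes) for each sign-in from a country
    different from the user's last successful sign-in within `window`. One alert per
    (user, from, to) pair, so a burst of attempts does not flood the alert queue."""
    last_good, seen, hits = {}, set(), []
    for ts, user, country, result in _parsed(records):
        base = last_good.get(user)  # (timestamp, country) of last successful sign-in
        key = (user, base[1], country) if base else None
        if base and country != base[1] and ts - base[0] <= window and key not in seen:
            seen.add(key)
            hits.append((user, base[1], country, int((ts - base[0]).total_seconds() // 60)))
        if result == "success":
            last_good[user] = (ts, country)
    return hits

def mfa_fatigue(records, min_denials=5, window=timedelta(minutes=30)):
    """Return (user, denial_count, country) when a successful sign-in follows at least
    `min_denials` rejected MFA prompts for that user within `window`."""
    denials, hits = defaultdict(list), []
    for ts, user, country, result in _parsed(records):
        recent = [d for d in denials[user] if ts - d <= window]  # drop stale denials
        if result == "mfa_denied":
            recent.append(ts)
        elif result == "success" and len(recent) >= min_denials:
            hits.append((user, len(recent), country))
            recent = []  # reset after alerting so one approval yields one alert
        denials[user] = recent
    return hits
```

On the constructed log this yields two travel alerts (Japan to Germany after 15 minutes, Japan to the Netherlands after 18) and one fatigue alert with six denials before the approval.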


I hope these insights will be helpful for all. Stay tuned for Part 2, where we'll discuss what happens when the attacker moves to the cloud environment.

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the author's company.