Investigator, API Yourself: Deploying Microsoft Graph on the trail of an attacker

Sophos X-Ops MDR investigated two Microsoft 365 incidents where attackers used Microsoft Graph to compromise email accounts, manipulate permissions, and monitor activity. The linked activity across cases suggests a single actor or closely related group targeting admin accounts and exploiting cloud-based controls to maintain access.

Key points

  • Two threat-hunt cases in Microsoft 365 revealed email account compromises using Microsoft Graph security events.
  • Initial access likely occurred about 90 days before the observed malicious activity, long enough for the earliest logs to age out of the retention window or for an initial access broker (IAB) to hand the access over.
  • Attackers logged in from external IPs, including three IPs observed in both cases that have associated abuse reports and hosting-provider domains.
  • Persistence established via cloud/admin accounts, with later actions including mailbox access, delegation, and SharePoint changes.
  • Email access and manipulation included remote collection, forwarding rules, and impersonation via SendAs and mailbox permissions.
  • Defense evasion involved spoof-list allowances and mailbox deletions to hide activity and bypass controls.

MITRE Techniques

  • [T1078.004] Valid Accounts – Cloud Accounts – The threat actor accessed multiple accounts on the targeted systems, in one case changing the phone number associated with an account.
  • [T1136.003] Create Cloud Account – One such admin-level account was created during the first week of December; it was then used to create another account in late February, nearly eighty days later.
  • [T1098] Account Manipulation – The threat actor added a new phone number to a compromised user account, likely to place or intercept phone calls directly or via Microsoft Teams.
  • [T1098.002] Account Manipulation: Additional Email Delegate Permissions – The threat actor leveraged their privileged account to grant themselves full access to other users’ mailboxes. They also used this privilege to “send as” (i.e., send email from other users’ accounts).
  • [T1098.003] Account Manipulation: Additional Cloud Roles – The threat actor added the compromised administrator account to the target organization’s SharePoint with the “site admin” role and enabled “share using anonymous links.”
  • [T1114.002] Remote Email Collection – After giving themselves full permissions to other users’ mailboxes, the threat actor proceeded to read users’ emails to learn more about the users and the organization.
  • [T1114.003] Email Forwarding Rule – The threat actor implemented transport rules to redirect emails containing certain headers to the compromised mailbox and used rules to delete emails from the target mailbox.
  • [T1562.001] Impair Defenses: TenantAllowBlockListSpoofItems – The threat actor leveraged TenantAllowBlockListSpoofItems to add spoofed sender entries to the tenant allow list, enabling spoofed-domain sending.
  • [T1070.008] Indicator Removal: Clear Mailbox Data – Deletions of emails were used to hide activity; transport rules facilitated forwarding and deleting mail, and some deletions aligned with security notifications being suppressed.
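The mailbox-delegation, transport-rule and spoof-allow-list actions listed above all surface as Exchange administrative operations in the audit trail. The following added example (not code from Sophos or the article) triages a batch of such records against those techniques; the record layout mimics exported Unified Audit Log entries, the sample records are constructed, and the cmdlet parameter names used in the rules are assumptions about how each action is logged.

```python
# Constructed sample records in the shape of Unified Audit Log ExchangeAdmin entries.
# Two reuse external login IPs from the indicator list to exercise the watchlist check.
WATCHLIST_IPS = {"104.161.20.102", "185.241.149.122", "20.232.202.245"}

SAMPLE_RECORDS = [
    {"CreationTime": "2023-02-27T08:14:02", "UserId": "admin2@example.test", "ClientIP": "104.161.20.102:51322",
     "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"}, {"Name": "User", "Value": "admin2@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2023-02-27T08:20:41", "UserId": "admin2@example.test", "ClientIP": "203.0.113.9",
     "Operation": "New-TransportRule",
     "Parameters": [{"Name": "Name", "Value": "Sync"}, {"Name": "HeaderContainsWords", "Value": "invoice"},
                    {"Name": "RedirectMessageTo", "Value": "admin2@example.test"}]},
    {"CreationTime": "2023-02-27T08:25:13", "UserId": "admin2@example.test", "ClientIP": "198.51.100.77",
     "Operation": "New-TenantAllowBlockListSpoofItems",
     "Parameters": [{"Name": "SpoofedUser", "Value": "example.test"}, {"Name": "Action", "Value": "Allow"}]},
    {"CreationTime": "2023-02-27T09:01:00", "UserId": "helpdesk@example.test", "ClientIP": "198.51.100.4",
     "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "shared@example.test"}, {"Name": "AccessRights", "Value": "ReadPermission"}]},
]

# Operation -> (technique from the list above, predicate over the flattened parameters).
# Parameter names are assumed from the Exchange Online cmdlets of the same name.
RULES = {
    "Add-MailboxPermission": ("T1098.002", lambda p: "FullAccess" in p.get("AccessRights", "")),
    "Add-RecipientPermission": ("T1098.002", lambda p: "SendAs" in p.get("AccessRights", "")),
    "New-TransportRule": ("T1114.003", lambda p: any(k in p for k in ("RedirectMessageTo", "BlindCopyTo", "DeleteMessage"))),
    "New-TenantAllowBlockListSpoofItems": ("T1562.001", lambda p: p.get("Action", "").lower() == "allow"),
}

def _client_ip(record):
    """Strip a trailing :port from IPv4 ClientIP values; leave IPv6 untouched."""
    ip = record.get("ClientIP", "")
    return ip.rsplit(":", 1)[0] if ip.count(":") == 1 else ip

def triage(records):
    """Return one finding per record that matches a rule or comes from a watchlisted IP."""
    findings = []
    for r in records:
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        rule = RULES.get(r.get("Operation"))
        technique = rule[0] if rule and rule[1](params) else None
        on_watchlist = _client_ip(r) in WATCHLIST_IPS
        if technique or on_watchlist:
            findings.append({"time": r.get("CreationTime"), "user": r.get("UserId"), "operation": r.get("Operation"),
                             "technique": technique, "watchlist_ip": on_watchlist})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

Grouping findings by user and ClientIP over the 90-day window noted above is what links the delegation, forwarding and allow-list changes back to one session rather than three unrelated admin actions.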

Indicators of Compromise

  • [IP] External login IPs – 104.161.20.102, 185.241.149.122 (observed abuse reports; used to access accounts; ports exposed include RPC/SMB/RDP).
  • [IP] External login IP – 20.232.202.245 (Azure EastUS; exposed port 3389/TCP).
  • [Domain] ioflood.com – domain name of a dedicated-server hosting provider referenced in abuse context.
  • [Domain] ipxo.com – domain name of an IP-address marketplace; referenced in abuse context.
  • [Port] Exposed ports – 21/TCP (FTP), 135/TCP (RPC), 445/TCP (SMB), 3389/TCP (RDP) observed on associated IPs.

Read more: https://news.sophos.com/en-us/2023/06/30/investigator-api-yourself-deploying-microsoft-graph-on-the-trail-of-an-attacker/