{
	"id": "6fe0a84b-5c05-45f5-b752-0fdd7044c5a0",
	"created_at": "2026-04-06T00:14:11.727843Z",
	"updated_at": "2026-04-10T03:37:17.258514Z",
	"deleted_at": null,
	"sha1_hash": "04489e19c3da6d80d1d4493656c9b1eac0b7d67f",
	"title": "APT29 Continues Targeting Microsoft 365 | You Can't Audit Me",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56772,
	"plain_text": "APT29 Continues Targeting Microsoft 365 | You Can't Audit Me\r\nBy Mandiant\r\nPublished: 2022-08-18 · Archived: 2026-04-05 18:24:58 UTC\r\nWritten by: Douglas Bienstock\r\nAPT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored\r\nby the Foreign Intelligence Service (SVR). Mandiant continues to identify APT29 operations targeting the United\r\nStates' (US) interests, and those of NATO and partner countries. Despite the publicization of multiple APT29\r\noperations, they continue to be extremely prolific. In 2022, APT29 has focused on organizations responsible for\r\ninfluencing and crafting the foreign policy of NATO countries. This has included multiple instances where APT29\r\nrevisited victims they had compromised years, or sometimes only months beforehand. This persistence and\r\naggressiveness are indicative of sustained interest in this information and strict tasking by the Russian\r\nGovernment.\r\nMandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics\r\ntargeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations.\r\nDisabling Licenses\r\nMicrosoft 365 uses a variety of licensing models to control an individual user’s access to services in the Microsoft\r\n365 suite of products. The licenses can also dictate security and compliance settings such as log retention and Mail\r\nItems Accessed logging within Purview Audit. The most common licenses are E1, E3, and E5; however, there are\r\na variety of other license plans and granular add-ons that make licensing in M365 complex.\r\nFor a threat actor, one of the most troublesome logging features is Purview Audit, formerly Advanced Audit. This\r\nfeature, available with E5 licenses and certain add-ons, enables the Mail Items Accessed audit. 
Mail Items\r\nAccessed records the user-agent string, timestamp, IP address, and user each time a mail item is accessed. The\r\naudit records any type of mail access whether it is using the Graph API, Outlook, a browser, or other methodology.\r\nThis is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine\r\nthe scope of exposure. Further, it is the only way to effectively determine access to a particular mailbox when the\r\nthreat actor is using techniques like Application Impersonation or the Graph API.\r\nMandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once\r\ndisabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the\r\norganization to confirm which accounts the threat actor targeted for email collection and when. Given APT29’s\r\ntargeting and TTPs, Mandiant believes that email collection is the most likely activity following disablement of\r\nPurview Audit. We have updated our white paper, Remediation and Hardening Strategies for Microsoft 365, to\r\ninclude more details on this technique as well as detection and remediation advice. Additionally, we have updated\r\nthe Azure AD Investigator with a new module to report on users with advanced auditing disabled.\r\nhttps://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft\r\nPage 1 of 3\n\nMFA Takeover of Dormant Accounts\r\nMulti-factor authentication (MFA) is a crucial tool that organizations can deploy to thwart account takeover\r\nattacks by threat actors. By requiring users to provide both something they know and something they have,\r\norganizations can significantly reduce the risk of account compromise. 
MFA itself, however, is not a silver bullet.\r\nMandiant has previously discussed how threat actors abuse push-based MFA to spam users with notifications until\r\nthey eventually accept the prompt and allow the threat actor access. Microsoft has recently announced that they\r\nwill roll out MFA push notification with number matching to combat this.\r\nMandiant has begun to observe another trend where threat actors, including APT29, take advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms. When an organization first enforces\r\nMFA, most platforms allow users to enroll their first MFA device at the next login. This is often the workflow\r\nchosen by organizations to roll out MFA. In the default configuration of Azure AD and other platforms, there are no\r\nadditional enforcements on the MFA enrollment process. In other words, anyone with knowledge of the username\r\nand password can access the account from any location and any device to enroll MFA, so long as they are the first\r\nperson to do it.\r\nIn one instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained\r\nthrough unknown means. The threat actor successfully guessed the password to an account that had been set up,\r\nbut never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA. Once enrolled,\r\nAPT29 was able to use the account to access the organization’s VPN infrastructure that was using Azure AD for\r\nauthentication and MFA. Mandiant recommends that organizations ensure all active accounts have at least one\r\nMFA device enrolled and work with their platform vendor to add additional verifications to the MFA enrollment\r\nprocess. Microsoft Azure AD recently rolled out a feature to allow organizations to enforce controls around\r\nspecific actions such as MFA device enrollment. 
Using conditional access, organizations can restrict the\r\nregistration of MFA devices to only trusted locations, such as the internal network, or trusted devices.\r\nOrganizations can also choose to require MFA to enroll MFA. To avoid the chicken-and-egg situation this creates,\r\nhelp desk employees can issue Temporary Access Passes to employees when they first join or if they lose their\r\nMFA device. The pass can be used for a limited time to log in, bypass MFA, and register a new MFA device.\r\nFocus on Operational Security\r\nAPT29 continues to demonstrate exceptional operational security and evasion tactics. In addition to the use of\r\nresidential proxies to obfuscate their last-mile access to victim environments, Mandiant has observed APT29 turn\r\nto Azure Virtual Machines. The virtual machines used by APT29 exist in Azure subscriptions outside of the victim\r\norganization. Mandiant does not know if these subscriptions have been compromised or purchased by APT29.\r\nSourcing their last-mile access from trusted Microsoft IP addresses reduces the likelihood of detection. Because\r\nMicrosoft 365 itself runs on Azure, the Azure AD Sign-In and Unified Audit Logs already contain many Microsoft\r\nIP addresses, and it can be hard to quickly determine if an IP address belongs to a malicious VM or a backend\r\nM365 service. From Mandiant’s own observation it also appears that Microsoft-owned IP addresses greatly reduce\r\nthe risk of detection by Microsoft’s risky sign-ins and risky users reports.\r\nMandiant has also observed APT29 mix benign administrative actions with their malicious ones. For example, in a\r\nrecent investigation APT29 gained access to a global administrator account in Azure AD. They used the account to\r\nbackdoor a service principal with ApplicationImpersonation rights and start collecting email from targeted\r\nmailboxes in the tenant. 
To accomplish this, APT29 added a new certificate, or Key Credential, to the service\r\nprincipal. Once added, APT29 was able to authenticate to Azure AD as the Service Principal and use its roles to\r\ncollect email. To blend in, APT29 created the certificate with a Common Name (CN) that matched the display\r\nname of the backdoored service principal. In addition to this, they also added a new Application Address URL to\r\nthe service principal. The address they added was completely benign, not needed to facilitate their malicious\r\nactivities, and was related to the functionality of the application as documented by the vendor. This action\r\ndemonstrates the extremely high level of preparation that APT29 takes and the extent to which they try to\r\nmasquerade their actions as legitimate.\r\nOutlook\r\nAPT29 continues to develop its technical tradecraft and dedication to strict operational security. Mandiant expects\r\nthat APT29 will keep pace with the development of techniques and tactics to access Microsoft 365 in novel and\r\nstealthy ways.\r\nSource: https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft"
	],
	"report_names": [
		"apt29-continues-targeting-microsoft"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775792237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04489e19c3da6d80d1d4493656c9b1eac0b7d67f.pdf",
		"text": "https://archive.orkl.eu/04489e19c3da6d80d1d4493656c9b1eac0b7d67f.txt",
		"img": "https://archive.orkl.eu/04489e19c3da6d80d1d4493656c9b1eac0b7d67f.jpg"
	}
}