{
	"id": "935a8292-6546-4d35-9f52-2253d34fca6d",
	"created_at": "2026-04-06T01:29:07.096754Z",
	"updated_at": "2026-04-10T03:37:32.854805Z",
	"deleted_at": null,
	"sha1_hash": "1aa6d8790d7e14d607221caf23afed10998013eb",
	"title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | Blog | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64008,
	"plain_text": "Remediation and Hardening Strategies for Microsoft 365 to Defend\r\nAgainst UNC2452 | Blog | Mandiant\r\nBy Mandiant\r\nPublished: 2021-01-19 · Archived: 2026-04-06 00:09:41 UTC\r\nWritten by: Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett, Juraj Sucik\r\nUPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post and\r\nreport is now attributed to APT29.\r\nUPDATE (Oct. 28, 2021): Mandiant has recently observed targeted threat actors using EWS impersonation (via\r\nthe ApplicationImpersonation role) to maintain persistent access to mailboxes in victim environments. Once the\r\nthreat actor has access to this role, its abuse is hard to detect and provides the threat actor control over every\r\nmailbox in a victim tenant. Mandiant has also observed targeted threat actors abusing the trust relationship\r\nbetween Cloud Service Provider (CSP) organizations and their customers to laterally move from service providers\r\nto their downstream customers and gain administrator privileges in the target tenants. The blog post, white paper,\r\nand Azure AD Investigator tool have been updated to reflect these findings.\r\nUPDATE (Mar. 18): Mandiant recently observed targeted threat actors modifying mailbox folder permissions of\r\nuser mailboxes to maintain persistent access to the targeted users' email messages. This stealthy technique is not\r\nusually monitored by defenders and provides threat actors a way to access the desired email messages using any\r\ncompromised credentials. The white paper, blog post and Azure AD Investigator tool have been updated to reflect\r\nthese findings. Mandiant would like to thank the members of Microsoft’s Detection and Response Team (DART)\r\nfor their collaboration on this research.\r\nIn December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being\r\ntracked as UNC2452. 
In some, but not all, of the intrusions associated with this campaign where Mandiant has\r\nvisibility, the attacker used their access to on-premises networks to gain unauthorized access to the victim’s\r\nMicrosoft 365 environment.\r\nGoals and Objectives\r\nMethodologies that UNC2452 and other threat actors have used to move laterally from on-premises networks to\r\nthe Microsoft 365 cloud have been detailed in our white paper, Remediation and Hardening Strategies for\r\nMicrosoft 365 to Defend Against UNC2452. The paper also discusses how organizations can proactively harden\r\ntheir environments and remediate environments where similar techniques have been observed.\r\nMandiant is releasing an auditing script, Azure AD Investigator, through its GitHub repository that organizations\r\ncan use to check their Microsoft 365 tenants for indicators of some of the techniques used by UNC2452. The\r\nscript will alert administrators and security practitioners to artifacts that may require further review to determine if\r\nthey are truly malicious or part of legitimate activity. Many of the attacker techniques detailed in the white paper\r\nare dual-use in nature—they can be used by threat actors but also by legitimate tools. Therefore, a detailed review\r\nfor specific configuration parameters may be warranted, including correlating and verifying that configurations are\r\naligned with authorized and expected activities.\r\nAttacker Tactics, Techniques and Procedures (TTPs)\r\nMandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a\r\ncombination of five primary techniques:\r\n1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens\r\nfor arbitrary users (sometimes described as Golden SAML). 
This would allow the attacker to authenticate\r\ninto a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s\r\npassword or their corresponding multi-factor authentication (MFA) mechanism.\r\n2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker\r\ncontrols. This would allow the attacker to forge tokens for arbitrary users and has been described as an\r\nAzure AD backdoor.\r\n3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have\r\nhigh privileged directory roles, such as Global Administrator or Application Administrator.\r\n4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential\r\nin order to use the legitimate permissions assigned to the application, such as the ability to read email, send\r\nemail as an arbitrary user, access user calendars, etc.\r\n5. Modify the permissions of folders in a victim mailbox (such as the inbox) to make its contents readable by\r\nany other user in the victim’s Microsoft 365 environment.\r\n6. Use EWS Impersonation to impersonate any mailbox owner in the Microsoft 365 tenant and bulk collect\r\nmail items.\r\n7. 
Target and compromise Cloud Service Providers (CSPs) that have permissions to administer customer\r\ntenants of organizations that UNC2452 is targeting, and abuse the access granted to the CSP to perform\r\npost-compromise activities against the target organization.\r\nRead the white paper for a detailed overview of each technique, including practical remediation and hardening\r\nstrategies, and check out our auditing script, Azure AD Investigator.\r\nDetections\r\nFireEye Helix Detection | MITRE Technique | Detection Logic\r\nMICROSOFT AZURE ACTIVE DIRECTORY [Risky Sign-In] | T1078.004 | Alert on suspicious logon activity as detected by Azure Identity Protection\r\nOFFICE 365 [Federated Domain Set] | T1550 | Alert on new domain federation in Office 365\r\nOFFICE 365 [Modified Domain Federation Settings] | T1550 | Alert on modification of domain federation settings in Office 365\r\nOFFICE 365 [User Added Credentials to Service Principal] | T1098.011 | Alert on addition of certificates or passwords to Service Principals\r\nOFFICE 365 ANALYTICS [Abnormal Logon] | T1078.004 | Alert on suspicious login activity based on heuristics\r\nWINDOWS METHODOLOGY [ADFS Dump] | TA0006, T1552, T1552.004, T1199 | Alert on access requests for the AD FS Distributed Key Manager (DKM) container in Active Directory\r\nOFFICE 365 [Mailbox Folder Permission Change – Inbox and Top Of Information Store] | T1098.002 | Alert on suspicious modifications of mailbox folder permissions for the inbox or top of information store.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: 
https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452"
	],
	"report_names": [
		"remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438947,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa6d8790d7e14d607221caf23afed10998013eb.pdf",
		"text": "https://archive.orkl.eu/1aa6d8790d7e14d607221caf23afed10998013eb.txt",
		"img": "https://archive.orkl.eu/1aa6d8790d7e14d607221caf23afed10998013eb.jpg"
	}
}