{
	"id": "eade8b41-c66c-409e-a69a-b6c4f8a245ef",
	"created_at": "2026-04-06T00:22:10.881055Z",
	"updated_at": "2026-04-10T13:12:08.420136Z",
	"deleted_at": null,
	"sha1_hash": "db6b6de18726f6ada8e14d0429d10da51103440d",
	"title": "Incident Responders Explore Microsoft 365 Attacks in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 633080,
	"plain_text": "Incident Responders Explore Microsoft 365 Attacks in the Wild\r\nBy Kelly Sheridan\r\nPublished: 2021-08-05 · Archived: 2026-04-05 15:48:04 UTC\r\nIB Photography via Adobe Stock\r\nBLACK HAT 2021 – Microsoft 365 is a hot target for cybercriminals, who constantly seek new ways to bypass its\r\nsafeguards to access corporate data. And as defenders step up their game, attackers do the same.\r\n\"This past year has proved the point that nation-state-backed threat actors are increasingly investing time and\r\nmoney to develop novel ways to access data in Microsoft 365,\" said Josh Madeley, manager of professional\r\nservices at Mandiant, in a briefing entitled \"Cloud with a Chance of APT: Novel Microsoft 365 Attacks in the\r\nWild\" during this year's Black Hat USA.\r\nThese attackers are especially interested in Microsoft 365 because it's where more and more organizations store\r\ntheir data and collaborate, Madeley continued. Applications such as email, SharePoint, OneDrive, and Power BI\r\ncan hold a wealth of information invaluable to attackers.\r\n\"If you're an espionage-motivated threat actor, Microsoft 365 is the holy grail,\" he said.\r\nhttps://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591\r\nPage 1 of 3\n\nIn the talk, Madeley and co-presenter Doug Bienstock, incident response manager at Mandiant, walked through\r\nlessons learned from large-scale espionage campaigns they've observed over the past year. Techniques they saw\r\nhelped attackers disable security features like auditing and logging, automate data theft with old tactics, and abuse\r\nenterprise applications with new ones. They also maintained their access by abusing SAML and Active Directory\r\nFederation Services.\r\nMadeley kicked off the talk with methods for evading detection. Attackers aren't interested in modifying data, he\r\nsaid. They want to steal the data, review it, and understand it. 
There are stealthy ways to do this, but attackers\r\nwant to improve on their tactics and make it harder for defenders to catch them – \"especially if they want to\r\nperpetrate data theft over years,\" he said.\r\nOne way they do this is by disabling security features. All domain admins have access to the audit logs in\r\nMicrosoft 365, though organizations that pay for an E5 subscription have access to advanced auditing. This comes\r\nwith MailItemsAccessed, a feature that records any interactions with mail item objects within a 24-hour period,\r\nafter which it's throttled.\r\nIt's a problematic feature for attackers looking to steal from corporate mailboxes, Madeley noted. They needed to\r\nfind a way around it.\r\n\"Fortunately, Microsoft handed it to them in the Set-MailboxAuditBypassAssociation cmdlet,\" he continued. This\r\nprevents the logging of mailbox actions for specific users. When configured, any mailbox owner actions made by\r\nspecified users who have the bypass configuration aren't going to be logged. Delegate actions performed by\r\nspecified users on other target mailboxes are not logged, and certain admin actions are also not going to be logged,\r\nMadeley explained.\r\n\"You'd be well-served to monitor for the execution of this cmdlet in your tenant,\" he said of Set-MailboxAuditBypassAssociation. If an organization is monitoring for data theft, it may miss malicious activity if\r\nan attacker's target inbox isn't being logged.\r\nA more efficient way to bypass logging is to downgrade critical users' licenses from E5 to E3, Madeley said. 
This\r\ndisables MailItemsAccessed logging without affecting any of the features most people will use on a daily basis.\r\n\"These are really simple techniques, once you give admin access to a tenant, to make these changes to enable long-term data theft,\" he added.\r\nMailbox Folder Permission Abuse\r\nAnother technique discussed was the abuse of mailbox folder permissions, which act as an alternative to mailbox\r\ndelegations. Within a mailbox, an owner, admin, or account with full access permissions can grant permissions to\r\nother users that allow them to access specific folders within a mailbox. There are many legitimate use cases for\r\nthis: sharing calendars, having team mailboxes, or allowing admin assistants to access particular folders.\r\n\"Just like administrators, attackers who have acquired sufficient permissions to a mailbox or a tenant can modify\r\nthese permissions to allow them to access the folder contents,\" Madeley said. It's an older technique first\r\ndocumented by Black Hills Security in 2017 but is still effective.\r\nThe incident response team recently saw an APT actor lose access to multiple environments using a sophisticated\r\nmeans of targeting mailboxes, only to fall back on this method of abusing mailbox folder permissions.\r\n\"What was even more fascinating is, when they fell back on this method, there were no modifications made to the\r\nenvironment to enable it during the time of our investigation, which meant that those changes had been made a\r\nlong time before,\" he noted.\r\nAttackers will ultimately be after roles with ReadItems permissions, as this grants access to read mail items in a\r\nspecific folder. There are several roles with this permission: Author, Editor, NonEditingAuthor, Owner,\r\nPublishingEditor, PublishingAuthor, and Reviewer. 
Madeley said that Reviewer, specifically, is the one his team\r\nhas seen attackers use.\r\nIn addition to users within the tenant, there are two special users: an anonymous user, or any external\r\nunauthenticated user, and the default, or \"everyone\" user. The latter includes any internal and authenticated users.\r\nBy default the access for both user types is set to None.\r\nHowever, an attacker can take advantage. Madeley has seen attackers assign a default user to the Reviewer role,\r\nwhich would allow any authenticated user access to the mailbox folder. Permissions don't cascade down from\r\n\"child\" to \"parent\" for existing folders, but newly created folders will inherit the permission. This can be \"trivially\r\ndone\" using the Set-MailboxFolderPermission cmdlet, he noted.\r\nThe attacker will still need to maintain some level of access through a valid account; however, with this\r\nmodification, they don't need to maintain access to a specific account they want to target on a daily or weekly\r\nbasis. Instead, they can use one compromised account to access 10 mailboxes with modified folder permissions.\r\nAbout the Author\r\nFormer Senior Editor, Dark Reading\r\nKelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and\r\nanalysis. She is a business technology journalist who previously reported for InformationWeek, where she covered\r\nMicrosoft, and Insurance \u0026 Technology, where she covered financial services. Sheridan earned her BA in English\r\nat Villanova University. You can follow her on Twitter @kellymsheridan.\r\nSource: https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591"
	],
	"report_names": [
		"1341591"
	],
	"threat_actors": [],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db6b6de18726f6ada8e14d0429d10da51103440d.pdf",
		"text": "https://archive.orkl.eu/db6b6de18726f6ada8e14d0429d10da51103440d.txt",
		"img": "https://archive.orkl.eu/db6b6de18726f6ada8e14d0429d10da51103440d.jpg"
	}
}