The company said in a blog post on Tuesday that it had observed the malware it reported last month moving into the Microsoft 365 cloud using four main methods:
- Stealing the Active Directory Federation Services token-signing certificate and using it to forge tokens for arbitrary users (sometimes described as Golden SAML).
- Modifying or adding trusted domains in Azure AD to add a new federated Identity Provider that the attacker controlled.
- Compromising the credentials of on-premises user accounts that are synchronised to Microsoft 365 and hold highly privileged directory roles, such as Global Administrator or Application Administrator.
- Backdooring an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
FireEye disclosed on 9 December AEDT that it had been compromised and had its Red Team tools stolen. The campaign was later described as being widespread and tracked as UNC2452.
In a white paper, FireEye's Mandiant division went into greater detail about the remediation techniques.
The company also released an Azure auditing script that could be used to check Microsoft 365 tenants for indicators of some of the techniques used by UNC2452.
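The four methods listed above leave different traces. The first (stealing the token-signing certificate) happens on the ADFS server and is not visible in the tenant's own audit log, but the other three show up as directory changes: a federation setting being set on a domain, a credential being added to an application or service principal, and a member being added to a privileged role. The script below is an added illustration of that kind of tenant check, written for this article and not FireEye's or Mandiant's own auditing script. It runs over a constructed sample of Azure AD audit-log records; the field names (activityDisplayName, initiatedBy, targetResources) follow the general shape of an audit log export but are an assumption, as are the exact activity names, which should be verified against a real export before relying on them.

```python
"""Flag Azure AD audit-log records that match three of the four UNC2452
cloud techniques: federation changes, credentials added to an existing
app/service principal, and privileged role grants.

Added example, not the vendor's script. Field and activity names are an
assumption about the audit log format; the sample records are constructed.
"""
import json

# Activity names mapped to the technique they may indicate (assumed names).
ACTIVITY_TO_TECHNIQUE = {
    "Set federation settings on domain": "federated identity provider added or changed",
    "Set domain authentication": "federated identity provider added or changed",
    "Add service principal credentials": "credential added to existing application or service principal",
    "Update application - Certificates and secrets management": "credential added to existing application or service principal",
    "Add member to role": "privileged directory role granted",
}

# Roles named in the article; extend with any others your tenant treats as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

# Constructed sample: five records, of which three should be flagged.
SAMPLE_AUDIT_LOG = json.loads("""[
  {"activityDateTime": "2021-01-19T02:10:00Z",
   "activityDisplayName": "Set federation settings on domain",
   "initiatedBy": "svc-sync@example.test",
   "targetResources": [{"displayName": "example.test", "type": "Domain"}]},
  {"activityDateTime": "2021-01-19T03:00:00Z",
   "activityDisplayName": "Add service principal credentials",
   "initiatedBy": "admin@example.test",
   "targetResources": [{"displayName": "Mail Archiver", "type": "ServicePrincipal"}]},
  {"activityDateTime": "2021-01-18T09:00:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": "admin@example.test",
   "targetResources": [{"displayName": "Global Administrator", "type": "Role"},
                       {"displayName": "jdoe@example.test", "type": "User"}]},
  {"activityDateTime": "2021-01-18T09:30:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": "admin@example.test",
   "targetResources": [{"displayName": "Reports Reader", "type": "Role"},
                       {"displayName": "asmith@example.test", "type": "User"}]},
  {"activityDateTime": "2021-01-18T10:00:00Z",
   "activityDisplayName": "Update user",
   "initiatedBy": "admin@example.test",
   "targetResources": [{"displayName": "asmith@example.test", "type": "User"}]}
]""")


def classify(record, privileged_roles=PRIVILEGED_ROLES):
    """Return the technique a record indicates, or None if it looks routine."""
    activity = record.get("activityDisplayName")
    technique = ACTIVITY_TO_TECHNIQUE.get(activity)
    if technique is None:
        return None
    if activity == "Add member to role":
        # Only role grants into a privileged role are worth flagging.
        roles = {t.get("displayName") for t in record.get("targetResources", [])
                 if t.get("type") == "Role"}
        if not roles & privileged_roles:
            return None
    return technique


def find_indicators(records, privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per record that matches a technique."""
    findings = []
    for rec in records:
        technique = classify(rec, privileged_roles)
        if technique is None:
            continue
        findings.append({
            "when": rec.get("activityDateTime"),
            "actor": rec.get("initiatedBy"),
            "activity": rec.get("activityDisplayName"),
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
            "technique": technique,
        })
    return findings


def summarise(findings):
    """Count findings per technique, so a reviewer sees which methods are in play."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_AUDIT_LOG)
    for f in hits:
        print(f"{f['when']} {f['actor']}: {f['activity']} -> {f['targets']} [{f['technique']}]")
    print(summarise(hits))
```

Each finding is a lead to review, not proof of compromise: legitimate administrators also set federation settings and add application credentials. The useful questions are whether the change was made by the expected account at an expected time, and whether the credential or federated domain it created is still present in the tenant.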