Mandiant has continued to track APT29's activity, which includes using a variety of methods to access its targets' Microsoft 365 accounts. The security firm recently observed a new tactic that APT29 used to bypass multi-factor authentication (MFA). The technique abuses the MFA self-enrollment process built into Microsoft's enterprise identity service, Azure Active Directory, and into similar platforms.
According to Mandiant, APT29 carried out an attack against an organization that involved guessing the password of an account that had been created but never used. Because no one had ever logged into the account, it was not yet protected by MFA. Once APT29 gained access to the account, the threat actor completed the MFA self-enrollment process itself and then used the account to connect to the organization's VPN.
Organizations can try to prevent this kind of unauthorized access by ensuring that there are no dormant accounts left unprotected by MFA. System administrators can, and often should, implement policies that automatically deactivate accounts after a set period of inactivity. Organizations can also require that users obtain a Temporary Access Pass from the help desk to complete the MFA self-enrollment process.
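The following PowerShell script is an added example, not code from the article, Mandiant or Microsoft, showing how the mitigations above look in practice against Azure Active Directory with the Microsoft Graph PowerShell SDK: it lists enabled accounts that have never signed in and have no MFA method registered (the exact gap described above), optionally disables them, and gives the help desk a helper for issuing a one-time Temporary Access Pass. The cmdlets are the SDK's own; the `MaxAgeDays` threshold, the `-Disable` switch and the `New-HelpDeskTap` helper are my naming, the `signInActivity` property requires an Entra ID P1 licence, and creating a pass requires the Temporary Access Pass method to be enabled in the tenant's authentication method policy.

```powershell
# Added example (not from the article, Mandiant or Microsoft): find the accounts APT29-style
# password guessing would land on, i.e. enabled, never signed in, no MFA method registered.
# Assumes the Microsoft.Graph module and an Entra ID P1 licence (needed for signInActivity).
param(
    [int]$MaxAgeDays = 14,            # assumed policy value: flag unused accounts older than this
    [switch]$Disable,                 # disable flagged accounts instead of only reporting them
    [int]$TapLifetimeMinutes = 60     # assumed help-desk pass lifetime
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.ReadWrite.All' | Out-Null

# MFA registration state for every user, keyed by object id
$mfaState = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfaState[$_.Id] = [bool]$_.IsMfaRegistered }

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$dormant = Get-MgUser -All -Filter 'accountEnabled eq true' `
    -Property Id, UserPrincipalName, CreatedDateTime, SignInActivity |
    Where-Object {
        # never signed in, interactively or non-interactively ...
        -not $_.SignInActivity.LastSignInDateTime -and
        -not $_.SignInActivity.LastNonInteractiveSignInDateTime -and
        # ... created long enough ago that normal onboarding should have happened ...
        $_.CreatedDateTime -lt $cutoff -and
        # ... and with no MFA method registered, so the first logon would self-enrol
        -not $mfaState[$_.Id]
    }

$action = if ($Disable) { 'disabled' } else { 'report-only' }
foreach ($u in $dormant) {
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Created           = $u.CreatedDateTime
        MfaRegistered     = $mfaState[$u.Id]
        Action            = $action
    }
    if ($Disable) {
        # Mitigation from the article: deactivate the unused account so a guessed password is useless
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
    }
}

# Mitigation from the article: when the real user is ready to enrol, the help desk issues a
# one-time Temporary Access Pass instead of letting a password-only first logon self-enrol.
function New-HelpDeskTap {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $body = @{ lifetimeInMinutes = $TapLifetimeMinutes; isUsableOnce = $true }
    (New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body).TemporaryAccessPass
}
```

Run it without `-Disable` first and review the report; accounts that are legitimately pre-provisioned (for example, a starter whose first day has not arrived) should be handled by lowering their exposure with a Temporary Access Pass at onboarding rather than by leaving them enabled with a password and no MFA.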