Users continue to be the weakest link in the initial stages of the intrusion chains we investigate. The identities that people use to sign in are the critical enabler of breaches that lead to intellectual property theft, ransomware, and cryptomining, to name just a few. Defenders need detection technologies and strategies that catch identity compromise earlier in the intrusion chain.
In 2022 adversaries demonstrated their talent for circumventing several of the identity verification controls that security teams rely on to prevent the use of compromised credentials. Specifically, adversaries got smarter about circumventing multi-factor authentication (MFA) and the geographic and trust-based heuristics used to evaluate sign-ins.
In most cases their techniques tricked end users into approving "ghost" MFA requests, commonly through a technique known as MFA Request Generation, which we cover in depth in the techniques section of this report. In brief, an adversary who already holds a victim's credentials triggers a stream of MFA push prompts until the victim approves one just to make the annoyance go away, inadvertently granting the adversary initial access. Where an approved prompt still did not get the adversary in, because the sign-in was rejected on the basis of its location or network, they often signed in from public cloud infrastructure instead, abusing the trust extended to large hosting providers to slip past the static geographic or hosting-provider checks that identity and access management systems treat as a single gate, and which therefore fail entirely once an allowed source is found.
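The pattern described above, a run of unanswered or denied push prompts followed by an approval from the same source, is directly detectable in authentication logs. The following is an added example, not code from the report or from any vendor; it uses a simplified, constructed event schema (timestamp, user, source IP, MFA result) that you would map onto your identity provider's real sign-in log fields, and the window and threshold values are assumptions to tune against your own prompt volume.

```python
"""Detect MFA push bombing (MFA Request Generation) in authentication logs.

The event schema here is a constructed simplification: each line is a JSON
object with "ts" (ISO-8601 UTC), "user", "ip" (source of the sign-in attempt)
and "mfa_result" in {"approved", "denied", "timeout"}. Map these onto your
IdP's real field names before use. Window and threshold are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real log lines. alice is bombed with five
# unanswered prompts in eight minutes and then approves; bob mis-taps once
# and then approves, which is normal user behaviour.
SAMPLE_LOG = """
{"ts": "2022-06-01T03:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "denied"}
{"ts": "2022-06-01T03:01:10Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "denied"}
{"ts": "2022-06-01T03:02:15Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "timeout"}
{"ts": "2022-06-01T03:03:20Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "denied"}
{"ts": "2022-06-01T03:04:25Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "denied"}
{"ts": "2022-06-01T03:05:30Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa_result": "approved"}
{"ts": "2022-06-01T09:15:00Z", "user": "bob@example.com", "ip": "198.51.100.4", "mfa_result": "denied"}
{"ts": "2022-06-01T09:15:40Z", "user": "bob@example.com", "ip": "198.51.100.4", "mfa_result": "approved"}
"""

WINDOW = timedelta(minutes=10)   # assumption: look back this far before an approval
MIN_UNANSWERED = 3               # assumption: this many denied/timed-out prompts is suspicious
UNANSWERED = ("denied", "timeout")


def parse_events(raw):
    """Parse JSON lines into dicts with a datetime "ts", sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        # Accept a trailing Z on Python versions whose fromisoformat does not.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, window=WINDOW, min_unanswered=MIN_UNANSWERED):
    """Return one finding per approval that was preceded, within `window`,
    by at least `min_unanswered` denied or timed-out prompts for the same
    user from the same source IP. Prompts from other IPs are ignored so an
    unrelated legitimate retry elsewhere does not inflate the count."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        for index, event in enumerate(user_events):
            if event["mfa_result"] != "approved":
                continue
            earliest = event["ts"] - window
            prior = [
                p for p in user_events[:index]
                if p["ts"] >= earliest
                and p["ip"] == event["ip"]
                and p["mfa_result"] in UNANSWERED
            ]
            if len(prior) >= min_unanswered:
                findings.append({
                    "user": user,
                    "ip": event["ip"],
                    "approved_at": event["ts"].isoformat(),
                    "unanswered": len(prior),
                    "first_prompt": prior[0]["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(finding)
```

Counting only prompts from the same source IP as the eventual approval is deliberate: the sign-in record carries the adversary's address, not the victim's phone, so the whole burst shares one IP and the filter removes noise from the victim's own devices. In production, pair a finding with the follow-on behaviour this section describes (a first-seen IP or device on the approved session) rather than alerting on the count alone.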
Siphoning data from Office 365
In 2022 we observed an increase in account compromises targeting Office 365. Adversaries appear to be prioritizing data theft in these operations, ranging from email collection and data exfiltration to full-on employee impersonation in hopes of committing financial fraud. These attacks almost always originated from an account login from an unusual location. In such instances, the adversary's login would have unusual attributes, above all an IP address never before seen for the identity in question, together with secondary outlier attributes such as a mismatched User-Agent, a never-before-seen device type, or an unfamiliar geolocation. These initial logins were almost always reported under the Office 365 Exchange Online workload type in the Azure audit logs, but we also saw other Azure application types being abused. Below is a breakdown of the identity compromise sources we observed, organized by Azure Application IDs and their respective application name:
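The detection logic implied by the paragraph above, a first-seen IP for an identity combined with one or more secondary outlier attributes, can be built from a per-identity baseline of historical sign-ins. The following is an added example and not the report's or any vendor's detection code; the sign-in schema (user, IP, User-Agent, device type, country, network owner and application name) is a constructed simplification of what cloud sign-in logs carry, and the scoring rule is an assumption to tune for your environment.

```python
"""Baseline-and-outlier scoring for cloud sign-ins.

Primary indicator: the source IP has never been seen for this identity.
Secondary indicators: User-Agent, device type, country or network owner
(ASN organisation) never seen for this identity. A sign-in is flagged when
the primary indicator is present together with at least one secondary one.
Field names are a constructed simplification; map them to your IdP's log.
"""
import json
from collections import defaultdict

SECONDARY_FIELDS = ("user_agent", "device_type", "country", "asn_org")

# Constructed historical sign-ins used to build the baseline, not real data.
BASELINE_LOG = """
{"user": "alice@example.com", "ip": "192.0.2.10", "user_agent": "Outlook/16.0", "device_type": "Windows", "country": "US", "asn_org": "Example Corp", "app": "Office 365 Exchange Online"}
{"user": "alice@example.com", "ip": "192.0.2.10", "user_agent": "Outlook/16.0", "device_type": "Windows", "country": "US", "asn_org": "Example Corp", "app": "Office 365 Exchange Online"}
{"user": "alice@example.com", "ip": "192.0.2.11", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "device_type": "Windows", "country": "US", "asn_org": "Example Corp", "app": "Office 365 SharePoint Online"}
{"user": "bob@example.com", "ip": "192.0.2.20", "user_agent": "Mozilla/5.0 (Macintosh)", "device_type": "macOS", "country": "US", "asn_org": "Example Corp", "app": "Office 365 Exchange Online"}
"""

# Constructed new sign-ins to score. The first is the pattern described in
# the report: new IP, new User-Agent, new device type, new country, and a
# network owner that looks like a public cloud provider. The second is alice
# from her usual address. The third is an identity with no baseline at all.
NEW_SIGNINS = """
{"user": "alice@example.com", "ip": "203.0.113.55", "user_agent": "python-requests/2.28", "device_type": "Linux", "country": "NL", "asn_org": "Example Cloud Hosting", "app": "Office 365 Exchange Online"}
{"user": "alice@example.com", "ip": "192.0.2.10", "user_agent": "Outlook/16.0", "device_type": "Windows", "country": "US", "asn_org": "Example Corp", "app": "Office 365 Exchange Online"}
{"user": "carol@example.com", "ip": "198.51.100.9", "user_agent": "Outlook/16.0", "device_type": "Windows", "country": "US", "asn_org": "Example Corp", "app": "Office 365 Exchange Online"}
"""


def parse_signins(raw):
    return [json.loads(line) for line in raw.strip().splitlines()]


def build_baseline(history):
    """Map each user to the set of values seen for the IP and each secondary field."""
    baseline = defaultdict(lambda: defaultdict(set))
    for signin in history:
        for field in ("ip",) + SECONDARY_FIELDS:
            baseline[signin["user"]][field].add(signin[field])
    return baseline


def score_signin(signin, baseline):
    """Return a verdict dict for one sign-in against the baseline.

    Identities with no history cannot be compared, so they are reported as
    'no_baseline' rather than silently passed or flagged as compromised."""
    user = signin["user"]
    if user not in baseline:
        return {"user": user, "ip": signin["ip"], "verdict": "no_baseline", "outliers": []}
    seen = baseline[user]
    new_ip = signin["ip"] not in seen["ip"]
    outliers = [f for f in SECONDARY_FIELDS if signin[f] not in seen[f]]
    if new_ip and outliers:
        verdict = "anomalous"
    elif new_ip:
        verdict = "new_ip_only"   # worth a log line, not an alert on its own
    else:
        verdict = "baseline"
    return {"user": user, "ip": signin["ip"], "app": signin["app"],
            "verdict": verdict, "new_ip": new_ip, "outliers": outliers}


def flag_anomalous(signins, baseline):
    """Return only the sign-ins whose verdict is 'anomalous'."""
    return [v for v in (score_signin(s, baseline) for s in signins)
            if v["verdict"] == "anomalous"]


if __name__ == "__main__":
    base = build_baseline(parse_signins(BASELINE_LOG))
    for verdict in flag_anomalous(parse_signins(NEW_SIGNINS), base):
        print(verdict)
```

Requiring a secondary outlier alongside the first-seen IP is what keeps this usable: users travel and ISPs reassign addresses, so a new IP alone is common, whereas a new IP that also arrives with a new User-Agent, device type, country, or a hosting provider's network is the combination this section describes. The `asn_org` field is where the cloud-infrastructure pivot from the previous section shows up, since a corporate identity that has only ever signed in from its own network suddenly appearing from a hosting provider is itself an outlier.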