Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes).

This past year has proved the point that advanced nation-state-backed threat actors are increasingly investing their time and money to develop novel ways to access the cloud. These actors are especially interested in Microsoft 365, where more and more organizations are collaborating and storing some of their most confidential data. Especially for threat groups with intelligence collection requirements, Microsoft 365 can be their holy grail.

In this talk, we will break down a number of novel techniques that we've observed used in the past year by APT groups to persistently access Microsoft 365 and extract data. This talk will detail the technical underpinnings that are key to understanding and realizing these techniques. We will also cover new extensions or facets of these techniques that have not yet been observed or discussed but are natural extensions of the techniques that organizations should be prepared for.


  • Doug Bienstock - Manager, Professional Services, Mandiant
    Doug Bienstock splits his time at Mandiant performing Incident Response and Red Team work. He uses lessons learned from IRs to better simulate attacker techniques and help organizations stay ahead of the bad guys. Doug has extensive experience with Microsoft 365 and supporting services - both as an investigator and researcher.
  • Josh Madeley - Manager, Professional Services, Mandiant
    Josh Madeley is a member of the Mandiant Incident Response Team. His recent focus on Office 365 intrusions has converted him into a PowerShell fanboy.

