{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nobelium/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["NOBELIUM Group"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365 Exchange Online","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","azuread","office365","persistence","nobelium"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of the 'full_access_as_app' permission being assigned to an application within Office 365 Exchange Online. This activity is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. The observed activity leverages the \u0026quot;Update application\u0026quot; operation in Azure Active Directory AuditLogs. The threat is significant because successful exploitation grants the attacker the ability to impersonate any user within the targeted organization, leading to potential data breaches, financial fraud, or further compromise of the environment. References to Microsoft's response to the Midnight Blizzard campaign indicate that this type of permission abuse has been seen in nation-state attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an Azure AD account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to access the Azure portal or uses PowerShell/Graph API.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a malicious application within the Azure AD tenant, or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) to the application. This is achieved through the \u0026quot;Update application\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eThe application gains full access to all mailboxes in the Exchange Online environment (ResourceAppId: 00000002-0000-0ff1-ce00-000000000000).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the granted permissions to access sensitive emails, contacts, and calendar data from targeted mailboxes.\u003c/li\u003e\n\u003cli\u003eThe attacker may send emails on behalf of other users, potentially leading to phishing attacks or business email compromise (BEC).\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or maintains persistence within the environment by creating new rogue applications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful assignment of the 'full_access_as_app' permission allows an attacker to access and control all mailboxes within the targeted Office 365 Exchange Online environment. This can lead to significant data breaches, financial losses through BEC attacks, and reputational damage. Organizations in any sector are vulnerable, but those handling sensitive data or operating in regulated industries face the highest risk. Nation-state actors like NOBELIUM have been known to exploit this type of permission abuse to gain long-term access to victim networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure AD FullAccessAsApp Permission Assigned\u0026quot; to your SIEM and tune for your environment to detect unauthorized assignments of the 'full_access_as_app' permission.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for \u0026quot;Update application\u0026quot; events where the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) is being assigned.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations from Microsoft's blog post \u0026quot;Midnight Blizzard Guidance for Responders on Nation State Attack\u0026quot; to harden your Azure AD environment and prevent similar attacks.\u003c/li\u003e\n\u003cli\u003eMonitor for applications with excessive permissions, especially those with the 'full_access_as_app' permission, and investigate any anomalies.\u003c/li\u003e\n\u003cli\u003eRegularly audit application permissions in Azure AD to identify and remediate any overly permissive configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/","summary":"Detection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.","title":"Azure AD FullAccessAsApp Permission Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/"}],"language":"en","title":"CraftedSignal Threat Feed - Nobelium","version":"https://jsonfeed.org/version/1.1"}