Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

Cybercrime | admin | April 24, 2019


In December 2020, FireEye uncovered and publicly disclosed a
widespread campaign conducted by the threat group we track
as UNC2452. In some, but not all, of the intrusions associated
with this campaign where Mandiant has visibility, the attacker
used their access to on-premises networks to gain unauthorized
access to the victim’s Microsoft 365 environment.

Goals and Objectives

UNC2452 and other threat actors have used several methodologies
to move laterally from on-premises networks to the cloud,
specifically Microsoft 365. This paper will help organizations
understand these techniques used by UNC2452, how to proactively
harden their environments, and how to remediate environments
where similar techniques have been observed.


It is important to note that there is no formal security boundary
between on-premises networks and cloud services provided by
Microsoft 365. If an organization discovers evidence of targeted
threat actor activity in their on-premises network, a thorough
review of the cloud environment is often necessary as well.

Scanning for vulnerabilities

Organizations can use the Azure AD Investigator auditing
script, available from the FireEye GitHub repository, to
check their Microsoft 365 tenants for indicators related to the
techniques detailed throughout this paper. The script will alert
administrators and security practitioners to artifacts that may
require further review to determine if they are truly malicious or
part of legitimate activity.
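The paragraph above describes the script's approach: surface artifacts for human review rather than declare them malicious. The following Python triage example is added here to illustrate that pattern; it is not the Azure AD Investigator script or any FireEye code. The record layout and the two flagged operation names are assumptions modelled on Unified Audit Log export fields, and every record below is constructed sample data.

```python
"""Triage constructed Microsoft 365 audit records for artifacts that warrant
review. Added illustration only: the operation names and record fields are
assumptions modelled on Unified Audit Log exports, not the real script's checks."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Operations whose appearance is worth a second look. Flagging means
# "review this", not "this is malicious": both can be legitimate admin work.
REVIEW_OPERATIONS: Dict[str, str] = {
    "Set-DomainAuthentication": "domain authentication/federation settings changed",
    "Add-ServicePrincipalCredentials": "credential added to a service principal",
}

# Constructed sample records (assumed layout; not real tenant data).
SAMPLE_RECORDS: List[dict] = [
    {"CreationDate": "2020-12-10T02:14:00", "Operation": "Set-DomainAuthentication",
     "UserId": "svc-admin@example.test", "Workload": "AzureActiveDirectory",
     "Parameters": {"Authentication": "Federated", "DomainName": "corp.example.test"}},
    {"CreationDate": "2020-12-10T02:20:00", "Operation": "Add-ServicePrincipalCredentials",
     "UserId": "svc-admin@example.test", "Workload": "AzureActiveDirectory",
     "Parameters": {"ObjectId": "00000000-0000-0000-0000-000000000001"}},
    {"CreationDate": "2020-12-11T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.test", "Workload": "AzureActiveDirectory",
     "Parameters": {}},
]


@dataclass(frozen=True)
class Finding:
    when: datetime
    actor: str
    operation: str
    reason: str
    detail: str  # serialized parameters, kept so the reviewer sees context


def triage(records: List[dict]) -> List[Finding]:
    """Return one Finding per record whose Operation is on the review list, oldest first."""
    findings: List[Finding] = []
    for rec in records:
        op = rec.get("Operation", "")
        reason = REVIEW_OPERATIONS.get(op)
        if reason is None:
            continue
        findings.append(Finding(
            when=datetime.fromisoformat(rec["CreationDate"]),
            actor=rec.get("UserId", "<unknown>"),
            operation=op,
            reason=reason,
            detail=json.dumps(rec.get("Parameters", {}), sort_keys=True),
        ))
    return sorted(findings, key=lambda f: f.when)


def correlate(findings: List[Finding],
              window: timedelta = timedelta(hours=1)) -> Dict[str, List[str]]:
    """Group findings by actor; return actors who performed two or more distinct
    flagged operations inside `window`. Clusters deserve review before singletons."""
    by_actor: Dict[str, List[Finding]] = {}
    for f in findings:
        by_actor.setdefault(f.actor, []).append(f)
    clusters: Dict[str, List[str]] = {}
    for actor, items in by_actor.items():
        items.sort(key=lambda f: f.when)
        for i, first in enumerate(items):
            ops = {first.operation}
            for later in items[i + 1:]:
                if later.when - first.when > window:
                    break
                ops.add(later.operation)
            if len(ops) >= 2:
                clusters[actor] = sorted(ops)
                break
    return clusters


def render(findings: List[Finding], clusters: Dict[str, List[str]]) -> str:
    """Plain-text review list for an analyst."""
    lines = [f"{f.when.isoformat()} {f.actor} {f.operation}: {f.reason} {f.detail}"
             for f in findings]
    for actor, ops in clusters.items():
        lines.append(f"REVIEW FIRST: {actor} performed {', '.join(ops)} within the window")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    print(render(found, correlate(found)))
```

Run against an exported audit log, the same shape of output (flagged events plus actor clusters) gives a reviewer a ranked starting point; the decision about whether each artifact is legitimate administration still rests with the reviewer, as the paper's description of the script intends.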

Written by: admin
