This past year has proved the point that advanced nation-state backed threat actors are increasingly investing their time and money to develop novel ways to access the cloud. These actors are especially interested in Microsoft 365, where more and more organizations are collaborating and storing some of their most confidential data. Especially for threat groups with intelligence collection requirements, Microsoft 365 can be their holy grail.
In this talk, we will break down several novel techniques that we’ve observed used in the past year by APT groups to persistently access Microsoft 365 and extract data. This talk will detail the technical underpinnings that are key to understanding and realizing these techniques. We will also cover new extensions or facets of these techniques that have not yet been observed or discussed but are natural extensions of the techniques that organizations should be prepared for.