Cloudy with a Chance of APT - Novel Microsoft 365 Attacks in the Wild

Explore novel techniques used by APT groups to persistently access and extract data from Microsoft 365 in this 45-minute Black Hat conference talk. Gain insights into the technical underpinnings of these attacks, including disabling security features, manipulating mailbox folder permissions, and exploiting application vulnerabilities. Learn about potential extensions of these techniques and prepare your organization for emerging threats. Discover how attackers abuse app registrations, perform key derivation, and execute enterprise application hijacking. Understand the motivations behind these attacks and equip yourself with the knowledge to detect and mitigate these advanced persistent threats in cloud environments.

Intro
What's Going On?
Disabling Security Features
Mailbox Folder Permissions
Common Permissions
Detection
Types of Applications
Application Permissions
Secrets and Certificates
Enterprise Application Hijacking
Abuse of App Registrations
Key Derivation
Farmville
Replicating
Why?