Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies. Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.

Microsoft added that password spray attacks on Office 365 accounts with MFA enabled failed.The DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military grade radars, drone technology, satellite systems, and emergency response communication systems.

Microsoft researchers said that the activity is aligned with Teheran interests and its TTPs are similar to the ones of another Iran-linked threat actor.

The researchers speculate the attackers aimed at gaining access to commercial satellite imagery and proprietary shipping plans and logs, this information could allow the Iranian Government to compensate for its developing satellite program.

Threat actors behind DEV-0343 leverage an elaborate series of Tor IP addresses to obfuscate their infrastructure.

“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.” continues the report. “DEV-0343 operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as  a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.”

Microsoft Report

Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.

The IT giant recommended organizations to look for the following tactics in logs and network activity to determine if their infrastructure was hit by the threat actors:

  • Extensive inbound traffic from Tor IP addresses for password spray campaigns
  • Emulation of FireFox or Chrome browsers in password spray campaigns
  • Enumeration of Exchange ActiveSync or Autodiscover endpoints
  • Use of enumeration/password spray tool similar to the O365SprayTool
  • Use of Autodiscover to validate accounts and passwords
  • Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC

Below is the list of defensive measures shared by Microsoft to mitigate DEV-0343 attacks:

  • Enable MFA to mitigate compromised credentials.
  • Microsoft strongly encourages all customers to download and use passwordless solutions.
  • Review and enforce recommended Exchange Online access policies
  • Block Active Sync clients from bypassing Conditional Access policies
  • Block all incoming traffic from anonymizing services where possible.