Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies. Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.
Microsoft added that password spray attacks on Office 365 accounts with MFA enabled failed.The DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military grade radars, drone technology, satellite systems, and emergency response communication systems.
Microsoft researchers said that the activity is aligned with Teheran interests and its TTPs are similar to the ones of another Iran-linked threat actor.
The researchers speculate the attackers aimed at gaining access to commercial satellite imagery and proprietary shipping plans and logs, this information could allow the Iranian Government to compensate for its developing satellite program.
Threat actors behind DEV-0343 leverage an elaborate series of Tor IP addresses to obfuscate their infrastructure.
Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.
The IT giant recommended organizations to look for the following tactics in logs and network activity to determine if their infrastructure was hit by the threat actors:
- Extensive inbound traffic from Tor IP addresses for password spray campaigns
- Emulation of FireFox or Chrome browsers in password spray campaigns
- Enumeration of Exchange ActiveSync or Autodiscover endpoints
- Use of enumeration/password spray tool similar to the O365SprayTool
- Use of Autodiscover to validate accounts and passwords
- Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC
Below is the list of defensive measures shared by Microsoft to mitigate DEV-0343 attacks:
- Enable MFA to mitigate compromised credentials.
- Microsoft strongly encourages all customers to download and use passwordless solutions.
- Review and enforce recommended Exchange Online access policies
- Block Active Sync clients from bypassing Conditional Access policies
- Block all incoming traffic from anonymizing services where possible.