Microsoft Threat Intelligence Centre (MSTIC) observed DEV-0343, a new activity cluster, conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on U.S. and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.
Per MSTIC, “Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks. MSTIC noted that Office 365 accounts with multifactor authentication (MFA) enabled are resilient against password sprays.”
Microsoft has observed DEV-0343 conducting extensive password spraying against >250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or maritime firms with business presence in the Middle East. https://t.co/sl4AEpXgY2
— Microsoft Security Intelligence (@MsftSecIntel) October 11, 2021
DEV-0343 emulates Firefox browser and uses IPs hosted on a Tor proxy network to perform extensive password sprays. It was observed that more than thousand unique Tor proxy IP addresses were used in attacks against each organization.
DEV-0343 operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.
Guidelines from Microsoft Threat Intelligence Centre
MSTIC has issued a few guidelines that can mitigate the threat:
- Enable multifactor authentication to mitigate compromised credentials.
- For Office 365 users, see multifactor authentication support.
- For Consumer and Personal email accounts, see how to use two-step verification.
- Download and use passwordless solutions like Microsoft Authenticator to secure accounts.
- Review and enforce recommended Exchange Online access policies.
- Block ActiveSync clients from bypassing Conditional Access policies.
- Block all incoming traffic from anonymizing services where possible.
Critical infrastructure, essential services, financial sector, and health care were, and continue to be the core target for premediated cyberattacks. The vicious will to disrupt a country and its services has been motivating state-sponsored-cyberattacks. Though government policies and regulations are being put in place to tackle the cyberattacks on critical services, the attacks continue unabated.