22 August 2022

Russia-linked APT29 abuses Microsoft 365 features to evade detection

A Russia-linked cyber-espionage group has been observed using newer tactics that involve abusing various Microsoft 365 features in order to evade detection.

Known as APT29 or Cozy Bear, the group has previously targeted the United States and NATO countries. In 2022, the threat actor has focused on targeting organizations responsible for influencing and crafting the foreign policy of NATO countries and has been observed revisiting victims it compromised years or months prior, according to a new report from cybersecurity firm Mandiant.

Specifically, APT29 was observed disabling Microsoft 365 licensing models in order to undermine organizations’ abilities to use logging features to confirm which accounts were compromised.

“Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when. Given APT29’s targeting and TTPs, Mandiant believes that email collection is the most likely activity following disablement of Purview Audit,” the cybersecurity company explained.
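Because mailbox-access logging stops once Purview Audit is removed from an account, the remaining signal is the licence change itself, which is still recorded in the tenant's directory audit log. The following is an added example, not code from the article or from Mandiant: it runs over a constructed, simplified set of audit-log records (the field names, the "Change user license" activity label and the SKU names are assumptions standing in for a real export) and flags every change that strips an audit-bearing SKU without replacing it, then highlights actors who do this to several users in a short window, which is the pattern a bulk downgrade before collection would leave.

```python
from datetime import datetime, timedelta

# Constructed, simplified directory audit-log records (not real tenant data).
# Field names and activity labels are assumptions standing in for an export schema.
SAMPLE_AUDIT_LOG = [
    {"time": "2022-08-01T09:12:00", "actor": "admin@example.test", "activity": "Change user license",
     "target": "cfo@example.test", "removed": ["Microsoft 365 E5"], "added": ["Microsoft 365 E3"]},
    {"time": "2022-08-01T09:13:30", "actor": "admin@example.test", "activity": "Change user license",
     "target": "deputy@example.test", "removed": ["Microsoft 365 E5"], "added": []},
    {"time": "2022-08-01T14:00:00", "actor": "helpdesk@example.test", "activity": "Change user license",
     "target": "intern@example.test", "removed": ["Microsoft 365 E3"], "added": []},
    {"time": "2022-08-02T10:00:00", "actor": "admin@example.test", "activity": "Reset user password",
     "target": "cfo@example.test", "removed": [], "added": []},
]

# SKUs that carry the premium audit feature in this constructed scenario; adjust per tenant.
AUDIT_BEARING_SKUS = {"Microsoft 365 E5"}


def find_audit_downgrades(records, audit_skus=AUDIT_BEARING_SKUS):
    """Return licence changes that remove an audit-bearing SKU from a user
    without adding another audit-bearing SKU in the same change."""
    findings = []
    for rec in records:
        if rec["activity"] != "Change user license":
            continue
        lost = set(rec["removed"]) & audit_skus
        gained = set(rec["added"]) & audit_skus
        if lost and not gained:
            findings.append({"time": rec["time"], "actor": rec["actor"],
                             "target": rec["target"], "lost": sorted(lost)})
    return findings


def burst_actors(findings, window_minutes=60, min_count=2):
    """Actors who removed audit licences from at least min_count users
    within any window_minutes-long sliding window."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], []).append(datetime.fromisoformat(f["time"]))
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                flagged.add(actor)
                break
    return flagged


if __name__ == "__main__":
    downgrades = find_audit_downgrades(SAMPLE_AUDIT_LOG)
    for d in downgrades:
        print(f"{d['time']} {d['actor']} removed {d['lost']} from {d['target']}")
    print("burst actors:", sorted(burst_actors(downgrades)))
```

In practice the detection should run continuously and alert on the first hit for any mailbox on a watch list, since the whole point of the technique is that nothing after the downgrade will be logged; the burst heuristic only adds confidence, it is not a precondition.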

The threat actor was also seen taking advantage of the self-enrollment process for MFA (multi-factor authentication) in Azure Active Directory and other platforms. When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login, Mandiant explains. Azure AD’s default configuration applies no additional enforcement to the MFA enrollment process, which allows anyone who knows the username and password to access the account from any location and any device and enroll an MFA device, so long as they are the first person to do it.

In one case, APT29 carried out a password-guessing attack against a list of mailboxes, obtained the password to an unused account, and enrolled it in MFA. Using this account, the attacker was able to access the victim’s VPN infrastructure, which used Azure AD for authentication and MFA.
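The sequence described in the two paragraphs above, a password-guessing run across many mailboxes, one success against a dormant account, then a first-ever MFA registration from the same source, is visible in sign-in telemetry even though each step looks unremarkable on its own. The following is an added example, not code from the article or from Mandiant: it runs over constructed sign-in and MFA-registration events (field names, the `mfa_registration` event label and the dormant-account baseline are all assumptions) and flags a registration when the account had no prior successful sign-in, or when the registering IP failed sign-ins against several distinct accounts shortly beforehand.

```python
from datetime import datetime, timedelta

# Constructed sign-in and MFA-registration events (not real tenant data).
# Field names and the event labels are assumptions standing in for a sign-in log export.
SAMPLE_SIGNIN_LOG = [
    # one source tries a password against several mailboxes in quick succession
    {"time": "2022-08-03T02:00:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "failure", "event": "signin"},
    {"time": "2022-08-03T02:00:05", "user": "bob@example.test", "ip": "203.0.113.7", "result": "failure", "event": "signin"},
    {"time": "2022-08-03T02:00:10", "user": "carol@example.test", "ip": "203.0.113.7", "result": "failure", "event": "signin"},
    {"time": "2022-08-03T02:00:15", "user": "dave@example.test", "ip": "203.0.113.7", "result": "failure", "event": "signin"},
    # the unused account accepts the password and is immediately enrolled in MFA
    {"time": "2022-08-03T02:00:20", "user": "svc-legacy@example.test", "ip": "203.0.113.7", "result": "success", "event": "signin"},
    {"time": "2022-08-03T02:01:00", "user": "svc-legacy@example.test", "ip": "203.0.113.7", "result": "success", "event": "mfa_registration"},
    # benign: an active user registers MFA from the corporate range after a normal login
    {"time": "2022-08-03T09:00:00", "user": "alice@example.test", "ip": "198.51.100.20", "result": "success", "event": "signin"},
    {"time": "2022-08-03T09:00:30", "user": "alice@example.test", "ip": "198.51.100.20", "result": "success", "event": "mfa_registration"},
]

# Accounts with no successful sign-in before the analysed window (constructed baseline;
# in a real tenant this would come from historical sign-in data or HR records).
DORMANT_USERS = {"svc-legacy@example.test"}


def detect_hijacked_enrollments(events, dormant_users, spray_min_users=3, window_minutes=30):
    """Flag MFA registrations on dormant accounts, or from a source IP that
    recently failed sign-ins against spray_min_users or more distinct accounts."""
    window = timedelta(minutes=window_minutes)
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    findings = []
    for reg in parsed:
        if reg["event"] != "mfa_registration":
            continue
        reasons = []
        if reg["user"] in dormant_users:
            reasons.append("first MFA device registered on a dormant account")
        # distinct accounts this IP failed against in the window before the registration
        guessed = {e["user"] for e in parsed
                   if e["event"] == "signin" and e["result"] == "failure"
                   and e["ip"] == reg["ip"]
                   and reg["ts"] - window <= e["ts"] <= reg["ts"]}
        if len(guessed) >= spray_min_users:
            reasons.append(f"registration source {reg['ip']} failed sign-ins for "
                           f"{len(guessed)} accounts in the prior {window_minutes} min")
        if reasons:
            findings.append({"user": reg["user"], "ip": reg["ip"],
                             "time": reg["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_hijacked_enrollments(SAMPLE_SIGNIN_LOG, DORMANT_USERS):
        print(f"{f['time']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

The dormant-account check is the one worth acting on by itself: an account that has never signed in successfully should not be registering its first MFA device from an arbitrary network, and blocking that (registration only from trusted locations or with a Temporary Access Pass issued by the help desk) removes the window the attacker used here.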

“APT29 continues to develop its technical tradecraft and dedication to strict operational security. Mandiant expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways,” Mandiant warned.
