This feature, available with E5 licenses and certain add-ons, enables the Mail Items Accessed audit.
Once the feature is disabled, the threat actor begins targeting the inbox for email collection.
The threat actor successfully guessed the password to an account that had been set up but never used.
Because the account was dormant, Azure AD prompted APT29 to enroll in MFA.
Lastly, Mandiant has observed APT29 using Azure Virtual Machines (VMs).
The virtual machines used by APT29 exist in Azure subscriptions outside of the victim organization.
It is unclear if the threat actor group has compromised or purchased these subscriptions.
For example, in a recent investigation, APT29 gained access to a global administrator account in Azure AD.
APT29 continues to develop its technical tradecraft and dedication to strict operational security.
source: www.techworm.net