BEC Threats in M365: The Latest Guidance
On December 12, 2023, Hewlett Packard Enterprise Company received notification that a suspected nation-state actor, identified as Midnight Blizzard (also known as Cozy Bear), had gained unauthorized access to HPE's cloud-based email environment. HPE, in collaboration with external cybersecurity experts, activated its response process to investigate, contain, and remediate the incident, successfully eradicating the malicious activity. In the aftermath of the investigation, it came to light that the threat actor had gained access to a limited number of HPE mailboxes and had been exfiltrating data from them since May 2023. The affected mailboxes belonged to individuals in critical functions such as cybersecurity, go-to-market, and various business segments.
This recent security incident at Hewlett Packard Enterprise underscores the imperative for organizations to prioritize the collection and analysis of security logs. Within the M365 ecosystem specifically, unified audit logs are instrumental in providing insight into user activity and potential malicious actions. The importance of promptly detecting and responding to such incidents is highlighted by the HPE case, where unified audit logs were probably used to reveal unauthorized access to sensitive SharePoint files and manipulation of mailboxes. Retaining these logs over an extended period equips organizations with the ability to retroactively investigate incidents, aiding in identifying the entry point and the duration of a threat actor's presence. In the face of persistent Business Email Compromise (BEC) threats, the HPE incident and other significant M365 BEC cases serve as a stark reminder that threat actors can infiltrate systems and operate undetected for an extended duration. Continuous BEC threat hunts, fueled by the analysis of unified audit logs, empower organizations to proactively search for indicators of compromise, facilitating the discovery and neutralization of potential threats before they escalate.

At Mitiga, we're always on the lookout for potential threats in Microsoft 365. We continuously scan security logs to find anything suspicious or harmful. Our team uses advanced tools and technology to quickly identify and respond to any unusual activity, ensuring that organizations stay secure in the ever-changing world of cybersecurity.
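As an added illustration of the kind of hunt described above (example code written for this page, not Mitiga's tooling and not anything from the HPE investigation), the following Python runs two checks over exported unified audit log records, mailbox rules that forward or delete mail and SharePoint file access from an address outside an assumed allowlist of corporate egress IPs, and derives a per-user dwell time from the first and last flagged event. The records, IP addresses and tenant names are constructed.

```python
import json
from datetime import datetime

# Constructed sample of exported Unified Audit Log entries (the AuditData JSON
# of each record), trimmed to the fields the hunt uses. These are not records
# from the HPE incident; users, IPs and site URLs are placeholders.
SAMPLE_RECORDS = [
    '{"CreationTime":"2023-05-14T08:02:11","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"alice@contoso.example","ClientIP":"203.0.113.7","Parameters":['
    '{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2023-05-20T13:45:09","Operation":"FileDownloaded","Workload":"SharePoint",'
    '"UserId":"alice@contoso.example","ClientIP":"203.0.113.7",'
    '"ObjectId":"https://contoso.example/sites/security/IR-playbook.docx"}',
    '{"CreationTime":"2023-06-01T09:10:00","Operation":"FileAccessed","Workload":"SharePoint",'
    '"UserId":"bob@contoso.example","ClientIP":"198.51.100.22",'
    '"ObjectId":"https://contoso.example/sites/sales/q2-forecast.xlsx"}',
    '{"CreationTime":"2023-06-02T10:00:00","Operation":"Set-InboxRule","Workload":"Exchange",'
    '"UserId":"bob@contoso.example","ClientIP":"198.51.100.22","Parameters":['
    '{"Name":"Identity","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}',
]

# Assumed corporate egress addresses (constructed); anything else counts as unknown.
KNOWN_EGRESS_IPS = {"198.51.100.22"}
# Inbox-rule parameters that quietly divert or destroy mail: classic BEC tradecraft.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def hunt(raw_records, known_ips=KNOWN_EGRESS_IPS):
    """Return (findings, dwell); dwell maps user -> days between first and last flagged event."""
    findings, seen = [], {}
    for raw in raw_records:
        rec = json.loads(raw)
        user, op, ip = rec["UserId"], rec["Operation"], rec.get("ClientIP", "")
        params = {p["Name"] for p in rec.get("Parameters", [])}
        reasons = []
        if op in ("New-InboxRule", "Set-InboxRule") and params & RISKY_RULE_PARAMS:
            reasons.append("mailbox rule forwards/deletes mail")
        if op in ("FileAccessed", "FileDownloaded") and ip not in known_ips:
            reasons.append("SharePoint file access from unknown IP")
        if not reasons:
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        findings.append({"time": rec["CreationTime"], "user": user, "op": op,
                         "ip": ip, "object": rec.get("ObjectId"), "reasons": reasons})
        first, last = seen.get(user, (ts, ts))
        seen[user] = (min(first, ts), max(last, ts))  # widen the user's activity window
    dwell = {u: (last - first).days for u, (first, last) in seen.items()}
    return findings, dwell
```

Each finding carries the raw timestamp, user, operation, client IP and object so it can be pivoted on directly; a non-zero dwell value is the minimum span of the actor's presence that the retained logs can prove.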