Russia-linked Cozy Bear (APT29) uses evasive techniques to target Microsoft 365 users in NATO countries

Russia-linked APT group Cozy Bear continues to target Microsoft 365 accounts in NATO countries for cyberespionage purposes.

Mandiant researchers reported that the Russia-linked Cozy Bear cyberespionage group (aka APT29, CozyDuke, and Nobelium), has targeted Microsoft 365 accounts in espionage campaigns.

The experts pointed out that APT29 devised new advanced tactics, techniques, and procedures to evade detection.

Microsoft 365 users on a higher-grade E5 license could use a security feature named “Purview Audit” (formerly Advanced Audit), enabling the Mail Items Access audit. Mail Items Accessed records the user-agent string, timestamp, IP address, and username each time a mail item is accessed. Mandiant confirmed that APT29 was able to disable the Purview Audit feature on targeted accounts in a compromised tenant.

Read more about it : here