Researchers have observed the threat actor using EWS impersonation for mass email harvesting against target organizations since at least early 2021, Bienstock said. The technique was first described in red teaming circles back in 2016.
But EWS impersonation is not always malicious. A legitimate use would be an application that checks a human resources system for scheduled time off and automatically sets out-of-office messages, Bienstock said.
“This feature must be explicitly granted to an account by an administrator in the organization,” Bienstock told Cybersecurity Dive. “It is useful to a threat actor because with access to one single account, they can become any other user in the victim organization and access that user’s email, attachments and contacts.”
Because the tactic abuses a legitimate feature of Microsoft Exchange and Exchange Online, organizations should lock down the use of this feature and proactively monitor for signs of abuse. 
Accounts granted privileges to use impersonation should have logins restricted to certain IP addresses the organization knows are trusted and actively used by the application, Bienstock said. Organizations should also create alerts for new accounts that are granted the privilege for impersonation. 
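The three controls above (inventory and scope the impersonation grant, pin the account to known source addresses, alert on new grants) translate directly into Exchange Online administration. The following is an added example, not code from the article or from Mandiant; it assumes an existing `Connect-ExchangeOnline` session and uses placeholder account names, scope names and IP ranges. Client Access Rules are being retired by Microsoft in favour of Conditional Access, and Microsoft has also announced the retirement of the ApplicationImpersonation role itself in Exchange Online, so check current tenant support before relying on either cmdlet.

```powershell
# Added example (not from the article): lock down and monitor EWS
# ApplicationImpersonation in Exchange Online.
# Assumes: Connect-ExchangeOnline already run; svc-oof-automation@contoso.example,
# OOF-Automation-Scope and 203.0.113.0/24 are placeholders.

# 1. Inventory: every assignee listed here can read any mailbox inside the
#    assignment's recipient scope with nothing more than its own credentials.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object RoleAssignee, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Least privilege: scope the grant to the mailboxes the automation actually
#    manages instead of the whole tenant. The filter is OPATH syntax; the
#    CustomAttribute1 tag is a placeholder convention for "managed by OOF bot".
New-ManagementScope -Name "OOF-Automation-Scope" `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox' -and CustomAttribute1 -eq 'OOFManaged'"

New-ManagementRoleAssignment -Name "OOF-Automation-Impersonation" `
    -Role ApplicationImpersonation `
    -User "svc-oof-automation@contoso.example" `
    -CustomRecipientWriteScope "OOF-Automation-Scope"

# 3. Source restriction: deny EWS for the service account from anywhere other
#    than the automation host's address range. Where Client Access Rules are
#    no longer available, build the equivalent named-location policy in
#    Conditional Access instead.
New-ClientAccessRule -Name "Deny EWS for svc-oof outside trusted range" `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeWebServices `
    -UsernameMatchesAnyOfPatterns "svc-oof-automation@contoso.example" `
    -ExceptAnyOfClientIPAddressesOrRanges "203.0.113.0/24"

# 4. Detection: pull the last day of admin cmdlet audit records for new role
#    assignments and surface any that grant ApplicationImpersonation. Run on a
#    schedule and alert on every hit that has no matching change record.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations "New-ManagementRoleAssignment" -ResultSize 5000

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $role = ($d.Parameters | Where-Object Name -eq 'Role').Value
    if ($role -eq 'ApplicationImpersonation') {
        [pscustomobject]@{
            When    = $d.CreationTime
            Actor   = $d.UserId
            Grantee = ($d.Parameters | Where-Object Name -eq 'User').Value
            Scope   = ($d.Parameters | Where-Object Name -eq 'CustomRecipientWriteScope').Value
        }
    }
}
```

Step 4 only catches the grant. To catch use of an existing grant, pair it with mailbox auditing (MailItemsAccessed) and alert when a single account reads items across many mailboxes it does not own, which is the pattern the mass-harvesting activity described above produces.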
The threat actor, linked to Russian state sponsors, carried out a historic supply chain attack against SolarWinds from 2019 until it was discovered in late 2020. The SolarWinds attack involved the poisoning of that company's Orion monitoring platform.
Microsoft has faced intense scrutiny since the attack was uncovered in December 2020, as the threat actor was able to view some of the company's source code, and the attack raised questions among researchers and customers about the vulnerability of Microsoft enterprise platforms.
In March, Mandiant outlined efforts by the threat actor to access Microsoft 365 mailboxes by altering permissions.
Microsoft issued detailed research on the new attacks from Nobelium last week. Microsoft began observing the attacks in May; a total of 140 resellers and technology service providers have been targeted and 14 have been compromised, according to a blog post by Tom Burt, corporate vice president of customer trust and security.
The attacks have been part of a larger wave by the threat actor: Microsoft notified 609 customers between July 1 and Oct. 19 that they had been attacked 22,868 times by Nobelium, according to the blog post. Microsoft also released technical guidance to help improve security.