SolarWinds-Linked Attackers Target Microsoft 365 Mailboxes

Researchers observe attackers altering mailbox folders to assign read-only permissions to any authenticated user on a target machine.

Mandiant security researchers have observed UNC2452, the group theyre tracking in association with the SolarWinds attacks, using a new tactic targeting Microsoft 365 mailboxes.
Mandiant began tracking UNC2452
in December 2020 when it discovered the global cyberattack that infected SolarWinds Orion software updates to infect some 18,000 organizations around the world. In some, but not all, of the intrusions they observed, researchers noticed attackers were using on-premise network access to enter a victims Microsoft 365 environment unauthorized.
This week, the research team reported attackers, in some instances, are modifying the mailbox folder permissions of individual Microsoft 365 mailboxes to maintain persistent access to the target users emails.
This stealthy technique is not usually monitored by defenders and provides threat actors a way to access the desired email messages using any compromised credentials, Mandiant researchers wrote in an updated blog post.
They have also updated their Azure AD Investigator tool, as well as their whitepaper on UNC2452, to include this new technique.
Read more details
here
and the full whitepaper with remediation strategies
here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
SolarWinds-Linked Attackers Target Microsoft 365 Mailboxes