Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
Background: In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the intrusions associated with this campaign where Mandiant has visibility, the attacker used their access to on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment.
Use this script to alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity.
NOTE: This tool is read-only. It does not make any changes to the Microsoft 365 environment.
Visit our GitHub repo to download the script today.
Resources:
- White paper (pdf)
- Technical blog post
- Related blog post about UNC2452

Requirements:
- Required modules: the PowerShell module requires the installation of three Microsoft 365 PowerShell modules: 1) AzureAD, 2) MSOnline, 3) ExchangeOnlineManagement.
- Required user permissions: the PowerShell module must be run with a Microsoft 365 account assigned specific privileges: 1) the Global Administrator or Global Reader role in the Azure AD portal, and 2) View-Only Audit Logs in the Exchange Control Panel.
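The following PowerShell is an added pre-flight check, not part of the Mandiant script or its repository. It verifies the prerequisites listed above before you connect and run the investigator: that the three modules are present, that the account holds Global Administrator or Global Reader in Azure AD, and that it holds View-Only Audit Logs in Exchange Online. The `$Upn` parameter, the `$roleNames` list (including the legacy display name "Company Administrator" that older AzureAD module versions return for Global Administrator) and the comparison of `EffectiveUserName` against the Exchange `Name` property are assumptions made for this example.

```powershell
# Added pre-flight check (example code, not the Mandiant Azure AD Investigator itself).
# Run interactively; $Upn is the account you intend to run the investigator with (assumed parameter).
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn
)

$requiredModules = @('AzureAD', 'MSOnline', 'ExchangeOnlineManagement')

# 1) Required modules: report anything missing and install it for the current user only,
#    so no local administrator rights are needed on the analyst workstation.
$missing = $requiredModules | Where-Object { -not (Get-Module -ListAvailable -Name $_) }
if ($missing) {
    Write-Warning "Missing modules: $($missing -join ', ')"
    foreach ($m in $missing) {
        Install-Module -Name $m -Scope CurrentUser -Force
    }
}
Import-Module AzureAD, MSOnline, ExchangeOnlineManagement

# 2) Azure AD role check. Get-AzureADDirectoryRole only lists roles that have been
#    activated in the tenant; "Company Administrator" is the legacy display name that
#    older module versions use for Global Administrator (assumed list of names).
Connect-AzureAD -AccountId $Upn | Out-Null
$roleNames  = @('Global Administrator', 'Company Administrator', 'Global Reader')
$hasAadRole = $false
foreach ($role in (Get-AzureADDirectoryRole | Where-Object { $roleNames -contains $_.DisplayName })) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.UserPrincipalName -contains $Upn) {
        Write-Host "OK: $Upn holds the '$($role.DisplayName)' role"
        $hasAadRole = $true
    }
}
if (-not $hasAadRole) {
    Write-Warning "$Upn holds neither Global Administrator nor Global Reader; Azure AD objects will be incompletely enumerated."
}

# 3) Exchange Online audit-log permission. -GetEffectiveUsers expands role groups, so
#    membership granted through a role group is detected as well as direct assignment.
#    EffectiveUserName is compared to the user's Exchange Name property (assumption).
Connect-ExchangeOnline -UserPrincipalName $Upn -ShowBanner:$false
$exoUser = Get-User -Identity $Upn
$auditAssignments = Get-ManagementRoleAssignment -Role 'View-Only Audit Logs' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $exoUser.Name }
if ($auditAssignments) {
    Write-Host "OK: $Upn has View-Only Audit Logs via: $($auditAssignments.RoleAssigneeName -join ', ')"
} else {
    Write-Warning "$Upn lacks View-Only Audit Logs; mailbox audit searches in the investigator will fail."
}

# The MSOnline module has no role check of its own here; just confirm the connection works.
Connect-MsolService
Write-Host 'MSOnline connection established.'

Disconnect-ExchangeOnline -Confirm:$false
```

Run the check as the same account you plan to use for the investigator; prefer a Global Reader assignment over Global Administrator where the tenant allows it, since the tool is read-only and the lower-privilege role is sufficient for its Azure AD queries.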