Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29 (v1.3)

1 min read


In December 2020, Mandiant uncovered and publicly disclosed a widespread campaign conducted by the threat group we track as UNC2452. In some, but not all, of the intrusions associated with this campaign where Mandiant has visibility, the attacker used their access to on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment.

Goals and Objectives

APT29 and other threat actors have used several methodologies to move laterally from on- premises networks to the cloud, specifically Microsoft 365. This paper will help organizations understand these techniques used by APT29, how to proactively harden their environments, and how to remediate environments where similar techniques have been observed.

It is important to note that there is no formal security boundary between on-premises networks and cloud services provided by Microsoft 365. If an organization discovers evidence of targeted threat actor activity in their on-premises network, a thorough review of the cloud environment is often necessary as well.