In December 2020, FireEye uncovered and disclosed publicly a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the intrusions associated with this campaign where Mandiant has visibility, the attacker used their access to on-premises networks to gain unauthorised access to the victim’s Microsoft 365 environment.
FireEye has released a new blog and whitepaper on UNC2452 that detail the specific attack techniques used by UNC2452, as well as what organisations can do to proactively harden and remediate their environments.
There’s a lot of scattered information out there, making it difficult for companies to determine what they need to do to investigate their environment. This whitepaper is meant to serve as that playbook, with the specific methodologies that our Mandiant experts are seeing from this attacker.
- For those impacted by UNC2452, it offers remediation guidance
- For those not impacted by UNC2452, it offers hardening guidance
- In all cases, it offers detection guidance