As organizations increasingly rely on SaaS applications like Microsoft 365, Dynamics 365, and Entra ID, the stakes for data protection, security, and compliance have never been higher. Threats are becoming more sophisticated and threat actors always find new, innovative ways to attack an organization. In this blog, we will learn about a couple of new Microsoft 365 attack mechanisms that have recently come to light — and explain how you can defend your data.
Innovative Internal Attacks that Bypass Perimeter Security
According to Forbes, the Black Basta ransomware group has started using internal communication platforms such as Microsoft Teams for attacks. This group has adopted a new social engineering tactic by impersonating corporate IT support via Microsoft Teams to infiltrate networks. In this scheme, attackers pose as help desk personnel, contacting employees to assist with alleged spam issues. They then persuade the targets to install remote access software, such as AnyDesk, under the guise of resolving the problem. Once access is granted, the attackers deploy ransomware to encrypt the organization's data.
This is alarming because existing corporate security strategies have concentrated mainly on blocking external threats. Tools like email phishing filters, web monitoring, and firewalls are all aimed at preventing attacks from outside the network. But Black Basta’s tactic of impersonating IT support within Microsoft Teams exposes the weaknesses of this approach. By operating within an organization’s internal communication platform, attackers can exploit employees' natural trust, bypassing external security measures altogether.
A New Way of Spear-Phishing
Microsoft recently published a warning saying it has detected a spear-phishing campaign by Russian threat actor Midnight Blizzard, which targeted thousands of users across more than 100 organizations with phishing emails. The bigger worry here is their approach for this specific attack campaign.
Midnight Blizzard used social engineering tactics referencing Microsoft, AWS, and Zero Trust concepts to lure users into opening a malicious RDP (Remote Desktop Protocol) configuration attachment. This attachment, signed with a Let's Encrypt certificate, included sensitive configurations that connected the target’s device to an actor-controlled server.
Once connected, the compromised RDP session allowed Midnight Blizzard to access a range of resources on the user’s device, including files, directories, network drives, peripherals (like smart cards and printers), and clipboard data. The threat actor could install malware or remote access tools (RATs) on local drives and network shares to maintain long-term access, even after the session ended. The connection also exposed user credentials, posing a severe risk to the compromised organizations.
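As an added example (not from the original post, and not Microsoft's or Druva's code), a small Python triage script that parses an .rdp attachment and lists which local resources a session started from it would hand to the remote server, so a mail gateway or SOC can flag files like the ones described above before a user opens them; the host name and signature value in the sample are constructed placeholders.

```python
from typing import Dict, List

# .rdp settings that hand local resources to the remote host when enabled.
# Key names follow the .rdp file format; "*" in drivestoredirect = all drives.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Return {setting: value} from 'name:type:value' lines; skip malformed ones."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings

def triage_rdp(text: str) -> List[str]:
    """Findings an analyst wants before a user is allowed to open the file."""
    cfg = parse_rdp(text)
    findings = []
    if cfg.get("full address"):
        findings.append(f"connects to {cfg['full address']}")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in cfg and is_risky(cfg[key]):
            findings.append(f"redirects {key}={cfg[key]}")
    # A valid signature only proves the file was not altered after signing;
    # it says nothing about whether the signer should be trusted.
    if "signature" in cfg:
        findings.append("signed file: check who signed it, not just validity")
    return findings

# Constructed sample resembling the attachments described in the post;
# the host name and signature are placeholders, not real indicators.
SAMPLE_RDP = """full address:s:remote.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("-", finding)
```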
How You Can Defend Against These Types of Ransomware Attacks
Ransomware is evolving, and these examples highlight the need to evolve your approach to data security. Remember that the best defense for any type of cyberattack is to have a backup of your critical data. But having a backup copy is not enough. Ransomware specifically targets backup data for encryption or deletion to ensure that victims have to pay.
The best form of protection is to have an in-depth cybersecurity strategy that spans both your primary environment and backup data and includes a comprehensive ransomware playbook that covers each step of protection and recovery. The National Institute of Standards and Technology (NIST) recommends following the Cybersecurity Framework (CSF):
- Identify — Identify your critical functions and data landscape across your environment, ensure the backup platform is a tier 1 application, and align critical applications and protection policies across backup and security teams.
- Protect — Ensure you always have safe, unencrypted backup data you can use for recovery with best-in-class platform security, immutable air-gapped backups, and zero trust architecture.
- Detect — Pinpoint unauthorized activity with insights into access attempts. Get alerts for data anomalies using an entropy-based machine learning algorithm that understands your unique environment.
- Respond — Stop the spread of ransomware immediately with API-based SIEM and SOAR integrations that automate response activities like quarantining infected resources and snapshots.
- Recover — Avoid reinfection by scanning individual snapshots before recovery to ensure data is clean. Or use automated recovery tools to find the most recent clean version of every file within a specified date range.
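One way to implement the entropy-based detection in the Detect step and the clean-snapshot search in the Recover step, as an added Python example that is not Druva's own algorithm: it scores files by Shannon entropy, compares each backup snapshot against the previous one so that files that were always high-entropy (archives, images) do not alert on every run, and returns the newest snapshot taken before the first anomalous one. The 7.2 bits/byte threshold, the 25% ratio and the snapshot contents are constructed for illustration.

```python
import math
from typing import Dict, List, Optional

# Plain documents usually score well below 7 bits/byte; encrypted (and
# compressed) data sits near 8. The cut-off is an assumption for this example.
ENTROPY_THRESHOLD = 7.2

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_files(snapshot: Dict[str, bytes]) -> List[str]:
    """Paths whose content looks encrypted in this snapshot."""
    return sorted(p for p, d in snapshot.items()
                  if shannon_entropy(d) >= ENTROPY_THRESHOLD)

def detect_anomaly(prev: Dict[str, bytes], cur: Dict[str, bytes],
                   max_ratio: float = 0.25) -> bool:
    """True when the share of files that became high-entropy since the previous
    snapshot exceeds max_ratio; comparing with a baseline keeps archives and
    images that were always high-entropy from alerting on every run."""
    baseline = set(suspicious_files(prev))
    newly = [p for p in suspicious_files(cur) if p not in baseline]
    return len(newly) / max(len(cur), 1) > max_ratio

def latest_clean_snapshot(snapshots: List[Dict[str, bytes]]) -> Optional[int]:
    """Index of the newest snapshot taken before the first anomalous one."""
    for i in range(1, len(snapshots)):
        if detect_anomaly(snapshots[i - 1], snapshots[i]):
            return i - 1
    return len(snapshots) - 1 if snapshots else None

# Constructed snapshots: PLAIN is ordinary text; CIPHER, a uniform byte
# distribution, stands in for ciphertext (8.0 bits/byte).
PLAIN = b"Quarterly report: revenue grew in all regions.\n" * 20
CIPHER = bytes(range(256)) * 4
SNAPSHOTS = [
    {"a.docx": PLAIN, "b.xlsx": PLAIN, "c.pdf": PLAIN, "old.zip": CIPHER},
    {"a.docx": PLAIN, "b.xlsx": PLAIN, "c.pdf": PLAIN, "old.zip": CIPHER},
    {"a.docx": CIPHER, "b.xlsx": CIPHER, "c.pdf": CIPHER, "old.zip": CIPHER},
]

if __name__ == "__main__":
    print("latest clean snapshot index:", latest_clean_snapshot(SNAPSHOTS))
```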
How Druva Ensures the Security of Your Microsoft 365 Data
Druva helps customers ensure the security and resiliency of Microsoft workloads with its 100% SaaS, fully managed platform. The Druva Data Security Cloud offers a suite of advanced data security features tailored specifically for Microsoft 365 (with support for Microsoft Backup Storage), Azure VMs, Microsoft Entra ID, and Microsoft Dynamics 365 workloads to keep customer data safe.
Druva’s support for Microsoft workloads includes:
- Microsoft 365 Backup — Druva’s industry-leading, 100% SaaS data protection, backup, and recovery platform protects your Microsoft 365 data, including Exchange Online, OneDrive, SharePoint, and Teams, from common risks like accidental deletion, file corruption, insider attacks, and ransomware, and keeps your company compliant with data retention, legal hold, and eDiscovery.
- Microsoft 365 Backup Storage Service support — Druva delivers seamless integration with the Microsoft 365 Backup Storage service to enhance data protection capabilities for Exchange Online, OneDrive, and SharePoint Online. With frequent backup snapshots and speedy recovery options, Druva ensures the integrity and availability of customers’ Microsoft 365 data.
- Entra ID — Organizations can protect and quickly recover Microsoft Entra ID objects using Druva. This enables them to safeguard crucial business information regarding users, devices, enterprise, and organizational applications, including their relationships like groups, roles, and access permissions in the event of cyber threats, data loss, corruption, or accidental deletion.
- Azure VMs — Druva's agentless, cloud-native solution for Azure provides organizations with secure, air-gapped backups of Azure VM data, protecting against cyber threats at a lower cost and without management complexity. Druva protects Azure VM data from ransomware by creating an encrypted backup copy of your data that is inaccessible to attackers and stored in Druva's cloud.
- Dynamics 365 — Druva's data protection solution for Dynamics 365 (GA in early 2025) delivers advanced capabilities such as granular restoration of entities, records, and metadata — and potentially most importantly, flexible retention policies. This expanded retention is crucial for organizations needing to meet strict compliance requirements. With Druva, customers seamlessly manage backups, restore to production or sandbox environments, and optimize operational efficiency with automated workflows.
- Windows devices — Druva empowers organizations to protect their end users' data regardless of where it resides — on the endpoint device or in M365 — so you can confidently tackle modern data risks such as security threats, data loss, compliance requirements, and management complexity, all while reducing costs. The Druva Data Security Cloud addresses the security of data for your end users — at scale and globally — be it reactively after an attack or isolated incident, or proactively as part of a device refresh cycle.
Druva also offers several innovative data security features that enable organizations to quickly respond to incidents and rapidly recover mission-critical data in the event of a cyber-attack or data loss.
- Unusual Data Activity (UDA) detection for Microsoft 365, which employs AI-driven anomaly detection technology to identify suspicious data modifications, empowering organizations to respond swiftly and protect their critical data assets from cyber threats. Druva UDA detects malicious, intentional, or unknown activities for files that are added, encrypted, deleted, or modified, generating alerts and ensuring efficient data resiliency from threats.
- Microsoft 365 Threat Hunting to accelerate incident response by enabling organizations to quickly and easily search for threats across an extended timeline of backups and end-user data. By locating threats and quarantining backups, Druva prevents the restoration of compromised data, eliminating reinfection risks and ensuring comprehensive data security.
- Curated Recovery for Microsoft 365 to help accelerate recovery time and minimize data loss during cybersecurity attacks. Druva ensures seamless and secure restores for OneDrive and SharePoint by creating customized snapshots with the latest, cleanest, and safest scanned file versions.
Witness the Power of the Data Security Cloud, Live
Experience how Druva can help your organization keep its critical data secure by visiting our booth at Microsoft Ignite from November 19-21.