Guidance for partners on Nobelium targeted attacks

Today, Microsoft released guidance to help partners and customers protect against nation-state activity associated with the threat actor tracked as Nobelium. Nobelium is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach. Microsoft has notified organizations that the Microsoft Threat Intelligence Center (MSTIC) has observed being targeted or compromised by Nobelium through our nation state notification process.

To reduce the potential impact of this Nobelium activity, cloud service providers (CSP), managed service providers (MSP), and other IT services organizations that rely on delegated administrative privileges (collectively, “service providers”) or have been granted other administrative privileges by their customers, should review the guidance below and implement mitigations for your own organization and your customers immediately.

Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted technical relationships to gain access to downstream customers and enable further attacks or access targeted systems. These attacks are not the result of a product security vulnerability but rather a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts. These attacks have highlighted the need for all administrators to adopt strict account security practices and take additional measures to secure their environments.

In the observed supply chain attacks, downstream customers of service providers and other organizations are also being targeted by Nobelium. In these provider/customer relationships, a customer delegates administrative rights to the provider to allow the provider to manage the customer’s tenants as if they were an administrator within the customer’s organization. By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access.

To reduce the potential impact of this Nobelium activity, Microsoft encourages all partners and customers to immediately review the guidance below and implement risk mitigations, harden environments, and investigate suspicious behaviors that match the tactics described further in the MSTIC blog. The activity against these organizations is ongoing and MSTIC continues to observe, monitor, and notify impacted customers through our nation-state notification process.

Guidance for partners and customers from MSTIC

Microsoft recommends that cloud service providers, other technology organizations with elevated privileges for customer systems, and all downstream customers of these organizations review and implement the following actions to help mitigate and remediate the recent Nobelium activity.

If you are a cloud service provider or an organization who relies on elevated privileges

1. Verify and monitor compliance with Microsoft Partner Center security requirements
All Microsoft partners should review and verify overall compliance status with the partner security requirements through the Microsoft
Partner Center. Microsoft recommends the following:

  • Ensure multifactor authentication (MFA) is in use and conditional access policies are enforced: All Microsoft partners are required to use MFA to access Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds. Partners are advised to check their security compliance in Partner Center and monitor if any user logins or API calls are not compliant with MFA enforcement. Partners should stay compliant at all times.
  • Adopt the Secure Application Model Framework: All partners integrating with Partner Center APIs must adopt the Secure Application Model framework for any app and user auth model applications.
  • Check the Partner Center Activity Logs: partners are advised to regularly check the "Activity Log" in Partner Center to monitor any user activities, including high privileged user creations, high privileged user role assignment, etc. Partners can also use Partner Center Activity Log APIs to create a custom security dashboard on key user activities in Partner Center to proactively detect suspicious activities.

2. Remove delegated administrative privileges (DAP) connection
when not in use

To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use. Starting in November, a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections and will help organizations to discover unused delegated administrative privileges connections.

This tool will provide reporting that captures how partner agents are accessing customer tenants through those privileges and will allow partners to remove the connection when not in use.

3. Conduct a thorough investigation and comprehensive response
Carry out additional investigations if you think you might have been affected to determine the full scope of compromised users/assets. Microsoft recommends the following:

  • Review the Azure AD Security Operations Guide to audit or establish your security operations.  If you are a cloud service provider or an organization that relies on elevated privileges, you need to assess the security implications in your network and its connectivity for your customers. In particular, review authentications that are associated with Azure AD configuration changes using the Microsoft 365 compliance center (formerly in the Exchange admin center) or Azure AD admin logs.
  • Adequate log retention procedures for cloud-based resources are critical to effectively identify, respond to, and remediate malicious activity. Cloud service providers and other technology organizations often configure individual subscriptions to meet specific customer requirements. These configurations might not include security controls that enable full accountability to administrative actions should an incident occur. We encourage all organizations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies.
  • General Incident response playbooks for Phishing and Password spray are available in Microsoft Security Best Practices.

For downstream customers

1. Review, audit, and minimize access privileges and delegated permissions
It is important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.

  • Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly review all tenant admin users, including those associated with Administer On Behalf Of (AOBO) in Azure subscriptions and verify the authenticity of the users and activity. We strongly encourage the use of strong authentication for all tenant administrators, review of devices registered for use with MFA, and minimize the use of standing high-privilege access. Continue to reinspect all active tenant admin users accounts and check audit logs on a regular basis to verify that high-privilege user access is not granted or delegated to admin users who do not require these to do their job.
  • Review service provider permissions access from B2B and local accounts: In addition to using the delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well-governed, and have least-privilege access in your tenant. Microsoft recommends against the use of “shared” administrator accounts. Review the detailed guidance on how to review permissions for B2B accounts.

2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies.
MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multifactor authentication in Microsoft 365, as well as the guidance on deploying and configuring conditional access policies in Azure Active Directory (Azure AD).

3. Review and audit logs and configurations

  • Review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Azure AD sign in logs, Azure AD audit logs, and the Microsoft 365 compliance center (formerly in the Exchange Admin Center). 

    We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal, and adding a filter ‘Cross-tenant access type: Service provider’ on the ‘User-sign ins (non-interactive)’ tab.
  • Review Existing Log Availability and Retention Strategies: Investigating activities conducted by malicious actors places a large emphasis on having adequate log retention procedures for cloud-based resources including Office 365. Various subscription levels have individualized log availability and retention policies which are important to understand prior to forming an incident response procedure.

We encourage all organizations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident.


More information and guidance available
Further information on this Nobelium activity, including observed behaviors, guidance on detection and Investigation through Advanced Hunting queries is available in the MSTIC blog.