Examine elevation of privilege attacks

  • 4 minutes

In an elevation of privilege scenario, attackers work to increase their power once they compromise one or more accounts. In Microsoft 365, they usually want to acquire Global Administrator privileges. Specific service privileges are also desirable if the targeted data is in that product or service.

Another common pivot at this point is for the hacker to create a new account and promote that new account to a Global Administrator. By doing so, the attacker can now "hide in plain sight." In other words, the attacker has an account that no one else uses. Usually, organizations don't notice these accounts unless it regularly reviews the Global Administrator account population.

Diagram showing an image of a hacker working on a laptop.

Preventing an elevation of privilege attack

In an elevation of privilege attack, user accounts are at the center of the attack pattern. As such, attackers target protection controls just as they do with an account breach. To counter these attacks, Microsoft recommends that you implement Microsoft Entra multifactor authentication (MFA). It's especially important to implement multifactor authentication on admin accounts and accounts with access to sensitive content.

Besides MFA, one of the best protections an organization can employ is to keep the number of Global Administrators small. Microsoft recommends that organizations have a minimum of two and a maximum of five global admins for any size of tenant. By doing so, you keep the target area small, which makes it difficult for an attacker to hide. Microsoft also recommends that organizations regularly review their Global Administrators and their activity, including auditing and alerts.

In the event a breach of this nature occurs, you should carefully determine everything the attacker did to your data or to further entrench themselves in your tenancy. Look for new accounts, accounts with recent changes (such as promotion to a Global Administrator), global configuration changes, and every interaction with data from the affected accounts.

Once you successfully regain control of the breached accounts, you can usually reverse the changes made by the attacker. You can then determine what, if any, communication steps you should take if the attacker removed or deleted data. Pay careful attention to:

  • Document access control lists
  • Mailbox delegate permissions
  • Mailbox forwarding rules
  • Mail transport rules

Tip

Microsoft recommends enabling MFA on the affected accounts.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As the Microsoft 365 Administrator for Lucerne Publishing, Inc., Holly Dickson is concerned about several users who recently fell for elevation of privilege attacks. Which of the following strategies can Holly implement to help prevent future elevation of privilege attacks?