September 8, 2022
min read
A computer system hacked warning sign

Recent reports indicate that the hacker group APT29, also known as Cozy Bear, has been actively targeting M365 deployments in 2022. Mandiant, a leader in the cyber security space, has been tracking the group’s efforts closely and reports that the group is specifically using admin privileges to disable Microsoft Purview auditing to access Microsoft 365 resources without being detected.

What is Microsoft Purview?

Microsoft Purview, formerly Microsoft Advanced Audit, is a suite of compliance, risk, and governance tools that helps organizations provide secure access to M365 resources to remote users.

A central feature of the suite is its ability to log specific information, such as IP addresses, usernames, and the like any time an M365 resource is accessed remotely. This feature is essential to maintaining a strong security posture, as it allows IT teams to identify unusual access patterns that may indicate an attack.

Mandiant reports that this logging feature is exactly what has been targeted before a larger-scale cyber-attack is carried out because it makes the subsequent attack much more difficult to detect.

How CoreView Can Detect When Microsoft Purview Is Disabled

CoreView makes it simple to perform automated audits of all aspects of your Microsoft 365 resources. Specifically for the case of monitoring Microsoft Purview itself, you can create automated audits that report all accounts for which it is disabled, and either send an alert to your IT team or re-enable it automatically when it is found to have been turned off.

Additional Security Measures

Taking action to protect the continuity of your Microsoft Purview reporting is an obvious first step, but there are additional steps you can take to reduce the chances of a bad actor gaining the required access to disable it in the first place as well.

Track License Usage and Offboarding Practices

By tracking license usage closely, you can reduce the chances that an unused license can be accessed and used either in preparation for an impending cyber-attack or in the attack itself.

CoreView makes it simple to take charge of Microsoft license usage as well as any unused or unassigned licenses that you may have.

Maybe even more importantly, with the same automated auditing approach, CoreView will allow your IT team to ensure that the credentials associated with any inactive accounts – such as those that were used by former employees – are blocked in the system, so they can’t be used by anyone else.

Automate Audit Logs

By automating audit logs, you can track daily user events, such as logins, over an extended period, which will provide the background information your IT team needs to detect irregularities.

For example, if there is a sudden spike in the number of failed logins attempts from unusual IP address ranges, there is a high likelihood that a brute force attack – one in which a massive number of random passwords are tried one after another to gain unauthorized access – is underway.

CoreView makes it simple to take such additional steps to further safeguard your M365 resources before unauthorized access has even been gained.

Zero Trust Mentality = Verify Explicitly

On a macro level, Microsoft has a concept of Zero Trust, which is to assume a breach and verify the details of it explicitly.

Conditional access policies sit at the center of the Zero Trust Model. With conditional access, IT puts policies in place that will block a user based on the type of device that they have, the authentication protocol that they are leveraging, or even the region of the world from which they are trying to connect.

For instance, if someone is trying to connect from Southeast Asia, but is currently in New York, that log-in attempt will be flagged and blocked.

Moreover, it is common for organizations to only require multi-factor authentication (MFA) when an employee is not connecting from a known, safe location. This can become a security risk if a hacker is able to configure the MFA on behalf of the user and grant himself a ‘safe’ external access and thereby gain access without using MFA.

CoreView mitigates these risks by discovering which users have not yet configured the MFA method also for those users working with Condition Access Policies. This enables your IT team to take corrective action straight from a policy report, rather than only being instructed to implement conditional access through a separate process.

Limit Global Admin Access

Finally, it is essential to any strong security posture that you limit the number of global administrators within your M365 system. Should one of these accounts become compromised, it will allow full, unrestricted administrative access to unauthorized users. Therefore, it is considered best practice to provide limited administrative privileges to the majority of admins in your M365 system.

CoreView's Perfect Privileges diagram

CoreView’s system of Virtual Tenants and “perfect permissions” makes it very straightforward to provide your administrators the access they need to perform their required tasks without over-granting administrative access.


CoreView will empower your IT department to proactively protect your M365 resources. Specifically, CoreView’s built-in, automated auditing features will allow you to track and respond to known vulnerabilities before they become a major problem for your organization.

Schedule a demo to learn more about how CoreView can help protect your business's critical M365 resources.

Get a personalized demo today

Created by M365 experts, for M365 experts.