“On several occasions, the group assigned additional roles to compromised users, including the Exchange Administrator role,” according to ReliaQuest. “This role was used to monitor the inboxes of high-profile employees, enabling the attackers to stay ahead of the security team and maintain their control over the environment.”
Ensuing battle over IT resources
Despite the stealth of the attack, incident response defenders at the compromised company detected it and began to fight back, setting up a tug-of-war over control of the organization’s IT resources. In response, Scattered Spider abandoned attempts at covert infiltration and began an aggressive attempt to disrupt business operations and hinder response and recovery.
For example, the group began deleting Azure Firewall policy rule collection groups. The attack was ultimately thwarted, at least in its main aims. Although some sensitive data was extracted, the likely plan to deploy ransomware never came to fruition.