RIP Office365 Command and Control – We Hardly Knew You

Tim Carrington, Security Consultant
July, 2020
5 mins read

The public release of offensive tooling often incites heated debate within the information security community.

The main aim of releasing such tooling is to provide organizations with the ability to defend themselves against advanced adversaries. Advances made in cyber defense in recent years can be partially attributed to the public release of offensive tooling. For example, the security enhancements made to Powershell as a result of Powershell based offensive capabilities

Microsoft has risen to the challenge of using offence to inform defense. This has not only disrupted F-Secure Consulting's red team operators, but delivered a killer blow to real-world threat actors. Any effort by an organization that forces attackers to redevelop their toolkit, and results in the redistribution of resources, is a welcome sight.  


Recent years have seen attackers adopt new techniques in order to hide their command and control (C2) activities. Publicly available threat intelligence, as well as data collected from F-Secure's incident response investigations, has shown a shift towards leveraging legitimate third-party cloud services. Attackers have been seen in the wild making use of Outlook, Instagram, Google Drive, and so on.  

The most recent example of attackers leveraging cloud services is referenced in an advisory published by the Australian government this June. Among the tactics, techniques, and procedures (TTPs) deployed was the use of the LibraryPSE malware that performed C2 over the OneDrive API. 

In response to the growing number of attacks leveraging cloud services, F-Secure Labs released the C3 framework. This tool allowed operators to rapidly prototype and test esoteric command and control channels. One objective of releasing C3 publicly was to highlight the wide range of services available to attackers looking to hide their C2 traffic.  

C3 detection - SOC

Detection of C2 traffic is not a trivial task. In most cases, organizations are more likely to succeed defending against threat actors if they focus on the surrounding phases of the cyber kill chain (such as delivery and execution).

It therefore follows that detecting Custom Command and Control (C3) channels is just as difficult, if not more so. Leveraging services such as those provided by Microsoft adds a layer of legitimacy to traffic that cannot be achieved by attackers using their own infrastructure.

The Kibana entry below shows Event Tracing for Windows (ETW) events for network traffic originating from the OneDrive executable on a Windows 10 system. Differentiating the legitimate OneDrive traffic from the C3 relay that has been injected into that process is challenging. This problem is exacerbated when scale is factored in—detecting malicious traffic of this nature among thousands of endpoints would be near infeasible.

Fig 1. Legitimate and malicious OneDrive network traffic

C3 detection - cloud providers

Cloud providers are uniquely placed to detect malicious use of their services. This is largely due to the wealth and granularity of information available to them. Detecting anomalies within this data is easier for the provider than it would be on the compromised endpoint.

Microsoft is an example of one such organization which has proactively taken steps to defend organizations from abuse of its services. It has recently developed the capability to detect and block malicious use of Azure Applications. Specifically, F-Secure has observed that any application used in the C3 framework (such as OneDrive365 and Outlook365 (O365) is now detected as malicious, and subsequently disabled by Microsoft (within approximately three hours).

The following figures show authentication attempts from a C3 relay leveraging O365 through the graph API. Highlighted in green are the successful authentication attempts. The entries highlighted in red show the application being identified as malicious by Microsoft, and subsequently disabled.

Fig 2. O365 API authentication attempt

Fig 3. Authentication details within Azure

From an attacker’s perspective, the Azure AD tenant used to register the application would be considered unusable for any subsequent C2 activity over Azure Apps. As shown in the previous images, Microsoft would be positioned to inform the affected organization through a lookup of the source IP addresses.

Detection of esoteric C2 channels can be a significant challenge from the enterprise SOC's perspective. With Microsoft now setting the example, it is hoped that more cloud providers will take centralized action benefiting their customers and their businesses. F-Secure Consulting is delighted to have helped improve cyber defense by highlighting these techniques to drive defensive counter measures.

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs