Anonymous ID: ccf06a Dec. 15, 2020, 9:36 a.m. No.12038837

Long Term Access

Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long-term access.


Federation Trusts

Microsoft has observed the actor adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with actor-owned certificates.

OAuth Application & Service Principal Credentials

The actor has been observed adding credentials (x509 keys or password credentials) to one or more legitimate OAuth Applications or Service Principals, usually with existing Mail.Read or Mail.ReadWrite permissions, which grants the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples include mail archiving applications. Permissions are usually, but not always, AppOnly.

The actor may use their administrator privileges to grant additional permissions to the target Application or Service Principal (e.g. Mail.Read, Mail.ReadWrite).


https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
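As an added example (not from the post or from Microsoft's guidance), a Python triage routine over constructed Azure AD audit-log records that flags the activities the post describes: credentials added to applications or service principals, federation settings changed on a domain, and app-role grants that include Mail.Read or Mail.ReadWrite. The record shape and activity names are simplified assumptions modelled on Azure AD audit-log conventions, and the sample records are constructed.

```python
# Azure AD audit-log activity names tied to the persistence steps described above
# (assumed names following Azure AD audit-log conventions; extend as needed).
SUSPECT_ACTIVITIES = {
    "Add service principal credentials": "credential added to service principal",
    "Update application - Certificates and secrets management": "credential added to application",
    "Set federation settings on domain": "federation trust modified",
    "Set domain authentication": "domain authentication type changed",
    "Add app role assignment to service principal": "app-only permission granted",
}
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite"}

def granted_roles(entry):
    """Collect AppRole.Value entries from an app-role-assignment record (simplified schema)."""
    roles = set()
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "AppRole.Value":
                roles.add(prop.get("newValue", "").strip('"'))
    return roles

def triage(entries):
    """Return (time, initiator, target, reason) for records matching the persistence pattern."""
    hits = []
    for e in entries:
        reason = SUSPECT_ACTIVITIES.get(e.get("activityDisplayName", ""))
        if reason is None:
            continue
        if e["activityDisplayName"] == "Add app role assignment to service principal":
            mail_roles = granted_roles(e) & MAIL_PERMISSIONS
            if not mail_roles:  # grants without mailbox-reading roles are out of scope here
                continue
            reason += ": " + ", ".join(sorted(mail_roles))
        target = e["targetResources"][0].get("displayName", "?") if e.get("targetResources") else "?"
        hits.append((e["activityDateTime"], e["initiatedBy"]["user"]["userPrincipalName"], target, reason))
    return hits

# Constructed sample records (simplified Azure AD audit-log shape), not real tenant data.
def _rec(ts, activity, target, props=()):
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
            "targetResources": [{"displayName": target, "modifiedProperties":
                                 [{"displayName": "AppRole.Value", "newValue": f'"{p}"'} for p in props]}]}

SAMPLE_LOG = [
    _rec("2020-12-14T02:11:05Z", "Add service principal credentials", "MailArchiver"),
    _rec("2020-12-14T02:13:40Z", "Update user", "jdoe@contoso.example"),
    _rec("2020-12-14T02:20:12Z", "Set federation settings on domain", "contoso.example"),
    _rec("2020-12-14T02:25:58Z", "Add app role assignment to service principal", "MailArchiver", ["Mail.ReadWrite"]),
    _rec("2020-12-14T02:27:03Z", "Add app role assignment to service principal", "Inventory", ["User.Read.All"]),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Each hit is a record to review against change-management records, since all of these operations are also performed legitimately by administrators.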