Recommended Security Controls

For immediate assistance with a network intrusion, ransomware
attack, or BEC, please contact: IrongateResponse@irongatesecurity.com  

The ransomware landscape continues to evolve. The latest threat actor making waves is ExClop, a sophisticated group now actively targeting Microsoft 365 (M365) tenants. Unlike traditional ransomware operators, ExClop seeks total tenant takeover—exfiltrating and deleting data, locking victims out of their cloud environments, and demanding ransom for restored access.

Early intelligence suggests potential links between ExClop and the Black Basta ransomware operation, despite the name’s resemblance to Cl0p. 

ExClop’s Attack Playbook 

ExClop campaigns reveal a deep understanding of Microsoft’s cloud ecosystem, employing multiple techniques in parallel: 

• Credential Theft – Phishing emails and malware disguised as Teams alerts or voicemail notifications target admin-level accounts. 

• OAuth Abuse – Malicious third-party apps trick users into granting excessive permissions, enabling persistence even after password resets. 

• Power Platform Exploits – Compromised accounts are used to automate exfiltration and maintain covert access through Power Automate and Power Apps. 

Recommended Security Controls

Protecting against tenant-level compromise requires layered defenses and strong user awareness. Key measures include: 

Offline Recovery Preparation 

Organizations often prepare for data center outages or ransomware, but few plan for the loss of an email tenant. In recent incidents, victims have waited 2–4 weeks for providers to validate ownership and restore access. 

To reduce downtime: 

• Review your provider’s offline verification requirements and create a playbook for tenant account takeover scenarios. 

• Archive offline documents that demonstrate proof of ownership (billing, domain registration, configuration exports). Review quarterly or monthly. 

• Establish alternate contact methods with your provider to avoid circular lockout during recovery

Key Takeaway: ExClop represents a new level of ransomware threat—one that targets the very control plane of your cloud environment. Securing your tenant and preparing offline recovery procedures are essential to resilience. 

Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.