Microsoft has revealed that the legacy test tenant account breached by Russian nation-state threat actors earlier this month did not have multi-factor authentication (MFA) enabled. The detail was disclosed in a blog post titled “Midnight Blizzard: Guidance for responders on nation-state attack,” which offers guidance to defenders and sheds further light on the attack Microsoft disclosed previously.
The threat actors, known as Midnight Blizzard, Nobelium, Cozy Bear, and APT29, gained access to a small percentage of Microsoft corporate email accounts, including those belonging to senior leadership, via password spraying. According to the initial disclosure by Microsoft, the compromised account was a legacy, non-production test tenant account that the threat actors accessed starting in November 2023. The attack was not discovered until January 12, 2024.
Midnight Blizzard has been associated with the Russian government’s Foreign Intelligence Service and is infamous for being the threat actor behind the 2020 supply-chain attack against SolarWinds. Microsoft clarified that the legacy test tenant account breached by Midnight Blizzard did not have multi-factor authentication (MFA) enabled, a weakness in the account’s protection. However, it also said that a similar tenant today would not be as vulnerable because mandatory Microsoft policy and workflows now ensure that MFA and active protections are enabled.
When asked by TechTarget Editorial why the legacy tenant did not have MFA enabled, Microsoft declined to comment. Beyond the MFA detail, the blog post also provided additional insight into Midnight Blizzard’s recent activity, revealing that the threat actors have been targeting other organizations, notably HPE, which this week disclosed an attack attributed to the same threat actor.
In its attack on Microsoft, Midnight Blizzard tailored its password spraying to a limited number of accounts and used a low number of attempts per account to evade detection and avoid account lockouts. The threat actors further reduced their visibility by launching attempts from a distributed residential proxy infrastructure. They then used their initial access to compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, enabling lateral movement and post-compromise activity in the victim environment.
Microsoft said its investigation indicated that the threat actors were initially targeting email accounts for information related to Midnight Blizzard itself. This is not the first time Microsoft has encountered such tactics: the company has previously warned of the dangers of OAuth abuse and the creation of malicious apps in connection with similar attacks it has observed.
Microsoft also provided guidance on defending against such attacks, including steps to prevent OAuth app abuse. The company highlighted the difficulty of identifying Midnight Blizzard’s activity because of its heavy use of proxy infrastructure with a high turnover rate, which makes detection with traditional indicators of compromise (IOCs) challenging.
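As an added illustration of the detection problem described above (this is example code, not code from Microsoft’s post or any Microsoft tooling): a traditional per-source-IP failure threshold never fires against a spray that makes only a few attempts per account and rotates through residential proxy IPs, whereas pivoting on breadth (many distinct accounts each with few failures, spread over many distinct source IPs) surfaces it, and a successful sign-in by a sprayed account from an IP that account has never succeeded from before marks the attempt that got through. The log format, account names, IP addresses and thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records for this example (not real telemetry).
# Format per line: timestamp account source_ip result
SAMPLE_SIGNIN_LOG = """\
2024-01-04T09:00:00Z alice@example.test 10.0.0.5 SUCCESS
2024-01-04T09:05:00Z bob@example.test 10.0.0.6 SUCCESS
2024-01-05T01:12:03Z alice@example.test 203.0.113.10 FAILURE
2024-01-05T01:40:51Z bob@example.test 198.51.100.22 FAILURE
2024-01-05T02:05:17Z carol@example.test 203.0.113.77 FAILURE
2024-01-05T02:33:40Z dave@example.test 192.0.2.14 FAILURE
2024-01-05T03:01:09Z erin@example.test 198.51.100.93 FAILURE
2024-01-05T03:28:55Z frank@example.test 203.0.113.41 FAILURE
2024-01-05T04:02:12Z grace@example.test 192.0.2.201 FAILURE
2024-01-05T04:30:30Z heidi@example.test 198.51.100.7 FAILURE
2024-01-05T05:11:48Z ivan@example.test 203.0.113.150 FAILURE
2024-01-05T05:45:02Z legacy-test@example.test 192.0.2.88 FAILURE
2024-01-05T06:20:19Z legacy-test@example.test 198.51.100.140 SUCCESS
2024-01-05T08:00:00Z alice@example.test 10.0.0.5 SUCCESS
2024-01-05T08:01:10Z bob@example.test 10.0.0.6 FAILURE
2024-01-05T08:01:15Z bob@example.test 10.0.0.6 SUCCESS
"""


def parse_signin_log(text):
    """Parse the constructed whitespace-separated log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def per_ip_failure_alerts(events, max_failures=5):
    """Traditional volume detector: alert on any single source IP with many failures.
    A low-and-slow spray that rotates proxy IPs never reaches the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAILURE":
            counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= max_failures)


def spray_in_window(window_events, min_accounts=8, max_failures_per_account=2):
    """Breadth detector: many distinct accounts, each with only a few failures.
    Returns None when the window does not look like a spray."""
    failures_by_account = defaultdict(list)
    for e in window_events:
        if e["result"] == "FAILURE":
            failures_by_account[e["account"]].append(e)
    sprayed = sorted(a for a, f in failures_by_account.items()
                     if len(f) <= max_failures_per_account)
    if len(sprayed) < min_accounts:
        return None
    source_ips = {e["ip"] for a in sprayed for e in failures_by_account[a]}
    return {"accounts": sprayed, "distinct_source_ips": len(source_ips)}


def scan_for_spray(events, window=timedelta(hours=12), **kw):
    """Slice the log into fixed windows. For each window that looks like a spray,
    also report successes by sprayed accounts from an IP that account has never
    succeeded from before, i.e. the attempt that got through."""
    known_good = defaultdict(set)  # account -> IPs with an earlier successful sign-in
    findings = []
    if not events:
        return findings
    start, end_of_log = events[0]["ts"], events[-1]["ts"]
    while start <= end_of_log:
        end = start + window
        win = [e for e in events if start <= e["ts"] < end]
        spray = spray_in_window(win, **kw)
        suspicious = []
        for e in win:
            if e["result"] != "SUCCESS":
                continue
            if spray and e["account"] in spray["accounts"] \
                    and e["ip"] not in known_good[e["account"]]:
                suspicious.append((e["account"], e["ip"]))
            known_good[e["account"]].add(e["ip"])  # update baseline after checking
        if spray:
            spray["window_start"] = start.isoformat()
            spray["suspicious_successes"] = suspicious
            findings.append(spray)
        start = end
    return findings


if __name__ == "__main__":
    evts = parse_signin_log(SAMPLE_SIGNIN_LOG)
    print("per-IP alerts:", per_ip_failure_alerts(evts))   # empty: nothing crossed 5 failures
    for f in scan_for_spray(evts):
        print("spray window:", f)
```

The per-IP detector stays silent because no single address ever makes more than one attempt, which is exactly the property the proxy rotation is meant to buy; the breadth detector keys on how many accounts were touched, a quantity the attacker cannot shrink without giving up coverage. The window size and account thresholds are tuning knobs that should be set from the tenant’s own baseline of normal failed sign-ins.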
Given the evolving nature of cyber threats, defenders must continually adapt and strengthen their defenses. The recent Microsoft breach shows threat actors becoming increasingly sophisticated and strategic in their tactics, and as organizations and technology evolve, defenders need to remain vigilant and proactive in protecting their networks and systems.