
Microsoft Provides Insight into Russian Email Theft and How to Avoid Similar Mistakes


A week after Microsoft disclosed that Kremlin-backed spies had illegally accessed its network and stolen internal emails and files from its executives and staff, the company has confirmed that the compromised corporate account used in the attack did not have multi-factor authentication (MFA) enabled.

According to a statement released by Microsoft on Thursday, the Moscow-backed espionage team known as Midnight Blizzard used password spray attacks to compromise a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. In a password spray attack, the attacker tries to log into many accounts with a single password, waits a while, then tries again with another password, repeating the cycle slowly enough to stay below lockout thresholds and avoid detection. Once the attackers identify an account with a weak password, they can use it as a starting point to access the broader IT environment.
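As an added illustration (not code from the article or from Microsoft's advisory), the sketch below shows the signature a defender looks for in sign-in logs to catch the spray pattern described above: many distinct accounts failing from one source with only a few attempts each, which is the opposite of a single-account brute force. The log format, the sample entries and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events: timestamp, source IP, account, result.
# Made-up data for this example, not records from the Microsoft disclosure.
SAMPLE_LOG = """\
2024-01-12T02:00:05Z 203.0.113.7 alice@example.test FAIL
2024-01-12T02:07:11Z 203.0.113.7 bob@example.test FAIL
2024-01-12T02:15:40Z 203.0.113.7 carol@example.test FAIL
2024-01-12T02:22:03Z 203.0.113.7 dave@example.test FAIL
2024-01-12T02:31:57Z 203.0.113.7 erin@example.test FAIL
2024-01-12T02:39:20Z 203.0.113.7 legacy-test@example.test SUCCESS
2024-01-12T02:01:00Z 198.51.100.9 frank@example.test FAIL
2024-01-12T02:01:05Z 198.51.100.9 frank@example.test FAIL
2024-01-12T02:01:10Z 198.51.100.9 frank@example.test FAIL
2024-01-12T02:10:00Z 192.0.2.5 alice@example.test SUCCESS
"""

def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def detect_password_spray(log_text, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=2):
    """Flag sources whose failures within one window hit many distinct accounts
    with few tries each; a single-account brute force exceeds max_per_account."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, account))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window per source
            per_account = defaultdict(int)
            for ts, account in events[i:]:
                if ts - start <= window:
                    per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                flagged[ip] = sorted(per_account)
                break
    return flagged

def successes_from_flagged(log_text, flagged):
    """Accounts that a flagged source later signed into: the likely foothold."""
    hits = {a for _, ip, a, r in map(parse_line, log_text.splitlines())
            if ip in flagged and r == "SUCCESS"}
    return sorted(hits)
```

A successful sign-in from a source already flagged for spraying, such as the legacy test account in the sample, is the event to triage first.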

After gaining initial access to a non-production Microsoft system, the intruders compromised a legacy test OAuth application that had access to the company’s corporate IT environment. From there, the attackers were able to steal emails and other files from corporate inboxes belonging to high-level Microsoft executives and other staff.

The disclosure also revealed that the attackers utilized residential broadband networks as proxies to make their traffic look like it was legitimate work-from-home staff traffic, using real users’ IP addresses.

Microsoft has also reported that other organizations, such as HPE, have been targeted by Midnight Blizzard, though the exact method of intrusion is not yet clear.

This incident highlights the importance of implementing multi-factor authentication (MFA) for all user accounts, especially for global tech giants like Microsoft. The company has stated that it will be fast-tracking MFA across the board in response to the breach.

Microsoft’s latest advisory includes guides for administrators on how to avoid being compromised in a similar manner. The company’s disclosures have drawn attention to the apparent lack of MFA protection within the organization, prompting calls for improved security measures.

The incident has emphasized the urgent need for Microsoft to move even faster in addressing security vulnerabilities and implementing stronger protections. The company’s failure to have MFA enabled on the compromised corporate account has been criticized as “inexcusable” and “preventable” by US Senator Ron Wyden.

As per Microsoft’s own threat intelligence, the incident underscores the need for a review of basic security hygiene across the company’s extensive operations to prevent future breaches. Microsoft has committed to applying its current security standards to legacy systems and internal business processes, even if doing so disrupts existing processes.

Overall, the breach at Microsoft serves as a sobering reminder of the importance of implementing robust security measures, including multi-factor authentication, to protect against sophisticated cyber threats. It also underscores the need for companies to continuously review and update their security protocols to stay ahead of malicious actors.
