Microsoft reported that a nation-state hacking group, allegedly run by Russian intelligence, breached Microsoft’s cloud-based email system by using a test account to authorize a custom-built malicious application. The attack specifically targeted Microsoft 365, the company’s suite of productivity and cloud storage apps. The attack, discovered recently and disclosed publicly by Microsoft on January 19, has been attributed to a group known as Midnight Blizzard, which was formerly referred to as Nobelium and is also known as APT29 and Cozy Bear.
The group has been linked to Russia’s Foreign Intelligence Service, or SVR, following its involvement in injecting a Trojan into the SolarWinds Orion software. The SolarWinds campaign, which was not detected until December 2020 despite potentially beginning as early as September 2019, demonstrated the ability of SVR to conduct cyberespionage operations for extended periods of time.
In the case of the Microsoft attack, the group appeared to have access to Microsoft’s Outlook inboxes for approximately six weeks. As part of the ongoing investigation, it was discovered that the attackers used identical tactics to target the inboxes of an unspecified number of Microsoft customers. Microsoft has begun notifying these targeted organizations and continues to review its defenses to prevent future attacks.
One such targeted customer is Hewlett Packard Enterprise (HPE), which confirmed that it had been notified of unauthorized access to its cloud-based email environment. HPE stated that the suspected nation-state actor behind the attack was believed to be Midnight Blizzard, also known as Cozy Bear. The attack on HPE appears to be connected to a previous incident in May 2023 when multiple SharePoint files were exfiltrated by the same threat actor.
Microsoft described the steps by which the compromise of its “legacy, non-production test tenant account” proceeded, including password spraying, creating malicious OAuth applications, gaining full access to multiple Office 365 Exchange Online mailboxes, and harvesting emails. The company is currently undertaking forensic analysis to gather more details about the attack and ensure that better defenses are in place to prevent a similar incident from occurring in the future.
In response to the attack, Microsoft has pledged to move quickly to strengthen its defenses, including its legacy technology, and ensure that its current security standards are applied to internal business processes. The company acknowledged the need to update its policies and guidance to provide better protection against these types of attacks and mitigate potential disruptions to its business processes. Microsoft is also making efforts to enhance its security protocols, particularly in light of its support for Ukraine, and has promised to overhaul its defenses to protect against future attacks.