Microsoft has issued new guidance for organizations on how to defend against persistent nation-state attacks, such as the recent one that breached its own corporate email system. A major emphasis of the guidance is on protecting against threat actors using malicious OAuth apps to conceal their activity and maintain access to applications.
The attack on Microsoft by Midnight Blizzard, otherwise known as Cozy Bear, culminated in the compromise of the email accounts of several Microsoft employees, including company leadership. The breach took place over a number of weeks starting late November 2023, with the attackers accessing corporate email accounts and extracting emails and attachments in an apparent effort to ascertain what information the company might have about Midnight Blizzard itself. This latest attack comes after Midnight Blizzard breached Hewlett Packard Enterprise’s cloud-based email environment last May. These attacks are believed to be part of an ongoing intelligence-gathering campaign by SVR/Midnight Blizzard.
In its initial disclosure of the attack, Microsoft described how Midnight Blizzard gained access to its environment via a legacy, non-production test account that the threat actor compromised via a password spray attack. The investigation revealed that the threat actors used a “vast number” of legitimate residential IP addresses to launch their password spray attacks against targeted accounts at Microsoft, which helped to hide their activity and evade detection.
The attackers then used that foothold to identify and compromise a legacy test OAuth application that had elevated access to Microsoft’s corporate environment. “The actor created additional malicious OAuth applications,” Microsoft said, noting that “they created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications.”
The adversary used the compromised legacy OAuth app to grant itself the Office 365 Exchange Online full_access_as_app role, which lets an application read every mailbox in the tenant. Because consent granted to an application persists independently of the account that granted it, this abuse of OAuth let the attackers keep their mailbox access even after losing access to the initially compromised account. According to Tal Skverer, research team lead at Astrix Security, the attackers likely leveraged malicious OAuth tokens because they knew their access to the compromised account would be short-lived. Skverer explains that the attackers created OAuth apps and consented to them in order to generate non-expiring OAuth access tokens.
In response to the attack, and to help organizations reduce the risk of OAuth app misuse, Microsoft’s guidance recommends auditing the privilege level of every identity, user and service alike, and paying particular attention to privileges held by unknown entities or by identities that are no longer in use. It also calls for auditing identities that hold the ApplicationImpersonation role in Exchange Online, since that role allows an application to impersonate a user and perform any operation that user could.
Microsoft also recommends anomaly detection policies to identify malicious OAuth apps, and Conditional Access App Control for users connecting from unmanaged devices. Lastly, the blog includes detailed guidance on what to look for in log data to detect malicious activity associated with Midnight Blizzard.
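To make the two log-hunting ideas above concrete, here is an added example, written for this page rather than taken from Microsoft’s guidance. It runs two detections over constructed sample records whose field names are assumptions loosely modelled on directory sign-in and audit logs, not a real export: a low-and-slow password spray (many accounts, many source IPs, only one or two failures per IP) and the OAuth chain from the breach narrative (a freshly created user granting a service principal the Exchange Online full_access_as_app role).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (field names are assumptions, not a real
# Entra ID export): eight single-attempt failures against eight different
# accounts from eight different addresses in one hour, one later success
# against a forgotten test account, and one account hammered from one IP.
SIGNIN_EVENTS = [
    {"time": f"2023-11-28T01:{i * 5:02d}:00", "user": f"user{i}@contoso.example",
     "ip": f"198.51.100.{i + 1}", "success": False}
    for i in range(8)
] + [
    {"time": "2023-11-28T01:45:00", "user": "test-legacy01@contoso.example",
     "ip": "198.51.100.20", "success": True},
] + [
    {"time": f"2023-11-28T03:{i:02d}:00", "user": "alice@contoso.example",
     "ip": "192.0.2.7", "success": False}
    for i in range(6)
]


def detect_password_spray(events, min_users=5, min_ips=5, max_per_ip=3):
    """Flag hourly windows where failures are spread thinly across many
    accounts and many source IPs: the residential-proxy spray pattern that
    per-account lockout thresholds are designed not to notice. A single
    account brute-forced from one IP does not match (it is a different alert)."""
    buckets = defaultdict(list)
    for e in events:
        if not e["success"]:
            hour = datetime.fromisoformat(e["time"]).replace(minute=0, second=0)
            buckets[hour].append(e)
    alerts = []
    for hour, fails in sorted(buckets.items()):
        targets = {e["user"] for e in fails}
        per_ip = Counter(e["ip"] for e in fails)
        if (len(targets) >= min_users and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_per_ip):
            alerts.append({"window_start": hour.isoformat(),
                           "targets": len(targets), "source_ips": len(per_ip)})
    return alerts


GRANT_OPERATIONS = {"Add app role assignment to service principal",
                    "Consent to application"}
# Application permissions that reach every mailbox in the tenant.
MAILBOX_WIDE = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite"}

# Constructed audit records mirroring the chain in the article: a fresh user
# is created from the sprayed test account, then used to consent a service
# principal to full_access_as_app. The final record is benign noise.
AUDIT_EVENTS = [
    {"time": "2023-11-30T10:00:00", "operation": "Add user",
     "actor": "test-legacy01@contoso.example",
     "target": "svc-consent@contoso.example", "permission": None},
    {"time": "2023-11-30T10:20:00", "operation": "Add service principal",
     "actor": "svc-consent@contoso.example", "target": "legacy-test-app",
     "permission": None},
    {"time": "2023-11-30T10:30:00",
     "operation": "Add app role assignment to service principal",
     "actor": "svc-consent@contoso.example", "target": "legacy-test-app",
     "permission": "full_access_as_app"},
    {"time": "2023-12-05T09:00:00",
     "operation": "Add app role assignment to service principal",
     "actor": "admin@contoso.example", "target": "hr-sync",
     "permission": "User.Read.All"},
]


def detect_oauth_abuse(events, new_account_days=7):
    """Flag grants of mailbox-wide application permissions, and add a second
    reason when the granting account was itself created only days earlier
    (an account minted purely to click 'consent')."""
    created = {e["target"]: datetime.fromisoformat(e["time"])
               for e in events if e["operation"] == "Add user"}
    alerts = []
    for e in events:
        if e["operation"] not in GRANT_OPERATIONS or e["permission"] not in MAILBOX_WIDE:
            continue
        when = datetime.fromisoformat(e["time"])
        reasons = [f"{e['permission']} granted to {e['target']}"]
        born = created.get(e["actor"])
        if born is not None and timedelta(0) <= when - born <= timedelta(days=new_account_days):
            reasons.append(f"granted by {e['actor']}, created {when - born} earlier")
        alerts.append({"time": e["time"], "app": e["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SIGNIN_EVENTS) + detect_oauth_abuse(AUDIT_EVENTS):
        print(alert)
```

The spray thresholds are deliberately low so the toy data trips them; in production they are tuned per tenant, and the useful signal is the ratio (many targets, few attempts per IP) rather than any raw count. The second detection keys on the permission being granted, not on who grants it, so a legitimate admin consenting to full_access_as_app still produces a review item.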
Posture management tools can also help organizations inventory all non-human identities (NHIs) in their environment and single out those that pose the highest risk. For example, such a tool can flag an unused OAuth application that still holds permission to impersonate every user when authenticating to Office 365 Exchange: a standing exposure that should be removed, and, if the dormant app suddenly starts being used, a likely sign of compromise.
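The audit Microsoft’s guidance describes (privileges held by unknown or no-longer-used identities, and anyone holding ApplicationImpersonation) and the NHI inventory just mentioned are the same exercise. The following is an added example, not code from Microsoft or from any posture product: it scores a constructed inventory of service principals, whose record shape is an assumption rather than the output of any Graph or Exchange cmdlet, so that a dormant, unowned app with tenant-wide mailbox access sorts to the top as a removal candidate.

```python
from datetime import datetime, timedelta

# Permissions that let one non-human identity act on every mailbox: the
# Exchange Online app role, the Graph application permissions, and the
# Exchange RBAC role the guidance singles out. Grouped here for scoring.
MAILBOX_WIDE = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite",
                "ApplicationImpersonation"}
UNUSED_AFTER = timedelta(days=90)
AS_OF = datetime(2024, 1, 25)  # constructed reference date for the report

# Constructed inventory. The record shape is an assumption for this example,
# not the output of any Microsoft Graph or Exchange Online cmdlet.
SERVICE_PRINCIPALS = [
    {"name": "legacy-test-app", "owners": [],
     "permissions": ["full_access_as_app", "ApplicationImpersonation"],
     "last_sign_in": "2023-06-02T00:00:00"},
    {"name": "old-migration-tool", "owners": ["bob@contoso.example"],
     "permissions": ["ApplicationImpersonation"], "last_sign_in": None},
    {"name": "mail-archiver", "owners": ["it-ops@contoso.example"],
     "permissions": ["Mail.Read"], "last_sign_in": "2024-01-20T03:00:00"},
    {"name": "hr-sync", "owners": ["platform@contoso.example"],
     "permissions": ["User.Read.All"], "last_sign_in": "2024-01-24T07:00:00"},
]


def assess(sp, now):
    """Score one identity. Mailbox-wide reach sets the severity; 'unused' and
    'unowned' are the two signals that nobody would notice it being abused."""
    score, reasons = 0, []
    wide = sorted(set(sp["permissions"]) & MAILBOX_WIDE)
    if wide:
        score += 3
        reasons.append("mailbox-wide access: " + ", ".join(wide))
    last = sp["last_sign_in"]
    if last is None:
        score += 2
        reasons.append("never signed in")
    elif now - datetime.fromisoformat(last) > UNUSED_AFTER:
        score += 2
        reasons.append(f"unused for {(now - datetime.fromisoformat(last)).days} days")
    if not sp["owners"]:
        score += 2
        reasons.append("no owner on record")
    return score, reasons


def risk_report(sps, now):
    """Inventory sorted worst-first. Mailbox-wide access combined with a
    dormancy or ownership signal is a removal candidate, not a review item."""
    rows = []
    for sp in sps:
        score, reasons = assess(sp, now)
        action = "remove or disable" if score >= 5 else ("review" if score else "ok")
        rows.append({"name": sp["name"], "score": score,
                     "action": action, "reasons": reasons})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in risk_report(SERVICE_PRINCIPALS, AS_OF):
        print(f"{row['score']:>2}  {row['action']:<18} {row['name']}: "
              + "; ".join(row["reasons"]))
```

Feeding this from a real tenant means joining three sources: service principals and their app role assignments, sign-in activity for those service principals, and the Exchange Online role assignments for ApplicationImpersonation. The scoring is intentionally simple; what matters is that "still used" and "has an owner who can vouch for it" are the only things that keep a mailbox-wide grant off the removal list.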
