Microsoft Provides Defence Guidance After Nation-State Compromise


Microsoft has published further details for responders on the Russian nation-state attack that compromised its systems earlier in January. Alongside this announcement, the company has issued guidance for customers on how to defend against this ongoing threat.

On January 12, 2024, Microsoft detected malicious activity on its network by “Midnight Blizzard” (aka Nobelium, APT29, Cozy Bear), a Russian state-sponsored group that specialises in espionage and intelligence-gathering operations.

How access was originally gained

Initial access was achieved by compromising a legacy, non-production test tenant account through password spray attacks. The group then used the account’s permissions to access the email accounts of some of Microsoft’s senior leadership team. This raises questions about Microsoft’s enterprise cyber security (ECS) and existing identity management (IDM) protocols and procedures.

At the time of the attack, the test tenant account did not have multi-factor authentication (MFA) enabled, the tech giant admitted. The admission shocked and astounded many in equal measure, as surely such a measure is a given for a company of this size?

How “Midnight Blizzard” Concealed the Attack

Microsoft’s latest post revealed that “Midnight Blizzard” used residential proxy networks to launch its password spray attacks. Routing the traffic through a vast number of IP addresses that are also used by legitimate users helped, in Microsoft’s words, “ensure the actor obfuscated their activity and could persist the attack over time, until proven successful.”

Microsoft noted that threat actors like “Midnight Blizzard” often use OAuth (open authorisation) applications to help hide their malicious activity. In this case, the group leveraged its initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.

The cyber-attackers then created a new user account and used it to grant consent to additional malicious OAuth applications they had also previously created. This enabled them to use the legacy test OAuth application to grant themselves the Office 365 Exchange Online full_access_as_app role, providing access to countless mailboxes. This would become one of the largest-scale cyber security breaches the company had experienced.

How to Defend Against this Nation-State Attack

Microsoft advised a range of actions customers should take to reduce the risk of being hit by this type of attack:

  • Identify malicious OAuth applications

Identify all current highly privileged identities in your tenant, and scrutinise in particular privileges held by an unknown identity or by an identity no longer in use. Defenders can also identify malicious OAuth apps using anomaly detection policies, and should implement conditional access app control for users connecting from unmanaged devices.

  • Protect against password spray attacks

Recommended actions include eliminating insecure passwords, implementing MFA (multi-factor authentication), and educating all employees to review sign-in activity and report suspicious sign-in attempts. Once suspicious activity has been suspected or identified, a full reset of all vulnerable account passwords must follow to prevent further password spray attacks.
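One way to implement the sign-in review this guidance asks for, written here as an added example and not taken from Microsoft or Entra: a small Python detector that runs over sign-in records, separates a spray (many accounts, one or two failures each, spread across many source addresses) from a single user mistyping a password, and then flags any sprayed account that went on to authenticate without MFA, which is the case that needs an immediate reset. The event shape and every sample event are constructed.

```python
"""Password spray detection over sign-in records.

Added example, not Microsoft's code. The events below are constructed and
use a simplified sign-in shape (timestamp, user, source IP, success flag,
MFA flag); real Entra sign-in logs carry more fields but the logic is the
same.
"""
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 12, 3, 0, 0)


def ev(offset_s, user, ip, ok, mfa=True):
    """Build one constructed sign-in event `offset_s` seconds after BASE."""
    return {"ts": BASE + timedelta(seconds=offset_s), "user": user,
            "ip": ip, "ok": ok, "mfa": mfa}


# Constructed data: 13 accounts each see one failure within five minutes,
# spread over ten source IPs (the residential-proxy pattern: many IPs, few
# attempts per account). "alice" mistypes her password three times and then
# succeeds with MFA; the legacy test account, which has no MFA, later accepts
# a password from one of the proxy addresses.
SPRAY_USERS = [f"user{n:02d}@corp.example" for n in range(1, 13)] + ["legacy-test@corp.example"]
PROXY_IPS = [f"198.51.100.{n}" for n in range(1, 11)]
SIGN_INS = (
    [ev(k * 20, u, PROXY_IPS[k % len(PROXY_IPS)], False) for k, u in enumerate(SPRAY_USERS)]
    + [ev(100, "alice@corp.example", "192.0.2.7", False),
       ev(130, "alice@corp.example", "192.0.2.7", False),
       ev(160, "alice@corp.example", "192.0.2.7", False),
       ev(200, "alice@corp.example", "192.0.2.7", True)]
    + [ev(600, "legacy-test@corp.example", "198.51.100.3", True, mfa=False),
       ev(3600, "bob@corp.example", "192.0.2.8", True)]
)


def detect_password_spray(events, window=timedelta(minutes=15), min_users=10, max_per_user=2):
    """Return findings: spray windows, plus accounts from a sprayed set that
    later signed in successfully without MFA.

    A spray is many distinct accounts failing with few attempts each. One
    user mistyping a password repeatedly is not a spray, so accounts with
    more than max_per_user failures are left out of the targeted count.
    """
    failures = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    successes = [e for e in events if e["ok"]]
    findings = []
    i = 0
    while i < len(failures):
        start = failures[i]["ts"]
        j = i
        while j < len(failures) and failures[j]["ts"] < start + window:
            j += 1
        batch = failures[i:j]
        per_user = Counter(e["user"] for e in batch)
        targeted = {u for u, n in per_user.items() if n <= max_per_user}
        if len(targeted) >= min_users:
            findings.append({
                "type": "password_spray", "start": start,
                "targeted_users": len(targeted),
                "source_ips": len({e["ip"] for e in batch}),
            })
            # A sprayed account that then authenticates without MFA is the
            # case that needs an immediate password reset and investigation.
            for s in successes:
                if s["user"] in targeted and s["ts"] >= start and not s["mfa"]:
                    findings.append({"type": "no_mfa_success_after_spray",
                                     "user": s["user"], "ip": s["ip"], "ts": s["ts"]})
            i = j
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SIGN_INS):
        print(finding)
```

Thresholds are the knobs to tune: a window of fifteen minutes with ten low-attempt accounts catches a slow spray from many proxies, while the per-user cap keeps a forgotten-password morning from raising an alert.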

  • Enable identity alerts and protection

Microsoft Entra ID Protection provides various detections to help users identify threat activity associated with the “Midnight Blizzard” attack. These include unfamiliar sign-in properties, password spray attacks and suspicious sign-ins.

  • Identify and investigate suspicious OAuth activity immediately

Several follow-on activities can indicate that a threat actor has used OAuth applications in their attack. These include an app with application-only permissions accessing numerous emails, an increase in app API calls to the Exchange Web Services API after a credential update, and a suspicious user creating an OAuth app that accessed mailbox items.
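The privileged-identity review from the first recommendation and the three follow-on indicators just listed can all be expressed as checks over an app-role inventory and an audit trail. The Python below is an added example, not Microsoft's or Entra's own tooling: the inventory, the audit events and their field names are constructed stand-ins for what Entra audit logs and Exchange mailbox audit logs record, and the list of high-risk roles is an assumption to tailor to the tenant (only full_access_as_app comes from the article).

```python
"""Detection checks for suspicious OAuth application activity.

Added example, not Microsoft's code. The app-role inventory, the audit
trail and their field names are constructed stand-ins for what Entra audit
logs and Exchange mailbox audit logs record.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 20)


def at(days, hours=0):
    """Timestamp `days` days and `hours` hours before NOW (constructed-data helper)."""
    return NOW - timedelta(days=days, hours=hours)


# Constructed inventory: which service principals hold which application
# permissions, who owns them and when they last authenticated.
APP_ROLES = [
    {"app": "LegacyTestApp", "role": "full_access_as_app", "owner": None, "last_used": at(200)},
    {"app": "MailArchiver", "role": "full_access_as_app", "owner": "it-ops", "last_used": at(1)},
    {"app": "HRSync", "role": "User.Read.All", "owner": "hr-platform", "last_used": at(2)},
]
# Assumed set of roles worth scrutinising; only full_access_as_app is named in the article.
HIGH_RISK_ROLES = {"full_access_as_app", "Mail.ReadWrite", "Directory.ReadWrite.All"}

# Constructed audit trail. Event kinds: app_created (a user registers an app),
# credential_added (a secret or certificate is added to an app), mail_read
# (an app reads a mailbox item; app_only=True means application permissions,
# no signed-in user) and ews_call (one Exchange Web Services request).
AUDIT = (
    [{"kind": "app_created", "ts": at(3), "actor": "svc-new@corp.example", "app": "BackupHelper"},
     {"kind": "credential_added", "ts": at(2), "actor": "svc-new@corp.example", "app": "LegacyTestApp"}]
    + [{"kind": "mail_read", "ts": at(1, 5), "app": "BackupHelper", "app_only": True,
        "mailbox": f"exec{n:02d}@corp.example"} for n in range(25)]
    + [{"kind": "mail_read", "ts": at(1), "app": "MailArchiver", "app_only": True,
        "mailbox": "shared@corp.example"}]
    # LegacyTestApp: four EWS calls in the day before its credential update ...
    + [{"kind": "ews_call", "ts": at(2, h), "app": "LegacyTestApp"} for h in (1, 7, 13, 19)]
    # ... and 240 in the day after it.
    + [{"kind": "ews_call", "ts": at(1, h), "app": "LegacyTestApp"} for h in range(1, 25) for _ in range(10)]
)


def stale_privileged_apps(roles, stale_days=90):
    """High-risk app roles held by an app with no known owner or not used in
    `stale_days`: the identities the guidance says to scrutinise first."""
    out = []
    for r in roles:
        if r["role"] not in HIGH_RISK_ROLES:
            continue
        reasons = []
        if r["owner"] is None:
            reasons.append("no owner")
        if NOW - r["last_used"] > timedelta(days=stale_days):
            reasons.append("unused")
        if reasons:
            out.append((r["app"], r["role"], reasons))
    return out


def apps_reading_many_mailboxes(audit, min_mailboxes=10):
    """Apps using application-only permissions to read across many mailboxes."""
    boxes = defaultdict(set)
    for e in audit:
        if e["kind"] == "mail_read" and e["app_only"]:
            boxes[e["app"]].add(e["mailbox"])
    return {app: len(b) for app, b in boxes.items() if len(b) >= min_mailboxes}


def ews_spike_after_credential_update(audit, span=timedelta(days=1), factor=5):
    """Apps whose EWS call count in the `span` after a credential update is
    more than `factor` times the count in the `span` before it."""
    calls = defaultdict(list)
    for e in audit:
        if e["kind"] == "ews_call":
            calls[e["app"]].append(e["ts"])
    flagged = {}
    for e in audit:
        if e["kind"] != "credential_added":
            continue
        ts = calls[e["app"]]
        before = sum(1 for t in ts if e["ts"] - span <= t < e["ts"])
        after = sum(1 for t in ts if e["ts"] <= t < e["ts"] + span)
        if after > factor * max(before, 1):
            flagged[e["app"]] = (before, after)
    return flagged


def user_created_app_that_read_mail(audit):
    """Users who registered an app that went on to read mailbox items."""
    creators = {e["app"]: e["actor"] for e in audit if e["kind"] == "app_created"}
    readers = {e["app"] for e in audit if e["kind"] == "mail_read"}
    return {app: actor for app, actor in creators.items() if app in readers}


if __name__ == "__main__":
    print("stale privileged apps:", stale_privileged_apps(APP_ROLES))
    print("broad app-only mail readers:", apps_reading_many_mailboxes(AUDIT))
    print("EWS spikes after credential update:", ews_spike_after_credential_update(AUDIT))
    print("creator of app that read mail:", user_created_app_that_read_mail(AUDIT))
```

Each check is deliberately independent so that a single hit (an ownerless app holding full_access_as_app, say) is already a review item; when the same app appears in two or three of the outputs, as LegacyTestApp and BackupHelper do in the constructed data, the combination is the pattern the article describes.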

  • Prioritise education of users

Investment in identity management through attending IDM events and conferences will provide first-hand education and experience for all users. This training is essential in preventing future cyber-security threats. Similarly, leaders who prioritise enterprise cyber security (ECS) through dedicated cyber security events and conferences equip their teams with the most recent knowledge and training, enabling early detection rather than crisis-managing a cyber-attack once it has occurred.

Microsoft added that its investigation into the incident is ongoing and will provide more thorough details as appropriate.

IT firm HPE said in a regulatory filing on January 19 that it believes “Midnight Blizzard” was behind a breach of its cloud-based email environment back in May 2023. That attack enabled the hackers to access HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments, and other functions.

The two attacks are both stark examples of the sophistication and discretion with which the cyber-criminals infiltrate even the world’s giants. Both instances highlight the growing need for effective IDM and ECS training worldwide.