Risk & Repeat: Microsoft's Midnight Blizzard mess

It's been two months since Microsoft first disclosed the breach it suffered at the hands of a Russian nation-state threat actor, but a number of questions remain.

Microsoft on Jan. 19 said it had recently detected a password spraying attack against a test tenant account that began at least as early as November. The attack was conducted by Midnight Blizzard, also known as Cozy Bear and APT29, the threat actor that was previously responsible for the infamous 2020 supply chain attack against SolarWinds.

Security executives and vendors criticized Microsoft over its initial handling of this breach, specifically over the lack of MFA protection for the test tenant account, as well as for allegedly downplaying elements of the attack and seemingly using the disclosure blog as an opportunity to up-sell its own security products.

More details finally came on March 8, when Microsoft published a new blog post providing additional details surrounding Midnight Blizzard's threat activities. In the post, Microsoft said it found evidence that Midnight Blizzard gained access to the tech giant's source code repositories and internal systems. Moreover, the blog post revealed that the threat actor was attempting to use unspecified cryptographic secrets, some of which "were shared between customers and Microsoft in email."

Although the blog post provided new information, a number of questions remain unanswered. What source code was accessed? Have any customers been compromised as a result of this breach? And is the March 8 disclosure considered part of the initial breach or a separate one altogether?

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the Midnight Blizzard attack against Microsoft and the tech giant's response.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.