Cybersecurity vendors and executives criticized Microsoft on a variety of fronts over the breach it suffered earlier this month.
Microsoft on Jan. 19 disclosed a data breach it suffered when a Russian state-affiliated threat actor, tracked as Midnight Blizzard, used a password spray attack to compromise a legacy non-production test tenant account. The actor -- also known as Nobelium, Cozy Bear and APT29 -- then escalated privileges through malicious OAuth applications and accessed a number of Microsoft corporate email accounts, including some belonging to senior leadership. The actor first gained an initial foothold in November of last year.
Additionally, the tech giant last week said Midnight Blizzard likely compromised other organizations. HPE disclosed an attack it attributed to the threat actor last week. More importantly, Microsoft revealed that the test tenant account had no multifactor authentication enabled.
"If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks," the blog post disclosing this update read.
Tenable chairman and CEO Amit Yoran told TechTarget Editorial that MFA could have prevented the breach Microsoft suffered and that the company should be held to a higher standard due to its role in the security ecosystem.
"While it's true that Microsoft is often targeted because of its size and impact within IT infrastructure, we have seen a lot of successful attacks recently on their products and now on their company systems as well," Yoran said. "Breaches like the one disclosed last week, which involved password-spraying, can be prevented with multi-factor authentication, which apparently wasn't in place. Microsoft itself touts MFA as an important element to good cyber hygiene. And the fact of the matter is that their status in the security supply chain means they need to be held to a higher standard."
SentinelOne chief trust officer Alex Stamos published a blog post on LinkedIn last week in which he admonished Microsoft for downplaying and obscuring details surrounding the attack in its most recent blog post. Stamos said Microsoft "abused" the use of the term "legacy" to describe the test tenant account, as he said the tenant was "clearly configured to allow for production access as of a couple of weeks ago." He added that Microsoft was obligated to secure its legacy products just as well as more current ones.
Moreover, Stamos argued Microsoft was using its security flaws to upsell its own security products. In one of several examples, Microsoft said defenders could "detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection" despite the post being about an identity attack that Microsoft suffered.
"This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts," Stamos said. "It has become clear over the past few years that Microsoft's addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases."
Karan Sondhi, CTO of Trellix's public sector segment, similarly emphasized this focus on upselling in an email to TechTarget Editorial.
"Microsoft's focus on selling 'security monitoring' tools raises questions about why they aren't prioritizing the security of their infrastructure and products," he said. "Despite best practices like Zero Trust and 'secure by design,' recent incidents imply Microsoft isn't directing enough efforts toward implementing these principles internally and securing its internal infrastructure."
A Microsoft spokesperson shared the following statement with TechTarget Editorial.
Security is a team sport and success is achieved through industry cooperation and information sharing. We are committed to transparency, as we demonstrated by publicly disclosing this attack just days after we became aware, and then following up with the results of our ongoing investigation days later with more guidance to help our customers protect themselves from a similar attack. This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors. No organization is immune to these persistent attacks.
Ongoing troubles for Microsoft
Midnight Blizzard is perhaps best known for its infamous supply-chain attack against SolarWinds in 2020. The attack occurred when the actor injected malicious code into SolarWinds' Orion platform before the vendor unknowingly sent out poisoned software updates to its customers. Victims included U.S. government agencies as well as major companies such as Intel, Cisco and Microsoft.
Microsoft said that based on its investigation, one of Midnight Blizzard's goals in this latest attack was to find information related to the threat actor itself.
David Raissipour, chief technology and product officer at collaboration security vendor Mimecast, said that although no organization is immune to cyberattacks, "this particular breach occurred due to Microsoft's failure to standardize best practices across all systems and secure low priority accounts."
"As an organization with a mission to protect businesses and users, Microsoft must practice what it preaches: remaining extra vigilant in protecting their own company, so they can effectively enable the organizations they work with to stay secure," Raissipour said. "The event serves as an invaluable reminder to Microsoft and organizations of all sizes of the need for standardizing cyber practices and layering defenses across the network."
The Midnight Blizzard attack was particularly notable because Microsoft had published research last year warning of threat actors abusing OAuth applications within victims' networks. In a September blog post, the company detailed an attack in which a threat actor used credential stuffing against an organization's cloud tenant accounts that lacked MFA protection. The threat actor used the cloud tenant access to create malicious OAuth apps, which let the attacker infiltrate the victim's Exchange Online instance.
Microsoft's blog post urged customers to apply MFA and set conditional access policies to prevent further abuse. However, the Midnight Blizzard breach showed that the company fell short of its own recommendations for such threats.
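As an added example, not from the article, Microsoft or any of the quoted vendors, the following Python snippet runs a simple detector over constructed sign-in records. It flags the two conditions the article describes: a source address that fails sign-ins against many distinct accounts with only one or two attempts each (the password-spray shape, as opposed to brute force against a single account), and a subsequent successful sign-in from that same source where no MFA was used. The record layout, field values, account names and thresholds are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry from any tenant).
# Each record: (timestamp, source_ip, account, result, mfa_used)
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:01Z", "203.0.113.7", "alice@test.example", "failure", False),
    ("2023-11-20T02:00:04Z", "203.0.113.7", "bob@test.example", "failure", False),
    ("2023-11-20T02:00:09Z", "203.0.113.7", "carol@test.example", "failure", False),
    ("2023-11-20T02:00:15Z", "203.0.113.7", "dave@test.example", "failure", False),
    ("2023-11-20T02:00:21Z", "203.0.113.7", "erin@test.example", "failure", False),
    # One guess lands on an account that had no MFA enforced.
    ("2023-11-20T02:00:28Z", "203.0.113.7", "legacy-test@test.example", "success", False),
    # Ordinary user typo followed by an MFA-backed sign-in: should not be flagged.
    ("2023-11-20T08:15:00Z", "198.51.100.20", "alice@test.example", "failure", False),
    ("2023-11-20T08:15:30Z", "198.51.100.20", "alice@test.example", "success", True),
]


def detect_password_spray(records, min_accounts=5, max_attempts_per_account=2):
    """Return {source_ip: [accounts]} for sources whose failed sign-ins touch
    at least `min_accounts` distinct accounts with no more than
    `max_attempts_per_account` failures per account. That low-and-slow shape
    is what distinguishes a spray from a brute-force attempt on one account,
    which per-account lockout would already catch."""
    failures = defaultdict(lambda: defaultdict(int))
    for _ts, ip, account, result, _mfa in records:
        if result == "failure":
            failures[ip][account] += 1
    flagged = {}
    for ip, per_account in failures.items():
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_attempts_per_account):
            flagged[ip] = sorted(per_account)
    return flagged


def successes_without_mfa(records, spray_sources):
    """Successful sign-ins with no MFA from a source already flagged as
    spraying: the foothold that MFA on every account would have blocked."""
    return [(ip, account) for _ts, ip, account, result, mfa in records
            if result == "success" and not mfa and ip in spray_sources]


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_SIGNINS)
    for ip, accounts in sprays.items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts")
    for ip, account in successes_without_mfa(SAMPLE_SIGNINS, sprays):
        print(f"no-MFA success from spraying source {ip} on {account}")
```

The thresholds are deliberately loose so the pattern is visible on a handful of records; on real sign-in logs they would be tuned per tenant, and the second check is the one that matters most, since a spray that never succeeds is noise while a no-MFA success from a spraying source is an incident.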
Microsoft is no stranger to criticism regarding its security practices. Last year, a number of security industry professionals, including Yoran, shared frustrations with TechTarget Editorial regarding the tech giant's issues surrounding transparency, vulnerability patching, inconsistent communication practices and more. Perhaps in part to alleviate these years-long criticisms, Microsoft last fall launched the Secure Future Initiative to, according to a memo from Microsoft Security executive vice president Charlie Bell, "evolve how we do security."
However, in its initial disclosure of the Midnight Blizzard breach, Microsoft said "this incident has highlighted the urgent need to move even faster."
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told TechTarget Editorial during a call that this is the fourth breach against Microsoft since SolarWinds in late 2020. The two in-between were at the hands of the Lapsus$ hacker group in 2022 and more recently, the China-based threat actor Storm-0558 last summer. Because of this, he said, the Midnight Blizzard attack should be seen as part of a pattern rather than an unfortunate one-off incident.
"Microsoft has still been unable to figure out how to roll out multi-factor authentication into their own environment, and they're asking customers to trust them with their security," Meyers said. "If you can't implement basic security best practices across your environment, you don't stand a chance against teenagers, let alone the SVR [Russia's Foreign Intelligence Service] or the MSS [Ministry of State Security] in China."
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.