Microsoft: Legacy account hacked by Russian APT had no MFA

Microsoft has begun notifying other organizations that have been targeted in recent attacks by Midnight Blizzard, a Russian nation-state actor also known as Cozy Bear and APT29.

Microsoft said the legacy test tenant account hacked by Russian nation-state threat actors this month did not have MFA enabled.

The company disclosed this information via a Thursday-night blog post titled "Midnight Blizzard: Guidance for responders on nation-state attack." Although the primary purpose of the post is to assist defenders, it also offers new insight into the attack disclosed by Microsoft last Friday.

A Russian state-affiliated threat actor known as Midnight Blizzard -- also tracked as Nobelium, Cozy Bear and APT29 -- breached Microsoft's corporate network via password spraying and accessed "a very small percentage of Microsoft corporate email accounts," including a number belonging to senior leadership. According to the initial disclosure, the account compromised was a legacy, non-production test tenant account that threat actors accessed starting in November 2023 before elevating privileges. Microsoft discovered the attack on Jan. 12.

Midnight Blizzard, which is associated with the Russian government's Foreign Intelligence Service, is widely known as the threat actor behind the infamous 2020 supply-chain attack against SolarWinds.

In this latest blog post, Microsoft clarified that the legacy test tenant account compromised by Midnight Blizzard "did not have multifactor authentication (MFA) enabled." But the company said a similar tenant today would not be as vulnerable.

"If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks," the post read.

TechTarget Editorial asked Microsoft why the legacy tenant did not have MFA enabled, but the company declined to comment.

In addition to the MFA detail, the post offered additional insights surrounding Midnight Blizzard's recent activity. Microsoft said Midnight Blizzard has also been targeting other organizations -- a notable piece of information given that HPE disclosed an attack attributed to the threat actor this week.

"Using the information gained from Microsoft's investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations," Microsoft said.

Regarding tactics and techniques, the tech giant said Midnight Blizzard tailored its password spraying "to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures." Moreover, the threat actor reduced visibility further by launching attacks from a "distributed residential proxy infrastructure."
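The detection problem in that paragraph is that a spray of this shape defeats both of the usual thresholds: each source IP touches only one or two accounts, and each account sees only one or two failures, so per-IP and per-account lockout rules never trip. The rule below, an added example and not code from Microsoft or from the article, aggregates across the whole tenant instead: it flags a window in which many distinct accounts each record a small number of bad-password failures from many distinct source IPs, and it reports any sprayed account that then signs in successfully from one of the spraying IPs. The sample records are constructed for the example, shaped like Entra ID sign-in log entries (userPrincipalName, ipAddress, createdDateTime, status.errorCode, where 50126 is the invalid-password code); the thresholds are illustrative assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample (made-up accounts and IPs, not data from the incident).
SAMPLE_SIGNINS = [
    # one or two guesses per account, spread across many source IPs
    _ev("2023-11-02T01:03:00Z", "alice@corp.example", "203.0.113.10", 50126),
    _ev("2023-11-02T01:41:00Z", "bob@corp.example", "198.51.100.7", 50126),
    _ev("2023-11-02T02:12:00Z", "carol@corp.example", "203.0.113.22", 50126),
    _ev("2023-11-02T02:50:00Z", "dave@corp.example", "192.0.2.45", 50126),
    _ev("2023-11-02T03:05:00Z", "erin@corp.example", "198.51.100.7", 50126),
    _ev("2023-11-02T03:33:00Z", "frank@corp.example", "192.0.2.91", 50126),
    _ev("2023-11-02T03:59:00Z", "grace@corp.example", "203.0.113.10", 50126),
    _ev("2023-11-02T04:20:00Z", "heidi@corp.example", "198.51.100.33", 50126),
    _ev("2023-11-02T04:44:00Z", "alice@corp.example", "192.0.2.45", 50126),
    _ev("2023-11-02T05:10:00Z", "legacy-test@corp.example", "203.0.113.22", 50126),
    # the guess that lands: a success from an IP already seen spraying
    _ev("2023-11-02T05:37:00Z", "legacy-test@corp.example", "198.51.100.33", 0),
    # benign noise: one user mistyping a password repeatedly from one IP
    _ev("2023-11-02T02:00:00Z", "oscar@corp.example", "10.1.1.5", 50126),
    _ev("2023-11-02T02:01:00Z", "oscar@corp.example", "10.1.1.5", 50126),
    _ev("2023-11-02T02:02:00Z", "oscar@corp.example", "10.1.1.5", 50126),
    _ev("2023-11-02T02:03:00Z", "oscar@corp.example", "10.1.1.5", 50126),
    _ev("2023-11-02T02:04:00Z", "oscar@corp.example", "10.1.1.5", 50126),
]


def _parse(ts):
    # datetime.fromisoformat only accepts a trailing "Z" from 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_low_and_slow_spray(events, window=timedelta(hours=6),
                              max_attempts=3, min_accounts=8, min_source_ips=4):
    """Return one alert per fixed time window that looks like a low-and-slow spray.

    Accounts with many failures in the window (a user fat-fingering a password)
    are excluded from the count rather than allowed to suppress the alert.
    """
    buckets = defaultdict(list)
    for ev in events:
        key = int(_parse(ev["createdDateTime"]).timestamp() // window.total_seconds())
        buckets[key].append(ev)

    alerts = []
    for key in sorted(buckets):
        evs = buckets[key]
        failures = defaultdict(lambda: defaultdict(int))  # upn -> ip -> failure count
        for ev in evs:
            if ev["status"]["errorCode"] == 50126:
                failures[ev["userPrincipalName"]][ev["ipAddress"]] += 1
        # accounts that saw only a few failures: the spray's footprint
        low = {upn: ips for upn, ips in failures.items()
               if sum(ips.values()) <= max_attempts}
        spray_ips = {ip for ips in low.values() for ip in ips}
        if len(low) < min_accounts or len(spray_ips) < min_source_ips:
            continue
        # a sprayed account that then succeeds from a spraying IP is the real signal
        compromised = sorted({ev["userPrincipalName"] for ev in evs
                              if ev["status"]["errorCode"] == 0
                              and ev["userPrincipalName"] in low
                              and ev["ipAddress"] in spray_ips})
        start = datetime.fromtimestamp(key * window.total_seconds(), tz=timezone.utc)
        alerts.append({"window_start": start.isoformat(),
                       "sprayed_accounts": sorted(low),
                       "source_ips": sorted(spray_ips),
                       "compromised_accounts": compromised})
    return alerts


if __name__ == "__main__":
    for alert in detect_low_and_slow_spray(SAMPLE_SIGNINS):
        print(alert)
```

On the sample this yields a single alert for the 00:00 to 06:00 window: nine sprayed accounts across six source IPs, oscar excluded as noise, and legacy-test reported as a probable compromise. With proxied residential IPs that rotate quickly, the IP list is useful for scoping the incident but not as a durable indicator, which is the point Microsoft makes about traditional IOCs below.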

Midnight Blizzard used the initial access "to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment." Microsoft noted that Midnight Blizzard is "adept" at identifying and abusing OAuth apps for lateral movement and post-compromise activity in victim networks.

"The actor created additional malicious OAuth applications," the blog post read. "They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes."

In last week's disclosure, Microsoft said the investigation into the breach indicated the threat actors were initially targeting email accounts looking for information related to Midnight Blizzard itself.

A familiar attack pattern

Microsoft has previously published research that warned of the dangers of OAuth abuse and the creation of malicious apps. For example, on Sept. 22, 2022, the company detailed an attack in which a threat actor deployed malicious OAuth applications on compromised cloud tenants and gained access to the target's Exchange Online service. Ironically, the attack mirrored Midnight Blizzard's breach of Microsoft itself.

"The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access," the blog post read. "The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server."

On Dec. 12, 2023, Microsoft reported similar activity from threat actors in financially motivated attacks that used credential stuffing "against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access."

Preventing OAuth app attacks

Microsoft said Midnight Blizzard's tactics make it challenging to identify the group's activity. "Due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of Midnight Blizzard activity," Microsoft said in the Thursday post.

However, the company offered guidance on defending against such attacks, including preventing OAuth app abuse. First, customers should audit the privilege level of all user and service principal identities in their tenants using Microsoft's Graph Data Connect authorization portal. Microsoft encouraged customers to closely examine privileges for unknown identities and apps with app-only permissions, which might have over-privileged access.

Microsoft also recommended auditing identities with ApplicationImpersonation privileges in Exchange Online, which lets a caller impersonate another user and perform the same tasks as that user. "If misconfigured, or not scoped appropriately, these identities can have broad access to all mailboxes in an environment," the company warned.

For detecting malicious OAuth apps created by attackers, Microsoft encouraged customers to use anomaly detection policies in Defender for Cloud Apps. Additionally, the app governance feature in Defender for Cloud Apps can identify sensitive administrative activities in Exchange Online.

Microsoft also warned that Midnight Blizzard has abused OAuth apps in the past against other organizations using the EWS.AccessAsUser.All Microsoft Graph API role. "Defenders should review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in your tenant," Microsoft said. "If they are no longer required, they should be removed."
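The audit Microsoft describes in the last three paragraphs comes down to two lookups per application: which app-only (application) permissions each service principal holds, and which delegated permissions have been granted to it tenant-wide. The script below is an added example, not Microsoft's tooling or the article's, and it runs on constructed sample data shaped like the Microsoft Graph objects a practitioner would export from GET /servicePrincipals (with their appRoles), GET /servicePrincipals/{id}/appRoleAssignments and GET /oauth2PermissionGrants. Every object id, role id and display name in the sample is made up; the permission names full_access_as_app and EWS.AccessAsUser.All are the ones the guidance names, and the extra Graph mailbox permissions in the list are an assumption about what else deserves the same scrutiny. An appRoleId that cannot be resolved against the resource's advertised roles is reported rather than silently skipped.

```python
from collections import defaultdict

# Permissions to flag: the two named in Microsoft's guidance, plus other
# mailbox-wide permissions worth the same review (a starting list, not exhaustive).
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app", "EWS.AccessAsUser.All",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
}

# Constructed sample; every id and name is made up for this example.
SERVICE_PRINCIPALS = [
    {"id": "res-exo", "displayName": "Office 365 Exchange Online", "appRoles": [
        {"id": "role-exo-full", "value": "full_access_as_app"},
        {"id": "role-exo-cal", "value": "Calendars.Read"},
    ]},
    {"id": "res-graph", "displayName": "Microsoft Graph", "appRoles": [
        {"id": "role-graph-mail-rw", "value": "Mail.ReadWrite"},
        {"id": "role-graph-user-read", "value": "User.Read.All"},
    ]},
    {"id": "sp-legacy-test", "displayName": "legacy-test-app", "appRoles": []},
    {"id": "sp-hr-sync", "displayName": "hr-directory-sync", "appRoles": []},
    {"id": "sp-new", "displayName": "Office Sync Helper", "appRoles": []},
]

# App-only (application) permissions held by client service principals.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-legacy-test", "resourceId": "res-exo", "appRoleId": "role-exo-full"},
    {"principalId": "sp-hr-sync", "resourceId": "res-graph", "appRoleId": "role-graph-user-read"},
    {"principalId": "sp-new", "resourceId": "res-graph", "appRoleId": "role-graph-mail-rw"},
    {"principalId": "sp-new", "resourceId": "res-exo", "appRoleId": "role-does-not-exist"},
]

# Delegated permissions; consentType AllPrincipals means admin consent for every user.
OAUTH2_PERMISSION_GRANTS = [
    {"clientId": "sp-legacy-test", "resourceId": "res-exo", "consentType": "AllPrincipals",
     "scope": "EWS.AccessAsUser.All Calendars.Read"},
    {"clientId": "sp-hr-sync", "resourceId": "res-graph", "consentType": "Principal",
     "scope": "User.Read"},
]


def audit_oauth_permissions(service_principals, app_role_assignments, grants,
                            high_risk=HIGH_RISK_PERMISSIONS):
    """Return one finding per high-risk permission held by any service principal."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    # (resource object id, appRoleId) -> permission value, e.g. full_access_as_app
    roles = {(sp["id"], r["id"]): r["value"]
             for sp in service_principals for r in sp.get("appRoles", [])}
    findings = []
    for a in app_role_assignments:
        value = roles.get((a["resourceId"], a["appRoleId"]))
        if value is None:
            # a role the resource no longer advertises is itself worth a look
            value = "<unresolved appRoleId %s>" % a["appRoleId"]
        elif value not in high_risk:
            continue
        findings.append({"principal": names.get(a["principalId"], a["principalId"]),
                         "resource": names.get(a["resourceId"], a["resourceId"]),
                         "permission": value, "type": "application", "consent": None})
    for g in grants:
        for scope in g["scope"].split():  # scope is a space-separated string
            if scope in high_risk:
                findings.append({"principal": names.get(g["clientId"], g["clientId"]),
                                 "resource": names.get(g["resourceId"], g["resourceId"]),
                                 "permission": scope, "type": "delegated",
                                 "consent": g["consentType"]})
    return findings


def by_principal(findings):
    """Group findings so each app appears once with everything it holds."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["principal"]].append(f["permission"])
    return {p: sorted(v) for p, v in grouped.items()}


if __name__ == "__main__":
    results = audit_oauth_permissions(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS,
                                      OAUTH2_PERMISSION_GRANTS)
    for principal, perms in by_principal(results).items():
        print(principal, perms)
```

On the sample, legacy-test-app surfaces with both full_access_as_app (application) and EWS.AccessAsUser.All (delegated, admin-consented for all users), which is exactly the combination the guidance says to question; Office Sync Helper surfaces for Mail.ReadWrite and for an assignment whose role id cannot be resolved, while hr-directory-sync with only User.Read.All and User.Read is not flagged. The ApplicationImpersonation check Microsoft also recommends is separate: that is an Exchange Online RBAC management role rather than a Graph app role, so it is reviewed in Exchange Online PowerShell with Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers, paying attention to whether each assignment is scoped or covers every mailbox.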

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston. Rob Wright is a longtime technology reporter who lives in the Boston area.
