How ITDR Could Have Helped Microsoft in the Midnight Blizzard Hack

Identity-based attacks are on the rise, but they can be prevented with the right identity threat detection and response (ITDR) measures. 

As winter crept in last year, so did identity threat actors. Microsoft revealed in January that the Russia-backed group Midnight Blizzard (aka Nobelium) had compromised senior-level email accounts and stolen sensitive information in a password-spraying attack dating back to November 2023. 

Thought to be affiliated with the Russian Foreign Intelligence Service, Midnight Blizzard performs espionage attacks on targets across the US and Europe. The group is perhaps best known for the SolarWinds hack in 2020 – a massive supply chain breach that affected thousands of organizations, including the US government. 

Midnight Blizzard’s latest attack on Microsoft was sophisticated but easily preventable. A protective layer of identity threat detection and response (ITDR) measures would have stopped the group from gaining a foothold in Microsoft’s corporate environment. In this blog, we’ll look at how. 

How It Happened

In late November 2023, Midnight Blizzard used a password-spraying attack to compromise an old Microsoft test account that didn’t have multifactor authentication (MFA) enabled. To avoid being detected or locked out of the system, the group used residential proxy networks to masquerade as legitimate users. It focused its attack on a small number of accounts. 

With a foothold in the system, Midnight Blizzard took over a legacy test OAuth application connected to Microsoft’s corporate environment and created more OAuth applications. It leveraged the privileges that came with these to grant itself the Microsoft 365 Exchange Online full_access_as_app role, which provided access to the entire 365 stack. In what Microsoft says was a bid to find information about Midnight Blizzard itself, the group then stole data, such as documents and emails, from senior-level accounts. 

How It Was Discovered

“The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024,” Microsoft disclosed in an 8-K filing, “and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access.” 

The breach, which Microsoft detected in log data when reviewing Exchange Web Services, apparently didn’t affect customer environments, production systems, source code, or AI systems and was solely identity-based – Midnight Blizzard didn’t exploit any vulnerabilities in the company’s system. 

The attack flow, in brief:

  • November 2023 – initial access: Password-spraying attack
  • Privilege escalation: Abuse and duplication of OAuth applications
  • Data exfiltration: Theft of information from senior-level email accounts
  • Covering tracks: Use of residential proxy infrastructure and a precise, low-volume password-spraying attack
  • January 12, 2024 – mitigation: Detection via Exchange Web Services activity and denial of further access 

Gaps in Identity Security 

Password spraying is the equivalent of throwing spaghetti at the wall and seeing what sticks. Attackers take a set of common passwords, which are often stolen and sold on the dark web, and use them on a large number of accounts. “Spraying” passwords in this way is heavy-handed, but if just one works, that’s all the attackers need – they’ve gained access. 

Legacy accounts and applications are common attack surfaces. They often lack the latest security controls, as well as an active user who can monitor failed login attempts and verify suspicious activity. Without MFA, proper monitoring, or basic hygiene in place, and possibly holding unnecessary access privileges, Microsoft’s test tenant was particularly susceptible to password spraying. Midnight Blizzard likely knew this – it focused the attack on only a small number of accounts.

6 Key Lessons Learned 

Microsoft is lucky that Midnight Blizzard didn’t abuse its access privileges more aggressively within the 365 stack – it certainly had the chance to do so. When business-critical identities are left unsecured across cloud infrastructure, SaaS apps, and identity providers like this, they can give threat actors catastrophic levels of access. 

Basic identity protections shouldn’t be used as a crutch. It’s clear from this incident and the recent uptick in identity-based attacks (including the 2023 Okta breaches) that organizations must equip their identity and access management (IAM) providers with an extra layer of protection – ITDR. The right ITDR solution is essential for strengthening weak authentication controls before attackers can exploit them, and for shutting down threats when they do. 

Here are 6 recommendations to consider:

#1 – Protect legacy and old accounts, which may become the Wild West for attackers. Ensure that everything your user identities can access and everything that can access their management systems is monitored, properly configured, and protected, as it may hide other keys to the “real kingdom” or at least trick your user identities into providing access. Conduct routine audits to verify that apps, especially those utilized for testing or those no longer in use, do not possess excessive privileges.

#2 – Prevent non-privileged users from initiating new OAuth app registrations. Require all OAuth app registrations to be initiated by authorized users through an approved process. 

#3 – Implement strong MFA, but acknowledge that it is not enough on its own: monitoring, detection, and response routines must still be performed. Following the attack, Microsoft admitted its mistake: “If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure [MFA], and our active protections are enabled to comply with current policies and guidance.”

Microsoft’s test tenant was initially compromised because it didn’t have MFA enabled. Additionally, the company failed to monitor its identities properly, leaving a gaping hole in its defenses. ITDR solutions can remove this attack surface by ensuring users have strong passwords and by integrating with MFA for a solid identity security base. You can also get stronger phishing-resistant authenticators for highly sensitive assets. 

#4 – Think outside the (in)box. Communication channels like email inboxes are stepping stones for attackers to move laterally and escalate their access privileges. Though Microsoft hasn’t said what permissions its legacy account had that gave Midnight Blizzard a foothold, we know that they led directly to the heart of its corporate environment. Consider the blast radius of an attack. ITDR solutions can offer a clearer view of where your privileges lead and help you protect them with password policies, lockout procedures, and session lifetime limits for admin roles.

#5 – Close the gaps quickly. If attackers gain a foothold in IAM infrastructure using a trusted identity, it’s vital to shut them out as quickly as possible to prevent them from escalating their privileges, moving laterally between one sub-identity and another, or escalating via management hacks. The key here is to quickly contain the attack by reducing every excessive access, prioritizing the mitigation of misconfiguration around the compromised identity, and hardening the authentication and authorization controls. ITDR solutions can spot the gaps in your post-authentication controls and identify opportunities, such as least-privileged access and stricter trust relations, to make it more difficult for attackers to move freely in your system.

#6 – Stay vigilant. It’s good practice to constantly monitor unusual activity and devise an action plan for a potential attack. ITDR solutions continuously monitor user and entity behavior. Identity analytics powered by machine learning can automatically analyze correlations, track suspicious behavior, prioritize threats by risk, generate proactive alerts, and shut down compromised identities in real time. 

How Rezonate Identity Threat Detection and Response (ITDR) Can Help

In situations similar to the Microsoft breach, Rezonate would have been able to spot and automatically fix misconfigured identity authentication controls prior to the breach by proactively monitoring MFA activity, passwords, session controls, trust relations, etc. 

But when the breach occurred, Rezonate’s identity threat detection and response would kick in based on many of the activities performed by the adversary, including but not limited to: 

1. Anomalous login attempts, followed by successful login from a suspicious context.
2. Creation or modification of Service Principals and creation of new credentials for them.
3. Spike in delegation attempts to users’ inboxes.
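Detection logic for the first two signals above, as an added example that is not Rezonate’s product code: it runs over constructed sign-in and directory-audit events (simplified shapes, not Microsoft’s log schema) and flags the low-volume spray, the successful login from the spray source, and the service-principal credential and full_access_as_app changes that followed it.

```python
from collections import defaultdict

# Constructed sample sign-ins: one residential-proxy IP tries each account
# once (never tripping per-account lockout), then succeeds on the legacy account.
SIGNINS = [
    {"user": "test-legacy@corp.example", "ip": "203.0.113.7", "ok": False},
    {"user": "alice@corp.example", "ip": "203.0.113.7", "ok": False},
    {"user": "bob@corp.example", "ip": "203.0.113.7", "ok": False},
    {"user": "carol@corp.example", "ip": "203.0.113.7", "ok": False},
    {"user": "test-legacy@corp.example", "ip": "203.0.113.7", "ok": True},
    {"user": "alice@corp.example", "ip": "198.51.100.4", "ok": True},  # normal login
]

# Constructed audit events mirroring the OAuth-app abuse described in the post.
AUDITS = [
    {"op": "Add service principal credentials",
     "actor": "test-legacy@corp.example", "target": "legacy-test-app"},
    {"op": "Add app role assignment to service principal",
     "actor": "legacy-test-app", "role": "full_access_as_app"},
    {"op": "Update user", "actor": "alice@corp.example"},
]

def spray_sources(events, min_accounts=3, max_per_account=2):
    """IPs that fail against many distinct accounts with few tries each:
    the low-and-slow pattern that per-account lockout thresholds miss."""
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            fails[e["ip"]][e["user"]] += 1
    return {ip for ip, per_user in fails.items()
            if len(per_user) >= min_accounts
            and max(per_user.values()) <= max_per_account}

def compromised_logins(events):
    """Successful sign-ins from an IP already flagged as a spray source."""
    sources = spray_sources(events)
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in sources]

def risky_app_changes(audits, suspect_actors, sensitive_roles=("full_access_as_app",)):
    """Credentials added to a service principal by a suspect identity, plus any
    grant of a tenant-wide app role, regardless of who performed it."""
    findings = []
    for a in audits:
        if a["op"] == "Add service principal credentials" and a["actor"] in suspect_actors:
            findings.append(("credential-added-by-suspect", a["target"]))
        elif a["op"] == "Add app role assignment to service principal" \
                and a.get("role") in sensitive_roles:
            findings.append(("sensitive-app-role-granted", a["role"]))
    return findings

if __name__ == "__main__":
    suspects = {user for user, _ in compromised_logins(SIGNINS)}
    print(spray_sources(SIGNINS), suspects, risky_app_changes(AUDITS, suspects))
```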

Read about the techniques the adversary utilized in more detail, in our blog post, Threat Hunting Guide for Azure Active Directory.

While monitoring and working on automatic or manual responses based on an understanding of the compromised identities, Rezonate could automatically harden the other identities’ access paths and add re-authentication and re-authorization steps that would have stopped the attackers, or delayed them until full remediation was complete. 

Protect Your Most Vulnerable Assets with ITDR

Identities are now our most vulnerable asset. And as we’ve seen with Microsoft, attackers only need to find one crack in your identity infrastructure to inflict serious damage. That’s why protecting your identity fabric with a protective layer of continuous, context-aware identity threat detection measures is so important. The right ITDR solution can provide an intelligent, orchestrated response to incidents across cloud, SaaS, and identity provider applications to prevent identity-based attacks like the one Microsoft suffered.

To learn more about Rezonate’s approach to identity threat detection and response, request a demo.

Rezonate was recognized as a 2023 Gartner® Cool Vendor™ in Identity-First Security.