Microsoft Exposes Russian-Linked 'Nobelium' Cybersecurity Breach: Executives' Emails Compromised


Microsoft has filed a Form 8-K with the SEC after its cloud-based email infrastructure was infiltrated by a persistent and malicious hacking group known as “Nobelium” or “Midnight Blizzard”, orchestrated by Russian intelligence. The targeted attack was detected by Microsoft’s security team on January 12, 2024, and triggered an immediate response process. A Form 8-K is a report of unscheduled material events, typically used to disclose matters such as acquisitions, bankruptcy, and data breaches.

The attack began in late November 2023, when the threat actor used a password spray attack to compromise a legacy, non-production test tenant account. Password spraying is a form of brute-force attack in which the attacker tries a large list of usernames against default passwords or, sometimes, automatically generated password guesses derived from the username and other known details. A breach of this kind is readily prevented by enforcing stronger passwords and enabling even basic two-factor authentication.
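As an added illustration of the detection side (example code written for this article, not Microsoft's telemetry or tooling), the following detector runs over constructed sign-in events and flags a source that fails against many distinct accounts with only a few attempts each, which is the spray pattern rather than a single-account brute force, and then lists any account that later authenticated successfully from that source. The event shape and the use of error code 50126 as the failed-credential marker are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in an Entra-ID-like shape; not real Microsoft telemetry.
# errorCode 50126 (invalid username or password) is assumed to mark a failed credential.
SAMPLE_LOG = """
{"time":"2023-11-20T02:00:01Z","user":"a.smith@contoso.test","ip":"203.0.113.10","errorCode":50126}
{"time":"2023-11-20T02:00:07Z","user":"b.jones@contoso.test","ip":"203.0.113.10","errorCode":50126}
{"time":"2023-11-20T02:00:13Z","user":"c.lee@contoso.test","ip":"203.0.113.10","errorCode":50126}
{"time":"2023-11-20T02:00:19Z","user":"legacy-test@contoso.test","ip":"203.0.113.10","errorCode":50126}
{"time":"2023-11-20T02:00:25Z","user":"d.kim@contoso.test","ip":"203.0.113.10","errorCode":50126}
{"time":"2023-11-20T02:00:40Z","user":"legacy-test@contoso.test","ip":"203.0.113.10","errorCode":0}
{"time":"2023-11-20T02:01:00Z","user":"e.wu@contoso.test","ip":"198.51.100.7","errorCode":50126}
{"time":"2023-11-20T02:01:05Z","user":"e.wu@contoso.test","ip":"198.51.100.7","errorCode":50126}
{"time":"2023-11-20T02:01:10Z","user":"e.wu@contoso.test","ip":"198.51.100.7","errorCode":50126}
"""

def parse_events(text):
    """Parse one JSON event per line and convert the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: sorted targeted users} for sources whose failures inside a sliding
    window hit many distinct accounts with few tries each. A single account hammered
    from one IP (classic brute force) does not meet the distinct-user threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["errorCode"] == 50126:
            failures[e["ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted(per_user)
    return alerts

def compromised_after_spray(events, alerts):
    """Accounts that signed in successfully from a source flagged as spraying; in the
    incident this was the legacy test tenant account that needed follow-up."""
    return sorted({e["user"] for e in events if e["ip"] in alerts and e["errorCode"] == 0})
```

Thresholds are tenant-specific; the point is that the distinct-account count per source, not the failure count per account, is the signal that separates a spray from ordinary lockout noise.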

This incident highlights a notable paradox: Microsoft, a company that champions two-factor authentication across its products, appears to have neglected to apply this safeguard to its own core internal infrastructure. Despite promoting stronger security practices externally, the breach underscores the vulnerability of Microsoft’s internal systems and raises questions about the consistency of its own security protocols.

The attacker then used the compromised test account to manipulate a legacy test OAuth application that held elevated access to the Microsoft corporate environment. They subsequently created additional malicious OAuth applications and a new user account, which they used to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications.

Through these manipulations, the attacker gained full access to multiple Office 365 Exchange Online mailboxes by leveraging malicious OAuth applications that held the full_access_as_app role. Midnight Blizzard then authenticated to Microsoft Exchange Online with those applications to target corporate email accounts, using distributed residential proxy infrastructure to reach the compromised tenant and Exchange Online while harvesting emails.

Although Microsoft states that the attack compromised “a very small percentage of Microsoft corporate email accounts”, it also notes that these included accounts belonging to the senior leadership team and to cybersecurity research teams. Microsoft assesses that the intent of the initial breach was to extract information about Midnight Blizzard itself, given that Microsoft has published extensive research on Midnight Blizzard and other nation-state-backed cyber-criminal groups associated with it.

Links: MSRC Blog (Microsoft Security Response Center)