Microsoft has revealed that Russian state-sponsored threat actors successfully breached its corporate email system, stealing sensitive email attachments and messages from the senior leadership team.
This was not a sophisticated attack based on zero days or vulnerability exploits. The attackers leveraged simple cloud misconfigurations and poor password management practices to breach the company.
All companies are at risk of suffering the same fate. Microsoft even warned that “the same actor has been targeting other organizations.” This highlights the need for security teams to learn from Microsoft’s mistakes.
Who was behind the Microsoft breach?
The group responsible, Midnight Blizzard, began their offense with a straightforward attack method known as “password spraying.” Password spraying targets multiple user accounts with a handful of common passwords like ‘qwerty’ and ‘12345’. It exploits the human tendency to choose ease (such as reusing passwords) over security.
The password spraying attack was successful, allowing the group to gain access to a non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
Midnight Blizzard leveraged this foothold to create new malicious OAuth applications and compromise a legacy OAuth application with elevated privileges.
The attackers then escalated the legacy application’s access by granting full authorization to Office 365 Exchange Online mailboxes through OAuth. This was achieved by providing consent to the malicious OAuth applications using a newly established user account.
With this access, the threat actor could infiltrate the Microsoft email accounts of senior staff members and extract sensitive data.
The attack began in November 2023 and was discovered by Microsoft in January 2024. This means the attackers had access to internal Microsoft accounts for two months without being detected.
How security teams safeguard against password spray attacks?
This incident serves as a stark reminder of the importance of bolstering cloud application security. A lack of multi-factor authentication allowed the attackers to breach Microsoft’s systems. Beyond that, Microsoft did not have a zero trust architecture in place to detect the breached accounts.
To avoid a similar attack in your organization, here are the steps to take:
Implement multi-factor authentication (MFA)
Ensure your organization has multi-factor authentication (MFA) implemented. MFA is a primary defense against unauthorized access, serving as a robust deterrent against password spray attacks.
Audit user accounts
Conduct routine audits to identify and deactivate unused accounts. Restrict account access to a need-to-know basis, using the principle of least privilege.
Strengthen test environment security
Apply the same level of security scrutiny to test accounts and sandboxes as you do to production accounts.
Embrace a zero-trust architecture
Adopt a zero-trust architecture by segmenting networks into smaller perimeters. Utilize identity validation technology and restrict access to network resources. This limits the risks of unauthorized access to sensitive data in the event of a breach.
Invest in data-centric security tools
Deploy cloud data loss prevention (DLP) to ensure users access information based on context, not just their role. This mitigates the risks associated with compromised accounts, offering protection even if threat actors bypass multi-factor authentication.
