Russian Cyber Espionage Hits Microsoft: Leadership Emails Exfiltrated in Breach
Microsoft has detailed a cybersecurity incident perpetrated by the Russian state-sponsored hacking group Midnight Blizzard (also tracked as APT29, Cloaked Ursa, Cozy Bear, Nobelium, or UAC-0029). Microsoft detected the incident on January 12, 2024, and promptly initiated its response process. The attack was traced back to late November 2023, when a password spray attack was aimed at a legacy non-production test tenant account. The attackers succeeded in compromising this account, which gave them initial access to Microsoft's environment. Subsequently, the threat actors accessed a subset of Microsoft's corporate email accounts, including those of senior leadership and of employees in departments such as cybersecurity and legal. These accounts contained sensitive information, and the attackers exfiltrated several emails and attached documents.
Microsoft has confirmed that the compromised test account did not have MFA enabled. Microsoft further reveals that, following the initial access, Midnight Blizzard proceeded to "identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes." (full_access_as_app is an Exchange Online application permission: an app granted it can read every mailbox in the tenant without any user signing in, which is why consent to unfamiliar applications and app role assignments to service principals deserve monitoring.) While Microsoft states that its investigation remains ongoing, the techniques currently known to have been used by Midnight Blizzard involve leveraging residential proxy networks, password spraying, and abusing OAuth applications to pivot to the Microsoft Exchange Online service and compromise email.
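The two techniques described in the preceding paragraphs, password spraying from a distributed source and OAuth application abuse ending in a full_access_as_app grant, are both visible in tenant sign-in and directory audit logs. The following is an added example of hunting logic for them, written for this page; it is not Microsoft's code or any of Microsoft's published hunting queries. It runs over constructed sample records whose field names (time, user, ip, result, activity, actor, target, role) only loosely mirror Entra ID sign-in and audit logs, and the thresholds are assumed tuning values. The spray check deliberately groups tenant-wide rather than per source IP, because a residential proxy network spreads the attempts over many addresses and defeats per-IP counting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for the hunt (not taken from Microsoft's guidance).
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5        # distinct accounts failing in one window
SPRAY_MAX_PER_ACCOUNT = 2     # "low and slow": at most this many tries per account
NEW_ACCOUNT_AGE = timedelta(days=7)

# Constructed sample sign-in records; every value is invented for this example.
SIGNINS = [
    {"time": "2023-11-20T02:00:00", "user": "alice@contoso.example", "ip": "198.51.100.11", "result": "failure"},
    {"time": "2023-11-20T02:02:00", "user": "bob@contoso.example", "ip": "198.51.100.12", "result": "failure"},
    {"time": "2023-11-20T02:04:00", "user": "carol@contoso.example", "ip": "198.51.100.13", "result": "failure"},
    {"time": "2023-11-20T02:06:00", "user": "dave@contoso.example", "ip": "198.51.100.14", "result": "failure"},
    {"time": "2023-11-20T02:08:00", "user": "erin@contoso.example", "ip": "198.51.100.15", "result": "failure"},
    {"time": "2023-11-20T02:10:00", "user": "frank@contoso.example", "ip": "198.51.100.16", "result": "failure"},
    # the guessed password works on a legacy test account and no MFA challenge follows
    {"time": "2023-11-20T02:12:00", "user": "svc-legacy-test@contoso.example", "ip": "198.51.100.17", "result": "success"},
    # benign noise hours later: one user mistyping a password three times
    {"time": "2023-11-20T09:00:00", "user": "bob@contoso.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2023-11-20T09:01:00", "user": "bob@contoso.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2023-11-20T09:02:00", "user": "bob@contoso.example", "ip": "203.0.113.7", "result": "failure"},
]

# Constructed sample directory audit records. Real Entra audit entries carry the
# app role inside "modified properties"; the flat "role" field is an assumption
# made to keep the example short.
AUDITS = [
    {"time": "2023-11-22T01:00:00", "activity": "Add user",
     "actor": "svc-legacy-test@contoso.example", "target": "consent-helper@contoso.example"},
    {"time": "2023-11-22T01:05:00", "activity": "Add application",
     "actor": "svc-legacy-test@contoso.example", "target": "ReportSync"},
    {"time": "2023-11-22T01:10:00", "activity": "Consent to application",
     "actor": "consent-helper@contoso.example", "target": "ReportSync"},
    {"time": "2023-11-22T01:20:00", "activity": "Add app role assignment to service principal",
     "actor": "LegacyTestApp", "target": "ReportSync", "role": "full_access_as_app"},
    # benign: a long-standing admin consenting to an unrelated app months earlier
    {"time": "2023-06-01T10:00:00", "activity": "Consent to application",
     "actor": "admin@contoso.example", "target": "TicketingPortal"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_password_sprays(signins):
    """Return windows in which failed sign-ins touch many distinct accounts with
    only a few attempts each. Grouping is tenant-wide, not per source IP, so a
    spray routed through many residential proxy addresses is still visible."""
    failures = sorted((r for r in signins if r["result"] == "failure"),
                      key=lambda r: parse_ts(r["time"]))
    hits = []
    i = 0
    while i < len(failures):
        start = parse_ts(failures[i]["time"])
        window = [r for r in failures[i:] if parse_ts(r["time"]) - start <= SPRAY_WINDOW]
        per_account = defaultdict(int)
        for r in window:
            per_account[r["user"]] += 1
        # Accounts probed only once or twice are the spray signature; a single
        # user failing repeatedly (a typo) does not count towards the threshold.
        low = [u for u, n in per_account.items() if n <= SPRAY_MAX_PER_ACCOUNT]
        if len(low) >= SPRAY_MIN_ACCOUNTS:
            hits.append({"start": failures[i]["time"],
                         "accounts": sorted(low),
                         "source_ips": sorted({r["ip"] for r in window})})
            i += len(window)      # records are sorted, so the window is contiguous
        else:
            i += 1
    return hits


def find_oauth_abuse(audits):
    """Flag (a) any grant of the Exchange Online full_access_as_app app role to a
    service principal and (b) application consent granted by an account that was
    created within NEW_ACCOUNT_AGE of the consent event."""
    created = {r["target"]: parse_ts(r["time"]) for r in audits if r["activity"] == "Add user"}
    findings = []
    for r in audits:
        if (r["activity"] == "Add app role assignment to service principal"
                and r.get("role") == "full_access_as_app"):
            findings.append(("mailbox_full_access_grant", r["target"], r["actor"]))
        if r["activity"] == "Consent to application":
            born = created.get(r["actor"])
            if born is not None and parse_ts(r["time"]) - born <= NEW_ACCOUNT_AGE:
                findings.append(("consent_by_new_account", r["target"], r["actor"]))
    return findings


if __name__ == "__main__":
    for hit in find_password_sprays(SIGNINS):
        print("password spray from", hit["start"], "against", hit["accounts"])
    for finding in find_oauth_abuse(AUDITS):
        print("oauth abuse:", finding)
```

On the sample data the spray check reports one window covering the six probed accounts and six distinct source addresses, and ignores the later burst of failures by a single user; the audit check reports the consent granted by the freshly created account and the full_access_as_app assignment, and ignores the older consent by the established admin. In a real tenant the same logic would be fed from the sign-in and audit log exports rather than inline lists, and the "Add user" lookup would need to span a longer retention period than a single export.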
Microsoft Threat Intelligence has identified that Midnight Blizzard has targeted other organizations as well and is actively notifying them. Midnight Blizzard's primary targets are noted to include government organizations, NGOs, software developers, and IT service providers in the U.S. and Europe. Separately, Hewlett Packard Enterprise (HPE) disclosed a breach of its cloud-based email environment, attributed to Midnight Blizzard and resulting in email theft, that had occurred earlier, in May 2023.