Corporate Email Accounts Penetrated and Data Exfiltrated
A January 19 article released by the Microsoft Security Response Center (MSRC) details an attack on Microsoft by the nation state actor Midnight Blizzard (a Russian state-sponsored actor also known as Nobelium). Microsoft says that the attack was an attempt by Midnight Blizzard to discover information Microsoft had about their activities. On discovering the attack, Microsoft moved to mitigate its effect and block further access. They said:
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”
What the Attack Might Have Been
Parsing this text, we find:
- The attackers used a password spray to compromise an account. This probably means that the compromised account didn’t use multifactor authentication (MFA), allowing the attackers to break into the account by guessing its password.
- The account belonged to a legacy non-production test tenant. This implies that the tenant was something like the free developer tenant made available by Microsoft for testing. During his TEC 2022 keynote, Microsoft VP for Identity Security Alex Weinert observed that many test tenants do not use MFA, even to protect administrator accounts. The overall percentage of MFA-protected administrator accounts was 34.15% then. I wonder what the percentage is now.
- The attacker used the account’s permissions. No detail is available as to what permissions the account had that could be exploited. Most permissions are boundary-limited to a tenant. Perhaps the account had the ability to run an app that had permissions for other tenants. This is certainly a possibility if the tenant supported development activities.
- The attacker gained access to a small number of Microsoft corporate email accounts, including those used by members of its senior leadership team (Satya Nadella direct reports). An app with consent to use Graph APIs to read Entra ID user account details in Microsoft’s corporate tenant could do this, and then if the app had permissions to access mailboxes, it could exfiltrate messages and attachments.
Curiously, the article then asserts:
“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
Given that the attacker managed to access corporate mailboxes, the assertion that no access was gained to production systems is odd unless Microsoft means that production systems are those used to deliver services like Azure and Microsoft 365. However, those corporate mailboxes are hosted by Microsoft’s own Microsoft 365 tenant, so the “no access to production systems” assertion doesn’t ring true.
Smells Like a Bad OAuth App
Although Microsoft has deliberately chosen not to reveal details about the attack, the supplied description exhibits the fingerprints of misuse of a multi-tenant OAuth app and underlines the need for Microsoft 365 tenants to check the assignment of high-priority app permissions regularly.
Update (January 25): A new MSRC post confirms that Midnight Blizzard used an OAuth App with the Office 365 Exchange Online “run as app” permission to access Microsoft corporate email accounts.
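To make the regular permission check concrete, here is an added example (not code from the article or from Microsoft) using the Microsoft Graph PowerShell SDK: it lists every app that holds an application (app-only) permission on the Office 365 Exchange Online resource, flags apps owned by another tenant, and highlights the full_access_as_app role, which is assumed here to be the "run as app" permission the update refers to. It assumes a signed-in account that can consent to Application.Read.All.

```powershell
# Added example: report app-only permissions granted on Exchange Online in this tenant.
# Assumes the Microsoft.Graph.Applications module and Application.Read.All consent.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$TenantId = (Get-MgContext).TenantId

# The Exchange Online resource service principal publishes the app roles (app-only
# permissions) that other apps can be granted, e.g. full_access_as_app ("run as app").
$Exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $Exo) { throw 'Office 365 Exchange Online service principal not found' }
$RoleById = @{}
foreach ($Role in $Exo.AppRoles) { $RoleById["$($Role.Id)"] = $Role }

# One appRoleAssignment per (app, permission) pair where Exchange Online is the resource
$Assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Exo.Id -All |
    Where-Object { $_.PrincipalType -eq 'ServicePrincipal' }

$Report = foreach ($A in $Assignments) {
    $Role = $RoleById["$($A.AppRoleId)"]
    # Look up the holder to see which tenant owns the app registration behind it
    $Sp = Get-MgServicePrincipal -ServicePrincipalId $A.PrincipalId
    $ForeignOwned = [bool]($Sp.AppOwnerOrganizationId -and
                           "$($Sp.AppOwnerOrganizationId)" -ne "$TenantId")
    [PSCustomObject]@{
        App          = $A.PrincipalDisplayName
        AppId        = $Sp.AppId
        Permission   = $Role.Value                      # e.g. full_access_as_app
        Granted      = $A.CreatedDateTime
        OwnerTenant  = $Sp.AppOwnerOrganizationId
        ForeignOwned = $ForeignOwned                    # multi-tenant app consented here
        MailboxWide  = ($Role.Value -eq 'full_access_as_app')
    }
}

# Mailbox-wide roles held by apps owned elsewhere are the rows to review first
$Report |
    Sort-Object -Property @{Expression = 'MailboxWide'; Descending = $true },
                          @{Expression = 'ForeignOwned'; Descending = $true }, Granted |
    Format-Table App, Permission, Granted, ForeignOwned, OwnerTenant -AutoSize
```

Any row with MailboxWide and ForeignOwned both true deserves a documented business justification or removal of the assignment, and the Granted timestamp helps spot consents that appeared outside a change window.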
Closing the Barn Door After the Attacker Departs
Microsoft says that they “will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.” I believe that their current security standards mandate the use of MFA, and this is likely to be the immediate quick fix.
Instructing administrators to enable MFA for all accounts in development tenants, preferably using an authenticator app or FIDO2 key instead of SMS challenge-response, could cause a little disruption for developers, but achieving protection against attacks like password sprays is worth it.