TLDR:
Microsoft has released guidance for organizations on defending against persistent nation-state intrusions like the one it disclosed days earlier in its own corporate email system. The guidance centers on threat actors abusing malicious OAuth applications to hide their activity and to keep access to applications even after the initial foothold (a compromised password) is closed. The Midnight Blizzard intrusion at Microsoft targeted email accounts to learn what the company knew about the group itself; corporate mailboxes were compromised and emails and document attachments were exfiltrated. Midnight Blizzard also breached Hewlett Packard Enterprise's cloud-based email environment, with access believed to have begun in May 2023. Microsoft's recommendations include auditing privilege levels for all identities, using anomaly detection policies to identify malicious OAuth apps, and considering Conditional Access App Control for users connecting from unmanaged devices.
In a recently disclosed intrusion, the threat group Midnight Blizzard (also tracked as Nobelium and APT29, which Microsoft attributes to Russia's Foreign Intelligence Service, the SVR) infiltrated Microsoft's corporate email system and maintained access for several weeks: the activity began in late November 2023 and was detected on January 12, 2024. The stated purpose was intelligence gathering on Microsoft itself, in particular what the company's security and legal teams knew about the group, and potentially on other targets.
Initial access came through a password spray against a legacy, non-production test tenant account, which did not have multifactor authentication enabled. The attempts were routed through residential proxy infrastructure, so each guess arrived from a different, benign-looking IP address, and the low volume per account kept the spray under lockout and per-IP rate thresholds. From that foothold the attackers found a legacy test OAuth application that had elevated access to Microsoft's corporate environment. They created additional malicious OAuth applications of their own, created a new user account to consent to them, and used the compromised test application to grant those applications full access to Office 365 Exchange Online mailboxes (the Exchange Online full_access_as_app application role). Because the access then lived in application credentials rather than in a user's password, resetting the sprayed account alone would not have evicted them.
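The spray pattern described above is detectable precisely because of the shape that makes it evade lockouts: many accounts, one or two failures each, from many distinct source IPs in a short window. The following is an added example written for this page (it is not Microsoft's code or part of its guidance). It assumes sign-in events shaped like the fields of Microsoft Graph `/auditLogs/signIns` used in the code (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the events themselves are constructed for the example, not real telemetry.

```python
"""Detect a low-and-slow, distributed password spray in Entra ID sign-in logs.

Added example for this page (not Microsoft's code). It assumes sign-in events
shaped like the Microsoft Graph /auditLogs/signIns fields used below:
createdDateTime, userPrincipalName, ipAddress, status.errorCode. The events
are constructed for the example, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Entra ID sign-in error codes: 50126 = invalid username or password,
# 50053 = account locked; errorCode 0 is a successful sign-in.
FAILED_CREDENTIAL_CODES = {50126, 50053}
SUCCESS_CODE = 0


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_spray(events, window_minutes=60, min_users=5, min_ips=5,
                 max_failures_per_user=2):
    """Return one finding per time window that looks like a password spray.

    A spray tries one or two passwords against many accounts, and routing
    through residential proxies gives every attempt a fresh, benign-looking
    source IP. Per-user lockout thresholds and per-IP rate limits both miss
    it, so the signal is: many users with very few failures each, from many
    distinct IPs, inside one window. Successes in the same window by sprayed
    users, or from spraying IPs, are the accounts to treat as compromised.
    """
    window = window_minutes * 60
    buckets = defaultdict(list)
    for e in events:
        buckets[int(_ts(e["createdDateTime"]).timestamp() // window)].append(e)

    findings = []
    for key in sorted(buckets):
        evs = buckets[key]
        fails = [e for e in evs if e["status"]["errorCode"] in FAILED_CREDENTIAL_CODES]
        per_user = Counter(e["userPrincipalName"] for e in fails)
        # Users with only a few failures match the spray pattern. A real user
        # who mistypes a password five times is excluded from the count
        # rather than being allowed to hide the spray.
        sprayed = {u for u, n in per_user.items() if n <= max_failures_per_user}
        spray_ips = {e["ipAddress"] for e in fails if e["userPrincipalName"] in sprayed}
        if len(sprayed) < min_users or len(spray_ips) < min_ips:
            continue
        compromised = sorted({
            e["userPrincipalName"] for e in evs
            if e["status"]["errorCode"] == SUCCESS_CODE
            and (e["userPrincipalName"] in sprayed or e["ipAddress"] in spray_ips)
        })
        findings.append({
            "window_start": datetime.fromtimestamp(key * window, tz=timezone.utc).isoformat(),
            "users": sorted(sprayed),
            "source_ips": sorted(spray_ips),
            "compromised": compromised,
        })
    return findings


def _ev(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: seven accounts hit once each from seven different IPs,
# a legacy test account that fails once and then succeeds from yet another
# IP, and a regular user locked out by her own typos (not a spray signal).
SAMPLE_EVENTS = [
    _ev(f"2024-01-12T03:{10 + i:02d}:00Z", f"user{i}@contoso.example",
        f"203.0.113.{i + 1}", 50126)
    for i in range(7)
] + [
    _ev("2024-01-12T03:20:00Z", "legacy-test@contoso.example", "203.0.113.50", 50126),
    _ev("2024-01-12T03:41:00Z", "legacy-test@contoso.example", "203.0.113.51", SUCCESS_CODE),
    _ev("2024-01-12T03:30:00Z", "alice@contoso.example", "198.51.100.7", 50126),
    _ev("2024-01-12T03:31:00Z", "alice@contoso.example", "198.51.100.7", 50126),
    _ev("2024-01-12T03:32:00Z", "alice@contoso.example", "198.51.100.7", 50126),
    _ev("2024-01-12T03:33:00Z", "alice@contoso.example", "198.51.100.7", 50053),
    _ev("2024-01-12T03:50:00Z", "alice@contoso.example", "198.51.100.7", SUCCESS_CODE),
    # A quiet hour later in the day: one ordinary failure, no finding.
    _ev("2024-01-12T09:05:00Z", "bob@contoso.example", "198.51.100.9", 50126),
    _ev("2024-01-12T09:06:00Z", "bob@contoso.example", "198.51.100.9", SUCCESS_CODE),
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f["window_start"], len(f["users"]), "users from",
              len(f["source_ips"]), "IPs; compromised:", f["compromised"])
```

The thresholds are deliberately conservative and belong in a tuning loop against your own baseline: a tenant with thousands of users sees many single failures per hour, so raise `min_users` and `min_ips` or add a ratio test before alerting. The `compromised` list is a triage queue, not proof: a sprayed user who then signs in legitimately will appear in it, which is the correct place to start checking for MFA, device and location.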
Microsoft's guidance focuses on this class of attack. It recommends auditing the privilege level of every identity in the tenant, users and service principals alike, and scrutinizing privileges held by unknown or unused identities, since a forgotten test application with elevated access is exactly what was abused here. It recommends anomaly detection policies (in Microsoft Defender for Cloud Apps) to identify malicious OAuth applications, and it suggests considering Conditional Access App Control for users connecting from unmanaged devices.
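The privilege audit in that guidance is a query, not a policy: enumerate service principals, resolve which application permissions each one actually holds, and rank the ones that combine a powerful role with no owner, no recent sign-in, or a very recent creation date. The following is an added example written for this page, not Microsoft's code or tooling. It assumes objects shaped like Microsoft Graph servicePrincipal, appRoleAssignment and the resource application's appRoles collection; the GUIDs, names and dates in the sample tenant are constructed for the example, while the permission names in the high-privilege set are real Graph and Exchange Online application permissions.

```python
"""Audit service principals for high-privilege app roles and weak ownership.

Added example for this page, not Microsoft's code. It assumes objects shaped
like Microsoft Graph servicePrincipal, appRoleAssignment and the resource
application's appRoles collection; the ids and sample tenant data below are
constructed for the example. The permission names are real Graph and
Exchange Online application (app-only) permissions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Application permissions that give an app tenant-wide reach on its own,
# with no signed-in user in the loop.
HIGH_PRIVILEGE_APP_ROLES = {
    "full_access_as_app",                 # Exchange Online: every mailbox
    "Mail.ReadWrite", "Mail.Read",        # Graph: all mailboxes
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",          # can mint more apps and credentials
}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_service_principals(service_principals, assignments, resources, now,
                             stale_days=90, new_days=7):
    """Return findings for service principals that hold a high-privilege role
    or show ownership/usage hygiene problems.

    Severity is 'critical' when a high-privilege role is combined with no
    owner, no recent sign-in, or a very recent creation date (the profile of
    a forgotten legacy test app, or of an app an intruder just created), and
    'review' for an owned, active app that merely holds a powerful role.
    """
    role_value = {(r["id"], role["id"]): role["value"]
                  for r in resources for role in r["appRoles"]}
    by_principal = defaultdict(list)
    for a in assignments:
        by_principal[a["principalId"]].append(a)

    findings = []
    for sp in service_principals:
        roles = sorted(role_value.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
                       for a in by_principal.get(sp["id"], []))
        high = [r for r in roles if r in HIGH_PRIVILEGE_APP_ROLES]
        hygiene = []
        if not sp.get("owners"):
            hygiene.append("no owner")
        last = sp.get("lastSignIn")
        if last is None:
            hygiene.append("never signed in")
        elif (now - _ts(last)).days > stale_days:
            hygiene.append(f"no sign-in for {(now - _ts(last)).days} days")
        if (now - _ts(sp["createdDateTime"])).days < new_days:
            hygiene.append(f"created in the last {new_days} days")
        if not high and not hygiene:
            continue
        severity = "critical" if high and hygiene else ("review" if high else "info")
        findings.append({"id": sp["id"], "displayName": sp["displayName"],
                         "roles": roles, "high_privilege": high,
                         "hygiene": hygiene, "severity": severity})
    order = ("critical", "review", "info")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


# Constructed sample tenant. Resource ids and app role ids are illustrative
# placeholders; in a real tenant they are GUIDs from the resource's appRoles.
NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)

RESOURCES = [
    {"id": "res-exo", "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "r-exo-full", "value": "full_access_as_app"}]},
    {"id": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "r-g-mailrw", "value": "Mail.ReadWrite"},
                  {"id": "r-g-userread", "value": "User.Read.All"}]},
]

SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "LegacyTestApp", "createdDateTime": "2019-03-01T00:00:00Z",
     "owners": [], "lastSignIn": "2023-06-01T00:00:00Z"},
    {"id": "sp-2", "displayName": "Mailbox Sync", "createdDateTime": "2023-01-10T00:00:00Z",
     "owners": ["ops@contoso.example"], "lastSignIn": "2024-01-11T00:00:00Z"},
    {"id": "sp-3", "displayName": "Unknown app 1", "createdDateTime": "2024-01-10T00:00:00Z",
     "owners": [], "lastSignIn": "2024-01-11T00:00:00Z"},
    {"id": "sp-4", "displayName": "Ticketing Connector", "createdDateTime": "2022-05-01T00:00:00Z",
     "owners": ["it@contoso.example"], "lastSignIn": "2024-01-11T00:00:00Z"},
]

ASSIGNMENTS = [
    {"principalId": "sp-1", "resourceId": "res-exo", "appRoleId": "r-exo-full"},
    {"principalId": "sp-2", "resourceId": "res-graph", "appRoleId": "r-g-mailrw"},
    {"principalId": "sp-3", "resourceId": "res-exo", "appRoleId": "r-exo-full"},
    {"principalId": "sp-4", "resourceId": "res-graph", "appRoleId": "r-g-userread"},
]

if __name__ == "__main__":
    for f in audit_service_principals(SERVICE_PRINCIPALS, ASSIGNMENTS, RESOURCES, NOW):
        print(f["severity"].upper(), f["displayName"], f["high_privilege"], f["hygiene"])
```

Two of the four constructed apps come out critical: the stale, ownerless legacy test app holding full_access_as_app, and the freshly created, ownerless app holding the same role, which is the pair of shapes the intrusion above turned on. Feed it real data by paging `/servicePrincipals`, `/servicePrincipals/{id}/appRoleAssignments`, `/servicePrincipals/{id}/owners` and the resource service principals' `appRoles` from Graph; the sign-in date field is an assumption of this example and in a real tenant comes from service principal sign-in logs rather than the servicePrincipal object itself.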
Overall, the Midnight Blizzard intrusion shows that a persistent nation-state actor needs only one neglected identity: a legacy test account without MFA and a legacy test application with too much privilege were enough. Auditing privilege levels, retiring or constraining unused accounts and applications, and monitoring sign-ins and OAuth activity for anomalies give defenders a chance to detect and contain such intrusions before significant damage is done.