Decipher File · November 2023 to January 2024
Microsoft Midnight Blizzard: Password Spray Reaches Senior Leadership Email
The Microsoft Midnight Blizzard incident is the Russian SVR campaign that read Microsoft executive email through a forgotten test tenant. From late November 2023 to January 2024, Midnight Blizzard (APT29) used password spray against a legacy non-production tenant without MFA, then abused an OAuth application's permissions to access mailboxes belonging to Microsoft senior leadership and the security team.
Incident summary
Microsoft disclosed in a January 19, 2024 SEC 8-K filing and MSRC blog post that it had detected a nation-state attack on its corporate systems on January 12, 2024. The threat actor, identified as Midnight Blizzard (also known as NOBELIUM, APT29, and Cozy Bear), is associated with Russia's Foreign Intelligence Service (SVR). The same actor was responsible for the SolarWinds Sunburst campaign in 2020.
Per Microsoft's January 25, 2024 technical analysis, Midnight Blizzard used password spray attacks tailored to a low number of accounts and a low attempt volume per account to evade detection. The actor compromised a legacy non-production test tenant account that did not have multifactor authentication enabled. The compromised account had access to a legacy OAuth application granted elevated Exchange Online permissions.
The actor used the OAuth application to access mailboxes belonging to Microsoft senior leadership, the cybersecurity team, the legal team, and other functions. Microsoft confirmed in a March 8, 2024 update that Midnight Blizzard had also accessed source code repositories and internal systems beyond email, expanding the disclosed scope significantly from the initial January announcement.
Attack technique
MITRE ATT&CK maps the entry to T1110.003 (Brute Force: Password Spraying). Midnight Blizzard tradecraft in this campaign emphasized low-and-slow operations: a small number of attempts per account, spread across many accounts and routed through residential proxy infrastructure to defeat impossible-travel and volume-based detections.
After authenticating to the legacy test tenant, the actor pivoted to a legacy OAuth application that had been granted full_access_as_app to Office 365 Exchange Online during early product testing, then never deprovisioned. T1098.001 (Account Manipulation: Additional Cloud Credentials) and T1528 (Steal Application Access Token) describe how the actor created additional credentials for the OAuth application and used those credentials to mint tokens with elevated mailbox access scope.
The OAuth application's full_access_as_app permission allowed access to mailboxes across the Microsoft corporate tenant, not just the legacy test tenant. This privilege boundary failure is the core architectural lesson. T1114.002 (Email Collection: Remote Email Collection) describes the EWS API queries the actor used to collect emails and attachments from senior leadership mailboxes.
Impact and consequences
Microsoft confirmed in its January 19, 2024 disclosure that Midnight Blizzard exfiltrated emails and attachments from senior leadership mailboxes including parts of cybersecurity, legal, and other functions. The March 8, 2024 update confirmed that the actor had used information from those exfiltrated emails to gain or attempt to gain access to additional Microsoft systems, including some source code repositories.
CISA issued Emergency Directive 24-02 on April 2, 2024 ordering federal civilian agencies to analyze whether emails sent to or received from Microsoft corporate accounts known to be in Midnight Blizzard's possession contained authentication tokens, credentials, or sensitive information that required rotation. ED 24-02 was the first emergency directive issued because of a vendor email compromise, marking a precedent for federal action on commercial vendor breaches.
Combined with the 2023 Storm-0558 incident, this intrusion led the CSRB's April 2, 2024 report on Storm-0558 to broaden its critique of Microsoft's security culture into recommendations for industry-wide reform. Microsoft's Secure Future Initiative, announced in November 2023, was expanded and accelerated, and in May 2024 it was tied to executive compensation, linking security outcomes to senior leadership pay.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Successful authentication to a legacy non-production Microsoft test tenant from residential proxy IPs
- Password spray patterns with low attempts per account against accounts without MFA
- OAuth application with elevated permissions in the legacy tenant retained for testing
- OAuth application granted full_access_as_app role to Office 365 Exchange Online
- EWS API access to Microsoft corporate mailboxes via the OAuth application token
Lessons for defenders
Legacy non-production tenants are production risk. The compromised account belonged to a legacy test tenant that had not been hardened to current standards, did not have MFA enforced, and contained a forgotten OAuth application with broad permissions. Inventory all tenants, decommission unused tenants, and apply baseline security controls to every tenant including test environments.
OAuth application permissions outlive their use cases. The OAuth application Midnight Blizzard abused had been granted full_access_as_app for testing during product development and then forgotten. Periodic review of OAuth applications, automated detection of high-privilege OAuth grants, and short-lived OAuth permissions reduce this attack surface.
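The periodic review described above, as an added example (not code from the page or from Microsoft): it walks a constructed inventory of application grants and flags high-privilege roles such as full_access_as_app, grants held by dormant apps, and apps carrying more than one credential. The record layout and field names are assumptions, as is the Microsoft Graph role listed as an equivalent.

```python
"""Audit of OAuth application grants for the pattern the page describes: a
forgotten application still holding full_access_as_app on Exchange Online.
Added example, not code from the page or from Microsoft. The record shape is
constructed; the field names and the Graph role listed as an equivalent are
assumptions, not an inventory format Microsoft publishes."""
from datetime import datetime, timedelta

# Application roles that reach every mailbox in the tenant without any user
# signing in. full_access_as_app is the role named in the incident.
HIGH_PRIVILEGE_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.ReadWrite"),  # assumption: Graph-side equivalent
}

# Constructed tenant inventory: app name, granted resource/role, last token
# issued to the app, and number of active client secrets or certificates.
GRANTS = [
    {"app": "legacy-ews-test-app", "resource": "Office 365 Exchange Online",
     "role": "full_access_as_app", "last_used": "2021-03-02", "credentials": 2},
    {"app": "ticketing-connector", "resource": "Microsoft Graph",
     "role": "User.Read", "last_used": "2024-01-18", "credentials": 1},
    {"app": "mailroom-bot", "resource": "Microsoft Graph",
     "role": "Mail.ReadWrite", "last_used": "2024-01-17", "credentials": 1},
]

def audit_grants(grants, now_iso, dormant_days=180):
    """Return {app: [finding, ...]} for grants a reviewer should act on.
    Checks: the role is high privilege, the app holding it has been idle for
    dormant_days, and the app carries more than one credential (extra
    credentials on the app are how the actor took it over)."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for g in grants:
        notes = []
        high = (g["resource"], g["role"]) in HIGH_PRIVILEGE_ROLES
        idle = now - datetime.fromisoformat(g["last_used"]) > timedelta(days=dormant_days)
        if high:
            notes.append(f"high-privilege role {g['role']} on {g['resource']}")
        if high and idle:
            notes.append(f"dormant since {g['last_used']}: remove grant or app")
        if g["credentials"] > 1:
            notes.append(f"{g['credentials']} active credentials: verify each was added on purpose")
        if notes:
            findings[g["app"]] = notes
    return findings

if __name__ == "__main__":
    for app, notes in audit_grants(GRANTS, "2024-01-19").items():
        print(app, *notes, sep="\n  ")
```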
Password spray hides under the noise floor. The actor evaded detection by keeping per-account attempts low and using residential proxies. Detection engineering for password spray needs to baseline tenant-wide login patterns and the spread of failures across accounts rather than relying on per-account thresholds. UEBA-style detections that compare attempt rate distributions across populations catch low-volume spray.
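The tenant-wide baseline the paragraph above calls for, as an added example (not code from the page or from Microsoft): it buckets constructed sign-in records into fixed windows and alerts when many distinct accounts each fail only once or twice, compared against the median of earlier windows, which is exactly the case a per-account lockout threshold misses. The log field names and the thresholds are assumptions.

```python
"""Tenant-wide detection of low-and-slow password spray (added example, not
Microsoft's detection logic). Input is constructed 'timestamp,user,source_ip,
result' records; the field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)
# Constructed sample: two quiet days, then one early-morning window in which
# six distinct accounts each fail once, every attempt from a different IP.
SAMPLE_LOG = """\
2024-01-10T08:00:00,alice,198.51.100.10,failure
2024-01-10T09:12:00,bob,198.51.100.11,failure
2024-01-11T08:05:00,carol,198.51.100.12,failure
2024-01-12T02:00:00,testuser01,203.0.113.5,failure
2024-01-12T02:07:00,testuser02,203.0.113.9,failure
2024-01-12T02:15:00,testuser03,203.0.113.14,failure
2024-01-12T02:22:00,testuser04,203.0.113.21,failure
2024-01-12T02:31:00,testuser05,203.0.113.33,failure
2024-01-12T02:39:00,testuser06,203.0.113.41,failure
"""

def failures_by_window(log, hours=6):
    """Bucket failed sign-ins into fixed windows: {window_index: {user: [ips]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split(",")
        if result == "failure":
            secs = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
            buckets[int(secs // (hours * 3600))][user].append(ip)
    return buckets

def detect_spray(log, hours=6, min_users=5, max_per_user=2, factor=3.0):
    """Flag windows where many distinct accounts each fail only a few times.
    Per-account lockout rules never fire (no account exceeds max_per_user);
    the signal is distinct failing accounts vs. the median of earlier windows."""
    alerts, history = [], []
    for idx, per_user in sorted(failures_by_window(log, hours).items()):
        distinct = len(per_user)
        baseline = median(history) if history else 0.0  # first window: no baseline
        history.append(distinct)
        if distinct < min_users or max(map(len, per_user.values())) > max_per_user:
            continue  # too few accounts, or noisy enough for per-account rules
        if distinct >= factor * baseline:
            ips = {ip for ips in per_user.values() for ip in ips}
            alerts.append({"window_start": EPOCH + timedelta(hours=idx * hours),
                           "distinct_users": distinct, "source_ips": len(ips),
                           "baseline": baseline})
    return alerts
```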
MFA on every account, including legacy and service accounts. A single account without MFA on the legacy test tenant was the entry point for the entire breach. Conditional access policies that require MFA on every interactive sign-in, with break-glass accounts isolated and monitored, eliminate this entire entry path.
Tenant-to-tenant trust boundary failure analysis matters. The OAuth application's permissions reached the corporate tenant from the test tenant. Reviewing trust boundaries between tenants, applications, and resources, including reviewing app registrations and consents from a tenant security posture management tool, surfaces this class of misconfiguration.
Frequently asked questions
How did Midnight Blizzard get into Microsoft?
Per Microsoft's January 25, 2024 technical analysis, Midnight Blizzard used a password spray attack against a legacy non-production test tenant account that did not have MFA enabled. The compromised account had access to a legacy OAuth application granted elevated Exchange Online permissions, which the actor used to access mailboxes across Microsoft's corporate tenant.
Did Midnight Blizzard access Microsoft source code?
Per Microsoft's March 8, 2024 update, Midnight Blizzard accessed some Microsoft source code repositories and internal systems beyond email. Microsoft has not stated which repositories or product source code were accessed in detail. The same update confirmed the actor used information from exfiltrated emails to extend access into additional systems.
Why did CISA issue an emergency directive over the Microsoft incident?
CISA Emergency Directive 24-02 on April 2, 2024 ordered federal civilian agencies to analyze emails sent to or received from Microsoft corporate accounts known to be in Midnight Blizzard's possession. The concern was that those emails could contain authentication tokens, credentials, or sensitive information requiring rotation. ED 24-02 was the first emergency directive issued because of a commercial vendor email compromise.
Sources
- Microsoft MSRC: Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard · Microsoft's January 19, 2024 disclosure
- Microsoft Security Blog: Midnight Blizzard Guidance for Responders · Microsoft Threat Intelligence technical detail and detection guidance
- Microsoft 8-K Filing on Midnight Blizzard (January 19, 2024) · Microsoft SEC disclosure of the cybersecurity incident
- Microsoft MSRC Update: Update on Midnight Blizzard (March 8, 2024) · Microsoft confirmation of source code repository access
- CISA Emergency Directive 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System · April 2, 2024 federal directive
- MITRE ATT&CK G0016 APT29
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.