Microsoft said the legacy test tenant account hacked by Russian nation-state threat actors this month did not have MFA enabled.
According to the initial disclosure, the account compromised was a legacy, non-production test tenant account that threat actors accessed starting in November 2023 before elevating privileges.
Microsoft discovered the attack on Jan. 12.
Midnight Blizzard, which is associated with the Russian government's Foreign Intelligence Service, is widely known as the threat actor behind the infamous 2020 supply-chain attack against SolarWinds.
Beyond the MFA detail, Microsoft's follow-up guidance post offered further insight into Midnight Blizzard's recent activity.
Microsoft said Midnight Blizzard has also been targeting other organizations, a notable detail given that HPE disclosed an attack attributed to the same group this week.
In last week's disclosure, Microsoft said its investigation indicated the threat actors initially targeted email accounts looking for information about Midnight Blizzard itself.
Microsoft has previously published research warning of the dangers of OAuth abuse and the creation of malicious apps.
On Sept. 22, 2022, the company detailed an attack in which Microsoft researchers found a threat actor had deployed malicious OAuth applications on compromised cloud tenants and used them to gain access to the targets' Exchange Online service.
Ironically, that attack mirrored Midnight Blizzard's breach of Microsoft itself.
Microsoft said Midnight Blizzard's tactics make the group's activity challenging to identify.
The company offered guidance on defending against such attacks, including preventing OAuth app abuse.
First, customers should audit the privilege level of all user and service principal identities in their tenants using Microsoft's Graph Data Connect authorization portal.
Microsoft encouraged customers to closely examine privileges for unknown identities and apps with app-only permissions, which might have over-privileged access.
Microsoft also recommended auditing identities with ApplicationImpersonation privileges in Exchange Online, which lets a caller impersonate another user and perform the same tasks as that user.
For detecting malicious OAuth apps created by attackers, Microsoft encouraged customers to use anomaly detection policies in Defender for Cloud Apps.
The app governance feature in Defender for Cloud Apps can identify sensitive administrative activities in Exchange Online.
Microsoft also warned that Midnight Blizzard has abused OAuth apps against other organizations in the past, using apps that held the EWS.AccessAsUser.All permission.
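The audit steps above (privilege level of service principals, app-only permissions, ApplicationImpersonation holders) and the EWS.AccessAsUser.All warning can be worked through from PowerShell. The script below is an added example written for this article, not Microsoft's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator can read Exchange role assignments and the directory; the only hard-coded identifier is the well-known appId of the Office 365 Exchange Online resource service principal.

```powershell
# Added example, not Microsoft's script: list the identities and OAuth apps the guidance says to audit.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and read access to the tenant.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 1. Identities holding ApplicationImpersonation in Exchange Online.
#    -GetEffectiveUsers expands role groups so each member is listed individually.
$impersonators = Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
    Select-Object RoleAssigneeName, RoleAssigneeType, EffectiveUserName, CustomRecipientWriteScope

# 2. App-only (application) permissions granted on the Exchange Online resource.
#    The Office 365 Exchange Online resource app has a fixed, well-known appId in every tenant.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"
$exoSp    = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

# Map app role GUIDs on the resource to readable names such as full_access_as_app.
$roleNames = @{}
foreach ($role in $exoSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# appRoleAssignedTo lists every principal that has been granted an app role on this resource;
# service-principal assignees are the app-only grants that need an owner.
$appOnly = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exoSp.Id -All |
    Where-Object { $_.PrincipalType -eq "ServicePrincipal" } |
    ForEach-Object {
        [pscustomobject]@{
            App         = $_.PrincipalDisplayName
            AppObjectId = $_.PrincipalId
            Permission  = $roleNames[$_.AppRoleId]
            AssignedOn  = $_.CreatedDateTime
        }
    }

# 3. Delegated grants that include EWS.AccessAsUser.All. ConsentType "AllPrincipals" means an admin
#    consented for the whole tenant, so the app can act as any user who signs in to it.
$ewsDelegated = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $exoSp.Id -and (($_.Scope -split ' ') -contains "EWS.AccessAsUser.All") } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App         = $client.DisplayName
            AppId       = $client.AppId
            ConsentType = $_.ConsentType
            Scope       = $_.Scope
        }
    }

"== ApplicationImpersonation holders ==";     $impersonators | Format-Table -AutoSize
"== App-only Exchange Online permissions =="; $appOnly       | Format-Table -AutoSize
"== Delegated EWS.AccessAsUser.All grants =="; $ewsDelegated  | Format-Table -AutoSize
```

What to look for in the output: an impersonation holder or app-only assignee nobody can name an owner for, the full_access_as_app role (which grants an app access to every mailbox without any user signing in), and AllPrincipals delegated grants of EWS.AccessAsUser.All, since that combination is exactly what lets an attacker-controlled app read mail as any user. Grants that cannot be tied to a known business purpose should be revoked from the service principal (Remove-MgServicePrincipalAppRoleAssignment or Remove-MgOauth2PermissionGrant) rather than left in place pending investigation.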
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.
Rob Wright is a longtime technology reporter who lives in the Boston area.
This Cyber News was published on www.techtarget.com. Publication date: Fri, 26 Jan 2024 21:13:05 +0000