Microsoft Explains Recent Hack in More Detail, Offers Advice to Customers


One week after it disclosed that a state-sponsored Russian hacking group infiltrated its corporate systems, Microsoft today provided more details.

“If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” the Microsoft Threat Intelligence team writes in the new post, confirming the suspicion I raised last week. “Given the reality of threat actors that are well resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster.”


Last week, Microsoft noted that Midnight Blizzard, a threat actor sponsored by the government of Russia, had infiltrated its corporate systems and was able to read and download some internal emails from members of its senior leadership team and employees in its cybersecurity, legal, and other groups. Today, it provided the following additional information:

  • The hacking group is also targeting other organizations, so Microsoft has begun notifying these targeted organizations. (We learned today that HPE was among those companies.)
  • Microsoft discovered the attacks in a review of its Exchange Web Services (EWS) activity.
  • The group used a password spray attack to successfully compromise a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled. (As I suspected.) It tailored the attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the failure volume. It also launched these attacks from a distributed residential proxy infrastructure. Together, these techniques helped hide their activity, allowing them to continue for months until they were successful.
  • Once they compromised an account, the group found a legacy test OAuth application with elevated access to the Microsoft corporate environment, compromised it, and then created additional malicious OAuth applications. They also created a new user account that gave their malicious OAuth apps access to the internal corporate environment. These then granted them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.
  • The group used its malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts.

Microsoft recommends that its customers defend themselves against malicious OAuth apps by auditing the privilege levels of all user and service identities in their organizations, paying particular attention to unknown identities and apps with app-only permissions, as those have privileged access levels. Identities with ApplicationImpersonation privileges in Exchange Online can impersonate users and gain broad access to all mailboxes in an environment if not configured correctly. The post also offers guidelines on protecting against password spray attacks.
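Microsoft's post describes that audit but does not include a script for it. The following PowerShell is an added example, not code from the article or from Microsoft: it lists every identity holding an application (app-only) permission on Exchange Online, flags holders of the full_access_as_app role the intruders granted themselves, and lists ApplicationImpersonation assignments. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and already connected.

```powershell
# Added audit example (not from the article or from Microsoft). Assumes you ran:
#   Connect-MgGraph -Scopes "Application.Read.All"
#   Connect-ExchangeOnline
# 00000002-0000-0ff1-ce00-000000000000 is the well-known appId of the
# "Office 365 Exchange Online" resource service principal.

$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$exoSp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

# Map app-role GUIDs to their names (full_access_as_app, Mail.Read, ...) so the
# output is readable; application permissions are granted as app-role assignments.
$roleName = @{}
foreach ($role in $exoSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Every principal that holds an application permission on Exchange Online.
# PrincipalType 'ServicePrincipal' means app-only access: it works without any
# signed-in user, which is exactly what the malicious OAuth apps relied on.
$findings = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exoSp.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Type        = $_.PrincipalType
            Permission  = $roleName[$_.AppRoleId]
            Granted     = $_.CreatedDateTime
        }
    }

Write-Host "== App-only Exchange Online permissions =="
$findings | Sort-Object Permission, Principal | Format-Table -AutoSize

# full_access_as_app reads every mailbox in the tenant, so each holder should
# be a known app with a named owner; anything unrecognised is a finding.
$findings | Where-Object Permission -eq 'full_access_as_app' | ForEach-Object {
    Write-Warning "Tenant-wide mailbox access: $($_.Principal) ($($_.PrincipalId)), granted $($_.Granted)"
}

# The other broad path the post names: Exchange RBAC ApplicationImpersonation,
# which lets an identity act as any user inside the assignment's write scope.
Write-Host "== ApplicationImpersonation role assignments =="
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Review each flagged principal against your app inventory; an unfamiliar service principal with full_access_as_app, or an impersonation assignment with an unscoped write scope, is the pattern this incident turned on.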


Thurrott © 2024 Thurrott LLC