Microsoft on the Midnight Blizzard Incident
One of the things I enjoy doing is digging into reports on high-profile security breaches. I’ve presented on the SolarWinds supply-chain attack and HAFNIUM’s breach of Microsoft Exchange for ColaSec. We’ve got a new one, with Microsoft releasing some details on its incident with Midnight Blizzard. There are some details, but it’s more of a spin article on how to defend yourself against nation-state actors. Alex Stamos has provided some scathing commentary on the piece.
What we do know is that initial access came from a password spray attack against a legacy, non-production test tenant; the compromised account did not have multifactor authentication (MFA) enabled. The attackers then used an OAuth application in the test environment that had access to the corporate environment. A new user account with elevated permissions was created and used to get into O365 Exchange Online. From there they compromised a variety of email accounts, looking for information on their own group.
The rest of the piece is meant to be a guide on how to proactively secure against and identify this type of attack. There isn’t any detail on how they discovered Midnight Blizzard, nor any indicators of compromise (IoCs). They did provide some generic hunting queries to be run in Microsoft Defender XDR.
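As an added example (not code from the original post, and not Microsoft's hunting queries), the script below shows the kind of check a defender would run over sign-in logs to catch the first two links in the chain described above: a password spray (one source IP touching many accounts with only a failure or two each) followed by a success against an account that has no MFA. The sign-in records, field names and thresholds are constructed assumptions, not a real Entra ID or Defender XDR schema.

```python
"""Password-spray detection over constructed sign-in records.

Added example; the records and field names (ts, user, source_ip,
result, mfa_enabled) are assumptions, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, user, ip, result, mfa):
    return {"ts": ts, "user": user, "source_ip": ip,
            "result": result, "mfa_enabled": mfa}


# Constructed sample data.
# 203.0.113.7: one failure each against six accounts in ten minutes
#              (spray pattern), then a success on an MFA-less legacy account.
# 198.51.100.9: four failures against a single account (brute force,
#               not a spray; should not be flagged by the spray rule).
# 192.0.2.5:    an ordinary MFA-protected success, benign.
SIGNINS = [
    _rec("2024-01-12T03:00:01", "user1@test.example", "203.0.113.7", "failure", True),
    _rec("2024-01-12T03:02:10", "user2@test.example", "203.0.113.7", "failure", True),
    _rec("2024-01-12T03:04:05", "user3@test.example", "203.0.113.7", "failure", True),
    _rec("2024-01-12T03:06:30", "user4@test.example", "203.0.113.7", "failure", True),
    _rec("2024-01-12T03:08:12", "user5@test.example", "203.0.113.7", "failure", True),
    _rec("2024-01-12T03:10:44", "user6@test.example", "203.0.113.7", "failure", False),
    _rec("2024-01-12T03:12:00", "legacy-test@test.example", "203.0.113.7", "success", False),
    _rec("2024-01-12T03:01:00", "alice@test.example", "198.51.100.9", "failure", True),
    _rec("2024-01-12T03:01:20", "alice@test.example", "198.51.100.9", "failure", True),
    _rec("2024-01-12T03:01:40", "alice@test.example", "198.51.100.9", "failure", True),
    _rec("2024-01-12T03:02:00", "alice@test.example", "198.51.100.9", "failure", True),
    _rec("2024-01-12T03:05:00", "bob@test.example", "192.0.2.5", "success", True),
]

# Assumed thresholds; tune to the tenant's normal sign-in volume.
SPRAY_WINDOW = timedelta(minutes=30)
MIN_DISTINCT_USERS = 5
MAX_ATTEMPTS_PER_USER = 2


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(signins, window=SPRAY_WINDOW,
                          min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return {source_ip: sorted distinct users} for every IP whose failed
    sign-ins inside one `window` hit at least `min_users` accounts with at
    most `max_per_user` attempts each. Breadth with low depth is the spray
    signature; many attempts on one account is a different rule."""
    failures_by_ip = defaultdict(list)
    for s in signins:
        if s["result"] == "failure":
            failures_by_ip[s["source_ip"]].append(s)

    hits = {}
    for ip, events in failures_by_ip.items():
        events.sort(key=lambda e: _parse(e["ts"]))
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while _parse(events[end]["ts"]) - _parse(events[start]["ts"]) > window:
                start += 1
            per_user = defaultdict(int)
            for e in events[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
    return hits


def flag_unprotected_successes(signins, spray_ips):
    """Successful sign-ins from a spraying IP to an account without MFA:
    the combination that handed the attacker a foothold in the test tenant."""
    return [(s["user"], s["source_ip"]) for s in signins
            if s["result"] == "success"
            and s["source_ip"] in spray_ips
            and not s["mfa_enabled"]]


if __name__ == "__main__":
    spray = detect_password_spray(SIGNINS)
    for ip, users in spray.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for user, ip in flag_unprotected_successes(SIGNINS, spray):
        print(f"HIGH: {user} signed in from spraying IP {ip} without MFA")
```

The two rules are deliberately separate: the spray rule only needs failed sign-ins, so it can run continuously, while the second rule joins its output against successes and the tenant's MFA registration state, which is the join that turns a noisy spray alert into the one sign-in worth an incident ticket.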
I would expect to get more details later, as we’re probably getting more information now than we would have in the past due to the new SEC rules requiring earlier reporting of security incidents. We also may never have heard of this incident without the rules. One thing is certain: we’ll see more of these types of breaches in the news cycle this year, with a similar level of detail.
This post first appeared on Exploring Information Security.