Microsoft: Hack By Russian Group Exploited Lack Of MFA

The company said the hackers compromised a ‘legacy’ account that didn’t have multifactor authentication enabled, in an attack that ultimately led to accessing senior Microsoft executive accounts.

Microsoft confirmed that the Russia-aligned threat group responsible for the recently disclosed hack of senior executive accounts initially gained access by exploiting a lack of multifactor authentication (MFA) on a “legacy” account.

In its latest update Thursday, Microsoft also disclosed that its investigation has turned up other organizations that were targeted by the same group, tracked as Midnight Blizzard. Microsoft said it has started to notify the other affected organizations.

[Related: HPE Hit By Midnight Blizzard Attack: 5 Things You Need To Know]

The disclosure comes after Hewlett Packard Enterprise revealed, in a regulatory filing Wednesday, that it was also compromised by the threat actor known as Midnight Blizzard. However, HPE said in the filing with the U.S. Securities and Exchange Commission that it was notified about the incident on Dec. 12, a month before Microsoft learned of its own breach on Jan. 12.

CRN has reached out to HPE and Microsoft for comment.

Microsoft’s update also follows criticism of the initial disclosure by cybersecurity industry executives including George Kurtz, the CEO and co-founder of Microsoft rival CrowdStrike. Kurtz suggested in a CNBC interview Monday that Microsoft’s original explanation for the Midnight Blizzard attack didn’t add up and that he expected “there’s a lot more that’s going to come out on this.”

Lack Of MFA

In Microsoft’s update post, the company said that Midnight Blizzard initially used a tactic known as a password spray attack to target a “legacy, non-production test tenant account.”

Crucially, this account “did not have multifactor authentication (MFA) enabled,” Microsoft said in the post.

While stopping short of acknowledging that the hack was enabled by an oversight — the lack of a basic security measure that Microsoft itself is known to fervently advocate — Microsoft did note that “this incident has highlighted the urgent need to move even faster” on improving its security posture.

Additionally, “if the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” Microsoft said in its post.

Series Of Attacks

Previously, Microsoft had attributed attacks to Midnight Blizzard including the widely felt breach of SolarWinds in 2020. Microsoft formerly had tracked the group, which the U.S. and U.K. governments have associated with Russia’s SVR foreign intelligence unit, under the name Nobelium.

Microsoft said its most recent Midnight Blizzard incident began in late November 2023. Attackers used the permissions from the compromised “legacy” account to “access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the company said previously.

Attack Details

In the update posted Thursday, Microsoft disclosed that Midnight Blizzard used its initial access to “identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.”

The hackers then created new OAuth apps, along with a new account that could “grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications,” the company said.

Midnight Blizzard then “used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes,” Microsoft said.

Ultimately, “Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” the company said.
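The two signals the article describes, a password spray that lands on a single unprotected account and the grant of the Exchange Online full_access_as_app role to a service principal, are the kind of thing a defender would hunt for in sign-in and audit logs. The script below is an added example and not Microsoft’s code; the records are constructed, and the field and activity names only approximate the Entra ID sign-in and audit log schema.

```python
"""Detection sketch for the two signals in the article: a password spray
(many accounts, few attempts each, one source) and an app role grant of
full_access_as_app. Records are constructed; field and activity names are
assumed approximations of the Entra ID sign-in and audit log schema."""
from collections import defaultdict

# Constructed sign-in records: (source_ip, user, succeeded)
SIGNINS = [
    ("203.0.113.9", "alice@corp.example", False),
    ("203.0.113.9", "bob@corp.example", False),
    ("203.0.113.9", "carol@corp.example", False),
    ("203.0.113.9", "dave@corp.example", False),
    ("203.0.113.9", "legacy-test@corp.example", True),  # the spray landed
    ("198.51.100.4", "erin@corp.example", False),
    ("198.51.100.4", "erin@corp.example", False),       # one user retrying
]

# Constructed audit records, loosely modelled on Entra ID audit log fields.
AUDIT = [
    {"activity": "Add service principal", "initiator": "svc-consent@corp.example",
     "target": "actor-app-1", "role": None},
    {"activity": "Add app role assignment to service principal",
     "initiator": "legacy-test-app", "target": "actor-app-1",
     "role": "full_access_as_app"},
    {"activity": "Add app role assignment to service principal",
     "initiator": "it-admin@corp.example", "target": "reporting-app",
     "role": "User.Read.All"},
]

def password_spray_sources(signins, min_accounts=4, max_per_account=2):
    """Source IPs that failed against many distinct accounts with few
    attempts per account: the spray shape, not a single-user brute force."""
    fails = defaultdict(lambda: defaultdict(int))
    for ip, user, ok in signins:
        if not ok:
            fails[ip][user] += 1
    return sorted(ip for ip, users in fails.items()
                  if len(users) >= min_accounts
                  and max(users.values()) <= max_per_account)

def mailbox_wide_role_grants(audit, role="full_access_as_app"):
    """(initiator, target) pairs where a service principal was granted the
    Exchange Online application role that reaches every mailbox."""
    return [(e["initiator"], e["target"]) for e in audit
            if e["activity"] == "Add app role assignment to service principal"
            and e.get("role") == role]

if __name__ == "__main__":
    print("spray sources:", password_spray_sources(SIGNINS))
    print("mailbox-wide grants:", mailbox_wide_role_grants(AUDIT))
```

On real data the thresholds and the activity strings should be tuned against the tenant’s actual log export; the point of the second check is that any grant of this role, from any initiator, deserves review because it is broader than almost any legitimate application needs.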