
Anatomy of a Breach: Microsoft — Russia's Midnight Blizzard Reads Executives' Email Through a Legacy OAuth App

> series: anatomy_of_a_breach —— part: 181 —— target: microsoft_corporate —— attacker: midnight_blizzard_svr —— method: password_spray_legacy_oauth_no_mfa

Hedgehog Security 31 January 2024 14 min read

Microsoft's own executives. Russia's SVR. A legacy test account. No MFA.

On 19 January 2024, Microsoft disclosed that Midnight Blizzard, an actor attributed to Russia's Foreign Intelligence Service (SVR) and the same group behind the SolarWinds/Sunburst supply-chain compromise, had accessed the corporate email accounts of Microsoft's senior leadership team, cybersecurity personnel and legal staff. The attackers had been reading executive emails since late November 2023.

The attack chain was remarkably simple. The attackers used password spraying (a few common passwords tried against many accounts, at a low rate so that no single account trips a lockout or stands out in the logs) to compromise a legacy, non-production test tenant account that did not have multi-factor authentication enabled. From that foothold they identified a legacy test OAuth application with elevated access to Microsoft's corporate environment, used it to grant OAuth applications of their own the Exchange Online full_access_as_app role, and read mailboxes with application permissions that no user's MFA could stand in front of. The mailboxes they chose, including those of cybersecurity and legal staff, suggest they were seeking to understand what Microsoft knew about Midnight Blizzard's operations. Microsoft, the company whose Entra ID (Azure AD) platform manages identity for millions of organisations, was compromised through the most basic authentication failure: a test account with no MFA.
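The spray described above has a distinctive shape in sign-in telemetry: one source address, many distinct accounts, one or two failures each, then a success. The following is an added example written for this article, not Microsoft's detection logic or any Hedgehog Security tooling. It runs the heuristic over constructed sign-in records that borrow only the field names of Entra ID sign-in logs (`userPrincipalName`, `ipAddress`, `status.errorCode`, `authenticationRequirement`); the addresses, accounts and timestamps are invented. It also flags the point the section below makes about MFA: a success that needed only a single factor is the no-MFA account to chase first.

```python
"""Password-spray detection over Entra ID sign-in records (added example).

A brute-force attack hammers one account with many passwords; a spray tries a
few passwords against many accounts so no single account trips a lockout.
Grouping sign-ins by source IP and comparing distinct accounts against attempts
per account separates the two. Any success from a spraying IP is a compromised
account; a single-factor success is an account that had no MFA in the way.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 50126  # Entra sign-in error code: invalid username or password
SUCCESS = 0


def _signin(when, user, ip, error_code, auth_requirement):
    """One record in the shape of an Entra sign-in log entry (field names only;
    the records themselves are constructed for this example)."""
    return {
        "createdDateTime": when.isoformat().replace("+00:00", "Z"),
        "userPrincipalName": user,
        "ipAddress": ip,
        "status": {"errorCode": error_code},
        "authenticationRequirement": auth_requirement,
    }


def constructed_signins():
    """Constructed sample: one spraying source, one clumsy legitimate user."""
    base = datetime(2023, 11, 20, 3, 0, tzinfo=timezone.utc)
    spray_ip = "203.0.113.5"  # RFC 5737 documentation address, not a real source
    targets = [f"user{n:02d}@example.com" for n in range(12)] + ["legacy-test-01@example.com"]
    recs, t = [], base
    for password_round in range(2):  # two common passwords, one attempt each per account
        for user in targets:
            if password_round == 1 and user == "legacy-test-01@example.com":
                continue  # the second guess against the test account is the success below
            recs.append(_signin(t, user, spray_ip, INVALID_CREDENTIALS, "singleFactorAuthentication"))
            t += timedelta(seconds=45)
    # The test account has no MFA, so the guessed password alone is enough.
    recs.append(_signin(t, "legacy-test-01@example.com", spray_ip, SUCCESS, "singleFactorAuthentication"))
    # A legitimate user mistyping their own password: many attempts, one account.
    for k in range(4):
        recs.append(_signin(base + timedelta(minutes=k), "alice@example.com", "198.51.100.7",
                            INVALID_CREDENTIALS, "multiFactorAuthentication"))
    recs.append(_signin(base + timedelta(minutes=5), "alice@example.com", "198.51.100.7",
                        SUCCESS, "multiFactorAuthentication"))
    return recs


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_password_spray(signins, window=timedelta(minutes=30),
                          min_accounts=10, max_per_account=3):
    """Return one finding per source IP whose failed sign-ins inside `window`
    touch at least `min_accounts` distinct accounts with no more than
    `max_per_account` attempts against any one of them."""
    by_ip = defaultdict(list)
    for rec in signins:
        by_ip[rec["ipAddress"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        best = None
        for i, start in enumerate(recs):  # every record opens a candidate window
            in_window = [r for r in recs[i:] if _ts(r) - _ts(start) <= window]
            failures = defaultdict(int)
            for r in in_window:
                if r["status"]["errorCode"] == INVALID_CREDENTIALS:
                    failures[r["userPrincipalName"]] += 1
            if not failures or len(failures) < min_accounts or max(failures.values()) > max_per_account:
                continue
            if best is None or len(failures) > best["targeted_accounts"]:
                successes = [r for r in in_window if r["status"]["errorCode"] == SUCCESS]
                best = {
                    "ip": ip,
                    "window_start": start["createdDateTime"],
                    "targeted_accounts": len(failures),
                    "failed_attempts": sum(failures.values()),
                    # Any success from a spraying IP is a compromised account.
                    "compromised": [r["userPrincipalName"] for r in successes],
                    # A single-factor success is an account with no MFA in the way.
                    "single_factor_successes": [
                        r["userPrincipalName"] for r in successes
                        if r["authenticationRequirement"] == "singleFactorAuthentication"],
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(constructed_signins()):
        print(f"{f['ip']}: {f['failed_attempts']} failures across {f['targeted_accounts']} accounts; "
              f"compromised={f['compromised']} single_factor={f['single_factor_successes']}")
```

The thresholds are deliberately conservative: a real spray against a large tenant touches hundreds of accounts, and the attackers in this case kept attempts per account very low, so the `max_per_account` ceiling matters more than the `min_accounts` floor. Source-IP grouping breaks down when the actor rotates through residential proxies; in that case group on the attempt pattern (same client app, same user-agent, same error code) instead of the address.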



A test account. Legacy OAuth. No MFA. At Microsoft.

No MFA on a Test Account
The initial compromise was through a test account without MFA, a legacy configuration that had not been cleaned up. If Microsoft, the company that builds MFA solutions, has test accounts without MFA, the question for every organisation is: what legacy accounts exist in your environment without MFA? Test and service accounts are the usual suspects, because they are created outside the normal joiner process and rarely appear in access reviews. <a href="/cyber-essentials">Cyber Essentials Danzell</a> requires MFA for every user account on cloud services, administrator and standard alike, and requires accounts that are no longer needed to be removed or disabled. Our <a href="/penetration-testing/infrastructure">internal testing</a> identifies accounts without MFA.
Legacy OAuth Permissions
The test account had access to a legacy test OAuth application that held elevated permissions in the corporate environment, a residual configuration from an earlier era. Application permissions are the dangerous kind: they are granted to the app rather than to a user, are exercised with the app's own credential, and are therefore never challenged by anyone's MFA. An old registration that nobody owns, still holding mail or directory permissions and a credential that has not expired, is a standing path into the tenant. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess OAuth application permissions, consent grants, and legacy app registrations.
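The triage a review of app registrations comes down to is three questions per application: does it hold a permission that reaches mail or the directory, does anyone own it, and has it authenticated recently. The following is an added example for this article, not code from Microsoft or from Hedgehog Security's review tooling. It scores a constructed inventory whose records use simplified field names (`appRoles`, `owners`, `lastSignInDateTime`, `credentialsValidUntil`) chosen for the example; a real review would page through Microsoft Graph service principals, their app role assignments, owners, credentials and sign-in activity and flatten them into the same shape. The permission list is a starting point, not a complete catalogue of high-privilege roles.

```python
"""Triage of OAuth app registrations for legacy, over-privileged access (added example).

A privileged app that is ownerless or dormant is a standing liability: the
permission is exercised with the app's own credential, so whoever gets hold of
that credential (or, as here, of an account that can act through the app) has
the data without ever meeting an MFA prompt.
"""
from datetime import datetime, timedelta, timezone

# Application permissions that reach every mailbox or let an app reshape the tenant.
HIGH_PRIVILEGE_APP_ROLES = {
    "full_access_as_app",                  # Exchange Online: every mailbox, no user context
    "Mail.Read", "Mail.ReadWrite",         # Microsoft Graph mail across all users
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",           # can add credentials to any other app
}
DORMANT_AFTER = timedelta(days=90)
AUDIT_TIME = datetime(2024, 1, 19, tzinfo=timezone.utc)  # "now" for the example


def constructed_service_principals():
    """Constructed inventory (names, dates and permissions are invented)."""
    return [
        {"displayName": "Legacy Test Mail Connector", "appRoles": ["full_access_as_app"],
         "owners": [], "lastSignInDateTime": None,
         "credentialsValidUntil": "2030-01-01T00:00:00Z"},
        {"displayName": "HR Payroll Sync", "appRoles": ["User.Read.All"],
         "owners": ["hr-it@example.com"], "lastSignInDateTime": "2024-01-17T08:12:00Z",
         "credentialsValidUntil": "2024-09-01T00:00:00Z"},
        {"displayName": "Ticketing Mailbox Reader", "appRoles": ["Mail.Read"],
         "owners": ["it-ops@example.com"], "lastSignInDateTime": "2024-01-18T22:40:00Z",
         "credentialsValidUntil": "2024-06-30T00:00:00Z"},
        {"displayName": "Old PoC Dashboard", "appRoles": ["User.Read.All"],
         "owners": [], "lastSignInDateTime": "2022-12-15T09:00:00Z",
         "credentialsValidUntil": "2025-01-01T00:00:00Z"},
    ]


def _parse(ts):
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_service_principals(service_principals, now):
    """Score each app and return findings, most urgent first.

    remove : privileged AND (no owners OR dormant/never signed in)
    review : privileged but owned and active, or unattended but low-privilege
    ok     : owned, active, low-privilege
    """
    rank = {"remove": 0, "review": 1, "ok": 2}
    findings = []
    for sp in service_principals:
        reasons = []
        privileged = sorted(set(sp["appRoles"]) & HIGH_PRIVILEGE_APP_ROLES)
        if privileged:
            reasons.append("privileged app roles: " + ", ".join(privileged))
        if not sp["owners"]:
            reasons.append("no owners")
        last = _parse(sp["lastSignInDateTime"])
        if last is None:
            reasons.append("never signed in")
            stale = True
        else:
            stale = now - last > DORMANT_AFTER
            if stale:
                reasons.append(f"dormant for {(now - last).days} days")
        unattended = stale or not sp["owners"]
        if privileged and unattended:
            verdict = "remove"
        elif privileged or unattended:
            verdict = "review"
        else:
            verdict = "ok"
        findings.append({
            "displayName": sp["displayName"],
            "verdict": verdict,
            "reasons": reasons,
            # A credential that is still valid means the app is usable today.
            "usable_now": _parse(sp["credentialsValidUntil"]) > now,
        })
    return sorted(findings, key=lambda f: rank[f["verdict"]])


if __name__ == "__main__":
    for f in audit_service_principals(constructed_service_principals(), AUDIT_TIME):
        print(f"{f['verdict']:6} {f['displayName']} (usable now: {f['usable_now']}) - {'; '.join(f['reasons']) or 'no issues'}")
```

The ordering is the point: the legacy connector with a mailbox-wide permission, no owner and no sign-in history lands at the top even though nothing about it looks "active", because an app nobody uses is exactly the one an attacker can use without anyone noticing. The active, owned app holding `Mail.Read` still merits a review, since ownership does not shrink the blast radius of that permission.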
SVR Targeting Security Staff Emails
Midnight Blizzard specifically targeted the emails of Microsoft's cybersecurity and legal teams — seeking intelligence about what Microsoft knew about their operations. This is counter-intelligence tradecraft: understanding the defender's knowledge and capabilities. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> helps organisations understand what nation-state adversaries may be seeking.
If Microsoft Can Be Breached This Way...
Microsoft is one of the world's most technically sophisticated organisations, with dedicated security teams and advanced detection capabilities. Yet it was compromised through a test account with no MFA. The lesson for every UK organisation: no one is immune to basic authentication failures. <a href="/penetration-testing">Penetration testing</a> finds these failures before nation-states do.

Clean up legacy accounts. Enforce MFA everywhere. Even Microsoft didn't.

The Microsoft/Midnight Blizzard breach reinforced that legacy configurations (test accounts, deprecated OAuth apps, residual permissions) create persistent attack surfaces that sophisticated adversaries will discover and exploit. Cyber Essentials Danzell requires MFA on cloud service accounts and the removal of accounts that are no longer needed. Our cloud configuration reviews identify legacy OAuth apps and excessive permissions. Internal testing finds accounts without MFA. SOC in a Box monitors for password spraying and anomalous OAuth activity. And UK Cyber Defence provides incident response when nation-state intrusions are detected.


Russia breached Microsoft through a test account with no MFA. What legacy accounts exist in your environment?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA everywhere. <a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> find legacy OAuth apps. <a href="/penetration-testing/infrastructure">Internal testing</a> identifies accounts without MFA.

