Microsoft says Russian hackers used previously identified tactic to breach senior exec emails
Russian hackers abused a popular authentication tool to gain access to the email accounts of senior executives at Microsoft, according to a new statement from the tech giant.
Microsoft has been tightlipped about an incident — announced late on Friday afternoon last week — that they said involved the months-long compromise of corporate email accounts. Prolific hackers allegedly connected to Russia’s Foreign Intelligence Service (SVR) breached a legacy non-production test tenant account in late November before pivoting into their targets’ email accounts. Microsoft only discovered the incident on January 12.
For the last week, Microsoft has offered little explanation on how the hackers managed to pivot from non-production test accounts into one’s used by senior leaders of the company.
But Microsoft said in a blog post on Thursday night that the hackers managed to gain entry by abusing OAuth — a standard that allows applications to get access to data and resources based on permissions set by a user.
The group — which Microsoft calls Midnight Blizzard, and overlaps with Blue Bravo, Cozy Bear, and APT29 — allegedly “leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.”
“The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications,” the company explained.
“The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.”
The blog adds that Midnight Blizzard is particularly adept at “identifying and abusing OAuth applications to move laterally across cloud environments and for post-compromise activity, such as email collection.”
Microsoft warned the public about the exact same tactic in December, writing then that both nation-state hackers and cybercriminals had shown the ability to “compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity.”
The tactic also allows hackers to maintain access to applications even if they lose access to the initially compromised account.
The December blog post mirrors much of what was in the statement released on Thursday — at times using the exact same language — raising further questions about why Microsoft was caught off guard by the tactic. Microsoft did not respond to requests for comment about how the hackers were able to pull off a scheme the company previously identified in great detail.
Password spray
Microsoft said in December that it had seen hackers use password spraying to compromise a user account and elevate their privileges to “deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.”
The situation mirrors what Microsoft said recently about how Midnight Blizzard hackers gained access to their systems and elevated their access to the accounts of senior leadership team and employees in their cybersecurity and legal departments.
“In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” Microsoft explained on Thursday.
“The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.”
The hackers also used residential proxy networks — tools that allow someone to navigate the web pretending to be a real user from a specific chosen location. The proxies allow hackers to conceal their IP addresses and serve as intermediaries or buffers.
Midnight Blizzard routed their traffic “through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online.”
The hackers were largely looking for information about themselves, including Microsoft reports on the SVR’s tactics, the company said previously.
Microsoft said it has since instituted several new measures designed to stop these kinds of attacks.
If hackers tried the same tactic again, “mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” the company said.
The incident was announced days before another major tech company — Hewlett Packard Enterprise — told the SEC that the same Russian hacking group targeted their own cloud-based email environment for months last year.
The company said it was notified that Midnight Blizzard hackers had breached its systems in June but declined to answer Recorded Future News questions about who notified them. Microsoft said in August that it had been notifying customers of Midnight Blizzard attacks following several incidents involving compromised Microsoft 365 tenants owned by small businesses.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.