
Microsoft’s latest compromise may have been easily avoidable

As Microsoft reveals “Midnight Blizzard” compromise, security pros suspect password spraying.
Francis Scialabba

Late Friday, Microsoft revealed in a blog post that a Russian-backed group accessed the tech giant’s corporate email accounts. The compromise is a disconcerting one, according to some IT pros, given both the high privileges of those targeted and the method of access.

“This is not a great look for Microsoft, especially because it looks like, from the small amount of information they gave us, that this was a pretty simple kind of an attack, called a password spray, something that could be prevented by two-factor authentication, and Microsoft was not enforcing their own policies on certain systems,” Alex Stamos, chief trust officer at the cybersecurity company SentinelOne and former Facebook CSO, told CNBC this week.

A password-spraying attack is a type of brute force attack in which the attacker tries a small number of likely passwords against many accounts in an organization, rather than many passwords against a single account.
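The spray pattern described above (many accounts, few attempts each, from one source) is what a defender would look for in sign-in logs. The following is an added example, not code from the article or from Microsoft: a small Python detector run over constructed sign-in events, with account names, IPs and thresholds all assumed for illustration. Keying on source IP is the simplest grouping; sprays spread across many source addresses need the same logic keyed on other fields as well.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for illustration (not real telemetry).
# Each tuple: (ISO timestamp, account, source IP, outcome)
EVENTS = [
    ("2024-01-12T02:00:01", "alice@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:03", "bob@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:05", "carol@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:07", "dave@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:09", "erin@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:11", "legacy-test@corp.example", "198.51.100.7", "failure"),
    ("2024-01-12T02:00:20", "legacy-test@corp.example", "198.51.100.7", "success"),
    # A normal user mistyping their own password: many tries, one account.
    ("2024-01-12T02:05:00", "frank@corp.example", "203.0.113.9", "failure"),
    ("2024-01-12T02:05:10", "frank@corp.example", "203.0.113.9", "failure"),
    ("2024-01-12T02:05:20", "frank@corp.example", "203.0.113.9", "failure"),
    ("2024-01-12T02:05:30", "frank@corp.example", "203.0.113.9", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=2):
    """Flag source IPs whose failures in one time window touch many distinct
    accounts with only a few attempts each (the spray signature). Each alert
    also lists accounts that later succeeded from the same source."""
    parsed = sorted((datetime.fromisoformat(ts), user, ip, outcome)
                    for ts, user, ip, outcome in events)
    if not parsed:
        return []
    base = parsed[0][0]
    buckets = defaultdict(list)  # (source IP, window index) -> events
    for t, user, ip, outcome in parsed:
        idx = int((t - base).total_seconds() // window.total_seconds())
        buckets[(ip, idx)].append((user, outcome))
    alerts = []
    for (ip, _), evs in buckets.items():
        failures = defaultdict(int)
        compromised = []
        for user, outcome in evs:  # already in time order
            if outcome == "failure":
                failures[user] += 1
            elif outcome == "success" and user in failures:
                compromised.append(user)  # success after failing: investigate
        if (len(failures) >= min_accounts
                and max(failures.values()) <= max_failures_per_account):
            alerts.append({"source_ip": ip, "accounts_tried": len(failures),
                           "compromised": compromised})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS):
        print(alert)
```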

What Microsoft shared:

  • The company identified the attack on Jan. 12 and linked the compromise to a Russian-backed group known as Midnight Blizzard, or Nobelium. The threat actors password-sprayed their way to “a legacy non-production test tenant account.”
  • The group wanted to know who was talking about them, “initially targeting email accounts for information related to Midnight Blizzard itself,” read the Microsoft blog.
  • According to the post, the compromised account’s permissions allowed access to “a very small percentage” of Microsoft corporate emails, including those of senior leaders, legal team members, and cybersecurity employees. The attackers exfiltrated emails and attached documents, Microsoft reported.
  • Microsoft said it is continuing its investigation and cooperating with law enforcement. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” read the post.
Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Who is Midnight Blizzard? Not a late-night guilty pleasure at Dairy Queen, the group is perhaps best known for its compromise of the software company SolarWinds. In August of 2023, Microsoft wrote about how threat actors use compromised small-business accounts to create new domains that mimic tech-support entities. The group has also had a reputation for going after Active Directory.

Adam Meyers, SVP of counter adversary operations at the cybersecurity company CrowdStrike, knows the group as Cozy Bear, a crew that, he said, is considered responsible for multiple breaches over the last decade and is likely acting on behalf of the Foreign Intelligence Service of the Russian Federation.

Meyers expressed skepticism about Microsoft’s claims that the compromise occurred on non-production systems.

“I don’t think there’s too many environments in the world where you’re going to put your senior executives, your cybersecurity team, and your legal team on a test environment,” Meyers told IT Brew.

“Either they’re being disingenuous about the fact that this was a test environment, which is probably the best-case scenario for them. The worst-case scenario is that a legacy test environment is so deeply connected inside of the fabric of their infrastructure in their cloud, that a penetration of any aspect of the Microsoft Cloud can lead to a deeper intrusion into customer data or Microsoft’s data itself,” Meyers added.

Microsoft, which declined an interview with IT Brew to address questions related to the non-production accounts, also faced a breach in September 2023 from China-based hackers, who, according to reports, extracted a cryptographic key from a Microsoft engineer’s corporate account.
