On January 19th, Microsoft disclosed that a group of Russian state-sponsored hackers, known as Nobelium or Midnight Blizzard, infiltrated its corporate systems and accessed sensitive emails from members of its leadership team. New details have now emerged explaining how the attackers gained entry and what they were after.

The initial breach occurred in late November 2023 when the hackers conducted password spray attacks, trying common password combinations across multiple accounts. They successfully guessed the password for a legacy non-production Microsoft test account that did not have multi-factor authentication enabled.

From this foothold, the hackers identified an outdated OAuth test application with extensive permissions to Microsoft’s corporate environment. They compromised this application to create additional malicious OAuth apps, as well as new user accounts, that granted them access to Microsoft’s Office 365 Exchange Online email system.

Armed with these elevated privileges, the Russian hacking group proceeded to target the inboxes of Microsoft’s senior executives, legal staff, cybersecurity personnel and other employees. They gained visibility into sensitive internal communications, possibly even reading emails describing what Microsoft knew about these state-sponsored hackers’ own activities.

While the initial password spray occurred in November, Microsoft only detected the breach in a review of its Exchange Web Services logs on January 12th. This means the hackers had access to confidential Microsoft emails for close to two months without detection.

Microsoft believes Nobelium has also breached other organizations beyond its own systems. It began notifying additional targeted companies after identifying similarities between the attack on its network and intrusions elsewhere. One company confirmed to have been breached is Hewlett Packard Enterprise, which reported unauthorized access to its cloud email environment as far back as May 2023.

To prevent similar attacks, Microsoft advises all organizations audit their OAuth applications to ensure only legitimate apps have privileged permissions. It also recommends enabling multi-factor authentication across all accounts, even legacy ones no longer in daily use. Additionally, monitoring tools like Microsoft Defender XDR can help quickly identify suspicious account activities that may indicate an advanced hacking group has broken in.

While investigations are ongoing, this breach makes clear that even the world’s largest software company is still vulnerable to sophisticated, patient nation-state actors. Russian intelligence continues finding ways into Microsoft’s most sensitive systems, despite strengthened cyber defenses in the wake of past high-profile attacks like SolarWinds. There are doubtless valuable lessons to be learned here that can help improve security protections for Microsoft and its customers alike. But significant risks remain in an era of unrelenting virtual spy games between rival countries.

Secure your Exchange Servers

When a server is compromised by a cyber attack, time is of the essence in responding. The faster a breach can be detected and containment actions taken, the less damage the attackers can inflict. Every minute that passes allows adversaries to further infiltrate systems, escalate privileges, and quietly expand their access.

Security analysts suggest compromised servers are leveraged in under 90 minutes. Messageware Z-Day Guard catches changes to your server baseline instantly, and sends you alerts to respond long before this threat window closes.

Protect your Microsoft Exchange Servers from zero-day attacks with Next-Generation threat hunting: