Executive Email Account Takeovers in the News: Unpacking Midnight Blizzard

In recent news, a Russian-backed threat group known as Midnight Blizzard (or Nobelium or Cozy Bear) infiltrated Microsoft’s Exchange environment. While the initial entry was relatively simple, the path attackers took to compromise the mailboxes of top executives was sophisticated and effective. Before we talk about what could have been done to thwart this attack, let’s break it down step by step.

---

Update:

Since the publication of our previous article, Microsoft has released new information on this attack. In the original bulletin about the attack, the assumption was that the threat group involved was looking for information on themselves, but in a recent blog post, Microsoft asserts that secrets shared between Microsoft and its customers were among the exfiltrated emails.

Microsoft indicates that these secrets are being used by Nobellium to attempt to gain access to sensitive systems such as Microsoft’s source code repositories. Attempts at password spraying, a tactic used in the initial attack, have increased tenfold since February. It is clear that this is a concentrated, coordinated effort to continue to breach Microsoft’s systems and establish persistence and underscores the importance of solutions that can detect and auto-remediate compromised email accounts.

There’s no denying that advanced tactics like session hijacking and the deployment of MFA phishing kits are becoming increasingly popular. But in this case, all it took for Midnight Blizzard to gain access was one successful hit from a password spray attack—an attack that uses or “sprays” a password across multiple accounts, cycling through different passwords until one is successful.

Based on what we currently know, here’s how they did it:

• Identified and Compromised an Unsecured Legacy Tenant: Most organizations have an unsecured tenant or user account sitting in their environment and in need of purging simply due to the high volume of users and environments created over time. In this case, one of those unsecured accounts was an open door and the threat actor successfully compromised an account on a legacy, non-production tenant. Multi-factor authentication (MFA) was not enabled on that account—meaning once a correct set of credentials was entered, there were no remaining obstacles to overcome to gain access. Typically, an identity security solution should be able to detect an unusual number of sign-in attempts, whether in a single account or a group of accounts. However, as this attack focused on a small set of accounts that the attacker likely knew were tied to the sprayed credentials, the volume of attempts did not raise any alarms.

• Obfuscation via Proxy Infrastructure: To further obfuscate their activity, Midnight Blizzard used residential proxy infrastructure, routing traffic through legitimate IP addresses. In this case, even if a flag had been raised due to the outsized number of authentication attempts, the use of legitimate IPs could simply indicate it was from a user who had forgotten their password.

• Exploited OAuth Applications: Once Midnight Blizzard was successfully inside Microsoft’s security perimeter the group then needed to gain visibility into VIP mailboxes. This was done through the use of OAuth applications, in which the attacks first started by compromising a legacy application with elevated access that was already on the tenant and then created additional malicious applications.

• Permission Elevation to Gain Mailbox Access: The attackers also created a new user account, which allowed them to grant excessive permissions to these malicious apps. In this case, these apps were granted full_access_as_app, which does exactly as it says: allows the applications full access to the Exchange Online environment, including visibility into VIP mailboxes.

Midnight Blizzard then used these malicious OAuth apps to exfiltrate email communications. While details are still unclear as of this publication, the investigation indicates that the threat group was looking for information related to itself.

While 100% of the attack details are not yet known, it is worth discussing how certain tactics used by Midnight Blizzard in this attack could be detected by the Abnormal platform.

First and foremost, monitoring the cloud email environment means monitoring the entire environment—whether that is a test account, QA, or production. Abnormal monitors tenants in the mail environment not only for unusual mail activity but also to detect permissions changes or risks to the tenants themselves. A user enabling a legacy authentication or disabling MFA are critical misconfigurations that can leave the door open for attackers, and in this case, did just that. But even if the misconfiguration had not been detected, a crucial piece of detecting compromise in the ecosystem is the analysis of user behavior—not only user inbox activity but also authentication signals and identity markers like geolocation, IP, MFA device registration, user privilege escalation, and more.

Abnormal delivers this capability through Account Takeover Protection—monitoring and analyzing sign-in activity across the cloud email and collaboration environment then alerting, contextualizing, and remediating when suspicious activity occurs, as shown below.

But even if a threat actor is exceptionally good at obfuscation, Abnormal actively monitors tenants for new installations of third-party applications integrated into Microsoft and presents them in AppBase—highlighting those that may be suspicious or unverified. Any additional malicious OAuth apps installed by an attacker can be detected by Abnormal via Security Posture Management—which identifies when an application has been granted access to a tenant and when that application has its permissions unexpectedly elevated, like those shown here.

Both parts of the Abnormal platform, Security Posture Management and Account Takeover Protection, then integrate, sharing tenant configuration changes and user privilege changes to enrich the behavioral case built by the Account Takeover Protection solution. Once Abnormal confidently determines an account has been compromised, that account is then automatically remediated, with access blocked, all active sessions terminated, passwords reset, and security teams notified.

To defend against this sort of attack and protect your organization, there are a few best practices you can implement today.

1. Enable MFA Across All Accounts
   First and foremost, while there are plenty of ways to crack MFA, enabling it for all accounts is non-negotiable. Many threat actors are opportunistic, and the effort required to bypass MFA is still enough to short-circuit many would-be breaches.
2. Actively Monitor Your Cloud Email Platform
   The next step is effective monitoring. Legacy tenants and dead accounts may not have enough activity to warrant oversight, but once again, these old technologies and users often give attackers a foothold into your environment. Detecting anomalous behavior is critical in the most active components of your cloud email platform, but it is just as necessary in the abandoned ones.
3. Automate Detection + Remediation With a Trusted AI Solution
   Implementing MFA is relatively simple, but continuous monitoring and analysis of behavioral anomalies may be challenging for already overwhelmed security teams. This is where an AI-powered solution comes in. It can automate the detection and remediation of email threats, allowing security teams to focus on investigations or—even better, other tasks entirely.

Unfortunately, attacks like the one Midnight Blizzard executed on Microsoft are no longer outliers; they are becoming the norm. That said, there are ways to safeguard your organization, and AI allows those safeguards to dynamically adapt to keep you protected. As more attackers learn how to use these tactics, implementing email security best practices and a modern solution will be necessary to keep your employees, your tenants, and your entire organization safe from attack.

Interested in learning more about how Abnormal’s AI-powered solution can protect you from account takeovers? Schedule a demo today!