Microsoft Midnight Blizzard Breach by Russian State-Sponsored Threat Actor
Email spear-phishing and an M365 enterprise application were used to exfiltrate source code and access Microsoft systems.
What is the attack?
Microsoft systems and source code were breached by Midnight Blizzard (APT29), a Russian state-sponsored threat actor. The attack began with spear-phishing and the compromise of an account on a Microsoft test M365 tenant, followed by lateral movement into the M365 production environment to reach VIP email, source code, and M365 systems.
Why did it get through?
Threat actors gained initial access through a password spray attack against an M365 test tenant account, combined with email phishing. An M365 Enterprise Application was then used to escalate privileges into the main production environment. Contributing gaps: lack of OAuth on the test tenant, and no active monitoring of Enterprise Applications or email access patterns.
What is required to solve for this attack?
Enabling a Human Behavioral AI security platform that a) ingests M365 platform signals such as sign-ins and enterprise application activity, b) learns normal behavioral baselines, and c) detects suspicious and risky behavior. Enhancing email security to prevent spear-phishing. Detecting account takeovers across M365, cloud, and SaaS.
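To make the two detection points above concrete (the password spray against a test tenant, and the enterprise application used to escalate into production), here is an added worked example that is not part of the original page and not the code of any vendor platform. It runs two simple detectors over constructed sample records whose shape is loosely modeled on M365/Entra ID sign-in and audit logs; the field layout, the sample values, the approved-app baseline and the sensitive-permission list are all assumptions made for this illustration. The second detector is correlated with the first: an account that logged in successfully from a spraying IP and then granted a high-privilege permission to an unapproved app is flagged with both reasons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical; not real Microsoft or Entra ID logs).
# Sign-in records: (timestamp, user, source_ip, outcome)
SIGN_INS = [
    # One source IP tries a few passwords against many test-tenant accounts...
    ("2024-01-12T02:00:00", "svc-build@test.example", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:05", "svc-build@test.example", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:10", "qa-user1@test.example", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:15", "qa-user2@test.example", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:20", "qa-user3@test.example", "203.0.113.10", "failure"),
    ("2024-01-12T02:00:25", "qa-user4@test.example", "203.0.113.10", "failure"),
    # ...and eventually gets into a legacy account that has no MFA.
    ("2024-01-12T02:00:30", "legacy-admin@test.example", "203.0.113.10", "success"),
    # A single user mistyping a password several times is not a spray.
    ("2024-01-12T09:00:00", "alice@corp.example", "198.51.100.5", "failure"),
    ("2024-01-12T09:00:10", "alice@corp.example", "198.51.100.5", "failure"),
    ("2024-01-12T09:00:20", "alice@corp.example", "198.51.100.5", "failure"),
    ("2024-01-12T09:00:30", "alice@corp.example", "198.51.100.5", "success"),
]

# Enterprise Application audit records: (timestamp, actor, operation, app, permission)
# Operation names are assumed here to resemble Entra ID audit log entries.
AUDIT_EVENTS = [
    ("2024-01-12T02:30:00", "legacy-admin@test.example",
     "Add app role assignment to service principal", "legacy-test-app", "full_access_as_app"),
    ("2024-01-12T10:00:00", "it-admin@corp.example",
     "Add app role assignment to service principal", "hr-sync", "User.Read.All"),
    ("2024-01-12T11:00:00", "it-admin@corp.example",
     "Consent to application", "hr-sync", "Mail.ReadWrite"),
]

# Assumed policy inputs: permissions that warrant review, and apps already vetted.
SENSITIVE_PERMISSIONS = {"full_access_as_app", "Mail.ReadWrite",
                         "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
APPROVED_APPS = {"hr-sync"}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(sign_ins, min_users=5, max_failures_per_user=3,
                          window=timedelta(hours=1)):
    """Flag source IPs whose failures fit a spray: many distinct accounts,
    few attempts each, inside a short window. Also report which accounts
    that IP later signed into successfully (likely compromised)."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in sign_ins:
        by_ip[ip].append((parse(ts), user, outcome))
    findings = []
    for ip, events in by_ip.items():
        failures = [(t, u) for t, u, o in events if o == "failure"]
        if not failures:
            continue
        per_user = defaultdict(int)
        for _, u in failures:
            per_user[u] += 1
        times = [t for t, _ in failures]
        low_and_wide = (len(per_user) >= min_users
                        and max(per_user.values()) <= max_failures_per_user)
        if low_and_wide and max(times) - min(times) <= window:
            successes = sorted({u for _, u, o in events if o == "success"})
            findings.append({"source_ip": ip, "users_targeted": len(per_user),
                             "successful_logins": successes})
    return findings


def detect_risky_app_grants(audit_events, suspect_actors=frozenset()):
    """Flag sensitive permission grants to apps outside the approved baseline,
    or made by an actor the spray detector already marked as suspect."""
    findings = []
    for ts, actor, operation, app, permission in audit_events:
        if permission not in SENSITIVE_PERMISSIONS:
            continue
        reasons = []
        if app not in APPROVED_APPS:
            reasons.append("app not in approved baseline")
        if actor in suspect_actors:
            reasons.append("actor signed in from a spraying IP")
        if reasons:
            findings.append({"time": ts, "actor": actor, "operation": operation,
                             "app": app, "permission": permission, "reasons": reasons})
    return findings


def analyze(sign_ins=SIGN_INS, audit_events=AUDIT_EVENTS):
    """Run both detectors and correlate them: accounts that succeeded from a
    spraying IP become suspect actors for the app-grant check."""
    sprays = detect_password_spray(sign_ins)
    suspect = {u for f in sprays for u in f["successful_logins"]}
    return {"password_sprays": sprays,
            "risky_app_grants": detect_risky_app_grants(audit_events, suspect)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

On the constructed data this reports one spray from 203.0.113.10 (five accounts targeted, one successful login by legacy-admin@test.example) and one risky grant: full_access_as_app to legacy-test-app by that same account. The hr-sync grants are not flagged because the app is in the approved baseline and the actor is not suspect, which is the kind of behavioral baseline the section above refers to. In practice the thresholds and baselines would be learned from the tenant's own history rather than hard-coded.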