Microsoft Blizzard Breach by Russian State-Sponsored Threat Actor
Email spear-phishing + M365 enterprise app exfiltrated code + accessed Microsoft systems.
What is the attack?
- Microsoft systems and code were breached by Midnight Blizzard (APT29), a Russian state-sponsored threat actor.
- The attack came through spear-phishing and the compromise of an account on a Microsoft test M365 tenant, followed by lateral movement to the M365 production environment and on to VIP emails + source code + M365 systems.
Why did it get through?
- Threat actors gained access through a password spray attack on an M365 test tenant using email phishing.
- An M365 Enterprise application was used to escalate privilege to the main production environment.
- Lack of OAuth on the test tenant, and no active monitoring of Enterprise Applications or of email access patterns.
What is required to solve for this attack?
- Enabling a Human Behavioral AI security platform to a) ingest M365 platform signals such as sign-ins and enterprise apps, b) learn normal behavioral baselines, and c) detect suspicious and risky behavior.
- Enhancing email security to prevent spear-phishing.
- Detecting account takeovers across M365 + Cloud + SaaS.
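As an added illustration of the detection logic described above (example code, not from the original page or any vendor platform), the script below runs three checks over constructed M365-style records: a password-spray pattern in sign-ins, accounts that then signed in successfully from the spray source, and high-privilege permission grants to enterprise applications made by those accounts. Field names, sample values and the high-privilege permission list are assumptions.

```python
from collections import defaultdict

# Constructed sample records (assumed field names, not a real M365 schema).
SIGNINS = [
    {"user": "test-user1@corp.example", "ip": "203.0.113.9", "ok": False},
    {"user": "test-user2@corp.example", "ip": "203.0.113.9", "ok": False},
    {"user": "test-user3@corp.example", "ip": "203.0.113.9", "ok": False},
    {"user": "test-user4@corp.example", "ip": "203.0.113.9", "ok": False},
    {"user": "test-user5@corp.example", "ip": "203.0.113.9", "ok": False},
    {"user": "test-user5@corp.example", "ip": "203.0.113.9", "ok": True},
    {"user": "alice@corp.example", "ip": "198.51.100.7", "ok": False},
    {"user": "alice@corp.example", "ip": "198.51.100.7", "ok": True},
]
APP_GRANTS = [  # constructed consent/role grants to enterprise applications
    {"app": "legacy-test-app", "actor": "test-user5@corp.example",
     "permissions": ["full_access_as_app"]},
    {"app": "hr-dashboard", "actor": "alice@corp.example",
     "permissions": ["User.Read"]},
]
# Assumed list of permissions that give broad mailbox or directory access.
HIGH_PRIV = {"full_access_as_app", "Mail.ReadWrite", "Directory.ReadWrite.All"}


def detect_spray_sources(signins, min_accounts=5, max_per_account=2):
    """Password spray: one source IP, many accounts, few failures each."""
    fails = defaultdict(lambda: defaultdict(int))
    for r in signins:
        if not r["ok"]:
            fails[r["ip"]][r["user"]] += 1
    return sorted(ip for ip, users in fails.items()
                  if len(users) >= min_accounts
                  and max(users.values()) <= max_per_account)


def compromised_accounts(signins, spray_ips):
    """Accounts that later signed in successfully from a spray source."""
    return sorted({r["user"] for r in signins
                   if r["ok"] and r["ip"] in spray_ips})


def risky_app_grants(grants, suspects):
    """High-privilege grants to enterprise apps made by a suspect account:
    the pivot from a test-tenant foothold toward production data."""
    return [(g["app"], g["actor"]) for g in grants
            if g["actor"] in suspects and HIGH_PRIV & set(g["permissions"])]


def run(signins=SIGNINS, grants=APP_GRANTS):
    ips = detect_spray_sources(signins)
    suspects = compromised_accounts(signins, ips)
    return {"spray_ips": ips, "suspects": suspects,
            "risky_grants": risky_app_grants(grants, suspects)}


if __name__ == "__main__":
    print(run())
```

Real deployments would read these records from the sign-in and audit logs and tune the thresholds to the tenant's baseline; the correlation step is what turns two low-signal events into a high-confidence alert.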